079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916dde

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
Size

625KB
MD5

a315bb174d7ec57fe6c64be3fca15ab0
SHA1

6c26ef1af09fb52ab2dd808f5696b95111db933d
SHA256

079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916dde
SHA512

68f1654f2355bcefbda1de056bed6fda13f696a522405e817e16b3f8c6fb8f5fc1e6fe2e544f502aef74e21d7b2cd59ea416109eb2aa00f06772124b834cf99e
SSDEEP

12288:t2wWCIkeRlk7ugd1EOFcNW2f+zRIxzA0RJ4P3Zu/t4ZJ0FSlg6BdLET7bI/IiN:EwWHRlMugdD+JsRgZRJ4fM430Eg6nETi

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5096	alg.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
2040	fxssvc.exe
220	elevation_service.exe
3636	elevation_service.exe
2976	maintenanceservice.exe
1404	msdtc.exe
4524	OSE.EXE
4052	PerceptionSimulationService.exe
3568	perfhost.exe
1640	locator.exe
3152	SensorDataService.exe
64	snmptrap.exe
3080	spectrum.exe
2692	ssh-agent.exe
4756	TieringEngineService.exe
1864	AgentService.exe
1064	vds.exe
744	vssvc.exe
5052	wbengine.exe
3828	WmiApSrv.exe
4104	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a0089fb352c8123.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\wbengine.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\System32\alg.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\System32\msdtc.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f6640096312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bca7d076312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003901d6076312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001965b9076312db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6c5da076312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000622beb0a6312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad4cc8096312db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe
3260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4332	079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
Token: SeAuditPrivilege	2040	fxssvc.exe
Token: SeRestorePrivilege	4756	TieringEngineService.exe
Token: SeManageVolumePrivilege	4756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1864	AgentService.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeBackupPrivilege	5052	wbengine.exe
Token: SeRestorePrivilege	5052	wbengine.exe
Token: SeSecurityPrivilege	5052	wbengine.exe
Token: 33	4104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4104	SearchIndexer.exe
Token: SeDebugPrivilege	5096	alg.exe
Token: SeDebugPrivilege	5096	alg.exe
Token: SeDebugPrivilege	5096	alg.exe
Token: SeDebugPrivilege	3260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4112	4104	SearchIndexer.exe	109
PID 4104 wrote to memory of 4112	4104	SearchIndexer.exe	109
PID 4104 wrote to memory of 3120	4104	SearchIndexer.exe	110
PID 4104 wrote to memory of 3120	4104	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe
"C:\Users\Admin\AppData\Local\Temp\079e2e523886661355c74cb0fcc38f50ebf37063ab66bc9a8d93373c23916ddeN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1728

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3152

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9b4996ce84823218b0262917fcb17dd1

SHA1
8075af908178e80d18236d3f9cbb6f672abc4cc9

SHA256
1585ff116fc00d9bb109341a5c7465f55d96d72cbc21619efe08789c4f99e794

SHA512
1bdadbca8b53f52011f09be1e18e497ee1704f92083fa8cad405ed7754e412f97649dc87ffc6872fc09d6acf3f301a00443a247bb3855aae39689c54ce9bfb3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
7a59f98797965e8a82a2113770c33e58

SHA1
0db6efd9415f5cc5a1504dcd01bf77e3638a81c9

SHA256
99f4f47edbd5b47a96e0d54cf5c668626eea6bc101d4f84778d8cf256926c7c1

SHA512
ebd7e7d5b9666fef793b12f611352cf7a44bb5ea793d2cb519a20779337fdfe6bd1a0a8e8b3fc8f48afabadff004a79ad5945c4f9eaf06b68a6b1be3a7db3275

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
80d66774cef9291d066c2c57cd32578d

SHA1
54f5c60967df943c8c0b42a18d7ce5f38c14df23

SHA256
fd9bb204b189afd14ad6774ea8eb7687662a56b2935c66bfd50b04c946735c49

SHA512
c0dec648fe436c3b48a5544449d36a8881a8d8360f2ed50ca4481f1f0097ccf4eaa280dbdbb0f047adc660d1d393db7b576ef022c7a847ec35be683f9336c952

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
437f99f1178e2160929d2daccfe48e07

SHA1
bcf63a5011e5433e3604711a82fc11641b7fd036

SHA256
a7c2cfe3902795e71d0f2c1205c75083da5760460e5bfeddf47e78412bf771e3

SHA512
d001b3fd30374e4944b527dc3c743ab3f3134d6e2b4c5063c2d0f813790e9a7f7e60b7d7b60c70b02729ce526bdf38d3821cbcb750f14e986978f4937a490d77

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9b866521fe7de224e2694c50762da3f5

SHA1
eb215b56a67348837bf41c654e2012e8e4998ad0

SHA256
3c63f121b82da4f83c2447786af69d5700ca94edcf1315ca9a4081b0b1ff221b

SHA512
a2b4b073d2509f5134db2716be0817bce2344318351769f1a8507eea2cf0bde4d94f53e18fb2041f0122ca936c800c8e5f00e1ff0a13045e20a12420475b5a37

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9a417d823cb5d227231e0cc6e3610ef3

SHA1
ebd16e51a44e48753cab4de93d9a77d5a842237b

SHA256
e64500f4e9506b337e00424e680e5262a0fba83a3a4ad6f40f24b1216914892d

SHA512
13f9b5bdab53e48fb657aa1adf07aebb399b1eb0c91657f5a2a906ec0c060634a4328bcbdcf580e4e87652794148d71a784433807503b86070f88cdb7c8dcdb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8f7a9e97d95aa0ddacedad0837ec35ee

SHA1
7d15c513b845fa5816e4dc3e956a86ff8d05e268

SHA256
f26c167df6ff901ffdee82d9184454ea5d44f824b5f7ce809c1967d64471b545

SHA512
d0b8566b41beb91a78d6c503592300856d0969793ddb7dce15a31f91d0cc5088daed26d5c095bbe3231605427cece6026e1b1819a20193b40e35f10d9606b226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
55e120c950acf5ab1515eff65b7878a1

SHA1
4d61090dd83fa6719d52b7816375e3b7b41ac696

SHA256
3e4c6850771281dd086606e9debdeed6b0ee96ab1fd43071270bf886d28ccfcf

SHA512
220215c04bc758019defdee4368efd2fa15be7213dd53e26739df6b36c25c2c69476d9209d2618b62446546e34047de3581b5903a4dec7fd6e579a9f1144ae05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fd4b2a90be075573d150cdaa5e851069

SHA1
e98feaeffc6fdec7edff8358bd2032b4767c9f57

SHA256
971b32400b785f6900a8e81d0581d1d1ee3a37bb770956b383eac1e3ed9e75e2

SHA512
9ae5d19ec38c5e846f1ced4cf206406fe6859d522c48cdf86e601dd5ce9578a1d68eaa786489414abefaaff839f8872fb1e72f6c09d1b8257517434fc1023130

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
13e4c711661641f62c74e64fc1b3564a

SHA1
69eea5f08bf7b42e40f15ccc7bdfff6e169a24e6

SHA256
46b85864c9c13b79dd40971801498adb58fb0c78ee1feed11d8b2580ecaec516

SHA512
578e80df7a457570c64f55fd962aecfa585d8b82927bcf7b7fb37fd7ea9da4beea1666c7f651c5426f8a7c0aec254db66962f7cd8970ad1958e973d8d4513b10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3a3c4b77c303aad948fb49fc81eacdf2

SHA1
7b8d983bf56be25ee148707574bcfceed4e1d9f4

SHA256
dd098fad41ab8ed53d7125922441207ee0356891a0e289238bc40c529eb88665

SHA512
5e4cfe446d624cdb3a93586a9d2d0e7e9724d821c82d673e36b7782d262bc4f2b75915d8d603bf269c014fd2d291e300259fbab457470452de4c6fbbd7b0122a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e0564037217abd5f98403db202044c6d

SHA1
5e516e1010282fae5d9ac64c0267c45321c824f3

SHA256
2dec1e75109df5774776f6622764486bcb68b60a02e2afe9e39d8e7b86f217bd

SHA512
854ebd269c13ad544cc348b31730c6885c788793a1c4d6f30b4fccf74db9c532afed70e4320e7e586ee4e33790aaba414287e1945a100dc660e073db274692a0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
87fff160030969d8c5a9fda49aa5db0a

SHA1
c8fdbff17b84113040fea7b8c457e952ab65a0b5

SHA256
7809c7bf1a8433a90ce1837bb7be34a04a21ff9dd66308b505cf18d2e046a1ae

SHA512
2af49fdbd42dbdcc1e558c4e01a5b03e6a760cfed26f19d31801291b234fc292593af5ff33be85cff59e32f7f24988cee4904e5303e3c5864eaacdc292a7cd85

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2b801accc7563f2f163705dcbe4d5bd3

SHA1
c461c532c96784785f5e75e651923129f0c7e557

SHA256
b2a9b084c5b0cb70235c8561d20a026292395e282aa151fa0add31948b35ed5d

SHA512
5385a85a3604dbdd07aa036fca7298aeb1a4263bcbcbf6aa4cb6356f13aeec9209225560cb218993ea1ff4c92d061b9c1b29abd86b8e55096569a96683a4740e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b92e2dd14d939872bf7d80382e3754f6

SHA1
0fe0f47234a892163627d5b225cb8cd2614e2bf4

SHA256
83832f4b0f28ec77540d765a3ff6a868c248e032316a09d60987df072d2e63d1

SHA512
5ec18e07c945de967597d210b452b1648c5d845dbfc1ff631b4857d97ae3969d8f7267dfdc87bfcf80443fc3e856f92604bc1a44fa86326add81193bc39db057

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1b5b973cacabb1f5925d59e794f44706

SHA1
1e277c91850793df04c253254bbf0f98a27b0dd8

SHA256
3870fbcfbc904c3f7ce904d3068e0a651bfc6d11268887b3116dd9a6972e846c

SHA512
b324b571519159a18b06f5f81538d1de1fab44ecdcae7137b2ac413f85a421dc5ed98f587769bb6565d9c83d6029fc7747c878ff9fdcdbbd4a9686a1c7d9a4b8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
931f285842de5b0d0610303d2d04c3a9

SHA1
c86b468d1b5a700b7f87365a3f944d0a25a24359

SHA256
c7b1d05b1d7e65bb398bd7d267dcadaafd8a830ac908f63546b40c9145dc20b1

SHA512
93b42f06d386cfa0107d42d4062db98a50a6b641683b74f4b0375067d2faace64497d3e8734eb68f063e024a17f4e06410b8600879c6da13c5684257c4a5a51e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1f708db171ed870aac2ca3cbab14946a

SHA1
dbe1950c89d4bdadd69c3cb1bc3c26fc502a3bc7

SHA256
b8563f3dd268c1f314c61aa706f837c369aba7d7103750ae0fe4294e11604b98

SHA512
5753ddf7735ece17d9096c4829c27692dd7418d9e52fd36c27ca5952f768159c855c40cdcb745088addae1ea5f8b560a8af639a10e7024080522f6a44336b29e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
aa528c94db6e7c293a31a7d1422c0a07

SHA1
28b4956b4b431d002ad6c82466b7c191824b2d93

SHA256
99adc8ca380631840cb2087d299cec729c826a9f9d83a9187cd82fc2f5558771

SHA512
c7fc9e084dbc5caf45f7813381af39bb81c9e59b384da91de33581d4d168928c9221d41328936c22b2daf77e9b2549dda3411c5c7ce07389be086f2c30a79fd3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
86ea5c53392267ad9e9f7831b9f46c11

SHA1
9db387ffcc1fd315d1a483f3e7bd6d2141a161ff

SHA256
1315a28bdaa7aa93361ac04c94958f0e7ba435e38e6e89cadcd56afee68a9838

SHA512
56eff5e002e2750c1986af2809d0bd19e8db0ee6642ff6e516f06f5fcd01652a41c67d4a9d6de7c2f6f5bc0a4cee429dba261bddafe978cbaf1c5f8237078c9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
79290a883ef4bd13357cee49fc94b74f

SHA1
5c2763a4f43b5c6af8a0b4c9be992ab0b3c57428

SHA256
d146c5296fffa8fd2c820b6ae5d481b86aed0b75000c426661b8e9998708ecda

SHA512
6fdbf46c554d8f04c8d2842ce418f010726d11401398e31b32d0841d79c91760c05ddf64796dbbd3bb4c5d4481fc2de941c5f91732edd09fccd16dfcca466999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
46bc73d1815e3c0782e04d4a31e3eb16

SHA1
2d86c13ebf17939d7689cc5913a1f8eacf70bada

SHA256
035e3a7a3919a44caaad3bf12599aa4d7d01246d177950597d1330505ff62222

SHA512
fd04f5c12a83547f6c38f79ec552887786b89ac55bc43adb74bbabf96ed8474f6b5638c4fa3bb604e504ae5addcea08300432ccd0461db326ebdcb7834bd4d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
37da994c079a3d913a751a13099d13bf

SHA1
278b4eb3476a670b9194d8bf0afa164d3dc32a5c

SHA256
57e6e213e00267ad88780f50e776bbb8af59826b71e0105b143931061d4bd140

SHA512
bb4930272935f020fcd9d4e6dd5ff1c6e64f0ff69731d86027063056e19e36436356ba1284c93e0defd168b9aa04a1155158f40e1e21faf82a76be31d2b954ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9b13a17f30effcc99e1ee79bed90758e

SHA1
ae0e3b9e6fc66cf697d3c6b87451bb8113736734

SHA256
aad4511e00488f94ef0da7e8de88cdbf1e4ff5c4da3425c852e20857f71d9f10

SHA512
4c427b16c666b9e948c2908637d85da818f5df4ee0764af2aa72195ef855031ee0d609658615b16fefb8910d6f105f3d4587ec9ae39ddf7db2fb889bba5afaba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9bf32fe89a93ad2d1c178de647616ea4

SHA1
ec997dfd94db5835749037ad1f35aa6a69757939

SHA256
3b8873362aebe329dcdec0ca47682769778eeb57a794a8cb6dcef15784ed2c05

SHA512
c2235f0d4e8455cfffa47ba3bd32e387878094ad9274c5cc1eb1380c57cee3989da1a27083d0234a615fbd4ccb9ce1bf6357c123d3024abb4e57c7909d0fdc0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0514dc3aedb4550b2f9e8db02fb8eab1

SHA1
6d2878087f6b9b9b309058d3dce0e96a71d3443e

SHA256
af4f4fad96f9d5e31f2bcb9b1154735ac584516ba08074b12602f10252af225f

SHA512
8cd76eb3c20e52850ef18da1083a3fd144347fae8a270d51307e54710f5a6b036a42f485107cafdb1006654a56149e5db7cdc45ae1bb6851b28e95480f77d302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f2ab851e52dc1a000a5b7cc865cac83f

SHA1
b8921e2690f44eab71d8bbc9236703edf7aaf99c

SHA256
d9180910642f985251fdea615bbea40985935116c9c4bba13b312d8b26733dfa

SHA512
fbd99bd7a1b7f1f82ddecd30e87e349f719810a48fa6322c69ed520a0993bb5ac05ab5e320581f550287fc39903a34fad47216378ae50aa1be2968929cacdba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c6571e4be72f2fdc58e6ad17a99842f5

SHA1
cd3559833dbbd65a69b5d21aa2a439aa818a11e6

SHA256
f0cdd46b3343f8fd739547d816d7adee878f7824e59478f054ad3255112f1e93

SHA512
6520fc17e3b576e5fd10e2dbfb89549812363382493fe4942850832b1c46b9fff0a7d6c7d2341a0d3f32e87fd1dcd366d2598d7ce7773742477891f2c8aa76af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4457ca77c6b0c591cd6b8a43570b5c35

SHA1
2fc136ca15993be595344c849ed844e1ed27d067

SHA256
4717fbb985a635e8a44046ba189a74f98a12337684a2fe768c2989df67d6b4ae

SHA512
c557d3d8fe34538c0f4b138d39686add3ae10a3fb5930075000aafac948e7336cc2dc4776b20bc9b75e73a8304e0e286551b3b90bcf7dd3e0d0841135f246005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
48bbcd02522685311bd24ffc45295faa

SHA1
d74bd30e117af40b360ec409fbe572fd8740d3a4

SHA256
5ae6ce84a5f073e9c1fa2dd1d5f2316a0fd2144a52ff06e0f5b41062e5fa9c93

SHA512
29ae5358a3416c8e64c9694d929c562af5625cde80942ca5c76267b6c7b966d5570d747f8707ff5bd24695417292c45184c15051ca4bd55cacd5d08294d95487

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7304fa7789d500313890d44677fb6a12

SHA1
3f22c98e75afddf28ce8bc6bbdb2231c68eadfb2

SHA256
36975a72673761b2b5a44da2b158e6b0ba86ee4624ca266a7ae0bd48f8a657b0

SHA512
e95688526e68a5f2dffcd3dee838e46aac65f16f03508e546b2fe96aace2e96d6f5bfe0b35ccd77db1c5891b8d97383c82b879032b9c492bdbbd1c630332061a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4a00a6d1c4dc104456cd45c1e05d8d7d

SHA1
944b586c1953a356b218ff14c4ad3543c99e1225

SHA256
cfe2259e2725c610800d08a1567f09c030800e5f31f90da3b4824260d97582ac

SHA512
d0bc56a5eb389c2ff1a62f9982126a85c9589a537330501c7f307eccb3649b6336ae472f827af88adc9cce62a3cae798ecea596ad2edd46439e86df0356a1584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d69272f4c5eae10fa7de847c66307e95

SHA1
92a8525e89165a63407a0010d484db44234aa13a

SHA256
1e8a5a97204ab71d55446c8529a4687e68a9676dfd39d027d2b5e0a3a139c41e

SHA512
f9fec9f3f0dc685e6bf43455fa342a48b695da6d23345ec68ca87ff0c40eae5a762e5c5a35f714dcf7918e4f8f2089f0581a3536c3981bd03f6ad8cbaa449278

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e5036e1af5adc5c042c297096d322721

SHA1
f534c1e07b39448cd2d261e81f1e039728fa6f39

SHA256
92c6768fbe66453dfc4f77962cca2cf36e3f038c1be99fecfc18b7a3c6c380a3

SHA512
8afc519657e2568f9dacfd1023be7a44e50c94426dcce0368aeb54de4d3f0ef1b1511c824be2902f118a4b1e5bf15a500f1e9dc1e67a81092c19161a2aeb82e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bb588816d166e131f5c1fed08d0574f0

SHA1
7e382e7cb9f3a7d9e0ba3a21968d54210a29fb60

SHA256
e1b103a1c7e0841ce9144f6cedeec46db3029179d8b6811eaed7126538efd11f

SHA512
72ee4e93e131a6da548ad9ce2e9fc96d9da8f09527c2c5a15c85e4879fce48972a33a24face453cc29c82bc0cc5aea5f764f41eba03e66ae87f857901d1f0be4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e848c65b2b00ee39654b2ae47831f623

SHA1
4c7ddefc3c7253f43212a96f1bfd29f22853d86f

SHA256
4d94d3fb998c79dee98702e112f0081d3c74bb7b01642975c94da5b252edc906

SHA512
ea981d4de119b8dc98117a19389af5e6bd16facd743c7251e70ce9bde89459cfd84111b11b62793addc3f743e5f8cb53cc90d4a216a2b7bea2ce090f24fbf655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
7762e27992233612305a9c990e5af66e

SHA1
e76294081c568e036fc2ff330f30f61fcfd8350f

SHA256
e67e58fe530b171043491c8612aa2c72a0c94a0e4edf4020f879c9d83461ed38

SHA512
0e207c1f92f588e489183ba9829f85c4c1816e4778b4257d0294db417e9b5e75dd1ba5bea124d076b15434ed2bc90f7f2d80f9986aaeea3ba3a73765fb1664ad

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
591343919738f3c9e446cf30de81c0b4

SHA1
141d857d36616df2c6d3809f3aa512ff9849f8bc

SHA256
777e33ba77ad2b17d66395f421d1fedb7272781faf609eb695f50b0db4a61e54

SHA512
cc6cb85992f30a5110915552817f6f64c9b22a67e0a9415f2dd42f806a607ec7d8e31f100f56f466717952b160c713247aa131b39e3d7bdd4b2c6317f35699bc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8b4fd0c14111c216784ed6cc03acbef2

SHA1
bc5ed3f3bb017673398a520e74af1d08ed24319b

SHA256
fc1a338b00c2534515b188a90ecb39b7e38de867f6050ae008e86047cc6498c7

SHA512
2367e14c213054286f4e2fde8d73b84313ace3266ca75a0f316b20f3fdac484e49a4d7360b326ff4c911487fac0b6dae52c85989714a54e737202b81fd975d32

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
496801782025b3454e5bddfa78f64e2e

SHA1
c7c657cfbe25b47eeb58e9d26656758841da6558

SHA256
e13be285c55853a1ac40ad6963eea56acec7e45929f74184b26d8b656afcd644

SHA512
9660544a12829d4a2406d30d825e6c1410c1e9d4102e4f2df4f4cc70a7dc4928ba003b99529c0bb7185e2d7de6abae8f295cead516d895d18332491606d129e5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
317e4dad6cea7eddd4c235f91efba581

SHA1
cae92268f7c243e48097968ffe772abb903de602

SHA256
ce04d40236c60b564dc382500c9fd25cd2cffb0c3d2c431af6ad06513fb6c06b

SHA512
598fcb430d4583cf8f7927b8ad05975f861c840801a3d838911ac09c6d9db5f4ef6108c2cd6d55a84d2d4f1e53be10721daafe60e92f97d5f184783a3cccf00a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e22c83527acf10b54b138a9fc8e818b7

SHA1
55d5020379d37881e58439fa8e97460c2c712089

SHA256
f14e30f4fe9b7bd3db65046d0d5a548d1e203d657c8afdbfbd9afcdd3c5763d2

SHA512
4493107298863ef68b62a894c4cfb362fbfddd278cd74cdee02de6281150f3af4db5f031a08d7ff33fb630b8dc14e00292852e19911f9ed09299772ae2f8222e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4213dd75a2ffd9a84e949000cdd437bb

SHA1
32e94d4dce96d4d2020d88478c06549185adfc47

SHA256
d5f6d20293ceff3f9de4b8d45531e5ed03df2b0c65907e150d2c7c98b264e098

SHA512
6cdc19a435141d405b2b210a05440e177aa0d93b20dc3cab35be2a8578f0c83f19d0d2170710b329297d8bb13c254ae9eb1469be5723e8f177acca715a56b6f5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
364684817535a015ec84935e8439aace

SHA1
791aaaed7035f08806e1bfc94046ca49acc3046e

SHA256
8be83528659992f06a1fb4f5ed78ea2c2f63b4398ab1ff277ce744a50b1ed9f3

SHA512
8ef4007d01483ed215669b890dc6365ab5c728f03cab71b3c97464d805199d92e4b79475960a4465af095261f0785d3d97420ec9528a1517a9261a68f1c86fd7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8503d938a6bc9f3e95734d5ad58b0e88

SHA1
db6b7e767eff9573f030af7a6f84d170fb487126

SHA256
e76ceab718afc3c5c12a8ebfbd20a8a3fdec332850c6b2a31fd3dddfc2abcf0a

SHA512
e8a91f3bb8d50f8008590a85deeb24c2cd5a6a30f2c76be25ff660f0b207d2b18d5ac7514ecdff28dd5b44dc1ef502bec492612da6e75dc2ed3ac2dc99009ca2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8cbf3046faa1101158117c43aeb93023

SHA1
97c5378c48ea62e5c5b9be108979e9245fb7fbfb

SHA256
b4f793e393c075fef725a43a76d761481e1c48b35e7fc0d06800cfa715e7c8f9

SHA512
350e3c916663a8e1b2bb7135254b1e5d72a8e069d64840bb930c867a86bf8e5f50df3f6c5230aa291430fe5fe33edc0fbab576662c625b71fae245362fff3c53

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
08626a9044e075dd6c58ab928260c1e3

SHA1
13647a614a6d397f9f576f035240997df2045b75

SHA256
7708ac42633794d0a28143220b89fc8562d54f2efb6702c8ffde9632acfac791

SHA512
aeadd3f59597f6ac4bfd564c203ff24507fcb2566ff166d07375e913056a0aabb529be2b507be36a083bd3a7a6d0589b6e7cc29a459bc90784e07ca67670aa77

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bf9373aac6f83cd3dbad5e88d017d714

SHA1
c2710d751cf0c313469acbe3e8f44a76b962298e

SHA256
28d269e0a79b36a9599caede988964f1131243454b15f476747be5e1e0a0c50d

SHA512
41264c5b53e3f506a5406e91e1e362ba1d4a0ab0f130639852e618fbfc252f2419c3dab3e711c8bb4e2e2852faf94edca4505a2d58f91da9d62e57726de447ae

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3d95e229ca980f3005715f91d493e3ab

SHA1
a2ea703915aa4e452c7d48c59ca3ed9b1480b47d

SHA256
67f92c1a9856aec3509795d193cc953bde528689b81d405bd558496664c6baad

SHA512
936954458a904d500413c2bdc9a4fa829aa4196679c0299d6fe992de2923cb6c47c1729d0beed687b032fb577d7d60d053c1ee3b9259c2380f1c3704e58f862a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
11726f9e4875b951f91981efac422dc9

SHA1
d5cd635b998f8576482cef0c79b90be7bb04e32e

SHA256
83004fb5d7bd3dc0309696ff4561c827ac934bb31a768bfe1d1ac68ef6fad6bd

SHA512
563c4c63aee0ffc64028d8cbb72e08c12f058be1ca71761b673b2dee70451980973dec47594fe1bd6271dcbb1208e9210e2522697f48dfe3787c8e34a80dc977

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a75d95778cf74ae0f2c912c0b838b2c4

SHA1
75683397d79eeb5cb1c290b3c29d27d1f9975e10

SHA256
03596454ce257a15d59aa7055828b3a7f1598976be2edf3033d8c52237b59eef

SHA512
7c6e4e3e7f98613e623d9216ae0d09ab2bc55afc2a063957877a74ff42b703c05f753b6d1a29591d0e04b2c487c59908eaf01b1d3c4a3ab371224ad146a6389c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5ee9374fb757d02ace0f0b5821a32e3e

SHA1
d9e0111f868ea716ec2f03d12ec3610507d561e3

SHA256
260230af3e89d8f4b3e25cf22e3edd80a9f1cd406a2d96e138d4b1f0596d4a62

SHA512
e6fd6807920e699d2eb807db79957318757bd941a4f39ea7d461c2a139d7bd3d4dea21709d48c0dfc249678288de8b8a0d05895d24e07375e3586bed42d027d6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3f2df55fa4c333de1028becb80dd846e

SHA1
a7d04a3f3ea02fe9d938db6e9715ed0365ee9d24

SHA256
0991feaa5b61ad6046e379472da6654bc8b682bb3db4631d7c80233464806afb

SHA512
7501759071b344915f11524f3555a9623c35ac0257b8ef4069b98c4344c9a15ee733bab4fb2d11dc3e732c2792713889af442621acb8857f2375acbcd7cbaf61

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8842db7af5706ea77eb962343e248707

SHA1
5ba7a8adf9c5414d316a10ee63bd56fd8ef8a1fd

SHA256
801a41b12d6fdc18112da8ca5da3929f7d88fe01350b8dcaed28bd34906b3020

SHA512
b69a616aa1287bd170ca8014e335a3d86cee3890e4051a3fd5b91a53b60cfce9ef433e44c3f238635e9b78cc3854ac5d1caba5d2b9a6e6ec6ee2957d3d641c2d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5abaffaf67c68a83043d0f69193663fd

SHA1
eaa18d2179d89f8d38249141bbc87539a02ca03a

SHA256
59b5b1632897c6ee4f0f13bb04fb00e2d406fbf2791acc8b454de55c9c182b82

SHA512
61c7b33f550197025e17c07bdc8e120a81b35182de932dc5a355dc772457d6866f36b5f332e65d07a339412ebf6dbb957cc4b8e673417ac09b3ed39a5a4a8016

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
48a16cf9fbe168572676c11323bfb80f

SHA1
b287de798441ff902f3fc32c484e41e52de7c1a2

SHA256
5a56893d459812b0b731d9dc67b0f243139ca2ce36d76933c023721899b225bd

SHA512
3b31801b9c6b00170c7ed664474f409cada562e80200d693e03d9381de07cc350f9705bf6fb4305159ff7add2eaf92356755d2880c9283976359876f9298c1ac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2fa786397544b77978314e17917a2d69

SHA1
06defba804fe30a94e9f12096fdaedea2119d4be

SHA256
c439ac9eaf665e054ac6f11f6f3819777abc8703c2e78184f7e9dba8c72249fb

SHA512
ed27c2a8ed30d1496e92ae2c53f79ac4ca5add17cd35098c140ac072fb127e4036b1ee73ae7a334f3448cc85d34def4b453131ea4d5df511feab296edcea3916

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
489f8eb0012c3adaf89220193637a5bf

SHA1
dc037ec7a0fcfb0a84e65949831ea7b0a8aec997

SHA256
f944f8e6afb66cc9714759293d03f444f5230760aeb2d81d51c8fcb2f173089b

SHA512
03a24c7b38d2ef03ecd5c7bcf22897f9a7ecfdb93186de6442d0a575b779f45fa01e2fb13b68152cda17fe4ace66e5f1ee0829c8c4b15113f43e7ce8a049f9b5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4ef1e8648cf587877e4c6635bc96123d

SHA1
aad10f30a083b00b86a2562935aa10adb6a81cc9

SHA256
2eac1629fe4bc96d553669c32e580db734fd9924867af4ce4ff17118471a7972

SHA512
a671f60eb8a0d02d385668dd5550e58cb6436dc3cb23098f26bda965e29c89a05537a2a915d6164037cf09f8d0f56e5e9ac2540b278c78deaf49e659461783bd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3c928082a51344ddb55dadc68e778407

SHA1
ca81ee46b9d3e953e39e005403507d28e60a1265

SHA256
0b5313653d061be3bcde8e357497c3c25adfb1e7c0d694dc615b696d744e803b

SHA512
ff2799e85e3036b11d4fd35b537182e93bba1b39e14e2acf00ed3da29b13f84af3ffb92c4135b449c9a57131c7d84db2530bc91e813182bebd6e8f796a4269b7

Download Submit
memory/64-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/64-367-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/220-177-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/220-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/220-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/220-52-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/744-528-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/744-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1064-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1064-510-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1404-215-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1404-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1640-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1640-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1864-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1864-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2040-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2040-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2040-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2040-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2040-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2692-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2692-453-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2976-87-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2976-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2976-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2976-82-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2976-76-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3080-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3080-429-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3152-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3152-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3152-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3260-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3260-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3568-227-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3568-124-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3636-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3636-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3636-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3636-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3828-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3828-615-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4052-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4104-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4104-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4332-6-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/4332-2-0x00000000005B0000-0x0000000000617000-memory.dmp

Filesize
412KB

Download
memory/4332-454-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4332-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4332-74-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4524-123-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4756-471-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4756-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5052-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5052-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5096-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5096-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5096-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5096-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5096-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download