fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
Size

1.8MB
MD5

862ae830ca8a772b8680d6e203f25ea0
SHA1

6230a2548ba2d28ac9e1d66fb565055135c2abb7
SHA256

fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d
SHA512

f210ea4145747ba96f74eab96f13ce60e9cced6326f4e6ecb9dd817b523ec11013601bc29816bd81d8e071913e14640a476083bd169880a20d5b8ddd71f9b4a0
SSDEEP

49152:Ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAxgDUYmvFur31yAipQCtXxc0H:UvbjVkjjCAzJLU7dG1yfpVBlH

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2844	alg.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
4168	fxssvc.exe
2640	elevation_service.exe
2936	elevation_service.exe
2076	maintenanceservice.exe
3704	msdtc.exe
3472	OSE.EXE
4776	PerceptionSimulationService.exe
2592	perfhost.exe
2684	locator.exe
5024	SensorDataService.exe
3360	snmptrap.exe
3036	spectrum.exe
4244	ssh-agent.exe
4676	TieringEngineService.exe
4124	AgentService.exe
4052	vds.exe
4764	vssvc.exe
2212	wbengine.exe
2456	WmiApSrv.exe
4136	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8134b2f2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\locator.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\System32\vds.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTDDED.tmp	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_is.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_nl.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_cs.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_gu.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_pt-PT.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_mr.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_no.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_hr.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_en-GB.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_da.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDDEC.tmp\goopdateres_fa.dll	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a7447d78214db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1be58d98214db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b79c4ed78214db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c0f83d78214db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000939751d98214db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ab45d98214db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000591cb8d98214db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1364	fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
Token: SeAuditPrivilege	4168	fxssvc.exe
Token: SeRestorePrivilege	4676	TieringEngineService.exe
Token: SeManageVolumePrivilege	4676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4124	AgentService.exe
Token: SeBackupPrivilege	4764	vssvc.exe
Token: SeRestorePrivilege	4764	vssvc.exe
Token: SeAuditPrivilege	4764	vssvc.exe
Token: SeBackupPrivilege	2212	wbengine.exe
Token: SeRestorePrivilege	2212	wbengine.exe
Token: SeSecurityPrivilege	2212	wbengine.exe
Token: 33	4136	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeDebugPrivilege	2844	alg.exe
Token: SeDebugPrivilege	2844	alg.exe
Token: SeDebugPrivilege	2844	alg.exe
Token: SeDebugPrivilege	5004	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 212	4136	SearchIndexer.exe	109
PID 4136 wrote to memory of 212	4136	SearchIndexer.exe	109
PID 4136 wrote to memory of 1156	4136	SearchIndexer.exe	110
PID 4136 wrote to memory of 1156	4136	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe
"C:\Users\Admin\AppData\Local\Temp\fa63e0578201b907d5b6c81fed506b11e6110b63e314efaf06951edaa75ff23d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3704

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
90e1f3005936ef5d9a166acf83b1b49e

SHA1
52b6e0b348afb0a8c3220cc880cde389bf83de8c

SHA256
6941d3ce6d49120e7e7969f489cc4f5c407e97e48e9a8c28e083e54655486fdc

SHA512
a68b097760693b3a076187182baef5ae9c3e69a5becf5df93e19f8114d2b802009b9b0e15c5b269a0af8d30328c496277b4be484f27b06803c605cbeb014c4ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
9817e96241f34436d2f07a94a9ee27c8

SHA1
0acd79f9c8c06ef4ea09953376b74ec5571f439c

SHA256
45a9ab114fec676224687275bc6ee2f00fbe16d56ae72ad61ad96024b85cc9e2

SHA512
28da0c2c0a36ebc1a33e5264239191eb7924a9ca91004c66eed7b8923d06a8dd82480df76bfcfe1dbde85e8b9689e5c975bb682da547a60a666189c650b899a5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
23c9c62b21146b738e2051f41de32e8b

SHA1
9770445fb45be59df5d095f60edde7de8ec448bf

SHA256
c754b69baddf789d2c7d53aa5917db5313500d85c32d5c6d5fbf98b03736b0b5

SHA512
9529a5943e3d7817e3cffb85bc369ea07cf1c4f64aa5e2260407b67e9021809e84a39b355567356812f1493c2e47875bdbd6706b4d2a227a405fbb25e9311c5a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a48fda0a14be58521cef2a11b0bcddff

SHA1
736e9ba6473a16d018f5778013956124cce8244c

SHA256
97d8f8669e3a8c95667ddee242464b00a774d35a6679af1221ebf777fe67f540

SHA512
159c72becb4dada02d08816885b25c5f73f61cc7aaaccaa221a4449ca48d36700902db3f0f52916d74bcb8a91c5bd14dc6f16f13e8d25b6d4cf3425df0cd8fcc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
398b8b067868e2c700ad24c31583bec2

SHA1
ecbf0e4d3c068c97ea42184b49917c12c39e54d6

SHA256
5db2480359af762ad87d309578d4dbba968a190fd8716652be34e306063b393a

SHA512
2867ac195d63f7bb0101b9cd7fb4ed3de45e5156d804a26c748011a129229c39ffa63197a03e809b2fe23885e31d4a0b410ceb70dea3e24ebd40b06a1b4807a9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3aff8d6a2b26d9772d18a9e97e912d90

SHA1
66c569609213796ebdcadd1c1ee762efcde22100

SHA256
5f05a1609dd783aca5525f77c4532963d9c4838f259d626d70ce52009c0e3df4

SHA512
745002d7664b7953e02f706745aaf208c68d113ee3be9eaf89f064bbf578d6a888363db19e9deae2aeb26f234a76a38b3751d3ec24ad2a0c22c43a468a857b1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fa7584e42a68d8d0b52d52fa05fec3c8

SHA1
875e682a8f552ed817044ced03bf0afde1898c08

SHA256
df634aae52174d94481e52595af3d48e66b7fc8a98abc810242c56625ce39a44

SHA512
1852a3d040691f99b1d89cd003200c3a15bfaefbea149031a6cc461158ef99750c47485c8fdc68f3b625c2ab4c04e7ff69550b2fac1f3c307bd270d030197f2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ed48f1878b07f2a8dd46ecf40cfd017

SHA1
bda24926c25917e8f776b154c60b9baf7a78cacd

SHA256
49fa2b7c6fb594758601d069c36b915168047810e3dbe8d96758b8db989513c4

SHA512
4c37a4b2762877a885f624a598ef2a267ccf187254a1bcc458ee1d197c66501ce0852cbaabe2285e5f60cd315abed046f6696dc7d73255d2f51b78e5c73a21b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1bd6ec224a15b75e064c60dd87941bef

SHA1
77c2197003c994a6e9bc3e9f5bc69829483f2b04

SHA256
2efa0ba372ccb64293a9ad56ce3f0d316b5ef795e690614931101e32d6bb9704

SHA512
2073ef621d7ee832583e2be8dbf37ec0ef23b8f390cdb1c8764837e33841259e0b0d648b0d0574a0aadba0028870a5ae3de4a3b6fa1ff6169a53a29810f4dd7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4f72036f6703d340537e0cd9dbe6aa93

SHA1
38a7abfe52ba4578782abbcaab562ab201d27063

SHA256
67018b0d2a48df1d5f20b67bf24ab65d474148d48dab4ce223abacb69ec91ca4

SHA512
4fc1dc681bf52f58319644fd0edeb2d699ee2a0827578ef19a27f75fd0f456d4a3aac87bad828395d44cb774c31c6a2a6ad657de527109279cedcaa559b355e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1ef234d79a7fc6ebf9a34bf2c56880ae

SHA1
6b7fd812df3d18a17ab0383ed0f78c53c60dc0f5

SHA256
9f8a43600598e8438722f9907638d288ab5620b39cc9af98aa52c22775d72cef

SHA512
00f2886f2ef2f90f3789908aca376f01ed4892c94c00fcf4347dcbb574cb08961145826ea19034155ac2715e9e00c7d674d71f33b693c2f045be3893cb571bdb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8b8b9cae0216660eb69d2e829661787

SHA1
ca3b4ccc8afc874d81019aca5705e9c6836a59aa

SHA256
83a51325360e1ba0bc0a4dbc32594452a37c07dadb8772d9eb79017fc7718ef8

SHA512
6b92f9b1e751ed1336a74efcf3c68913db95a868dcf07d8ef540897970489477514d62352869d3d93b93434ec9502b63792dab17ee4d18c33e65e71be26a7ed4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
2e5a2a68e0d4847c9a2231496c8ec309

SHA1
a677f3614081eef68540835919214623ffe29b66

SHA256
2e26e8291c7473a451effd8f8cfd50a0983f7ca6dfb3cfea73e1024de48d16f6

SHA512
4fecd4ed235178043b9399796d2d4effb2bed25e5827eac729fead6f95c3369ac466569672c3be9cbf7a28a1fa08e8dee387e28b2bd2070e1e5f8e4a09ba5dc1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
554e8a56ea326b4e7d94ad332f19c413

SHA1
78a79bfd29d7c1522824c534a5b11315438ef377

SHA256
a0a32a164a95d7c1b8a26afdb081a2a758d87b0772ef9d28c2aad06bf5322d04

SHA512
5aff5c10b46b42eb9c16a9f8b9cc68b0731cfe6d601b6c17fbc75d4d7033e27170cb0b4d52f626c6d17fdef1d1eb5a249ea9364135a942788daf1222ac2f96f1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1bdcbea4757dd7e12c1baa4de3505b44

SHA1
fc2b9bca1b7fc1694da30d906d7e923bf3f00077

SHA256
c697cd36412a9e9195c485edaaf9f5f477cc853baacd29e229b3ffbc17e902e3

SHA512
10ece5a4436ba103a3424739cadbf75ebd2a185d3ff405f328b6b3690d2d2161b0acb9c13fca67dca1f59d7713a1e2af26a5235dc927c009dceb3ec842609d22

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a1a02c24fcf6424d4af89fffefe7fab9

SHA1
24badb9272f76be9de95de33bd46a321d88a1ddc

SHA256
7d99e7e8107324994114cbdf91b164ac24c958a2ef7063088d52d5c7b34e4d67

SHA512
772b501575cfc253e62649841941b5fc35d4c83018528e3a3c704c52e966fa170d3829b832b98d8f659551dba51f9bd637b0183959f7deb1b0c1a7329c6dd280

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ba9cd5eba34d0b9707d75fffbcd66bde

SHA1
e750cbafe6dc63153dc9c1291b89d052fed4e450

SHA256
36ade5600b02ae5a45795f8a4fbb9489ab21f357f39bbc6fbe8b6a308e5f8ed0

SHA512
353b6420333775f1fcd97eac8f2f0b867f1d2fd522ec4f9c3c90ac1876fc7c7747dc2d57868553d62de8ced3699b68092517f7ffaa63d45b50581ecef81f3325

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0cd7234f36ea89f9808352a84c2def59

SHA1
4ad22d38a249fbc519de3ed070947ad2a72008d6

SHA256
2d627e97576e30ac0588ac39493dc694c6766845b2bb2792521ff3ded540703a

SHA512
de67edb8337765e73b64a75700bec388fb027db04c35431938de12b0a702f52b20657c3691d1a93b0e4d202777a44c195ee1cefb8a8751e6431f51d58f0464c9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d88886c5dcc8e2d81e711e073f4c77d1

SHA1
22151abaa8a0beac6f8cb82b5b68f240e589ccad

SHA256
f2cd20a322b691de353e37cd53cacacfebdbf58eb6d9301d05a0622e6e7b5fe6

SHA512
d598d05ba33165cea4b732bb288ab9ca1ede83af10b250e4e4a5db1b0fbb61f60d692f4edb0e24f6499d44b7d11ca0e12c7f22faf43af0c52569cb5b80e03989

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
25afca3d68637c2059315fe6cba0cb4f

SHA1
545e6b08a09fe61cb3325e46353cc425ca16f836

SHA256
640112d998dac74b62be2a428ffa9b3c041abe485217d9c867a1ac60b1391ffa

SHA512
f061ab50b6bddf31a4c52c53b4f8e430843cf732f32ca13a46e64d3b710e5f69d1192935156c1fca144cb7a1a18b1a265adfc821ed55a78a3ceebf937a4f1855

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7a0f3282329d598facede53ac18d2d9e

SHA1
91541ad35a39f5f5bf15c238ff96f747b37cd6ce

SHA256
e1015e985b05497f98382282c4944cdef875e7c73cdc30dfb701fa259df0b04d

SHA512
abc3841bbc066d52aa3970f40a960c279b3a5ec779eae9cb8fd4a62776e475ae8b2821d4798d8d7e6e3bb009e6310c3b131629a6c048c39c26a5aa387af46f83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
aa5bca234afc72336d61308f23c2e022

SHA1
4ab5546fe89c95e08ec42a95956377323d709054

SHA256
78236a8d5b3bec5d1807b3b640118a6281ce2388bc567cf1aeb3901e52110d6a

SHA512
8f2e9662d322239137d123184f210aded6941097bd0c286dbe7554fad514cf8c952a83fe7db8b16406226d7ff4a2d7a5b3d7e8f8871ee63cddbe6f899a919266

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
20871538e1f9c5e212be34424db0ea67

SHA1
a89c503abd25133c7b052eed2285ecc6d4bba0cc

SHA256
11fc5df9f332fdd1b6d3d04cb12cf8e314903db8b56770161cf6608b495a3a8c

SHA512
3bea4a4e8cff9ab4670393cc91048c485c88cd19541345ea90a3d7499d0c981131f91aeb4797ed1c7d4aa4d518a2b57682ddae22262cf9e4ac046518da708ec9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
070b9acce30a4e1a6a9d8322a0decb05

SHA1
e1ac99e8233f5401aea872cc9e5aa717da81cda8

SHA256
66507073ffc846b105e892229cd29c49e24363430ab12dbd09bbf28e570d3867

SHA512
0eb207cc715138547e012e5d40095c3544abb24756882587b344ca53550223e6bae02757c5b05778bcaad8fe7b00767a1f223ab973a450bc510d5522afb4d494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
aa35d908a3574d11e1d560eca1662dde

SHA1
7f4df5b84d705642c002f0efacc44d16ad3dfce1

SHA256
9bc6022b3dbbd16dd2ce6d996c6017a46c0f0cf7d9ba6d950143c8b8ed76207b

SHA512
bc5e5719fd0e0bfdd63d9a4c0569ecd398110b8bc46dbd7b88ed7a60723a53177e451aa6e5435e6d4b9626fe942574b49b26e9c07c0a34967f44c6f768dbdeec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
bcea67131d775bce7097756f987c1921

SHA1
5812fbb77949aae0d56edf09ac53cad0725c6268

SHA256
270951ef493b8d1424871db5f3d839a74c2e18e9cae8c105dd8766cf0e659802

SHA512
0c45b535e55e0d3fb3b4cc81a4e95d9f6e6a2dacff935b3724ae1b8b3bf57545e3855d2e2afe702fc5afa8ce6c5a3842e942359fecad162d8ecad72c6293bb56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
233d26dfdf9344c6c67f05f2b8670863

SHA1
81b1e0454a2010ddc80eb3c1e2f6248e26627781

SHA256
9692aa419e25dd290a20ea56f7c1b760a98f43a4e370e785cf29afef59bbf933

SHA512
c934bb42ffdaea7a52e97ae727470f9faad258d762e57746a88980c6147a5ec6aed87d383701fcc8d41531a3d11815bceccaac434ead27961a70c9ee4a9f26b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
76775547f7c9dff76e1f6900f26ca5c7

SHA1
bc77bb526554d57329287a607e48db4dc54f63ea

SHA256
080761f54b3c388761d06cb0c4ddedb31190f4b463d358d197a23ec94c315dd6

SHA512
dfd15271098a40581cfe68cef3ca2f0bf49444ff13ccceedb5c8e231fe18407d218c2d3565a805d8e4480f8a90ef1fc8643f9d865077fcfc2c65e38420d9a091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
fcf9e9346e7396e71ed1ce856abd75a7

SHA1
1143b7885c7aaefc4408e55286285af89027ff09

SHA256
b22e5ee4d689a10075fd338d87705ea635dae146db236c4b7914b87740bf46e5

SHA512
bcf8775ec162c36d22f34e7441b0f7cd8446c088fd52921f98cf78c3ef35dd8c2bb2784c27e413c15a32cf7247dd30104ea2fa3986fcb790771cee4d9ce9853f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
ee56e9e14e572cd426c6efc88d7a3c18

SHA1
c8c9161306c23c3831acf4bd6598f925be288972

SHA256
9701210c8e92902e66f04d47869a335b7920fe23000f30afe067be2ff0e729b5

SHA512
9a5877caf6e03024bc536a45d607bfaaf8bd2dc070bfdd362d361e97c8b929463bbaf1a56732e649936f28de2901cd94fc03e87e7c6658d890555ec4fe1f0b3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d7ccb214daad92e08aca0b57727f44e9

SHA1
e5971a953c2ee6acdaccb759939ad2e1beccd43d

SHA256
1291f94d9f5e42d340922f011dd2e9cace09d575c8c3ca1b82ed41f530dd09a4

SHA512
66eaff430b433cf9e8eaef78423d6b0488ce7838b0fa3afccfb1b74c74787dc59a9abe9f8d65964f19a838ad6bcaab372d86df4c87fc91fa4e433214d3f39a6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
860aa6fbc992a3b86d6555f3a9a5519d

SHA1
7e15aca8e6dfb73ce5e9e5d64041fafa3e00a157

SHA256
c08233438bd807d820f30758cfd8be7bc5009209790ac0a0a1833aa9fc9fb0f1

SHA512
de1d1e479fcd6d38d4f8d8d21f31a884ee05e297ea3054a8189ad426617e267a8db83c23c0cf470ef42f4eaf2fcf27016d1585be3d954e25eecd8713f3545cce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0223c13983e6030cb235cf7be8637760

SHA1
adfa88676ce11ce520fe14bdb77cb5eeda971a26

SHA256
c0558732e7cd62faedc3e25e7839da32458b1cc7edfd82644bc3884773a93bf7

SHA512
3c1607a8b297df1e91f5aff6d7000635e390532c6f8175efab9d5cad696a3ef04768171a6fe4fbb8f14067727dce2fd6a6b448148668b1cc57907fb038f989d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
d33ae195397cea1b207d5578a98dfbbf

SHA1
56d9292c06b88841e81153b8eb120e3d67c498b1

SHA256
b16c4a613e9c3b89764cd15be17305410ecdf94e3dead7afa1fab2f853cf9699

SHA512
e412abfca3a6af786be8f73a6ed0774b97f7a0ac015fbc8c4776ee04373736cfcb19eccaaa6ca07661fd8d37c91ac7c2f0fc71aaa3b27775ea701165b130f8d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
3b53661364086eb5d828813446fb7953

SHA1
b7195bee8e389f94105fbf7c943a907fe341767e

SHA256
2971c8578508cfb78ffb5f8fa5064a96e933d56263ed5bc1ebdf92ce17f29424

SHA512
2e83f2b15051a45d020288cfe96d7bb581ae5832c631e8a7d8c9d5bd7437381ddb58e6b768a21f0bc8b70952840b39c7a7ea89b1a4e50e5e1d2b2818a2bf1b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
b4fa79dc92b377dd0b95a0eaf9256709

SHA1
cca0ce2c562bada1e0d717026a735b136757fc97

SHA256
f6048e7bf329f7e83e3f0cd52a044dfda345a6a1df0849c37e388afa314da7dc

SHA512
2fb98df6014da0caf7c98eedee6a26910845c366c5c56f15a99a9d064d1a555f3a6802dbcd1354012f6f6bfe95fd189fc63b2e3700d7034b5062e7b0b61739d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
d1cd363c635992bae0e71b3b74546bff

SHA1
b98594693bf1f16b5a4f0e3484ec6377374a987c

SHA256
4875aa6ab4329082d07d6f23926ce61c8b07af927d7c42846b700e964c2da60d

SHA512
b2f48e788c12724934fd48140aec4eb1aa84283c5e6e3add1f3904909e91e8007299ca0e68b6ed901af23f9418c7768c219b06e9ff3cf0b428d36d88370d5b17

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
519a974262480edb85877084b6fb7ab0

SHA1
3765d57f678594eca627c10d21106bdabea29e9b

SHA256
905d8fb3c0c7a8125334993ab6d81ccfbb941953518c69faf225c7b5821b3820

SHA512
fbce864140edf310e642acbdedf6343c3a882a79eb08fe857bcec48132e8cf423d164665e3d4b6836393f2876389016575cdf7d33a91593600172d1c0a390a32

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
03326e0a8d678f20a69f035080e8186d

SHA1
7de8cbc23ed338f8561683239f5f8f16ad63260f

SHA256
b9cd5ffbf1a670c9244545009b673f7551fe779353bc2b9991ddbf9d1475045c

SHA512
32bda04f9266c46f992c77ff90f1b42cd943326dfbe874587de6b21de0cba57742d9a4d434cc53b799f03acc7a8c80c73b672c4d71f6a9cc2542542be48faad1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2f6d39fca8b61e6ab6cd229982158ca8

SHA1
64cfa7dfbf0635c280ab2bd34aae04cd3aa7a2e8

SHA256
04845cb8b44213487944da1f2054ffe50fcdd52cf3c03802edb6a74b8a2e5040

SHA512
6155276e6e3b642482c1b2b95087b16a6f10cb2fee4e4dcf1fc2e64af7321c24bc5a2a3d354d93a605773645134191a7e34b8d17c4a81db4ecbcd7f5a5f7b120

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6b2319e499faa3ba3d742bea5ceebb02

SHA1
bc9d7ed9994f94de18b9b67b5a350ec0227942dd

SHA256
8ef61638e2b3612278a11cf0149c35eff0738f911100377e2db8a9480070b9e2

SHA512
1f2ea23ea65aef06858cfaec3cd8ebca8cad0a24c44d0490907ead1105b2f63bf4b7747625ca49ebe756ee5707c6128ea9b792fdcd483a00fb4c905be2000d90

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
46e9a25495442f581e902e36a1363b48

SHA1
f7a159687370e5005dbf90baba2e599046ab3e17

SHA256
137a8f4f78c171cdc9f95ce16fa5c8b9ebb2a548b98a5c606f04b0ecd9ba2c4b

SHA512
db1862019492984e3427e38daf5f0b4a53a27efec8130bf427f2f355188d74f9710227e7b8ab22d1d141ace5bae1bc8e211ad4b916fde8d8ac42c30ee63d0823

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a1a01550cd0f666f5228609ddc8ffb5d

SHA1
7c8abb930ceb687bda9c0d088034e0ac34f8930a

SHA256
daaac50089a183a984f909b292c05d0caca16e3ae6696ee5a32c5baf39f2048e

SHA512
a93681d961eb594b2ec00ab5d96f4b494406f8ad6ccc78caed8cb8970fb2dab62f145c24da61463dd81ff576ae3706e51cc3f4eedca5292d004b53e873f11509

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0f21077e3bb9cdb8521dd661a8f4d7cf

SHA1
325b6a74175c50d78ce4360ada7ea9c886717ce6

SHA256
3132453a16ed9a4dda69b02097308a7a6e60fd8315e6e418808c3e1b03a8cd75

SHA512
7ae6e7be26bfe83071690ed405a06120294adaf94592ad6342b88ec0b6fa517a9e807d29f6c37420836a367683b75d818bd75715b54a8a98ee5cd5293012b27f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
087512581e65f42403aa13750c92a576

SHA1
910d9ae37baad8ab2a61a5cdad6e4042d99bd1bb

SHA256
b560be753e23ef1590f095cac197f08e2ac27c1e8d4e634e31ca622eedda834b

SHA512
edac50c2dd2aca5d12fb1c6666f7293e1c87e9572b3f19817cef2f00e4ff81497ef6a7213020a8005890ad8e16516ce79e2d7b8b247837c54ca0937252bc6e79

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
192fddd54641325103a0b4eacd83ccde

SHA1
46d10ea1dcb9cf8698d1bee1c787627b35feee36

SHA256
a4059c2984c8820f71886f0633e6339c9f52d6b02feea08bfbeb3c13e1f9b3b9

SHA512
0801a95cafe602fea0428a8c84b079f0ee3f390c427a7e5908020ebc9968d581bca989be9b5611815794b245ac5846f5f874a5c0577a259cb221b99c05ccf1f6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ed9abd9daaa517337fa76930b035edc4

SHA1
d1479ca0723c940b9e7776751c7dd932520feabc

SHA256
eea740999e5735f1938f3d45f54a12905ec5363aad7d7d1477066e007c807bd4

SHA512
51d553c2d97350a1fe8957c95c9e4f1fe869237cf9719fe581cf6324dc9de891d36e2c1e3895b469594ee7ea450a3871c32a8ff28d08c1418bd2c69d70a18c06

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3390bad7bfc6133a1cd5591916ba9175

SHA1
ca6d8bdbdef0dded6c958bfc8c96efac8bbfcb78

SHA256
1ec33f08b5e6e28f188876d9a8368a0e3aab1a2e27313c5f3326b13e6b81ccbc

SHA512
92a79b73f1e6c603c306dde7a160975e6fbda8eb73284417418d21488f31b9e34a7aa243fd98b279c02afc67f635809842e44ca2a77ce0d91e577e826ea447e3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8c9bff7a1ff9727df4bcfe4116709be9

SHA1
a339e2cfa8b79cd6d1421523ca3f4919ca9af181

SHA256
6709eb71f38343145df393c0389ac93a164062470d505ed9fb8a718c6d248ea4

SHA512
f00499eeb7e30c8b91f2fb8c2eb25c7d78158488fb59a000504702daf3e80c9b980cfb33c0d33e664f8bf0cecc8b061deaf8f1a7146961a63b01abc973241de2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1c3cbef82194b2da8cf4a1125f1f1ef4

SHA1
26c135fd750b88b9bc753dfafd8eb6e91ba7b7a2

SHA256
314124bf7b120f2d06f07e69a26e44a47c1e918fb47f368acfec5695912a77da

SHA512
4d204c947360825660aa38c45c39093c67031e2fc61d5424d8594a720a1bf6fe24877d1f55a60da85ac456d7e8a902800069d93fadf8944df32ffdedad307d02

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a140a199931a61ac0da237f767736dca

SHA1
4f79fe62589b34277c43781e1e96a8aa43b9360c

SHA256
9d791c78de86bb5bea48115fc6486114e988f678e8a1d92d9769a3692baf2e6d

SHA512
3f480a2be909508f2700bfabf4c94e6b45070dd796fe9eb086006c4fee9f24d4c54170d084c44f84a5dc14d24ffbb78c1ad40827aa04d7e7580d551808c066cb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
422f8c0c6095a53d00cc123374a5f12f

SHA1
8441d1f0f7a98cb2fd66cf93079c0b1d7f728613

SHA256
df0db7c1ea307f602a3243e345fa1d6012b13fa101a5da04765838bfb8336568

SHA512
e97318e35aac460e05a575f1566ad71515be3ca50e987434ac0db937badb993743abc1829a91ea73f66c5cda95fae1e354e30874eeac8dbb14db6d531a835efc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6d2feb8dce13ec33bcf8609716123dbe

SHA1
01b4ec519755cd8cfa11afec318854d29029192d

SHA256
a7bbd4d52f38616ad42e6555883ee6e8be0bd13f9d4a23840fdec8c2afdaa617

SHA512
23615431a26f5f0b3746ccde625b24aa6ea6016aa07ecad31a4d7710d1308ee705a1965b841653b0e269e75e7119d6d0745e5c6b61994833b5fb8815e206bb62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
df6e9da739fff1815ad69c2fd6af87b1

SHA1
0fdfb8556307ea178d6047ccc15c86df3e4f5dab

SHA256
5829e010e0cf6bc964dc079183f6f6fa4d178b30c19270e8b81ce7660bc9b712

SHA512
fa1a6b5f895c6cf1294e247e7a96304c69768914783d836495cbe1fb26680a5db1bdd005e3f2072355b5bc246ec1381a012811d50907830a2d807fd3bce08031

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e3df0f4e91967614cf6be77b207879c2

SHA1
ce7d8dce150e7c79562064891fc0ee0913fbe428

SHA256
85d589432f6155fbbf91ec4e64a0bd5937fdb92a34192698fdb39256cc217961

SHA512
a45fbd6cd2601711ecb21e450c4917458576c0eb474d1c3f189af440637e21f19be283bf73734605fe345945d3a179616ec4217b9b2753e4310896a425015cba

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8b5e423b56eff8ced3496a0454d0fc1a

SHA1
12962c7ac1b4def66017a7f19847deb7e6ee9b62

SHA256
ab7a11d610c9da21a1dca4c679d94e5870db8e39139a276687820db52f0e3d07

SHA512
afba6b6cfa3ab5051685d7b12620ce0801ee84a639a34f16e104724a8bd981468c1a7c7766d3ae869cb5a4ff16bd844644bfd8f59538e76e4719ac705a5464f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5e0a563f488aa3e2096781fdc19d9504

SHA1
d34b38adef75c45b2405b4dad9f9ef389711456b

SHA256
14d9d76c32324be62ab84604f48f55056259e1deef1d4682be05fc1ee1e9bdfc

SHA512
092ad4ac3d2af90c645b818839372944f0c625f597140c6ca6342a6df9d5ddc7ce59d5a6e29cd16bfe14e43f5bf75a624884a3c614c70265c61280e00c023c6c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3caa319ea4ddae5b29bec58d9408e4fd

SHA1
d2727e03260708ca6e0834ed0d993302aca57486

SHA256
395788dc1560cf41f6dd3fc153a691fc20f160a79d2593ff92f3fc4956f8e8d0

SHA512
ec02f3de9c149a4f8c548e0c3ad1a69d90d4763040ec791585b32bb4633f2ce3228941a348496c7c5b70f9780f873b5a8d4c461ac6509f51b9ae78457ff762bb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
54cb5c7f19f553084830455977d1c2e7

SHA1
e33844585f18fa95e439b07f62b1f54435efabda

SHA256
10d6634d488cadb9585939399e668f80d221f6e3723d94c986c49d80b7a5e7d7

SHA512
0b490478fa56eed3ff59a1c491cdb02ebe06df6d9454a52b359ab8b675190071b36ce70a33cdd94505823f76d57def31f7c0078bab88df5fcde49923685bd047

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
f33c0ee44d3e5915ea79e0015bb4ba7c

SHA1
6682aaa761041b2fc6186bfe1f89bd95ed457891

SHA256
b56e772608ffbf726ee500e85af3357ac85e984f1e6f48bbfca2a566737f7e4e

SHA512
a32ec29019dae34a2364194507705697c367e47cce368bd072136b1d425ef247006bf29b8d7047e6c60e128b61059a25c5fb8906d2c921cd3fcebcaf37f5b228

Download Submit
memory/1364-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1364-513-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1364-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1364-8-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1364-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2076-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2076-142-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2076-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2076-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2076-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2212-778-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2212-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2456-779-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2456-337-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2592-196-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2592-316-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2640-119-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2640-126-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2640-120-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2640-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2684-328-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2684-214-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2844-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2844-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2844-172-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2844-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2936-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2936-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2936-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3036-433-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3360-230-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3360-407-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3472-292-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3472-173-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3704-157-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3704-158-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3704-277-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4052-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4052-691-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4124-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4124-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4136-780-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4136-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-115-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4168-217-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4168-113-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4168-107-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4168-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4244-254-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4244-562-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4676-266-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4676-687-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4764-313-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4764-743-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4776-185-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4776-304-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5004-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5004-103-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5004-102-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5004-184-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5024-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-742-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download