4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
Size

648KB
MD5

ceb35d4e5aea0b6bfb3ce229581f4c12
SHA1

503795791064b4cd145b176b585fb973f0bbbef7
SHA256

4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459
SHA512

546a7ec1a8c82bea7f461d982898b589042b5dc9a2ad9ce7f5803433aed441f68662c7d0430a25e6b2dfad09d5bf62312c32c3508a5677ad71bc1e40cadd3459
SSDEEP

12288:Xqz2DWULqx0MsTe7IArn6xI51Ahl/9EG5/0Ty2LEGQ8WCorG44JmLJFK9yyx:az2DWTP+wIk6xI5ul/9EgnQQ/CtJIJFw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5012	alg.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
2344	fxssvc.exe
3092	elevation_service.exe
4496	elevation_service.exe
5104	maintenanceservice.exe
4792	msdtc.exe
1528	OSE.EXE
3044	PerceptionSimulationService.exe
4992	perfhost.exe
1176	locator.exe
3356	SensorDataService.exe
5112	snmptrap.exe
2324	spectrum.exe
2964	ssh-agent.exe
4236	TieringEngineService.exe
4668	AgentService.exe
1104	vds.exe
1584	vssvc.exe
2284	wbengine.exe
1616	WmiApSrv.exe
3792	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\System32\alg.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\System32\vds.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\locator.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\63d2599f674cc675.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efa513820e3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000454230820e3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f38eba8a0e3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005736fe890e3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059830c8a0e3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002be2ef810e3bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000af55f8a0e3bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4084	4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
Token: SeAuditPrivilege	2344	fxssvc.exe
Token: SeRestorePrivilege	4236	TieringEngineService.exe
Token: SeManageVolumePrivilege	4236	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4668	AgentService.exe
Token: SeBackupPrivilege	1584	vssvc.exe
Token: SeRestorePrivilege	1584	vssvc.exe
Token: SeAuditPrivilege	1584	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: 33	3792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeDebugPrivilege	5012	alg.exe
Token: SeDebugPrivilege	5012	alg.exe
Token: SeDebugPrivilege	5012	alg.exe
Token: SeDebugPrivilege	4492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4768	3792	SearchIndexer.exe	112
PID 3792 wrote to memory of 4768	3792	SearchIndexer.exe	112
PID 3792 wrote to memory of 2264	3792	SearchIndexer.exe	113
PID 3792 wrote to memory of 2264	3792	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe
"C:\Users\Admin\AppData\Local\Temp\4f6063a7b5886f773ae0b907f0c95ef949a5445725028f28bb24692a663c4459.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4768
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aed367729aec3caa117c4b0248188a61

SHA1
d8245ed3d13d312a121486423c033a1a5166253f

SHA256
03061e159d935882f09d0f3c2967076a1ecf11fdbbd4600f6ab31010f6c22697

SHA512
6612070782abcd7348c342f163803044967228498407e1b89b364e6633d8b3de62b849de01dce1e8f97acc3a88bd3b758830603ee8d63d45ff6b16fb5513d4b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
8078fc5423890343c4195135cce49815

SHA1
202edfa81ff2167a78ef2418abf492c10e7337d3

SHA256
f9ab50d50554d1f33e6be6f3139bcd747860c0405660b905dd332eff1441f33c

SHA512
12400bb435ea8c25147df7858c5f66ca0d4bec169d5f10059cd8284a43daea710c3d50292bf63e6db45b3039be0a4b054f8cc135ad273575eba5d23aff0deeb5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d77f33188454f47a8d5904e40cb3350f

SHA1
23946c1672c024c578d308f7d013593d0ce9154e

SHA256
f0696aebade3b11a9c8cfeb7560cfeb9cdd294ba7117521428261c8ce952f8fc

SHA512
d2c9491e531ceaf66a4c84f9e8636e5c45ffa35080dd149213e11d7e526b3b1c3d1b8473fc5a31d758bb06128b7013c5362917349a94b98e2033f6e2a70de895

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e8c7df9f6af93709cdbbb7256834638e

SHA1
a944989d0092bcd7d2b27dfcac29438e74d43da8

SHA256
4e4127b2fd7881c059d79a1d598f265da33fb4429a92ea5be7b692f06237dda9

SHA512
3c8f560bfc7dea25fe5dec1d24bbdfe4f794f18e0e585069008906e101d8beecba72b863abde2fb2b5d9f67884168ff701df16ff0f87dbe1b6174f39bc8c8c20

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c7ec6c1c9c28673b713a7700a68c01f2

SHA1
0907d14c8c25fadc7309071302f36c30e5634447

SHA256
03f486953ac2d15e019bf6b502ef045a87d8e2614b1527be76d80ed99f1e6f25

SHA512
6f10cb64bb266b408f7a0fc4cccdc5d24e9f0c3f7b03d813c77199a805c9ffb948e7ee9ed9bf4afa1d97b8ce057e69005eabc8d53433eff89d8a2092f82c3110

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cca9503ec7813aabddb2baa0e3f79662

SHA1
11c765e9a6604ffa8873a18d35b2655b842bc436

SHA256
96d840db6e9060cfe530256354a092af59991e4c927f466417744ab9a2bc2bd1

SHA512
a70f0eafcf4b88abf810661a2d9871a5c578e4e0ce4c64b5ac60b32cb9efee7ff02b298ce82077dedc4e98f9da2172a665a5f882c916b72bf28cfb79739b1aab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4388dba13154e29fedb9edf048ed2ff4

SHA1
cf84f41a838bc8e5454afb569bd3462366abf099

SHA256
7a4ebec9026f2dfd690939236e079214e6872a1395a4435c2a2a7e9227b2b965

SHA512
39b496986536e87a3b982fc99bc627eef2664f6a2698707368935284ce5e3f2779423bc0459bccfe45c824ccab9c8d50fe4f44728c43a245b39db92b01b311ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ae0058aa6723ad896ca48c8058d3bbe9

SHA1
fb42f3449600ac8b3d80709c48e9faf5aec37464

SHA256
fa44c9b23966618596c22550699ab7d8708f6be1b3ec7ce6ca53fd33fdbadba7

SHA512
f7f4abfba69b58270b99adbed73fdf33831677c01c80cd4c7d1e4b2d9f252f56008301793e22192aa490ec1a7d8627e70ea982351972f9ee8180423a4ebfebdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e0f4f68dffaf641e1d5a8fa5cd8a6f5e

SHA1
576bf2f9727bc8ceaa1fb34f8b3c4d741f06626d

SHA256
afac13d3f947436ade8c3225828aed99b8c5ea9865210db0c41d8990dc50a8ab

SHA512
b6c1fa38d9d35e472c0ecdf1ca0757ace06fcc64467ca41bfd1abfb7e0f4828c37e6d62df508ae8c3e93e8b7306102fe150d8f67b0bfb845504f15587f2ba9d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c5d9647f3808625f9b1c680543e404cd

SHA1
9e9b98a9f25ec058814a7ad6ec589128435206f0

SHA256
74568b149cf1201a637e2a7205c6302ed86805749f3fff865fd5ce6dd309ace2

SHA512
241e6dbf77e52139e0be18da980f9d133995d4ce26a342f92cb525b7b7d266848bcb4b884918bace92886a2648cd9e4779935020b740b6f299a93457247aac82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6d883bda187ac6eef6dee5f35d5df562

SHA1
a78141ab6c4d6658bb7d45824262c6051d40717d

SHA256
cd2fbd7ab6e5700472414d46dd53a440af68af90b950e707bbb20c078ea9b02f

SHA512
7b3da3bbae9832d4a374506b6b3054a1cab195cefd44d62728d5736ac0614bc29b9c085e32056d38fe89fa37d152a924708b00f0b68aa4ac477d7275c86b60c2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2d975f5f08ad07cf3c2efd06acfaaed8

SHA1
343a5fdd9e0b9c9f900651ef63828510ca6a8798

SHA256
fbe1535ee6278a4e92764ac7f649942eca088a531b6620cdba0dd422de96fbb3

SHA512
aa18ad8f72e43d85feaadb2a2f817fa09442b26ac93865fde9cd1c61d35ddd17d552135f7601b53cc8764a6d375a9d9e2b973bf64b8c81ab2a259e3e9c4a7575

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
383f16824438bc4f19cb894684467d99

SHA1
8a1f4cafd3bb2fd960798e4f500bb9a730a57416

SHA256
8713f07d5d610fbc8fccf96732d3c51a6400c43894845d3676cf8eeae135e88c

SHA512
a2b414d7705e188ebaa36a6b312fe1c7fb32d7f7040c3deda6f6c9eb80d9e6d67267690e012f63ccc70620b73a5f491a1b596c9198f435df6ded89238502ebf7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3f072e13d33c5276c1c4ae8b4fb2868c

SHA1
254a161654e04513c652eb075e0545effa1eead9

SHA256
093b2270592c17097cc563e787a34f3e483bb9107d2c8eb1d175322bbaca86e8

SHA512
9a28c343b562894ca851ae47e686776418db0bf31ebcf75cdf4eb6a05ff5f69f3b42c6e4e7c459c93d3eca3bcd904a6713ee8a91e41cfa1a2caf68bb48091bf3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
147f19959321160a36580be6d9c7420d

SHA1
f8a352d05871a51f748c6015629567401d0ab693

SHA256
eb1c6cc88a8ad1a67187df2591b47f61359223560834b18fee21a7d2ee43bafb

SHA512
f630339b901dd5f8f0a0c64b8fbfd10be10addaab9355ce2d63f531292e05a758818c7c539237ed0619b918cc75c7072b29a4ce27c2e2cb5d7b410a87d92907e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d2865d07875550176352f6604e9ec580

SHA1
2f86d60c0dce1a1dfdfffe35ca2b56e5c3826e8e

SHA256
6b33a20f8292ef0d159d48f93383a5c5a1d9ae0a6d763b23e446b1937090a826

SHA512
ad02fa11635c7b6b1e15365f0483da8dcbd5c023a5f7588a99ef3aad99878d4cd144d573e5e256b2a9dafe70784c81c18d537fba43402b356b4d2f9cac79e72a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
34aa60562792e7035984f76b014013c6

SHA1
8df4d8283455e7c5b33b3c94615b43eb6e01e95e

SHA256
a7efac86f7affafd4d576c2505fb751334c7d800fece642a9266702cb5a30957

SHA512
b45f5db0b70ea35314ff39592a46fe6aacbad297c215a6f5784dbc925626cfc3527aa0532e18ee7982fc4ffd4581d7ebd0f621cf31dca3e402bcf841472c9caa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4705fe79eb0871bc8c037fabf3d43200

SHA1
c4fda7d22290f562cac01992cc5784668a2f97bb

SHA256
fe725f7ee5be3eb50f5e8b54655fe5aaa38fa78b518370fafc6cad55309e38c6

SHA512
ddb55144dbc3c77aa3eef5656608ddec4a23862fc9d2b2f1bc2dd89f6f7c4ce2695087b46e95331f4a4e6d26d3e8565310c72938fc82d61cc9c7967d72d3a45e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9d98b3721b9cd829d8e590c55a11177b

SHA1
ebf32dc92cbe36fa597054672543f8ca2b343f6a

SHA256
268824ab211f48dcf75cba9bf209f8a31531cfa308de3e83009af040ec1860b7

SHA512
8c62f3278bf62cf80ac1aeea557ed7b29b162d53171e4c52f56a3749af4b99a10b684b1ddec7f0460edef587590147a50353582e5e819bccc3f1adf8cffe0b3f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e3d7fe6400f03334a996caf9c29ac42f

SHA1
32b05dfe4f8802abd891563a7d82d79f45d3f44c

SHA256
90dd0f6d3d613a7dc9dfa5d00dd99f3c9b05be743c0ec65035861e950149e981

SHA512
0fe6ffcb404283381dfd1c2ee7fceac7b02eb24f242d8bc85a1d73b4a7a29d0ff779f9b7a9a949a3c1018cc7c9a6b8f8684453792bdebcb4de68005bac862a16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0162cb9980f7873e0ba52cd77192111b

SHA1
a8bf8d8da5d8646b063bdceea77c94928158d522

SHA256
b295f61763a230a6df02723a576496de494a1ee4e5183ce71a3bed6d9321bae7

SHA512
78de1beb66ec27ef358332f2ba1b8ab98c172bfc3f9eda42bdc22729a62655cffbcb8313d8c9678818e837c8870e67943e399336e1c41438ff58e89bc82c654b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
280e4f516504b488f1d6e8d1ff44dce8

SHA1
782308a0462cff6ab199bb527d05dfd48460ac65

SHA256
474b21c0c509a46fbbf38719e2ca8d6352ed061426a8c3c676e21829c5b70f6d

SHA512
438f38e06f91c9c37809654d24bb63ab44522ed6d5df797f872150f07b0b4167dd23924d5387813c76c393a4c73e1fb3842c27ddde2e391fc1bac5b0771c10d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
daa5b5d50e9bf8b5b2a4a0918494c9ac

SHA1
586bff5cf56890924e9866adc8813dddfbcd31f4

SHA256
03d00571b8c0b9daf90c06e3e43b990c8a03329eb388459f5142a9754d226bc6

SHA512
6c9ee8e7ea5b811604e8c01db9762598cac6fe38b61a708afd83b0f21a8c6f5da86e40b3a8a02767a2e72f1e38e7d7077b5626c5aea7d8167a1de0166edaf607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0ff38a9901d0a07ba1d8f2829ddb9b97

SHA1
b118e8276fad031700679416a0b6a36fcd21e61a

SHA256
d27afe6532224463ea3de7575687f9f9c9f4951321dff9ff597f90966e9cdb19

SHA512
52cde59e00d6dc4180cb5ec82a7d2618225f26760755c5b053653abf41cb81b82282eb495d1d2dbc02235851f04606090b0b0fb595e88c7ce2c77884fb40bef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d303c282868cf3c6912f8b078665f45d

SHA1
a06bf9c507e926944a93e741742cb01e27f213a4

SHA256
07a3dac281ded7af49fdac5daf93ae2874f14364e66ba2bf336c8ba5ffd20b66

SHA512
a4fb88927b1344ff4f4fab57434fd3cfa4bbc8279e48094f983d76bcc492ca4acfea8a3b8f3848fcf3f81c48c264095e670d6eac3f8b667882bb33a78c75faae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
55b473e3436a1aa9799cce9738f2c464

SHA1
34bb3cd694cb44fe74b07ed748b63a2c1d72bfc5

SHA256
6c7880abd966e66f1cb27cc3a76ed2f72c853da14ae46ab85d89acdbd989e813

SHA512
d21b13df1468008da0311fb1aa08306769b93255e18f89679b7ec1936274b61a0103245e46296c7a6bd8da2ac8e8c495b8cb5194d3d9236355c01d6249393811

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b3ddcc84bd5497e6275b73e34beba2bb

SHA1
3208628998320b3dedbbc4d57fdabec2af20ae15

SHA256
dfd07c8e97e4332608738e4ed0696682a5f10aa66ff15989ec2eed862c413d71

SHA512
99b064bf84210ae26a3f0b8ecb5a59dc1f8207ca09e97eea19d1ceed1cac812f00f667096e00ba58453e864daf918bbcd55a25862bdb78d4f6a4dc821de99383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b627e05853387db9784a7ffcb13e43b6

SHA1
bb1c9027e680ea4a8c8455aba2682d70f6a7c49e

SHA256
d5cd5d116e0631ef030f2fff640d94b956208293aaa3023c03e8cc7a4a354921

SHA512
6bb70694c5ae4a2c44af9c8f2343755d8f736b23378515531e2698e98f9caccbd1d513a3bb7e11c7a27fb18379688b35e6f2366dd7bbc6d085b73f2075eb5902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3e44204bde879a8b6c732f01dde108de

SHA1
6aaa713e30a0d4bb644ccc033235749f0fd65f17

SHA256
8c7745d5ce3f54001166f1e0c9f4c58914d6cd0d3392f4cd627e25fadd46feac

SHA512
37231de2e0445a8222af63d0ab62ef71a6c41641a7ae3abe923e7db0ce1f0d80f1ce4e37a865fc41c90b1c0c726512a4b34372a5ee0ce7c82b5a38edc68e55a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5842eb42d7256ca9e09fe6eda2e7af1a

SHA1
85e0f51e7a7588b12e778670daf3a2d797cac084

SHA256
30281c6f79974261aa27f12925100c67ccf4e5c5ad4a2e593e81910db8ae1626

SHA512
39100b501a9728d6d1b19349b52605ab574a82fd4023c85077ac7423772d7dc6956434d1d3bb0be5661af5ca970800634208a12e751b45b1071d8067a7d9d88a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
55c9b4549e8ad0a8be238b14f2b4d205

SHA1
7f57d9996f0af78098c9744c8424ea1cd217f9ba

SHA256
7b1f2cd43ba8292e5ee7eb13ecf7dbe857171e1a4f90d884c5970f13b51c5688

SHA512
884bef39ea8701f8106b6d3ba8f8d8417c1dfecd3dcf59e7198df2d575f244e6b8dae1b7b977530fced4f2ed71231c7ee74aa11496fdf54add939199c771f8e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b51e831507bf1ef434bdf689419e38a3

SHA1
fb21c761457d0d4873e899c72d1baab95139a655

SHA256
c5e3809f0268a7a6740cdca20fb376e2692dc9967215ea770586de21f8f43269

SHA512
29e98b61f9421424fb6445d942095d16301e2904441105cb44b7c1cb639b6ac04fdedb461374927693d03c2cfbdd7df582541226d39d0d8e906515202481000e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ec43e3f10c322aa7c59ad983804ae6ec

SHA1
851e0f0203ba8b506aea74794ee75ed71eb77ada

SHA256
f321eb3e9813440ae9199e948a0e7f40bd0ef11c4f62373ea9214621d5c2535a

SHA512
aef2b83ee2806c981ce8239582206a90c33ead20f50520a81936c16c3775eba96b410ba7ec4026d5c25934d9be3c59c83be6f2a75130078afc13210b8931689e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9877b5d991ea18f00b4b44731b965b97

SHA1
f207978bf55047072dc9705d2c2b09133e741bba

SHA256
ee29597499e0fd742f93a94f830c8acaf786cbfe83e7ed98f31a87c6d646dc76

SHA512
6e8ac41f5637e0b306ddaee96cb394e5a7976de986352e502a83b961acbb73cfaace980798425ffad58b6f3c3597f97b5238b3bba950c5e6f930f421e1a22147

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7cf8cdbc3721ab4171f71ce5025cba5a

SHA1
dd6d0abb9bceb005bcc6349fb8f54ee491c874c9

SHA256
25ef50b60abf087e08c29d74497503c58ae971c72050b2588d6abd4b725dbefa

SHA512
98645f51d6890fc08959067f42fbff4030a2023672f4e1fd1320c53dc21077ca10fe5e5a8f6c49076d88295ea22fd6eecbd32268548d2b5337da4c1e79a8f72c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
41809cb6ba55d3a868133eb5ed728b28

SHA1
dfff534943deb31a3918e10d10678aa8acd74b09

SHA256
a0079e375f139027220f9680bbb11930ce0e8b91123e98d64e04f8514cc93535

SHA512
6173a9b3e823bb354990c5612c5fa187a11b4572b94896eb8bb34f6558f21924310549ca5de65d65253032042b6f9e73caa05eee063da871c584f71d58b98b92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c71494fcc82fe61c9f3a3f436f402df5

SHA1
bee4cc391880f5f30464e3cac59d0eb2e3344d5e

SHA256
47c214780a48c5f02b3d30ab73f20174f6d1cd3789e4201fb705bcb57e914f15

SHA512
7b7423b662ec963bda8cdb48949bb5a84cdd9be863d5a4964da98deb21778e963e5d56b0ea1c32eab1868c8620780ac74f2ef5390b72edd15c4ee5a8532ef36e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7ce2637bc2ac3b379b29d767e46e582

SHA1
dee2669059effa678cf4242950710ae0304749c4

SHA256
3df86d57a648eae2e6df450cb676c0381d5a236db0fd152b04e888e63e90aa0b

SHA512
85d5ed36df6003b0bf588bfc55722e4c65905155539ede233a0a04ca98dd5221451838e42f63ebd014c125f90d65e197c3dc1890081966da06b4f6234c6928ce

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b4324ff7e7da57d5f36718b839ee7418

SHA1
84b6d1b06acb7414aa1b1fd8493b9deeca3aac88

SHA256
6198c3f66b8e316a762f8b5c3e8f08569d2f5cdd75beb0a9ea289ea1839a42aa

SHA512
b931b6c06daa6530dc0310835baabb9c33584b3352194aa3467c73b1026257308f34ae6355a5ac75b37e065316e4b13a4329ed97e3bcfe586fc89c290473be56

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4833e34666e5a530fd1fb45908267187

SHA1
063d8e9a4db87f5126537aa5b501c3b07a4c0454

SHA256
cb30cda31b0f810234ac74f95b6ed03add4d88335f9a145b9ea53b6901c232ad

SHA512
5a47a49a1d7b2916d12903cfe78e5fc38863fe5263207430faafa0b383663efd641484cb3b80940369863e018e8e458a38c38825e76834e513cc3cacba28842e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
42bf7589dbc83257102f752b3c6cee13

SHA1
d85798e0ef61abf9e55502f3f2102e22172b54d2

SHA256
c69237cfb0d04c713dd4761e301995cd5396d3f97e80fa0e8704a279eb671c37

SHA512
f196784fd5d88aa4a88b144e1238bd53287d858fb8de4fc9cd1659249e9678abcb3481a476067d42677408172754119e234c940b865603e9943dd7cbcb767ee9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0e5bce1f843e6d6da4463ce23b4f21f1

SHA1
171f9dbc06789ac196c04b2ccb54066c51c55060

SHA256
75dfd805b25eeb0058fea727184b9d68805b4cd235bd5a0efaec665bdab42773

SHA512
2ed5000a0ea2269140dc0cef4b3b631aecdec268471a5ae278e91e9b59f663a2ebba4f3887afa0447a01ee69f247c4ad777600ae4f7c0ffd755e91bf34d292cc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
51ca67ed758a5cb70bd19034d5e23c2f

SHA1
e0fc17f2001123d5c62261e912c84405e40b46d2

SHA256
57956dff7eb4dfb212b880a10393538bf00498a8db88d4e0886dd23c921a3902

SHA512
d39ee21656a21a9c51a1ba298ecee671acb9b9d6a8c0f09eb0c8501f622f1ab50e6be287c39d0c6874d8a7833dafc32059e41f973e851bba273523a487b01a71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
235abe88aaf98578bddbda9013c63cf4

SHA1
4e02ac98371dc51c1231ac53abbce67a44759f52

SHA256
2a290d5236d6d307f3d057d20f2fe38523d950f2d907ca0e54730f218c0cea7d

SHA512
b9b4c7dea922f9e768a2e22d19d2659871d404265e64189e06a7350f4c5c7863a748f729f8e578aa198bc81436c38aebba04ea8ae5a468ae76b8807cd0c75f02

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a951da1659bf12e7af6f28e4b674f9f6

SHA1
7a48fb415739bc6fb2420a9ca26eb0ba311a8594

SHA256
5d47937b2bb5922ab11870597245a5006da3531b29f4cb345065c542e817c5ad

SHA512
91451056e06a1363dd355bab2124b27da05c2faa5e7de449160585ac7c1d48c06d86696d6cf617bd98abb6f71b11ab095aa35753a1b5a1e3631b5812e55c324b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
489985560002f923bafdf8069479f5fe

SHA1
ebcb4da43942542de91eb2fcf6218a29a12de5d1

SHA256
fee33b5e46100f786f576c783ee313eba66c692e3ff4c2dfaf767ea04eb40bf9

SHA512
c15c5eb30aa647442d35c615d02b611c8d0b4805235cde48311ee075fc1141109dee44b57b990fad4d575b37f0742f347c58178021d3b5430e863b9c8d38aa7a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
691ae8a5b41daa653aeeafa55b892e50

SHA1
bbfb6e4982ff2df6c0bf02d4df48ff4d5f707c2f

SHA256
73828b3afb8727eee5d075f5d1c97ce86e408f7add8af813741e92088a01aa18

SHA512
0498542f5d64d31823049e36c398c565912e6adf01dd4372db3c3e38ae8919e3e17fc1a212354d84bd7980d0e01e751e9644a4fac571aef85cc79d1ba7113fe7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1d2639ff5aba1da51a7407eec91b0912

SHA1
a0ef09c2acd2f226ed2225a8de77c27816428024

SHA256
5c0210035b24519ce72e8286234c469fe284463b6e2aebf0c93a93916cd8ef1d

SHA512
b3aa6aa3009bca7da581a04cd99ae96dd22695fb61471f2af6eeae6655d1c9ef948db27d642d9cbd83b84634e922510319ebc7462003d08c7053916a645c7fe5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2cc3b2f17eddf3b3c23b903b99661f27

SHA1
2013dd3ed26b8990a1a624dec1aba74df1c58f23

SHA256
cdc8ae5a1a5f74af7197c01281283663988b3286b38686527f973ab18f36a006

SHA512
f37962441b1ab10bf28d1bcd6d3f4aec0c7554613dee52bf43337dd10950a30b244c51f535815aeb79d7f1543de309eca4ce3e1370ccf93b4b8126bbbb652047

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f527973d58d044fb269f878f1cb415cb

SHA1
2f5640cef4c4affe4f714d68bcdd4c0cbaa800b5

SHA256
0afc8542814499e1c66d036ff9952d1520fc0b9956a7f7edfede880c32ececd2

SHA512
673e055679c129d9b64d51b8de95af4d86877f86eea97cfd47a9193fab5d4e2e2b98d97a7dfd4e59c60ba0221112597994c29fa241086ed4e4024956de9b4898

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
496652820e588bee0590941b09ab207e

SHA1
3b093ab3c4aec97ce8d8960960c6d5d9a4b0ac70

SHA256
9cdaacd687e05e758ebad4f3f94512ecb281beedf26d6f9da1f372365de7db08

SHA512
60e9bd134b363a30e4ca6b3730d8ee186b12235b106753bae43c573afcbb495e74585995e701a71806edcad9e869cf066d7e0a638dfd46b652086a4e5fefae7f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3f35172d2ca07126adf0e15c8c65ce1e

SHA1
adff708d21043405efdd15ec1db4f06935a26630

SHA256
48cbcfa2e9cb3eeb0987c1807af5fd92449af566e3894bb72cb42ad4b44b2d7e

SHA512
0412954f04cf8f6806272445c8e5e784ca5c9907ccea7364cf33117e2aadc45778bd5f935d33793f7bed481c9b19098ca0ef4d9d2b33495c3fb2dfb11f2914cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c0cdc564fe9a339402caae44f1e5b937

SHA1
d1164f23a83b174469d930a0bf0600a6b77d4af1

SHA256
767eab815cb23e575d0bb5b147655dbbbd107392a518bf74b06bef1542560c69

SHA512
0a1a9ee01d1e6d2755197e4964e0e877d26b850547e6d58a31e799de132612320707bf2903bb5e0620de203e539182c796e3c2cba28455e49c2f1a3d2923e117

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ea7fd00b608722a260a03662a90d950c

SHA1
a221e92f48fa32ff2ea8f3700a81972c10485213

SHA256
0e6f4bcce12ba25e8bdbda9e9481c53cbd2ba81b84fc728905d0a70c747703d7

SHA512
2164368b014354a5d17a70b3d2e978fd6d91c52a44096b0d12eec3406a9a51b32109e298e3631918016f62fc6911ea0bda26720d5c289b1028de6e95d8ccba3a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ee391713b5d5957e241e2ae0b0ba1a6a

SHA1
ebdb7b1bf3dd176167a024a647ff782568692b52

SHA256
c71b11815f94c6bb86d10a0cc6790492d45c0f9349bd54abcdf10317a2e1fa72

SHA512
3b99849ae1c5fe3b709c7b99647e37000df3dc2501ec382da8a86439725bc20d1666eec664803fe7d8c3796df356f1482f23e356f850374ff4149a7e800d5f9f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
513229e8a1468be1fc5b916f98ad0996

SHA1
ccd076a10500934aeea53cdd17317082f416706f

SHA256
05d6c876568ed81ab8a4726e0b738bb12cab20939b459b5febf183194830a1c1

SHA512
d922bd498997421a9b5a0a6b767c76e567b180c0ceb0c9ab0ed0e329d6be97b02efb9451742739c3593ee0019c8a11a1b1ed89ef70b7a9cba22c8708a2c95f80

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ef3de603c76804deb6282841bedfa820

SHA1
632d34a0affaeffe323122b1e81f13afc851c7ef

SHA256
73e34e0f315e6508e5c6737a0882877f2aa1f61da664c1fff86a45914d27ade6

SHA512
6ed56c103b85c704f9d2cd86e5dadd47899960ef79882a35359c4bc8feb5b87e525f8fdc378359cbbcde311d5f2f29823389993e9a3f9d930b519397aa37e8db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e7dd70fa763454985ffa7cf4be8fa71f

SHA1
f2262da86bd7bc0e01bcb99094c1326a08575a1d

SHA256
1e8cd3128a3657950c9db391471ecbdd019ac0479e3359fe6a8e1ecf4c7bc90f

SHA512
7fd88d250148e28e471579fa1d7850b7ce36a6abdfbd5ccc3a519f4991eb55119c568123a37054235af0631c7cdfe07945cbfb4cdf8345aa0c608a91c4bf32be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
977cede2ed33f218a2cd324f941d05e5

SHA1
295618f5e9896014e80d04aa331b5ca1d280ef2e

SHA256
3a021884438f8a34f5c979224b523c145718652a1cef2daa313f356d7c841e12

SHA512
3b19a31e32505cfac7edc0173c750415c5d926b29e9c342e36ad7a7ab946e7ef430563f06bc9b7732a475d12cea6370bb1879878927998733dbe9aaef93699a1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9c75b6fc9b4d28c1fc3457c1c010c9a3

SHA1
20d034287da67074ae6a88aaacf1a9630b0fe49f

SHA256
a023a779f312ae7c0c54c587ddd63e0a34f23a3905c2b1888acb1cf5836afea7

SHA512
0842a0b4e21142887a5b2cc1bde73af62e4cf8c7b2c69667f442a1117cc2939425e7a393d7606bfb59cc5ff00d84a418e90a65e1d1e8dab986ddc6557a13a1be

Download Submit
memory/1104-569-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1104-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1176-148-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1176-266-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1528-233-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1528-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1584-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1584-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1616-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1616-578-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2284-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2324-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2324-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2344-82-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2964-440-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3044-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3044-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3092-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3092-181-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3092-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3092-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3356-572-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3356-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3356-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3792-579-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3792-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-460-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4084-9-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4084-459-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-1-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4236-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4236-475-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4492-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4492-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4492-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4496-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4496-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4496-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4496-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4668-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4668-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4792-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4792-93-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4792-217-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4992-257-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4992-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5012-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5012-22-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/5012-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5012-91-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5104-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-77-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/5104-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-87-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/5104-71-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/5112-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5112-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download