009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
Size

625KB
MD5

3044618301c66bb614ec5499853d1a48
SHA1

5aad7dc9ba7c0ee623e237c2b993ab5b98cc3a34
SHA256

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728
SHA512

b82aac652724a1bc6747be4493f608f0910e53a541306950ee2448d6e63cf6935fb5dad08341641282c0c6c7bbe41203918f1c9585e592b1f8628063d79fa4ba
SSDEEP

12288:E2MgeKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:xM7ozX0j52pMkuLoiSJVlIL29mhNq6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2988	alg.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
3460	fxssvc.exe
5072	elevation_service.exe
3288	elevation_service.exe
556	maintenanceservice.exe
2076	msdtc.exe
3324	OSE.EXE
4500	PerceptionSimulationService.exe
1392	perfhost.exe
952	locator.exe
4576	SensorDataService.exe
4312	snmptrap.exe
5032	spectrum.exe
212	ssh-agent.exe
2964	TieringEngineService.exe
1488	AgentService.exe
1564	vds.exe
2232	vssvc.exe
2920	wbengine.exe
4972	WmiApSrv.exe
3220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\wbengine.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66c93e3c293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\vssvc.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\spectrum.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\system32\AgentService.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe

Drops file in Program Files directory 64 IoCs

Processes:

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000706909a93badda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ce529aa3badda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a61f9ea83badda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d01d63aa3badda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063a9a7a83badda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4076	009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
Token: SeAuditPrivilege	3460	fxssvc.exe
Token: SeRestorePrivilege	2964	TieringEngineService.exe
Token: SeManageVolumePrivilege	2964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1488	AgentService.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeBackupPrivilege	2920	wbengine.exe
Token: SeRestorePrivilege	2920	wbengine.exe
Token: SeSecurityPrivilege	2920	wbengine.exe
Token: 33	3220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeDebugPrivilege	2988	alg.exe
Token: SeDebugPrivilege	2988	alg.exe
Token: SeDebugPrivilege	2988	alg.exe
Token: SeDebugPrivilege	4472	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3220 wrote to memory of 4728	3220	SearchIndexer.exe	SearchProtocolHost.exe
PID 3220 wrote to memory of 4728	3220	SearchIndexer.exe	SearchProtocolHost.exe
PID 3220 wrote to memory of 4476	3220	SearchIndexer.exe	SearchFilterHost.exe
PID 3220 wrote to memory of 4476	3220	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe
"C:\Users\Admin\AppData\Local\Temp\009340e2da6ce29d138db36edac0a2807a9d9b2a2d457ecdded8262a388ba728.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4728

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
71316a9f8aeebb2afc636ab1721e0fdb

SHA1
f415560a6a00b3da7c1f2dd62607f44af0e46a93

SHA256
be45712a93d2bbb051f7d8883ab49dd22bff3feb0689cd0849d51b4e3eac5779

SHA512
9b1d42ff4e3b0c1ab06f7268d968320219b8fb3e7bfa32f2451943e9b8b52ca1eb5b042afec5041de06e91570bc7288e9fa8c5b1514127910a867ea1a57c4a9d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
eb5fb57bcb7f473fa3f20e01f7d9fbcd

SHA1
b269af051e7f593fb97efcc9f6d626683637a9c4

SHA256
bc14a261450e3e21678f5ec62984b714e960c8d1d0c72b63071cb34f12b27b57

SHA512
9be934ddefaee25dba66fcb80fd7e4a79e845383bf5c9d53e8ad2d91856a2ebad9b57f5546ca7e3a9a6f7bd05f9b54903477d7eacc8cbd2d075ea978ab28b0c2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
83da10d32439786f6838204bdb63c2de

SHA1
7ac0df897edc4fd665fd37607b159d2325c766e0

SHA256
73830faa7d8ad11269b61e66700aa27b23b247dd46bf8bd5fa4492fd922a4304

SHA512
0655ff2cc950218b091d0430e5d3a5756e06bfa2e1edd9c53a9d70e7488987a898c866ab1dd31cab13f3be5fa4af02ca19667bee2ba44b50d87adad7a6a2f65c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a0a06f458a1cc012cc11f71875120b6f

SHA1
4672685588b49f85c0e9e59d36fdb1377e006e16

SHA256
bdf3e133b7627417a1cbd25220f1fa8a68775a2570887172be9101f6ab70b19c

SHA512
88f616161c2e40f4af9793a31fa340a4d486b70a78cde41007d196eda263b473115c98d4a3ac602ec2193ac7ae489a200ca4479cfda823863e2bf72ed7c00ed9

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d9266f458ab130339344ffab1956a6cb

SHA1
2ec0fd9e9ecdf242de9d8be1504ad7de71285bf8

SHA256
68504a7036bb7a521dc46e1cdf741b0e5a1ebb87ad515d28e7efadc7331a12ea

SHA512
05934c12a00ed0a0ea958baa983e89c58911e8ef6c1581083613a17eed4cc34d24c580e8b70207845981f83f797c368dfb62ba698b7acb0c6032c722227c00c0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8a660710a168d2ed44c1cdcc9b8c8a98

SHA1
89a12903d63c4d20efbf97179c57d8251968ebd5

SHA256
265338e36ceccc1f6d708ec81a909eb0c2b1a283638a82eeaab4380ff0d3fe1f

SHA512
3e207dd2c04a9fd25d2b7952f8c33bf77669388e445420de20c215b8b757696b443f8777a03e5d46fd23f67ab38d02f7150c1799bf61faa8c80fcd87f9447455

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a06282a69a28daed3b22960179460e2d

SHA1
a95a2f3f183c2ce093a975f4749ed814541eb221

SHA256
dca2dcfab3e5ee1769fcaf978eaad15570b2ae3b0ff86a2a86bd79a3626899fb

SHA512
99dd7ea6ac01973079b005dd7e1f799efec88112d3519637354cfa7da4e5a4f7219dfe5cf8ed81941ad79a56456f239ab3dda25f6ed927ddd814d274b00e4418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c03d4224620fe296238fb41abf4fa50f

SHA1
26255c2d73f7feb3945b9b68906e913e4e64392f

SHA256
9108c0a4197e584f9ed9a94d2e720e072c5d658930f0981ecbe0bac435218ce1

SHA512
c6219eec13983d9a155732ec69ee7ee0275d61ed292900bf66262aa7423e7638c03a0b9743f28bf80655d0faed608eac45f2ec794ed65c3b9862649881dca4d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
a90af27333058ba3057ee4a4c7bebb87

SHA1
954c4cb5ded33e65ed1940398634f3b73c42a160

SHA256
31c0a8376f13763ad23b02ae0aa39a25eaa43ae9c2e0c7812edb23701533c870

SHA512
c68520da40821d7280ce51971d47aa667d5e8f97f2df78c21bef223e69f503606faf88936244cee2983f77a5fa78869f6877e9e7301a6a6800a03e8e6f09c88b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b40ed11eab16d7d68bc3509dc3dad207

SHA1
595da124eeb1d5b93e643e4f4c2631b80efdb394

SHA256
94fad507e206f172a1a0e1cb135069965e689d3e49e0e5714d4d8d9c9df617c9

SHA512
16f17f7be781a702c5c415cae20405125731801575d512f58e08e93665a7cc56315ffc6b5f436d3ea1966cf9f824e3b5302d5e6e3a745aca54332d541e2647ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b9fb92b4a4ceaf6edf801510c4e7130d

SHA1
28c5c4b4a82d8d63c08a40f9eade1841659629d7

SHA256
59136e7ce5ce66857a6ea2810eeb325f87c2d2fedf7ae0bf62ae432adc5609ae

SHA512
c86ab9c1c94ce81266a710bc577bfa3b2a7fe8f590090e85730406a52f12cf5640e7218380fccf2a576d41f140ac3ec180b635f0ecf3394eb0b5cc0b717c0d62

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
053225f00d4ba388e5bbb2cb6c2252c4

SHA1
5a354f4e56f1cf87bf7cc1ca34c8b9d1d8e1303a

SHA256
f19d394d8d2eca0f5034a2e4d3bc1d96930019a529731710eaf070b6d03101cc

SHA512
42288e1bdad762d9b1072e6560988630aada6b54e63543c661d29df0b4929e03c24c054543141d12ce9dc0710f864db75e4cae02a35d8d209d529876055d607b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3e69ea409e72fc45d6b202d4b7a494a0

SHA1
96ec38ee93be2ec7e03160e94a067d955c5d4d0d

SHA256
c32ba237654212c5e50345377dc9fe2d67cf7b847a5456a840ad2ab4655e8585

SHA512
861a501ba036847b27a99a5cc37942255bea6c55f06d5543e4721aeb6fc57fc23ad156bb540f72cad36337bddb90355490a3181c6517391e0025baf27b3474ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
79ec6f5cd002d3f4f4a131c9bf01ffbb

SHA1
2d503286c0abda0d2066ca09a3ee93f3e37e652d

SHA256
67638c08fec16dde4d5a2a3a049fdc9fadc6d0a9fd83ff118077f09188c34780

SHA512
d192f5efba3c8d56c014ab078b2cd9052506b688987a0545edec507b5a30ad2007eeae1a7640c5b9dac10cc3f86860af38fb290470c8608befc9a5475257eedf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
d132a9b83ff3025d31cbb96212df2e04

SHA1
9c7560fb59f87933676baf3801e86aed173b8d58

SHA256
51a2837607441c2e037a495ece29440305de5ece1b5249d06752b251965cf08e

SHA512
4145b8d4bd4b0bf2457758691dcb74727a15e31ee28a5b94f6b3f4ec8c012ba2b9b2f4cd6a5e46ac86e3d3f1446611fb6757e8a0bac1da24c634333bef5afaf2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
436accae58f71140769d334098acf4b9

SHA1
3a99943b317efb9f1da761fd17e4afaaeb446107

SHA256
03401c107639336001cee05e98ea2fe55185b09766d3fb04f12444c8048e15e5

SHA512
d6730f4c12502ea90fba2e0f443b0d579adb23425219f14fce0a14fb20216d22a973ffd6e6b8a5f1f5d78c28baab59c8301999af6cdd95c33825c94c236daef4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
75b44a92f25a1d22d444321eb855ffda

SHA1
9c4feb4202ec8432f9fff3e8bcdab667d9a20e93

SHA256
26544d2ab684e60199550322cdba3d2049c7f9d24ff3fe4a2383a973815b61ae

SHA512
36165c175554731c70236d2b29e6e3f91cc66b1c44518fb755d4f739bbbb640b08d21a185d3dfbdf72d885a96bcf84434d055d4aca562b5ed271d4d55cfe0fab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
912ea73458645e3785e6e2ce22e9a216

SHA1
1eccc8697e860acf7ed09b22234b87592cf81562

SHA256
b160e95a63dfb8e4da121fe18ddab810d427913ee48179431432c19ffa884a7a

SHA512
08de63c43e70223c9c1398a2c9cf0a6ad72ebb5d4f07347b1ebd92310a8684dc421bd6288dd638fa9b9cd0de7a7f8da2cd3b6a1e921e6c1cf161385732759de4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
0f84982581def026c94ac2eb910c73f0

SHA1
76f3144a20d76b80aebd29dad90fb6bba99c3bfb

SHA256
670b72c133c21cc92098a12eef3888017d1aefe00432d3ba71ea3c514e6e81b5

SHA512
2397956e0dec50deda8b81583a0c5375f13c6c27aeba72017bb178e526c0878c6b99362ed98f90729a8c4ba34f992772ea1d0cd0b201899dc6953c9bd9e3016b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
13d734dd8f889340d95038773a6f9c50

SHA1
2508e7e93e28d8d111301cdff50023ba2c3a5ebf

SHA256
85a5a1e33c5cf1d11269c15d7e7760481e5f50f8d51c003618de723e5e692ddd

SHA512
1560b7f1ef78eec5b0e589ce5c4280a7a7ed6410ba16015d0fe8998fea76cbb1c1f73543fc3711b8e299d2d92192fb751c79a135bd1d3f9677f2e11fc53f8598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
d8c56e737500c0a1610b318be404283f

SHA1
e2c79c028de50a83c43d494426753effcba60a5e

SHA256
8365e4486310137281ae7343f5f0bde2b5e8beeb5902741f884c4005c7c1cdbd

SHA512
e9654f3c43d66cca7080a255fe21f5887784a62e3960e29549fc7f2e928d5315b4ac1d24d0d4de492c32be8e9a2560c1edcc9032857124ff16d0a78570a0294e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
6835db80a96beb94e23c884c16f65b87

SHA1
df319d263af2de6ae16afff8e36e1f012e4a396a

SHA256
961899f0b8bbbf1b2ba3674a891c65642d64d6409ae08c1fc6ef700ca051598c

SHA512
a45910e984b9b00166ad518aeff3d56c418e8c475274166d5201d566927ca4fce62282bf4e026c4a43f473fa8acaba9e2ee4d69d9411ace7856bbd0767db2a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f507893fb8a712eb3cc89f2b1b29d75b

SHA1
ee2556903c684319c2a667e9f59184cd56af2001

SHA256
aa5b52218788265be8ea0f73b973b497ee849befbca11d4626d1086e2a831f6a

SHA512
38367b80c72aec991b9dc5ae76fb4c0a4d58c490b227580aca26320e76618b3e2d6502e28d9de4248b9fd8df007545494cdf705966ca0ff9e77fcdf642937006

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
5f90a3991f7d0b8d7823556aa5f38bca

SHA1
3a01f8e46b719b4df1ef35e9e68979e6fe1252ef

SHA256
5b15249329688c248515dad648da54348c4600b14e2f5764f74073631891be4e

SHA512
fed3797b2ec8e7141b9ec997689eb355254683c72638c442e82e75227b9fc15481a527bab756724d61ff4ef49c1baec2353414f060a410bd9e4f39940672bb0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
4b469495294f9a990b9e34e344ecc8fd

SHA1
67cc4b44abd72f1071511b7073c5682c35991bf1

SHA256
220047e8d9ff28f5ea27f60d0fed20a0738476818b036415ec69a75e1a83a01c

SHA512
af0eff6ef4553f006dd0d85016acb48071a96415c6e435d49daedadecc6ab69d65ba0a19166676ecea454e1a5d844f630665f660a90391281b2bea0efbf42ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
a4ecb0a5f07767679c5c3e7cc7ced39e

SHA1
ca72334fa823516a51ab32d3515407bef839721a

SHA256
17326c396422066c2ea93d041b6a79efc3e10217a13a6b7c4a9e2b043aaa3e7f

SHA512
2e322a1167ce85aa2f28968757ceb246e3f41f0bb1385e50517860cf5848db13f8f39b9e4722f3cf3aa46972df9df9437aec9912edf3a13aaa31e5f8ce04ded4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
fc25a387cf30e48a88be3ccb958ab63b

SHA1
895f3beea4fac3db969e24a056bdb98e0cc821ca

SHA256
5867a3d95a6a72cf0ccfd2c82ffddb99dedc328018adedb91ca1d7c01610b683

SHA512
9c3d93ce03bd400a4afd68b04e9e143f670ff718028b7a70bc4aefa5a62bfdddb2c0c16e4eb08d083d6d68a42c51b79f2dd76de7f2cb28c06b1601226f5cd6ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
03fb8ba180beee890f8fb1520fc86330

SHA1
1215bc246bf660fdb8704abe6ddc8ddf40b47673

SHA256
a57b5a673839622c7072ccc58d5949c52a149a7479a9dddcd236b95bfcc1caf0

SHA512
4edbd6153981ec20f4165e21f61a37afcfe8a1191832f1576b390b6a23a701445ca146b76161b583f26545c7e31ffdbae58a19fdf38befb8b1659c51d9ed327a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
2859ef141c1bb772537dfb94276a5271

SHA1
eeeedc1252e0290bc9fcde0581024d5584af2663

SHA256
88471cd14bc8661443df1e2d841b583ffc98d127b5606905b45924be3381929a

SHA512
e534512a03255500e801411cd7f24a813eefaee18a054b16e3f88e317e2e328ae96e0be10c29ee2451feab86b26829764d301ebac9a46e101bb6932c807153fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
278aea998065945a11409a21502be7a2

SHA1
08b07590a8d7b3c7ab0c8d29e0d48ae022abdfad

SHA256
0c7a5e1f3d84226db7acf87e7b387f754cefb4ff514a59c5feccfd15be0ac2a3

SHA512
6619afa3dd2e1ef04d771c59492a0ff9ca996f762332f1a7f307d52e9fd231b8d2a0243e1d6aff9023baa10c09ab55bc3d6191c27db22926fa41ff6dc873c04f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
7c224a5006f72445ebe57bdfbd1ac7cb

SHA1
854b5ccc81dfb0e7c8230acf5f333141d0f7dc8b

SHA256
88a7a45434b9b57409cd06f20873b2694a90e8b7856d009fe6ce338f68c0f846

SHA512
1a89b6a9297681acebc3d30f7780f58899bd3006a6c77ffdaee9706c7a55bde544baf1be28756f393f58d65f72232d316027fb2b831bfec61ed748e810c69a8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
c2445009e926f32803203f83d2c44ad5

SHA1
f873289cbf3b1ae5228d8e77e1ffd45936284da3

SHA256
0c7101b4f7957c5142e35c73ed11c6a017d1be753c28bbfcde8dadbff92889e2

SHA512
8b1105352764239fa4381aadfb82a699671e5dbe5abe34f9d9981f8d2583ea0f19f7f0b117e2ce912e4eb3a36e3145ce193f6d62f92458cf832b3aab04e33630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
d2964e6f959a96dcea16af29a0571e37

SHA1
951544f8b97870df1220ade5e57e0613654f513e

SHA256
bcd7fd5fbe01cce91eb794a3fa3cd0a3f8269c75110972e463fddf9945115e57

SHA512
a9f97dc6f012bd674eea39838c01e1e959c684ec9c7882393046d68b73a72046909ef8bb1b3d9253575bbfcaeef47c6bb3e56e592c4d9dbe994533726080155f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
954b04621139d1cb327ffec6bf7e9dbf

SHA1
a0c41e45c2256b92829ae1c5b88738661390f4f9

SHA256
bea38cb09969101fa863469621b52194bac48168c3358ce710edd9489cacafdd

SHA512
90dab44edf1de2d8ac0434a4238213810d187490d2fe97a4205c94a2ded4e621881a5277571800657de0df385945be3ccc96242b0b9a2cae500ae66063e4a096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
074213688527cd6d9ce88adb4d451b2f

SHA1
b0d76ffb1d2efd2295d6005f786adaecdae99de8

SHA256
f8b4cb01e2beb2a1e2fe0d0bc7b2c711f3321904d7ffee9ba465cff6e471f993

SHA512
a1c6936fef85e1e5cb91f8d6c8379c7ba106f2814ba8c62f2847810bb91b352b249dec252bfba20f6eb622d94765a601470f0380ec6f18f82d0727fc79803401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
0e73b7fcfc47ae442852f3d22930667c

SHA1
a37964d703127839ee8f7b28aa4b2814df4c8835

SHA256
66092fe02175d9b3792108b2f3dc0833ae525c0f67c78f30de7eb73669c1912b

SHA512
d8670fed30e07ac0e118765511171aae84583f6b224db9651753b7b5c4b572771ca6e1bbb008f5ed6ee04e333ecb6e9ef484f1970a408bff03de4d8648a0a8eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
6d4d329592985fc877b6f987b77141be

SHA1
15768d7dbc862791181132d8c5c4313586cef91a

SHA256
9a0333f1e55ed733c2a3db6a3a46c1d055bd6aaf074618501a864598fda8c2da

SHA512
8a2e5caab44958aba1a74d57ccbea39da88b523496a673c0288d2314c695b8d0349678a797b81266f93528c5233a22f851b08462b12a266d93d0257764564b19

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1a3fd5c863df0a3c9b2c08e0cdc8c858

SHA1
46a4de79a67ffa82f65f017f47e4b624d993a684

SHA256
e694cbcfc952fb2aeeb990497589f2657c6b6d37ee452b8eb8739b59b3abccd1

SHA512
556b178bd57fe6e55d11def5bd9e5005cf0295dfae79a240a32063891414645c13ef6a8acc0ccbb145cc396a27c92c7bdfa1973367bd31b018d72a8bf0714c3e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
8c3e0a413ebf1f77b714c19e805552a6

SHA1
d33040b3518243c8098e701a5674cd023bc05150

SHA256
bb88ad6e715ed3092a8b811abf9e0551fcc873028bcbb513fddc8c3d50ec0a01

SHA512
9aa424a94961415af0ff50782f5ed6132a5a7764791f8f8d4d7b36f385d4395efd5e8b929182aa502b2dd14429abe414e7b6657db453a54163554026c9042d7f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
dfe29f01d14e5efa8daf9236732dbd51

SHA1
00f7874ff551ab6336974da6a9d585fd48a69214

SHA256
a3b496fe398af0da5b9420de625562e12b96cc71f1ca195fd4f97ab3bfc35395

SHA512
ed63f970b4987a83d8ca8c2acbb9e0a84612a5ced6f9d00f16c1274339d848f9abc3c269c52f1ba3c8f3ec249b83d1e998e6eeb878ed9f3dc02c558dd55b50d2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7d4136e3e3f591875e1aeb8c16843f45

SHA1
16fd0c1aef230f2f5f7f7f32d1e63fa4db74dd6d

SHA256
397b968782fd006c41696eedd48bbe4b0834cf8c9e3698ca5aa7dc824429a572

SHA512
ffb99f4fad6e9173e9297258137eaaf9230019383c092666580893eaab4574253e1011c15b36773ffac11bc17e3ea6d1d4017156c7d33725e41a1565cbf6c0a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
add38b81d0e2770a7f1542a3ca9eef8f

SHA1
118ed9b2554b9cf2a7fcad97b7324dd4c187e58c

SHA256
faf4657d8541d400a8f06ffcb7aaba42cb6cf8e5f5d210e69dfac23ad6f91cab

SHA512
e8a2cf4ea81e1804fb6892bd3451cca37cd5d66a03911677e2f947ce87b5bda559d8e03a06167e39ded2e9ec8df4b92d60797578df047e8d85399d47aa068d8d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1353df34e457123d4e532a305fdb1254

SHA1
59348db687b01f42d21708450b317b34b6981ef4

SHA256
0efa365127a099a4aaa26a4d81b87daf1c79e5df1662f90cc6f4f77f9d03de39

SHA512
ab1368b5630c866a3624094f1a27410f5cdf30a4e5ee1eee2a63d39142c83923a72cc20adec5292b2684cc87951dbf0fb4f5f52ff7c51b7fa5d7ff7e12b1c0d1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
9c5aed7109a9c8f661bcf5a85231dd9e

SHA1
be958e032476c9aabbbff867161e73066ec9fd9d

SHA256
08a88ac7a62c98b54ac2a7f3c8434fc568efeac93c70e438e2a7049cbd65229e

SHA512
f53e781da504c4724d6682c236f794834b77d61f219e63b9d5399ab1d51fe4e4f1647fa6b460409376743b298307362c9a1edf19034a55342ea7a17b89723c37

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
55c1e09cd313176c344e10617deea962

SHA1
66e82858f3c2af26b0cb25c73d1c94f9678a9a06

SHA256
5a1e42da924bc8168363bc732bef08a5773dc30215fd28937ccce69d58a3d41a

SHA512
2a3753036d026c46e06d08fec76574cf57306c2bc33e33411a2344735671e16e7061289beaafd6a75d8f4254cc2e7febff913dedc62e5fbb34a0bb95def3a7f3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d40b574e9d2790e877bebdc1141ead2f

SHA1
fe28123400b7b80d87d3fca18c2eb77bcc548734

SHA256
5af6c88c915da2cacc1fccdf74cb9b28673c229c1409ff9f350b38536ba0e66b

SHA512
7e9b3d395e5d728106d40e1f8199bf5f5ab8e80e6c5c3e59fa3a92a309d693de8dfe86afe2c9325a093fd14c033402c94deb43c305c768240f022babce607af2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
aaa6378f7d896507e99b51d5dc542390

SHA1
d58d8a5e6b172830e0ab204b980d0837f9af86fa

SHA256
1931ad525723893551abee0331bb4af7d55bbb0bf2b39757e8d6870838163899

SHA512
3ce9a4fb8a7e054fe3c2b90a5bb09c1d0676f238685d43c06bbc70c14c3ce9ac7304bee3d0cc8392534b0b9fba87a1f1aa48b72133ad527c8888ccea4bd0625b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
17220c8f073f923daba33d8a1c1e6139

SHA1
bd875149389f3a1cbc69ca4c14a8b24ac52e5604

SHA256
fd43d60c70512f5b6007f0452c269302d5bfc7d9f19a883044e848cad5e4e7a1

SHA512
22aaa134e997a55a199f9c613c67e9adc0a6dbc7e9c71ac4b3d048b1e5179e871ff0b9fb77ecd85c6a7248604c0051af3fff1ac25a6a04463d9b5e18087a00ee

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
954a9c2e814da26d43a9308f98bfc207

SHA1
d3b71dc0309c1fc04a37c8aec9b389480aeb1e92

SHA256
f0889142dbf243fa200ea0a664ef604670aa973b0e214e779bedc8087e86adf1

SHA512
21df6ee19a9236e541d5109eb4299ac7e0c6d272d943aba75fd1550e3929a40c04dbbf30cb8dbcef9cf9297f971cdb4ba9f365a9ec69e0872409df3e0b9d67e7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
74c8dc0accd7ea96c5790e7d4a21e9e4

SHA1
570d050b6cc52204d1acc69f7a8eee3beccb4470

SHA256
cb3469f24b8442052be2d83f660ef1a90571234d704e4d2807e1630a955e3524

SHA512
34bcb20c14f786f9f043f7b211caa04e55a63605aa7818986ac138ff1bafc86cb9e5f5ac46302bfe9fa7476be8a77861eae93dc2e73890640dfa4cd4a1c38ba8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
71500dbef10042701ce8a3a19c123911

SHA1
7da14dc70cf2bbabe51e515db666078d420d80f9

SHA256
c37c4df5a3199cdc3c3051a7eb33169d6e9b1c1b357d6ad049731f84d61d81fe

SHA512
f8395e570ed14b8bedf4b45832131c7223235f8f4fab727408130a5a2472c4094d39fea871a1d786963b7cf5a617f5a3fe34b2d9b7a68e7b5daf631a1ca7c36f

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
ab7a002a6dc27e7a1df2fd05cc21793b

SHA1
cb5534dac50255f9c3d85b5e2af812f23ac9098b

SHA256
9b97065cdc6f9e1f0a0b9622e87a23d04ad0295222e975e4ec4963b57b2221db

SHA512
d9efd884166bb4a6b5959d26cc626b075958ec39941dc246225a821b240c8b647aaea4ecc83853530eccc9dd5d1e72f6b09e7428cd95a82ecc3fefee49dbc896

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
08bfdabc09688d14f7e4085e2430ea70

SHA1
6a198640fb21b14670de11b9429ebaa325f1dd9a

SHA256
a3e01f602e9afe063a57bdf5905fcb8f4ce43098c5629af793d878150ca8e819

SHA512
f6975f0df56c58f80d82b182be4075ae4a4c2e058adbcaae74526fb9d114fdaa49475c3adf935fdb81078a65de198159961350eccb0ec27c4c8b73703bc7c6a8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e1c808bb807601571f8d825a0084b603

SHA1
119c1ebbdef8f92376bb958418e7bd06dbe31283

SHA256
aa881dc79f829b114205776b2cd3e48119e45b0a3c0189f6986deebda043c571

SHA512
9527bd538ff0a86eeb90ea8cab13140c18225e2e4fcede9c4fe0addda42475766d48558c9f3d9bc6af57b5a123fd9a9bb75718e53382f108aa8a633c1f23837a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
08b1776b75fd67f00e843571872dc36d

SHA1
591d135ef148e15cd9ad5e1bad7ba6c999441aa7

SHA256
a3b509f03f13586a3e2ccf7f3b0b228fcc5c7bed6fa0ac33ab22492e4447b70b

SHA512
9fcd6a2518cef06825e36801675828107887447161b475023d039c8165c46ec3edc42caf17688e5cfce22b356ee4a031479f5201f4a22d0401dc32a4cb559521

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b0b5eac36ef8053b397b8e5fed8e8fd5

SHA1
811ca7fc5ff98032336763af6c9768a732e77f25

SHA256
113ee03fdf2c82d09d994d0d6fcdf8bd28bd4f5fff3ca7f2f441bd76224cb87d

SHA512
631bac5f67f705475638691251991165e613d81473ffafd2f99b55c1824ed17dffa34cf8eaef9acb32a46a9421b3c21c9718d52f7b8f14e61cc407ebd8620c1b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
54ef61ef25c0336be58c59ab9cd291b8

SHA1
35db17bc2ea63630a1e887795c88903dd2e18772

SHA256
019d4c0351b2292c622d7eb0f44cf3d785f586e9c2c44c6a7a56288e13e4d7a7

SHA512
4029ca8a6bed809714522c28ab33c07f5466d65fae45a4828fae3810352a0844aeb86322b2f3a92eb43b71d3b73aa4acb1c6f89952f78ba8f5e95633730f8165

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
94d0500cec321484fab11af663281a82

SHA1
7fbe13981993fcb00cbd155d5ac919215cfd13db

SHA256
556f59f00a433c696e64512efd4e71f9f2023724c5e797a0db09ee5cdd1dd04b

SHA512
21dfd35b75c5ed1ddc08973bd70bdb63719e049f384f7ad890a20d70e4f9537d5db82df46cf915370c87e08525c273ac7c8bbc56f1129d10ce88d11dab286380

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
9393dfb6bbccbdd3b12988debf678d5f

SHA1
63b2d206f68efda348d265fa04b1f0e90cbb63d5

SHA256
d1fed524ab0736a93eb54741ce63718431fcdafa5b6873f1b56146abf0d0608e

SHA512
0a7bb0d6633b582652a265411f8a6449730e22ed40cd6d0b27d1a74cb2a98f58fabf39f13a6a0b60ea4d3fdb1673afadc30cd262e0495b1a2eeaa8fe885fee6a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
fb040ae650e4fb2f5d133d219107e4bb

SHA1
d529dbf13a97190b38d184a1a8c25cc2a9229d6b

SHA256
dd68a44e9862df6885edbf12c079c17c5cd1177aee36237241771610ef07bfe3

SHA512
b5052bab0fdfbdc5b752a3525d3397314da010848ff89ab2e6f794d61a6b9b82015a20ef5f61b99b7977460b82dfced50b383b9dfe948e7f00fe8ea5c0707ba4

Download Submit
memory/212-548-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/212-177-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/556-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/556-85-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/556-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/556-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/556-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/952-151-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1392-150-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1488-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1488-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1564-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1564-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2076-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2076-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2076-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2232-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2232-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2920-556-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2920-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2964-550-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2964-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2988-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2988-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2988-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2988-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2988-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3220-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3220-558-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3288-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3288-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-208-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3324-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3460-49-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3460-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3460-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3460-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3460-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4076-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/4076-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4076-446-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4076-89-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4076-1-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/4312-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4312-432-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4472-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4472-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4500-249-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4500-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4576-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-250-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4972-557-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5032-542-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5072-188-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5072-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5072-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5072-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download