00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
Size

1.8MB
MD5

436f1a82030cda74dd7a485fcd832448
SHA1

b873c298110df3b6f4ca0ebdf5ab5dfa36a01c3a
SHA256

00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d
SHA512

6681e72d4e6b2024f8ec1dcbd3032d8b7ba70904f01febc9f641a56dd87ddabacce500552ce0bef548fac100fa39060e368086393eb14252d5376bdc173bb7f4
SSDEEP

49152:UKJ0WR7AFPyyiSruXKpk3WFDL9zxnSLXvYMLprznyDSga9:UKlBAFPydSS6W6X9ln+XvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3964	alg.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
1560	fxssvc.exe
964	elevation_service.exe
2828	elevation_service.exe
1148	maintenanceservice.exe
3128	msdtc.exe
764	OSE.EXE
1528	PerceptionSimulationService.exe
1900	perfhost.exe
4932	locator.exe
4340	SensorDataService.exe
3232	snmptrap.exe
4032	spectrum.exe
4376	ssh-agent.exe
3360	TieringEngineService.exe
796	AgentService.exe
3540	vds.exe
2056	vssvc.exe
1392	wbengine.exe
3100	WmiApSrv.exe
3292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\47e5537a8beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\System32\vds.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_mr.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_sr.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\psuser.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_sv.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_iw.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_kn.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4352.tmp\goopdateres_pt-PT.dll	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe

Drops file in Windows directory 4 IoCs

Processes:

00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dcfdae908aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093f400ea08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d95441ea08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000655ba6e908aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008895dfe908aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c20e79e908aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
964	elevation_service.exe
964	elevation_service.exe
964	elevation_service.exe
964	elevation_service.exe
964	elevation_service.exe
964	elevation_service.exe
964	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3116	00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
Token: SeAuditPrivilege	1560	fxssvc.exe
Token: SeRestorePrivilege	3360	TieringEngineService.exe
Token: SeManageVolumePrivilege	3360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	796	AgentService.exe
Token: SeBackupPrivilege	2056	vssvc.exe
Token: SeRestorePrivilege	2056	vssvc.exe
Token: SeAuditPrivilege	2056	vssvc.exe
Token: SeBackupPrivilege	1392	wbengine.exe
Token: SeRestorePrivilege	1392	wbengine.exe
Token: SeSecurityPrivilege	1392	wbengine.exe
Token: 33	3292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3292	SearchIndexer.exe
Token: SeDebugPrivilege	4568	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	964	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3292 wrote to memory of 1208	3292	SearchIndexer.exe	SearchProtocolHost.exe
PID 3292 wrote to memory of 1208	3292	SearchIndexer.exe	SearchProtocolHost.exe
PID 3292 wrote to memory of 4732	3292	SearchIndexer.exe	SearchFilterHost.exe
PID 3292 wrote to memory of 4732	3292	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe
"C:\Users\Admin\AppData\Local\Temp\00490abf690ba27e366bb8a1028c3af9dffccb5f7f075f34dc152acbf53f332d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3928

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1208

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
403523fbb3006e8e4ed1955c25049b41

SHA1
4ef4327c5b0f2e02ca109adb6993206f9e5efae3

SHA256
69e0da3f1f309ed5ce30e7cd44be4d34f8798e34fc9d06d38ef8d90ef921a0c9

SHA512
e4f478b5a958f1a380cfdbab4334823cb12ca748c450047272cb891746b3da99fbd337ccdd940b42f546a70d2537c36f3735018ff5997e98c73633098de17002

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
7612b67d8eddaab2daa481b96fb7c4c9

SHA1
36141157a7289ed1a7e71610f1c8c89ea40e04e0

SHA256
ce614989aa4d994a74d7eb559fd13677cc90dd3206a6b73b86068b3487cd5826

SHA512
f9be56697b0b75addccbc893e55da358ca9a80c982c6f77771a6f930c00c4e236148c13ecd2ad86e951cff5004c3820c93a4f94d88e1163e4962843c5327c907

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
5ee8294a41fc756828b06604b6e0b6bc

SHA1
6c1b6edd34c6d5c2c02989eda62641fab774a864

SHA256
12f492c81f9ad03980b6c3cbf46ac5ba5262392af26ad61f111c14781dd93786

SHA512
3432610cd422e2672d78049c4706421a40d45e4fe96d9183c319d143aad8fd18b734fe51cd4f456ada0f4e16bbb6fb8a9b475b7523dd0bc0e3e47a4b9b9714e9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4dd8b87519dba8728d6664b45c91cba1

SHA1
3d3efe251dc54a440ce1a510ca89cbaf01732e4d

SHA256
afd3c7f41a1b09129b74da52caf714b9c156f43da20b0247fb6dbade4a52aa3b

SHA512
0fec4010ffada3192f41f325b11b7a0870d25a472bad84fd132d35178e59ea9e46a9a60949f05fe9ccf6716defefdf568bc548ecb9d0e7ae998cc596f88124ad

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1252d9db2fea7ab7b679a9b20088067b

SHA1
9180ab70987e342f248c4660f610dc7cb912af4a

SHA256
901885758b0013617cd75276cfd8b0cf2b327ea64ca74361b555400af869633d

SHA512
98b5c5c46298a03dcc94a5282c8d8e9233bca739e677872d93cb85dd5c5afbbdfa8e097fbb9edeb5b58347fe1a6da161da5b3f35be992c1094927a5c7bf597e8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
425e6145ce67c748af62c6afe4d0a068

SHA1
706a080c9eda0f32fd69e2d55980dc27183f1113

SHA256
1f9588d9584be598a606e395a2920786390f06c9ad3f69aa37f9a2d52343ad5a

SHA512
550773b7067715c69ebe20ad45569a5f58f174fa7f3641b7777b64577fb329d192db04f9e850dc19543fb0f85773427f79e307bad335e743cb924e338d5b9f0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
8be9885da6051cf3e170674c39a33ca8

SHA1
ae36f32bc2655884fdeb4a1fd93dab15cb30f119

SHA256
12139ac9b41f34cbd9e1ab8b33ffec1f4522faac9c0eb7e5c360c209778d56f8

SHA512
a21aca67d1f1701533780f7d57341a08a5865b03467de58bc84f76010c6c9d0fd4592d0d6e63b634934950b9b7a0b512b9e5ca0f050f5ac7de95a58afbad496c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6020a3e699a69b4ce20681fbafee086a

SHA1
a41105d898e98e9ef7284baba19992335873f68e

SHA256
605c911c33ec23f5fcfeede57cc282e32d7227062bb8a1b9b94bdd0309e4c6d5

SHA512
3fbbddc6a7d43a354b6d529190e33b754fc993f863efbf8f8f5f01523f4bc99d7b9693607319e2299c2fa7a9f4f8e8e6208ad545633a0ecffaec79c48964104d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
ba5179ae7b846c70a1d861d87f31460d

SHA1
549dffe7f678546d348a6df82389b7b868091db0

SHA256
12442104db4a6b86a5f5dc01f2b571a14555c1b7274916daeb83df95c8cfcb46

SHA512
9f1112d938bf953f53e4dd149ddc977052fe8955d646019950a8b440c06022a22a4b7492adcd5b6a26ac7a60951b81bf22ae7088580952f95ecd3c90cdc905a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b226979f7b99f3064f4c63c5f78408ad

SHA1
942054970cf4c59c958a24821b79f479dc1676f9

SHA256
1aca33cc28cdef3afa73e62717faa7cb05e1d55c36500fde9f81005d5e3489e3

SHA512
b5a82603f29f79f9421f4b0617973d78a14156c5c43f20e1f2a96b5b510fac3ff5aedab9f844627aa09ed0ee666fc606752187a0073e9577ab2bb86df45626ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5ac11e597c3fa3c086acc99ad777258c

SHA1
bd5870afcc9dc0cc3df8080c0f0c9c2732c27a37

SHA256
07ea6562d4c7b7e8e8b6a5425c43aa83313cb3da4b34a142d644dc4011505541

SHA512
eb7be529b890ee11e9eaefb98030de0a0fd63affd9fca15d85f5e102f0bb310fd4e12864f91dd761218f78c37420436edb9b560d0b22286559a7d37a87f93448

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
e77e91706782d62be176b8febb804f7c

SHA1
25282896ae754770277e93f534b72207f3b8f7b1

SHA256
23c25d4be2f45ded99a591a855f0eaed369f904e6ae94c66bb9be4ba673cde58

SHA512
45389d47f857c4dd021688612fd910741b2228d0b42b9b6bd658117882ebaddcc7fb38a085efc4a7f3c228756b51d2629578badaab03a4419e0dedf1b5729cd2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
e4c64049d8d48c2582f0c7a863294dda

SHA1
8ce13c7a95046be7d5014018ef5e2273a851103c

SHA256
32e01e58bf16da16627c319f63919cf5429a960f6b58e05d8e704c91acf5e904

SHA512
3e60b80723ff6fca96bef2870fbb0856ab07638300dea51aa4721177f4c8220ec6c9c35d720800c276ba157578e9d3fc95e5d014ce71a0b7c03953c064f2455e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
17bf7b4b2ff81d17a369874cde5cf951

SHA1
c86698f4c2e0b0c70966e9ecc24491e5150a8f45

SHA256
598e31dd86c0f9c1dc45f717b058d474c87a8f9d46be1c8b7b05acea5dbd8e89

SHA512
96a209e8857bcdcf914551228b55a8d180418c77813ebcabfcbf5ddadb1d9fa8c483f742c902b16b40976402b6c9cd389b817f9b9ca83f73edf5887bf44371da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
62535e8c6724413d67f3809412186f6b

SHA1
ffeb4788d805fd3eee98792d6e345ba6e894f070

SHA256
46bdc01288917607da28f2d1c5e6d53c3c8c14835060f721eb09be0917b55a66

SHA512
ca7ceff5c7dd92cd6dec6bb8d85ac0bcd77c01ea84c80d7be36c250ef43af90d2ab88c33fc27b1969ede0eb2254eed740edfee2c751852e8ca363c16c704a845

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
527aa3f815d0399fd4dc15d6183586b0

SHA1
363d9278dba2047632247ac413ed8f4e3f63134f

SHA256
e3f56c8063fe7ee4852aac3b226bbc938e28325ff5903a3c1aa90070a2670682

SHA512
18443b31f5f7b3d227ee93433fa1383a489f6e6421465496e64344fad6828f9084c8d85850c6c6f75bdac1402b621124eb6ab470ca47ba1ecb2d71fb17fd199e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c8597c634daf261c4f1a951bb739ae89

SHA1
c28f6bec51d7393568bfb30a5325265e0fb55039

SHA256
f31d353f84ef90d3587437c08b3cfe26ec4ab20dd8422bdad96f7a046baae060

SHA512
c06d0b6800484887903cf18bfe95121bb0914851c71fbba723556033d2953174c9d35f453864ef9737680e34181c28f344ba27b6f310260c680df94da7ea8964

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
f6ca312e4b0dd3473e83e12a88ea7f07

SHA1
ca180a6603cdb1dda481b38f7335ea7ffa04b74f

SHA256
a60579a8fba3e772840dff5b902ab25b99832e10076f39938f15a93d7290bc33

SHA512
2060d07e7bcdee0abe40d39ad1a3e9bdcada9e14d75d327740828cb4ce3070e99d2685b56b0e71731e5543e4139dbfb0ccac6f549af9bd1ce2902d02f85b591e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
0d37e59c144e772854ea6a16707297ee

SHA1
c7c669de0167edf849b47bf46d3887e45e186f33

SHA256
7679db412b9f9dbdbb9fa2ab8a1afff8f3d11af82e278c39a5a7c64111c691b1

SHA512
2f4f18a56325c43654e271107ed5bac87304e6181f466d8f0069e7a76ba3cba063fe5e489c31af8fb733fde25b25f6a71184bdfb3e4460aed518f905f1d910c0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
eaa2e5b4845ede66c855d3b353e26638

SHA1
28d1a100546d25fc336b2d4849615c18a8de92cc

SHA256
ab254acff8e547bd4a809958d1bbf0cc68410229c754cfff98d068f2eb6311da

SHA512
cd94ec521f2d1de7e01895eac4b5b9d54d286399e3a56a9cbdfbb3a5dd234827ab58ce4d0044447a3fe8fd1f355d0bd6dcd9f87888ebc5d86021d209e66d8b6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
80ca4b9daef4f8852a7cc4162ab87380

SHA1
479d15ac9e46373b335c4bee47826ef414fa8660

SHA256
dbc779a5daf0fbfba55e43716eb0289b9bbc57a3a796f4865f33c5c769f907c1

SHA512
44c10b9e73ca82a870a781fcf764ae57bc93b9f3d996d437f628a484f2828896d539fe57db339d15e4ad7b51c39919c93ebe7c3160ffb7f9cfc3aef3689f1a51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
c99cbb4417dc4ab504f1afb95b5ff2c5

SHA1
f8a1fb0f34b7574e43839eabda711e978829a5ff

SHA256
282179ab2145e35c3c9b055a7ee7ee788ca0820d9e61b354bfcbf9ed667762ac

SHA512
7e1c247f52656ed6075cf241f786a9d5aad64a8306cd23de8b2eb9648cfecec070038e28915a94988febaf87098a87373d291a45736742bf13fffa6b6d9c1d4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
bb6ad7647da3a9d816670f6cf8a2e007

SHA1
279fb7496417f7be960a748de66c2b3a2e6dd509

SHA256
5526faece05e971abd78f5548a690c000e7e4985731b1634637f2d8165ec5dcd

SHA512
576b15a1d0155e2c8d4201660827aa5d70f00394f219a7a1f4788567e95f9e48fed49e4766b6d73b9c984351846c6dba256ff6b7bac74ad87fc8e939e887f3ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
4f96ffc88d7cdaecc499cc001670980b

SHA1
4e8baf13fbf6c74d84dfaaec76b12ad6f205bdb7

SHA256
763eaeb35c4b605a393acadea039f4fc4fb35976615f4286875245a5263ee816

SHA512
9952cbe48643c25bd105f6e9f6f132e5893fbac90a76622de6f2868ce47d90fe62103514b670d6a17df259a954c2bb85ea6bbc5c8ceef07f9216fba43abbaedd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
55442108e5422af8f1f47469c072335a

SHA1
3dedd3d2ebb10a6e3bb22dece9aafca3089d4a48

SHA256
df33eca6e7f6a128db404d72496d4285f3ff594d563e64688d12ee1478d16fc7

SHA512
787a209383302e309618fd12b77215797c42306b161c8d899967bf5ab649f080f942848d3f9d2d65267b49a49068692948d47498685c62e519d679fa178acddf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
adee10640da7f77cd0bf52acd9a0fd8f

SHA1
51880a7e98f9d09839ec1f614c50f2b50fed1cf7

SHA256
f9db5afe8e2f24fb5c3ef35b1f5e3cb5c47f63041bdf949d9b6e6745ee6fb0be

SHA512
3011cce142e81a3668c11a0fd375d95d72e50a9a5df32d5bd73e638093953d714fa4a6fd4fb9847ec564d1de5235814c204406424cc914efa9fd221b71e18009

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
57003b4e6021dbc517970523ec8dfc3e

SHA1
4ee32be4ee792514b7371fc4ecd4acc3dbf5e4ed

SHA256
943cd2a4333b2462f7b10c529c85a9697776f6816054ff58b1b4bcffa670c569

SHA512
f292e19da019f91158c39b05090088166661f0f528de43ca2e2d01f5c7808cb6f99c57a0e2b1191a66f624dc67bfa1d2aa0d8daddf4521883c56db3a4e98ca46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
8cff6dcc52bef8089b0bc702520be618

SHA1
f902ae76da2dfd1ccacff7ca6bac01f4e3617e6c

SHA256
f99a7ea056f90da9a5f97c7169b1146c19f7dec338352f829788e5d22dff773a

SHA512
a090412440ade358c10bbfb18e37cac0210026e68f8a9d1dc5075c75be75e3637298a7336e513f5635dbe768fdb865c4e575cd1764da4c0de2142fab6071b6ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
e67121b9577bd0f7e09514f40494faa0

SHA1
222b97dd1a1036cebd7eac09cd5b0525b3037940

SHA256
3e843b20f337173382c5d27483fbe66038dcefb3213fd398e7edddc59011c254

SHA512
433fe81c9953aef07301f48ac4b6bb85c5a08fd181cd3173512229b8ded3abf44a99faa0a7653476393f8d2eb773208de06fb9ed0e98e8ad622f30bfd4f7c399

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
c6f7fd2356ce163c2d76ca3369efcd4f

SHA1
7bed34897c522c801e0816e31369d0317b3c775e

SHA256
cac796a3e414d5422f9a80c43e128111f9e14f6c902761337e115fc9bbb6ad3c

SHA512
6fd5172b762d72097e93524134851c30bd5719dfd31410ea68047606ea2ca8b19f7419cff5f8f5153692c822bb6b9ea900b398c2af909e3a022f9b71f043411b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
071fec378adffd2e73848736570495e4

SHA1
5692870e3f39dd874ce5a56cb77cf31021b5b403

SHA256
bddaa3f442d7550d82bb80d7b92ad3ec0d5afcbfc3a8f50df9f156e9870f68e2

SHA512
c5b5e51893359e9d694db814842192ebfd1b0c2878c5393f422f8296e878f708b5d4e6595fb988a9a5623919509a4985005df4e8ffbb9dceda105a228a601284

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
b2b3a189293412704dcd790add6c7427

SHA1
eb94ef4b49f103317c809241e3e2d1c2d3ed411c

SHA256
764cf01bd4d5f4302347f8df54a47a414b9b0a9cb04399c7ebdeedf81f8b1a87

SHA512
67efbab705627e6732e50bfe89be521906781c7214bc855ffb8cba7c02a38f1461d995223b842ae093825f082883692bba57140b256b212ffad091821fb3139e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
bcb38a42542fb1c13919cc54d8ef174d

SHA1
07d9ba6dd68fbe96dd5db1e4570adb27e39bf803

SHA256
47ef979025b4896e7d9fd16d3c78ba70a3c35e58142428c0384d5dbb53fc618e

SHA512
224776e507d56eb898744824fe539a6188d2bf6e9e7a1fa1789255df5852a4c323f3c9afd674a31378fbb6cc676a738ad8bd4f3db9685c117a166569f8537947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
1fa72c7fea0db84d98e251c8367eaf52

SHA1
d73d6d71c9134e11b96cd62d0f7103a14cc211b3

SHA256
a2660ca1317cc56541683f6cebee459589d1a6b656553a3d7a2ba4330fc33612

SHA512
b7c6e4a8a53652b64b80527e635eae84b9771b6c380f3e75a362639377a05de52955260f23f1423d3382b04c475e1a0825d377e961db0202027312d7bd8c398b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
151f8dc1d9f7499f7d7d0f9c046d1955

SHA1
f2ee514182b1d21c1e5e06d8df9708896440d8bd

SHA256
2cb8a180c4c580836124a8280f39a9e3d13fd0ecc2749c4fa127ce85b73bb3d8

SHA512
f67f249bfb42946b689bc943fe616fe11ec13a047cf487d8be170b4c46143a2c70103b6ba8498a747e6935439597800919ac9c0f84d5feebe672394c107a714a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
481e0977c1c52692517110b0d840abfa

SHA1
584962d934f4b1a9917a183e8f4803c671af9caa

SHA256
2e5835ae0c4bb36e003a4d56ffcc926f572406e580b47fcd41ae610f5fc92eec

SHA512
3ec5367bc350e3faa417ad4b67f3aa62df0e0de545a65214485f85d9ec118b9e4fc52e028deaa36ee84cc54e511372196971fb4278ca66f8dec1581e97a1d99b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
3d5a0d2b4ea43014220ea53cd227d06e

SHA1
c4fe68c09acd284ff065c7389b1e79124f8aacf6

SHA256
469b83cd62ab79d6f9c3d0b1a0f8708086082ab15a9c83ae9d0e7bd038985516

SHA512
4d7d0b10b0c932b074a5ab2ac062f32663d734458e8d4b66ff78d1f42a824abd1f0d241bd3c6d951cc5b3f229a53ab875e6aeb9cba0e6acbbf0e29b4cc7dd146

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c306fc085658b4688a8cfa802226c2f0

SHA1
277dd5ea8d7ea3e572c746898132b619b5ae9ac3

SHA256
70f841560d3bd2874b90a567f5772a4a934d418378d0e9b4a7c3a7c22e454e1f

SHA512
18587873e3ab5766d8dfd27919b5c4d281e2a0bacdc8df57cc2967127c287fe0825735d88f6f5ffa84ba67d5874904be31c8a7f7704bfa6722e6c76c97b8e0ac

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
c808ef0b5154914059bf4f93e2be1c22

SHA1
3df3fa09ba96152548ecf21943ec8da8a43f4a4d

SHA256
46f243a1cb1cc3ed46b5897a5444062a70b53a0d2c41eb51318509006c4545c7

SHA512
0c76259035eba73a58ebc4e8c16dc7c77d4595390c3cf4cb3fe02be28829ed6509ccd7e94f848e37f94842ec910f1df21acc4892c9fedf151371f87e0b9c7357

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
e36d65500da6c5a961bce06b2beb2194

SHA1
2c2520250691e600b3c25b061892ff79e36bc6f3

SHA256
d7ca4f91e990ad8ab082f904c3623ed66b8d61a4364ae5793502e62475bb615a

SHA512
f4dced3dd56cbad78a3aabe6d829302e5ff2b4c685c212788aaad978340620c8aab599cb3adc889da118b2be7b8782d2e30748211f59cf01a605f551c7081127

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3211ab058980f9926943018fdffb6c15

SHA1
006fad8cbf0165a929e10203d2e9fd671f125e84

SHA256
5c0c5f26032f9a4256eec46987ac8ee238c6e6c50811467db7b8c6d2112cb9e2

SHA512
de8c076b3b670282ef6e04b02c6f8128be4039de87665eac7dc43846f572735f30fb71ed6b162573fd9909d24a7cb76023b4cf6c160c25f75957d75e7c935660

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
8168725df0f947ab73640fd8d42adae9

SHA1
85b72ad205fee856e316fc7110c03a3cdbe11d6e

SHA256
cca255933f01e65488f5f79da94b0559c2955bec3f17661e4fa19e092803500b

SHA512
e3fb81ae92f2a9ea153d8d3b1dfff2f656684fb63ee414632ca951619a7b1c80a2a0f47172d787a45a37a4d262eb1fec3acb2a6f2606aa6a9ef2262da1875e6e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
eaab2c182e510034b60942fd7706faa3

SHA1
038efdd00798bd79e9a0157d306b2d697a203ef0

SHA256
517b3ecd7bce81f21169dc3f7af6de2559a1844bd9fb0dfcc88ccfe479ec30ad

SHA512
1a30af804df39ca76b245e73b28b1664f03b78be745d96fd194e51b7c13b75cea5268bc5b74026211c6d0bf78794508f5e3a1da5e5ee28cfd5dc5592d036e375

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
b8a3c195398e64dcf1e34bfd08b3cb71

SHA1
bb5cbcff94c01ac273dd947981c16a23836505d6

SHA256
c2124d9951c0e0b38f24b979a0a6e289109c6d00f72b07b822c35f9d105d6e08

SHA512
2c1f8dc86bf377db100ae1fad493fb5e7daf095de105891292d70922274c85df8bc83ca3acb19b8ebed3e62cf0726ed61a85d9209e5a528cacdf5e0017fc04f5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
4fb5298380ee0a4dbd9c0477e02bc395

SHA1
cfb204ef66faf74b2ef8a715b66ace284fd96b93

SHA256
85095d74190b1b1ed1b8d42f92428d71d25b18b1133b396ca4ad25b107598a26

SHA512
7bbfb91698d678306cd712f2dbe9c12be24f3d10849c28c2d631e362dc854c7cdb9fe886b4285c5079501d076488eda5bc62c4f9a916198bb38c16c4d37a7c0e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
41c87e83866a76416f28be34de87eb4a

SHA1
260bde40bf364fd1f5a144517cb636024edfd878

SHA256
e1a0f86caea0c98ed4e8289c23955356a9309dc59eaff3ea12504f034777351c

SHA512
05cc657b9081732c9dd8b2a2c6d1557d924892a2421c87016d7a1ba5c64eb4224dfd6474478cea850a0ea943bc312fc204dcd65b2cc058def7d5df80caf3b430

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
9054103a954f4a67e99b0cace592be19

SHA1
f975716cef9b4b1f42bb39e83304eaff41b8aeb7

SHA256
c68fed89fc5f9426ed50d5b748c7f0e85a50dced93cc70278104a6d1889222c2

SHA512
7b14759f0bb36819a5e7fda01358cdafe418200ce68e47d1537bfbe3c8d0bf2496b8726c97e3d71c6a1668824302bbbeec960fc030e6e434c7b277b0358d11c6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
415cb7eff8ac55ead6e5bef052d28eb4

SHA1
dd411c6d6e29796401bbb9bd188d26b4a3f76a97

SHA256
7af0c730b5e6e769433e703976394c15bf72ca771aeffd586d254044e2c9e054

SHA512
793bff129b07dd11eabf25da9e8c686d64f046b2666418183c352765c03f4d72bb674dde4e04ac2e7d650549f1ac989e6a2e1ad1efc182f4855b6aac35ffd866

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
61b6060d6819bf71e711673bf89340c6

SHA1
4308c85a7f8f571e880f1a36011c3d28e62a7b1e

SHA256
336af42fc5af674397a7efd9fc1323b278cf74d9c9e4b904214039a7d95eea9d

SHA512
60ba53082bffd8b8c63f4bb7656025328db58f19bd062dae5ed564a9022c0836d941ed7089010a015dc736d566dc7a9eb5a301b8adcaee9abea327a196615e37

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
ac7468b23d3c938773b9610cfb6e7925

SHA1
d2863b09e23f4101996169b455dbe3fe098c48d6

SHA256
434d6dab4975989d8ae2b7afb0bff10147a29ad7d9f7bd819aec17ae7fbcf356

SHA512
04229055b249e86b649d4e181a8d679f8626d439170df9ede85ee7f48c47c172eafd34bc47fe5bbe423ea18a033b4a48f048c0393e84d84528f7d78c51cc2c08

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a7a8b4af7219e024318688d71c9943d4

SHA1
21587d11ac4fdc04bd21d4a5592794048e7669c6

SHA256
1ab9d40beefe5701a566c039f30f199736ba9f57736667ae71951e96aa0a5f44

SHA512
980b8cb0f0dd6357d4aade8960b4f5d2113677f5227c9e0492c57fc1b223555bdd0d77d244d1e0bfc1838d60cd653a2d3515268f29e033f87cc8d6fb4846bcca

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
bf4b1a1ed3132cd74be3f6162211d043

SHA1
23c3abacc7541e8a0e4994bb46dd27d1c305e922

SHA256
e1f4c3580dbf3ceb2315964c01ec27730c82ecb9de6f014288ec6b91848af68c

SHA512
f6221cffef2d80faba6157838f9f21a6a42cdc88f7f2d30097b6440b4d8d2256f8c132831fd217433a6ffa7ff0f7854db4c06a1b42bfc81063e23fbc51886d19

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
dad64bb41216a9a881050222e45a62ea

SHA1
f14e2d32bc8739938a802eebc6ea1732436e42a4

SHA256
f09b3f90ac5734f63189ee3f17c470b37b4e01770622e08fb0da78e5baf6d78d

SHA512
a1bff3328579409959380cda8bee61b50be637d4dc90f871560fc3ec59d54bfb8825517419f323ee4ca28a1ef31297cf88acb18fedf13e755dbce0ebd16bec90

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
b0035d42c7684233249bef9ce0cfe22d

SHA1
877a6fa69f2f3367689bb5e1f07e61b9de6d7ebe

SHA256
d6f54962867df7a4c69c402644e33e455717ae6d99bc406b8ce9a2e81db6129d

SHA512
7880319c0ced550b09a67a876e5844a2a030d8575c95092e915d8e7c217181a21bd2ac5642924beb37c37e24e964441ea1df843a19577b85a0778b5a3fd4a72b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
459c0507c926740af3a76733b30faf5f

SHA1
7e1b7cd54d7474d3f11f5b1b1ba55f5865d49391

SHA256
507c78f1a68229a89d08b15f06f71aa964a8cb9fe08911187d0fe4cf67950d9a

SHA512
e98719afca1b042a98c20b5f72de0c7a225ad6240933a52c2ac842e6d769aa611690a8444831e1dd8f28699054345c76f34f368835570389323272e8fbcc589d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
e6a409c89e6284d5758a0466e91f89ed

SHA1
a4b42fb3319234872f312c5767f1f1c2ef7b1965

SHA256
f64897ff6602d49cc8325db0a37a13e0125dd2c49570ccea3b64d3d1d32f4dde

SHA512
07f1c3f504a09b3e84d7ef5e28591d7d598514460a0716931db19fbdcd8b4104c1eade0a26ab46caaf04f69d99dd24e9b1a3106195f6cb64651ed0fa6869de61

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
0f8600fdbddeb778a8891b0b20d51325

SHA1
ebc8c32081b2a38182ad699a45b1c1f23377730d

SHA256
9be9f192fe6190b0451771f307f193289adb5435c5c93b8c555ca169d8952b84

SHA512
7e020a8cc6888fbf1da0775f3514ac253e93d3ac85001603006c763c2100232e816cf2fc705c9fab8e6ac6cd3ef9362634761ccb279c412e13453503caf3ff33

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5af957f13a607bba2737fb8fca4027fb

SHA1
6e13cbf533bdedba0fab178a00407e85dac71566

SHA256
4f086ef80ec4e37cd9511a05bece275fd578ff93764a145cd14c15c4f2ccc063

SHA512
4f28f15a49d0ea2b05f473f25843ec7bc80c5f63d97d4b2e7cb123348486d077ad3e7c1c4fb69f40f10c21082ba8c7557ad577c8043cd52f17869f73552734fb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
a4b8c1f5c65b5bca3079c142a7d76c14

SHA1
f483c8f68300c921ca765bafee2ee70bed5c1017

SHA256
bea819d0ba376fa20b4c0fe5e5a0215cc1b925c3a297840ef141f5dd7148bcb5

SHA512
89015e4988a718129b15f89fe1a060d61d9b94562525ed111f32013409f004d3dcede157f1963796de2260ce9a543ae32edfc55130bd919d0489358eb0045fe9

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
ad4b200df8743cfa19aa908996570200

SHA1
03f75fdac8584eb6430f56b5e6824f2bcc49200c

SHA256
308f944ead61db9085baac26835e7f57d3ff1f65e4fbc38a74d55b5a93cdf26a

SHA512
0e6fb9345b82133ac696b49e51cb1f505d971569d99838db5c340e31ca768dc92943f6005904c947e3226a088a36f66064b1b1bc128367519983df45254e7918

Download Submit
memory/764-152-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/764-144-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/764-150-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/764-224-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/796-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/796-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/964-99-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/964-208-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/964-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/964-105-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1148-130-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1148-132-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1148-134-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1148-128-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1148-122-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1392-229-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1528-228-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1528-156-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1528-164-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1528-162-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1560-109-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-174-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1900-172-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/1900-233-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1900-167-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2056-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2056-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2828-213-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2828-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2828-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2828-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3100-636-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3100-235-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3116-6-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3116-155-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3116-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3116-535-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3116-1-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3128-220-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3128-137-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3232-186-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3292-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3292-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3360-630-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3360-214-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3540-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3540-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3964-12-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3964-177-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4032-628-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4032-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-629-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-403-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4376-212-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4568-59-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4568-57-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4568-18-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4932-180-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download