00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
Size

1.3MB
MD5

75f799786876a1a61ff71647ec8e8243
SHA1

3600b291aebfa54453746fc3dce16c7455967f3e
SHA256

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f
SHA512

fdb23ff153bb2ed6ee96b661f3f8001a0aba8ca5e9f4a475246423cef0c2ceac817e35a38f8e36e039d49b92590c6ecfb67e68320fdee618d03399a5a578389b
SSDEEP

12288:98+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:OUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2124	alg.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
4136	fxssvc.exe
4036	elevation_service.exe
932	elevation_service.exe
1136	maintenanceservice.exe
320	msdtc.exe
1840	OSE.EXE
2844	PerceptionSimulationService.exe
2160	perfhost.exe
2964	locator.exe
1540	SensorDataService.exe
324	snmptrap.exe
1512	spectrum.exe
228	ssh-agent.exe
1864	TieringEngineService.exe
336	AgentService.exe
1440	vds.exe
4400	vssvc.exe
3056	wbengine.exe
60	WmiApSrv.exe
5216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\System32\vds.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\584c9c97c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe

Drops file in Program Files directory 64 IoCs

Processes:

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b618e1005aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e69e101205aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004513801005aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034f4291305aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e25581205aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b76281205aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4856	00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
Token: SeAuditPrivilege	4136	fxssvc.exe
Token: SeRestorePrivilege	1864	TieringEngineService.exe
Token: SeManageVolumePrivilege	1864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	336	AgentService.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	3056	wbengine.exe
Token: SeRestorePrivilege	3056	wbengine.exe
Token: SeSecurityPrivilege	3056	wbengine.exe
Token: 33	5216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5216	SearchIndexer.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2124	alg.exe
Token: SeDebugPrivilege	2724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5216 wrote to memory of 5892	5216	SearchIndexer.exe	SearchProtocolHost.exe
PID 5216 wrote to memory of 5892	5216	SearchIndexer.exe	SearchProtocolHost.exe
PID 5216 wrote to memory of 5932	5216	SearchIndexer.exe	SearchFilterHost.exe
PID 5216 wrote to memory of 5932	5216	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe
"C:\Users\Admin\AppData\Local\Temp\00c504dde6aee8d678d1f8e0979408fe95d2774254bece4ca93ecefbb8491d7f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4332

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:324

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5216

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5892

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:5536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
1e154932409746a03f66cc5a3135ba0a

SHA1
e2cb3a192186af7556f1c0e0bb4b235a2a87aefb

SHA256
ab9cdcb22fb582660a5ab3758eccec4bf29daf652eb623121fe872760eb9e5a2

SHA512
83348e045630c8cbfa26c43970a323814749797f5b6c48ccbbb74b6853b283d469c61bd797979e3316ba8007843883dace91ec009947628fb7e569f5df8e795b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
dcf826da23407ce48985011731f85bb8

SHA1
9fd0d27bc111e682b8882ed66f065edfe8d01975

SHA256
10a2416d98cb8f2ab65989cba11bd3823457014560b85cd4b262f829a1837d53

SHA512
db40dc8195d13af48792ac5c2b2203e05dfe56f8334829bf3a3796672e0dda83017541dec82659d5acc4879719b1ad2a4159e19233113a3fed54ac0323c37cf4

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
d913c5b9c60fa30835589952d6a076ed

SHA1
d275a17c1dabb54aeaa20bc1f9d78dcc9b2d9b3b

SHA256
7f8b99481e5b17a382c4c633ed430e7c79d3a969bd8e2dc052c9a58f131b9dfa

SHA512
d1227f8927a73a337ca05663cd4eab634e4ea452f85ac2d164c8ddda142f7330da979a720ccc347c13f9bc1d3c421e6e82ba2564bccac9e4d18f1c0070a36ffa

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f64d2b6d473526e364906de57884d590

SHA1
da91e083bd7a6d36350406ca6f30375df4863392

SHA256
0f2d2fbadfc4391643cbb41a56cf3642e093afdf0e7f1abda9504dca2cb9cabd

SHA512
fba6928f1f333bd2c600f09def3e719bda46ac02857651d4cec1d8ff2c91a81980e1c531d2dda73d3eb30ac653e51a37ce262719ef10ad315b8a017723426bca

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d9dceac417a79518b6d14f3cdb3edb7b

SHA1
eea6ded0b5bcd38024477e057f7bf0668d8d24a7

SHA256
08a86ff9b4b2b1dd61a1f490ab3aaaac138708324e8ec381841d02950c4561db

SHA512
858aaa0c00fc37aa2e3ab3fb8f64715c53a418d13f78948aff612cfccda76820f627b1a9070eaaf2f3a82d24a8f8b675daafa910c7147319dd8c22e194c8378e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
17f4e35732167451f5758fc15e23a3f4

SHA1
c2fd56ef1ae514f13027b58b774ddffcc7f5a3d9

SHA256
d9fec2c83b31e3269f38f2ea375dd8b1d8e73432a7e01b5b779fccb8f2569dad

SHA512
00a22183604d7fcaa64dfc44127486c3a520d8d81b69fbd561faf51bf0361277d59332212ecaa74b5a6db6c33716c1e0b49844aa0560c4bc64bb6d1e8ad003e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
8528eaabc1919cd20033c34969765304

SHA1
aa285e29409aff987b05fe88580e0379b3dced01

SHA256
f847cf30d1d55330e5db8b3db608d4a28d9e01c2c4a3320d010da13c701bdeba

SHA512
a1bced97af8d1535e7a0ac1f12300e8ec4821bac98711491d4b39bcf55ca0de8dac4c045b353e3cd2b20a10a4dbd2616ac1f67842116b200b21acbfacca0c0de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a40b54f8642570ec65b743f1b3094662

SHA1
c72706ff39be70d02080da8ba402e6ffc0a4a156

SHA256
df7c417734f95bb46bf9e82c0aa2cf7e7d2b5481476c4e93fc474b29f3db380d

SHA512
1783f1eba7fb33c22cb05cb514c19784bb6ab295bfb684a51349082a26f4cf7888bbe1340b7a742f11f26d0bf931fb266f44ad0de52ed0b4a235e7c84b820ae2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
ba0b30f22e2ead1c2c8eea0555180fa6

SHA1
288bb8b31d5e4e8192cc6afd1de4a7e9c776b336

SHA256
480e8d2d8b659e61bfb6eee71d82caa6dad5cb0dbad37d6d8e07e7dd96cef8bc

SHA512
88e63bd0251276611667398a18c6dd00da62cac86965837917df92dc44406e17a4df1347ce8c101acce30f2a14b39b89501dcdc94a30a65d112a4898f7e8255d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9f158b8bb9656703062d073d95901d65

SHA1
ebfe0e755813d87baebd28d11c8c90b50ce09296

SHA256
0fc0c302f44d8a559708e4e14427b326e32cb5437ae981246516e8f23682b20f

SHA512
7cc41a74728c6386b63f4ad06be022eb6b2f817f14a66742705a44fd0a19efa0b0046473efbd87dde7d2662cd63fe5a8db85d12bc0f641da1282939ce3decac8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c3ecdb99a92e15f3ab8b992f62fcea3c

SHA1
3edf0ec1b87cb1b0f7fa96146b71317bd357c4bc

SHA256
e32f956d2f37e2efe14e3b1be2a574047cc3399be771f0c31dd169b506911595

SHA512
8150b9a5fff1b705a3daa1ceac9b5954891964f8bd0dbee1481b0cc0fbf758c551f39f681cf72827b706a1128e38ec2a4e6f66f1c5bfdb1a9a966f38cea689c2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
37ec58282726275d3c4fe8d7320a98ec

SHA1
620ef2348fcbcf6ea026bafd01c59eda8e263a6f

SHA256
e17c11168aa7a584797220afc3c408ce9515d61246db3f6fdaade5a1b4245b5a

SHA512
87880e9e98b7b5206614e626573142f9800ac0889fb1772a2fd9b1b424ebd808df2fea6be41912887af138ba65952c5f789442cbe7a5a5173ac953272ea4f490

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
033cf9ec03bf9ae0249e04ec4e219d6a

SHA1
d53d4d20902ac293de6b1ad44f231450f446d128

SHA256
3f404235fe924de41ef1b94628e8ae5c8660e1fe26c37cf9b5aa293cc20b162d

SHA512
42d3d29b41ef7d32b6651aef782ff84d0dff202f6d8e029b4c3e8bd110383cd3f06a1e92244bc20b8fe621bd872179938ae15f7de811728af51fc0480a269b77

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.4MB

MD5
4d3bbb2033bb3a029f31f35dc60f8f28

SHA1
b17d8dd161c8dbc23ed75d79dcf6ffc6d4b8924f

SHA256
8ef9ab911cc62be19254baa8e9981302b396edfe1bf6d5a2df7fa8d42026d812

SHA512
8490dfbd9dbd813d5b706b7598d0c6b7e05c33c248cae82a4ae82e12940f8844bafde8f69e95c46afcfe69bbe1e8b50294781d96b54d7a5c13e27fcfeea09f4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a170cf643e85d24f9301b320e6e33d01

SHA1
d631cd3fbb4d1a54e76bbdb55d2df595cf123a1d

SHA256
98ca73a40d9f8fc92c65995e88201ca4c6f5950c1700ddc0aff5ee9b0ea5163c

SHA512
ccdab64ffd4c953b38e9eb0a6de482cf83922985f96da3e982bc095a368171c2474177e18a9281aa8dcb573c873f36ad0d3efeb407fe4a97d9df29d9f9b81a6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
98fd4404ca20d32b3aade6d42dc11247

SHA1
80a41bf138184bcb62baac23beda19fe13e6ef40

SHA256
c6d3945a75a6eca08b8a8573ea45ac6b2caffd7f9ebdfb7031048bad8af9934a

SHA512
7f15d7f2bab273d620578d68a04aeff1fd36d2d9f91afe5eec2d7122e1c286df15b1d32bc50815526921e04596f0d817ffe6d2b82f32a5f78c844989c8c562b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
edbf453e6382d9429df7a5ca14fd5d35

SHA1
171e2884c342742766b5f878dda1da63f0238c1e

SHA256
2b449049f7ac06f30f848c337af84e64701b1cc0f0a6ce625e842ba69eb6c688

SHA512
3c046b035d65048d659590e35e5c2e35c383cf3150ac20d5c03b37bfe867e244ef1f77eaeaa6a44a9392ad567e348f14ee05fe054570db29b15a94d531ab8858

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
bc2b453291f54fa07a444049d6002e45

SHA1
e196edbdc8c301ff79932d5836a4e6170923b1ef

SHA256
3c511d5be79ab7829cd6a8c3a4bf73665788d5fc6b002c0c9f9bc2fe29ba0ae3

SHA512
5fb5b5065a772d10b13292da2d73f78f17c3b79d7587928eda960a49db8fb5afd518d68ec7957a4b3f864896af486ad846630b70e084df3c558835de70bdb746

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
19b579d186dc759924a509c077a28b7a

SHA1
5d3b3c34466d15985955e79d11eb7bdfc47e6881

SHA256
37ff45d5773fc7257edd02c6efec7caadc2d8ac807d8014b54410b8c280086c0

SHA512
823b47c343d7555b6e6eb873937489276acdb970c8250ea0d1d69d0494d7e9bac0bb7429914e55b982e28488c90a286258e9cd543f81111056c3e32a6e4b68fa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
53f4ae3e69cd136cdf16d2f9058db004

SHA1
86aca43177254607720a2359a76cb54f048df494

SHA256
0d63d7b6af39e840bbd0c2e6b31ad714d48672a0c0a29b905e7df7affbbda12e

SHA512
b9caf4f303f12845127f0a8823b7f64df92ff6291d0d4c213c7acac73b9d050399d7c0db0529f7150a883221fd7ca49f8bcc27bb87552ecdd2c1dab390213cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
2e2425b969798b48c806d8e50e25cb92

SHA1
8d109fad9a12dcadbf2dea32359523486c67f5f8

SHA256
1968aa0496cadc503e7de08e02efdcef7e12811bdae558e8718546038f72a3ab

SHA512
908cf8f4a60560a2ad5c85fe51c31bdd0e3845862b0ab6cdd9bf8dafc4c4b52b5a3d7d981864ceab97fa395e959f0ce6bcd99bef1d0d7864a51c0aa59ad24e3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
e5209b94753e58df4785795e966bf9ee

SHA1
fb60957a21445c2d5d3d619da9a68f72dc9288c5

SHA256
f0de9b64eb7a41db22d0f65b1b835a9f9ebaade5496348f6710caea67442fad3

SHA512
ce8ff87caa1e2adcd242d359af6127ab880912164dd71a6d8062bff43f572acf9dd76e56e89dfb599465b5db7306c257d280fbca9b4173f93f3ed9bb1fe72885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
6a6e406376c9ad0c827563a8eecd3b2c

SHA1
05ca2f37f37ab3bbb8d931fc6d17a5299ca34981

SHA256
d554fe49b11cf48ce5c862420c6244ea6fc5011aae146f5dc9994963c2ce5218

SHA512
36fc32ea412d9c33bbd31afcf6c7a168bb7a3c4bb2944122ee109475c5c7b6abf3a26e358281692794c399e490a34fa053120691e1ab06ce97c3b4a9ace1f928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
27648d15a7cf62a76cce2decf5945307

SHA1
08cb9bd78b722f4a9731f0a0e617a9357b1bf95f

SHA256
4c199cfb749aa02dec96358db159b031632ce83edadd18d0b6d1e7b56a5b53c7

SHA512
eb941902038d207f4bef01ee3d42faafdf5e5ee9664e57f1c77b20176fc800ec4b51951386a383a204f60ddba5b7de54ebf62e5c1981e4475c7a41ac209f52db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
d8db1bc79f4d296fe8383d708d662d7e

SHA1
31a14a3e0aa4eb616c19accf6d22c7ca4aac8264

SHA256
00f9b20b8e82a4a2bf8a7588508405956f57806ccdf726ed4db88f2098e5c715

SHA512
7ef5135e43a438fb05d99a2c3dc5f60234f8d57f0db2dadc1ce6d94d18ea71d6deddb7d93ab55404b5fb143622139b7eb9e2bcba00cd0d8e5da24ced79c54b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
4d3d33453f55572a2a3d2c2c7718111d

SHA1
90e6345eca3fb45d1eb6c6145e0c4d3de3824b74

SHA256
a120166edfb388ce82901c0c14af536e33e644c9d3aae297c5fab9932b8acd73

SHA512
ae6c46f09160a64a90c01547461f9d202ed3d9dd416b58d1729385619fc0277a38f476aaa36d71927a223860c6972ff4589e2b5799a4fe72fa10f5ddd921d0dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
49e4fedc33af95e5e6a9f22aa7e89ff6

SHA1
4aa7e78dad305b8022228b1fdbdf0f2023a78584

SHA256
6354c95eb80d42ef196e5b7781193ea64125cd06ac2302d96e05bd4850172599

SHA512
f70f09f3f4ed97060cdf611547813b85bb4a12f4f190f0d13d308e57ff35d25a8761e0614e6c504435d7603f73d13c767044f50ac241b88bd4ad3300300c14fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
a9cd88c402367f1d7a777492c005515c

SHA1
af54b8fe4ca1f3faf51c10ff1a34b612b31e6986

SHA256
dfa008d226994bd31f71cfd8d8e23a94dddea63e0f7f50323e57927225ee9527

SHA512
644042fe2a2a20875514f05f09fe9a6977195de146ccbdee34c7b9739ac762179bd190ce8cdc9c5ba4c4718dc076a68bd49f0b2e6beacdbb29406e4aff7ccb01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
166aea3e8d06af8f845b010a23f19f35

SHA1
b265e6dbcd111654b384bfac1c5e14adf018a47c

SHA256
8e02574387b8effc51737ac5265f9b747e424d8506df65dd2c38e47f4099449a

SHA512
fab34450738a8bd3de655671634c03c02fbe2c2f39125e7f99b093a25859e387c37ee9ae5764b423c4e26bcd1c2f94196d0a8f2eb45c366df2611557f9e5a2f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
93dc72b18618f7f7e51fee9ea0c0cb05

SHA1
616a604b75e1c35785549bb1dc7cb2952d7c1935

SHA256
0598a7ef9e1e15e2ff4aa31310ef9aae7ea4b422000d0ce8e5e96691e59895f6

SHA512
4b6d73c17ba3a33590fcd3a47fcd2ba62abcb4e33eef08aa27b46ad590e895a095a93e2ac9974a3fea27939c0482c261607efdb8d6c149a658166481c0bcc94a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
f1268655996e1394fc5f6c9bf44bd601

SHA1
d839dd5313ef8a188a2e250ae6d6bf9ca66ca1c3

SHA256
7d6ec82d60a4e6b835265bef69ff04b8ebf4d52314acb6da10f06cbb4d8e8d30

SHA512
e334dde4b7fe2ad0258de41cc2c9d9c435d275701db4641a6992d3a19042004353d8a139b8ba135609e3a0098ec9d812e53547b865432e71a7b48df465060388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
091e727437d798c6dd7f2239afb88cfe

SHA1
a1c75e4f2822b26d87613082a6bc6723bc3e183d

SHA256
9c36cd24a464239d6cbfbc939bddb8464703f15a6f012982b7b3c4cec57f6161

SHA512
cb002496b51741f1394d896466ba591a1c10b8d123b98fa3879b74d0be1a0595289989a40c890ddd55df65a537f4eb3dfbe68e00852a4f3ed8b0c2b383f05e81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
ba3235f4a25d2f999c653d1638b6bea6

SHA1
c512001c913cb4a492a391d594392931b7c0b722

SHA256
2127862b64de16576f4485b1b1807cec749dbaa3b39dd74498f4380d6e9aad9d

SHA512
a6dcaf2a09515ade1fe5451ac5de96ebea4c1c1b30a70376d1de7b083945701c82d2fbdc967c8e49687cb3a2b77948a0dece976cf507955f3b50dc92b406246d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
e3236c6ee3bef60699ad17beb9c74cbd

SHA1
a049dea3ee743f0c79920f2d4da2a90d4e743158

SHA256
c064fcdfb4cf26f443f4e78918b2238f46e7a9d3bed2126c1dda864ae39e674c

SHA512
8b6c9ea74b90114a76aa89eba280221e50eea0898c52bf9e791351bac9a90b7e0a664a5743aa3523b9b0829545ea32cf1027307e0b54fd814d21a6636f549e37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
dda1997836f65b3b07ce5b7af50d5b79

SHA1
461201b6f958cc21368a8fdf055860078362b539

SHA256
8b5e80d701cc7fe892063e8417ff5cff28b869314c69d4e0bc80535797d7a119

SHA512
f751715e830f168134a8b913eed0951db613fa91104ee44b1eba7c3dc993be38703db4adb76e7054c05176659c05dc5ea53ccf29141b3ac7dfa7062028f08308

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
965849a87dbdb3e0034966f81644de28

SHA1
af5cd0d71659bbb27cbaabc6962a97007818b667

SHA256
95625285ed3808d57f5f96c1606ca52aa4c520932535c201bc8965ecd834ec7c

SHA512
76b56fb328dd3acad16820e7bc4443b579b35f39b02baa34db121987bf65dc84b9190a399a8ac0e9e1e418aba03e118eb2e486671827ea25c0cfda22bbbaf97b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
d5217c6a875f63e9b7a63c6a42c40e06

SHA1
1f1af163d15bfd206ea79c3352e26516ae4d1f44

SHA256
dc19fa36222cecc1490b8e3dee8eff1fee312de8f30fba835b30847bf2e4bc3a

SHA512
5864bed765c762ddba85c041e32e55382492e546aefd27e65c7cce36a36a68b44a6648544438bf2af91ff20e9fc8f499a9d737ddaa81d60e849e41d470c4b2cb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
47e8d893b94be3d449d19ab7272abb30

SHA1
8998ae39962c6151ded98bfb94bf07d1288f82f9

SHA256
caeac286df9a5669a70ff88e47e74033043c26a5bca33e7a75938fec04bc23a4

SHA512
002e956e817df995414743b521da125852030a638ec1d529303f943b8e2d0d2e1002ec7f32c4b62aac06c18af0842ae032b1812be2c8706ac3f3f37a9806531a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
5efbf72ddde0b29bd093a2a12d2d89fe

SHA1
4a37acca504d7f60004e580cda845bc0f61336fc

SHA256
f42e04fb08411c0828668fca3c88e50a5a067ecd1808dd0db3a2cac00d7ca849

SHA512
0941e45919bb0a054902041c98d258dcb1055aff2013d86430a8ac059363c96334e5eb49fbcab8500e773aadee3d1ee799b0c1c61e9e37cd32fba5221b48c752

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
74726089416f0596169ebf7e96606336

SHA1
3c917ebcb083b3a4e58fb1d5418c247d36fa8b55

SHA256
e810f726878e071c7c09435581d74fdd4d08ddff7643f1e3ca8c9824e8f75b34

SHA512
ce8c747a33d356004fe182f123cc06170cac9a50d1c0b67b99b039345a7eb1a1c8a1966f4080e21df7e8870f5bf5c61f1af32a018b55d5a6dad0e66131180b0f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
414e1d8893545054f52caef3699746c2

SHA1
39409c12edc94131530f76fceb31ab3d2ccd3063

SHA256
22636cca78113d29678ed9d0785b706411f8fb1c05b4b68335c44cbc14620e7f

SHA512
673ed3072ebe20cfc2ef05b630a7a5f0dbd49e78ee924b8ac827d835176563708d1f84a0c3262b9cabc720b7602ee4a7754403933973ab306842b669402a0fe2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
5a4cd1ab99e143981c8c177759aad8cc

SHA1
5e454ec8001c62763b7d7af553fe5e04658f6a22

SHA256
982b612cd4e9f2bc3acead7e0acb57a88fcd75434038162ab9fce5cbe667977c

SHA512
f2bafb5c092de9c44ee702f8875a9af522278c02383b8263b8b9a4ccaf5a6ed454d21ca200b15582b418564ff283556a2196f3635c73f1692115e3db69cd7ec4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
22e4417e04b0651d8bd4d5044ae59337

SHA1
d6e0b998efb262fe9a10eb728011ae244d1a573c

SHA256
c1108db11142b2f490034ff77e1a5f7a36eed43d16def20685fdc040b13779a9

SHA512
e77e4517f790ac30f110a84916eba2af8e17ddb39ff47a5287f90046570f1462c2c14e45a6ec606b9b6d35c9b866e30fbb70b845a07f5bb211be1785065e47db

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
f8a2c693062ad884c46cf10669b69d0a

SHA1
124aead234a30779b71773949a5b0dee20374920

SHA256
c009bf8c42d31653484173560face179df904bf7d50541422e1460d41b1cec84

SHA512
6efde614cbd7b7daf03e62d3f5761e3962aad7116654256943dbbabb62d7baea98198789b70600b67fd5b55bfbbec71a5b2577912244c24650cb583afb4f0b52

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
fe134b81149f7e935aaf919576d47be6

SHA1
364105a6e05d1f40d7f448dd2092b4795b2c1d95

SHA256
484dcdbe6d482e25a5eeae5dd500fde74b41ceb51e584e460814fe66c7d6a324

SHA512
f149dfa5baf200f54f3fc646f511801406842babec95a8b9253d30721ff16367db623ae5d0e46fe600afe75540728f5f3016daa4770d763a136a7cdab2e81370

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
89644d8fc45c3f4e5e0ac24faa9ae680

SHA1
45e4df20bf00d29905306139faeab7c75585ad0b

SHA256
50ed96459fcb046411641edd0652e9caf96b64ab8ba3fd51beb28abadd4378c0

SHA512
ee8acd9c9079b20a0bd16a7bb0776ca9b5245133a107e9b4949b2a4175948ff862fbf6f742d3d6393c1a62c06faf4ba4b9541ca26a05a0b057241addace0643d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0342ea1b4326e8865ae47ca2433529d2

SHA1
501c7908a10076b30a4ccf2d4d53f877f55b0ca6

SHA256
b18eca328f9d3adc0965f4e1c40d7b82fff53a9e939236488cf64d5e303e462e

SHA512
aa4ad594e5df1583a7ad0dc1dafc6a533516fdc26521018fcd47d14985261676f65b242c50bb0e9e7f5f5ab32014199415666d4e29d729cb5d45e28d5173d295

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
602cb2ea32be6987ed6fbe30f92a65f0

SHA1
9ad33b2695f30e62c7cb2b6c8232fc4bcc9d6259

SHA256
9c0a9885b580fe695bee8253be56bfdcc1c39c154563e7d634394392bfcd1e96

SHA512
9032a279533ece8097279049f0dc6ee0224624032f493a25d04efd5a99c0bed0d84cdb699298c9cdeaaa37cbf2ac327db6b8e6a347d1ebb91b3c85809c729027

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1d1b4fab37a945791b1d2628779db4db

SHA1
2f5fd2938049d6e650d1aa6716b5aac6e883a9a1

SHA256
3c879c0d79741653139049388fa40a9a95d1abf482af73a36907711563d7becd

SHA512
fffcb9e12d0a9d1e9432bdbfb6a8d5b9648aba0eb15b31e7206225b4874ac85de81b26ba3cd1b162f75db2d0ebdd7fca263ed393331964aed6c20d444548715e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
f28dc8213db8ae6c8afe71275cc5a86d

SHA1
3ece66796b8a28ab5dbb04bd6c2947742f16c770

SHA256
03412433b748b2d97c7b42e66c70ebe5ff87d2279d97220f1ea60962b06c1017

SHA512
1283caec5a13cdc3a2f1a175c999f2d2dec9c6d3b665ece1e61d3def6ca246f78d60bf7a6b943652bad66e55806ffd5beda2b71ebb2cb47a4a0404b1310456fa

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
1c715a7f8f255d878bfd5dee41db95b1

SHA1
6c91c616d5601524e9c4787ce3823dccb3d05baf

SHA256
2e99e2d3413862e1efc9afcf9cbd85dc1bc4fc7d4a804346316feab1b7dbdda1

SHA512
f0f66e44d067125bd3568528e9920e00f55dacf0c6f61bcf50db412456824f32d757775fdfb004507e7e465a027890bdc9bddd9a6d41b65c20f79bebed4f73dd

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
45cee206d4ee540e26fe4ad01776029e

SHA1
0859a4b4e7649a19b7e5514bead3d500d244f6e8

SHA256
32f3cf17432a825ce63ecb486de91a01abfac4a472f3af975cb64a425bf32a81

SHA512
dd3337486cb715a8f8f0c36791f8bb5e7572e17e41c9034d7fff88a5f241d433f35228820d4d8f29700d8261255abf9b3d39862957bf6bab2dc2dffa1959a343

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
1e756e2040bb509dc6707478f3518470

SHA1
9270cbffc418917a17466735c3af6f4e814a961c

SHA256
846089b9746462dbe45a2b3448c405da9b93bd2c96c3291eea3017e85575f890

SHA512
edd2b8fa16d199b006e235a605fd01a8fb47471836301e08dfc08e57328245827d16f63d659c71c251616277d27aa0725be8e670618e4c482bce772a9da24c46

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
113fc0597d52be04402ff803965b6e00

SHA1
53ff4d58ea58aaf6f2024fe9fb888e40e5ee61d9

SHA256
963e3034617537d6e87126c55def4141653974016c7e73e1cce08f459506e905

SHA512
0cbbcb63831bbf9137856fb97480cb7d5f09f837edc27ebb1c5bc1c7159ba48434bc849cd5a5ae297a12ac4724a21b0ac2dee083ed47fd7e12548544c8eb2657

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
968826f489f62475853e44b0bb3c04cd

SHA1
9837868a76dfee8d22f99693cd3b1f34994dce60

SHA256
8e9e89bd3831fd7ad80db313791d6e15ff0263d2cc2333d380a20a9aaa96cb6c

SHA512
0f92fff8da815a192c1cf2239fe9a8b9884061ac3522cfab3a5c1b37a73c17bb29e15232cfd24d4d4f4acdd4025acfef9b93ddbab64e194a6b403cbf437a82bc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
01dbb2329cd97402241a140cb369e829

SHA1
baa854a6e55e97034c76f7878519c3fb3ee3515e

SHA256
2fdad6130a81cc61aa8c4ec4c25587403e9ead01d15f49b69f1331aa1fa6523d

SHA512
0e0c0025b558cdb68827c5bcf8ad0a8ab9f7f9004cae03698bfae32ac439087bbd056bd4e137f464bcc644335e2009e139bef75230c7bd6dee1e884aa3eb9d98

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
0fbd115a44942cad1212acc3c114ec40

SHA1
990074306fcbeefa7da466d1313395509d9e7a8a

SHA256
a26ed84dfa2d2434f63346dbfa5fd8463ee504710aac96b62810894f93a6cec9

SHA512
b6e9faf76ee0a3d8867fe909fddec618fe6f3b2254efb7e980a5e75101d01ace762d32eb04cce372ba29e525e4338f4c1cdf14970afac1fb73efc09f2748749b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d030e6442f9b7b9e264b35a54c30ba18

SHA1
621ba700b2a926258513d435edceccbb635267c6

SHA256
2e9d15c45e852cb817bb7495882694bb5d858141bcf9992cf2068b589d7000ed

SHA512
5dcf622b606bc190f67d4d2a5facb72e95bbcd5621320aec7e0e4aee743c65895dd1711dcb832a07c9bedfa59d3a5b425950c3b3eac00165fc838e3051629ace

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.6MB

MD5
7b5324cddb3df1884db1001cc1d8034c

SHA1
36f25dbbd96b5f02b4473d512f2cdffb4688a835

SHA256
f713162ed972b5bcfef0ab98e021fcf6fff467e9e49fdd8b2a743607824371b1

SHA512
0c90878bdd5fb934a8b0e0c720481b156c2b371bf85cdc48862f9fb795a9827c475d0f52d0cc5e653c89470101f057e17c525f011b187955bb6de877daff03d0

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
e5077a1e991cfb0a954e21969576c814

SHA1
68e4ea9fe0a2e9de40f895341da6ffe10fc467bc

SHA256
57f71ed51a76f1f9c43c72040bc309ab5c972593cd98b8fc383a0887acde11d8

SHA512
009760cbda6cde2edb405d1dde309b7637cd25808eabe8a6f0166190e09720d596cbf2f1bc420a8a275f3ba65f066718230e0cff8c4f1c12389f999d8cdbf882

Download Submit
memory/60-645-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/60-261-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/228-638-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/228-195-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/320-209-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/320-90-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/320-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/324-540-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/324-168-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/336-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/336-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/932-186-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/932-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/932-73-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/932-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1136-83-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1136-86-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1136-81-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1136-75-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1136-88-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1440-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1440-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1512-618-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1540-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1540-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1540-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1840-103-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1840-224-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1864-639-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1864-198-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2124-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2124-20-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2124-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2160-136-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2160-248-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2724-26-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2724-35-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2724-34-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/2844-236-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/2844-117-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/2964-139-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2964-260-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3056-644-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3056-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4036-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4036-49-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4036-56-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4036-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4136-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4136-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4136-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4136-62-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4136-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4400-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-8-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/4856-0-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/4856-102-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/4856-1-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/5216-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5216-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download