14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
Size

1.8MB
MD5

f1fc71cc5fbcfdcb97c090eb2b6153db
SHA1

c711ed11593582be620b5ed4dd1082239920a815
SHA256

14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab
SHA512

5036ae1d77d295c90dde4f21bff99383b9ffd2578bca4af65c2f344b3cdb15d0d2995b14b44fd4b6fd63cd404538304d3d814b8cffa552ccd7a2425d10b9eca2
SSDEEP

49152:7KJ0WR7AFPyyiSruXKpk3WFDL9zxnSWw/3FPfUNDZ4:7KlBAFPydSS6W6X9ln0fFPfUNF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1748	alg.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
2236	fxssvc.exe
3816	elevation_service.exe
3532	elevation_service.exe
5772	maintenanceservice.exe
5336	msdtc.exe
2412	OSE.EXE
4708	PerceptionSimulationService.exe
3192	perfhost.exe
1144	locator.exe
2892	SensorDataService.exe
1432	snmptrap.exe
3588	spectrum.exe
5328	ssh-agent.exe
5456	TieringEngineService.exe
2272	AgentService.exe
4812	vds.exe
1928	vssvc.exe
5756	wbengine.exe
4960	WmiApSrv.exe
3016	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\System32\vds.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\17282c4dd590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\vssvc.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\spectrum.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\wbengine.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_te.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_fi.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\GoogleUpdate.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_sr.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_cs.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\psmachine_64.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_no.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM86A5.tmp\goopdateres_ur.dll	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000115e392a78b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b2cb2978b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f79b12978b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054659e2978b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a48bc42978b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2c7a02978b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088d9d22978b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6edc62978b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088d9d22978b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3028	14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
Token: SeAuditPrivilege	2236	fxssvc.exe
Token: SeRestorePrivilege	5456	TieringEngineService.exe
Token: SeManageVolumePrivilege	5456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2272	AgentService.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeBackupPrivilege	5756	wbengine.exe
Token: SeRestorePrivilege	5756	wbengine.exe
Token: SeSecurityPrivilege	5756	wbengine.exe
Token: 33	3016	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3016	SearchIndexer.exe
Token: SeDebugPrivilege	1748	alg.exe
Token: SeDebugPrivilege	1748	alg.exe
Token: SeDebugPrivilege	1748	alg.exe
Token: SeDebugPrivilege	4768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 5888	3016	SearchIndexer.exe	110
PID 3016 wrote to memory of 5888	3016	SearchIndexer.exe	110
PID 3016 wrote to memory of 6136	3016	SearchIndexer.exe	111
PID 3016 wrote to memory of 6136	3016	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe
"C:\Users\Admin\AppData\Local\Temp\14ce5da5bb96a0c1edcd41b128b3ba4eb34743242565d3ecf300ce3b382940ab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5336

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2892

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
82b079fb17640a9e75d1c09f9071ff6a

SHA1
7ac72b33a7ae6c3796afe147f1857675504473f6

SHA256
3e8d662d58c7838d91eb36265d7bad6d1387728e5c6bdcb7b4299558b2c06601

SHA512
dccd37be4b35a1247eb6a7893d5688838229dbb26ad8dcde94b433963a393f83f40bf21564043a46882fb87c3547422315da5b10eda98ca4445d84b3df6117c3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6f8b117c65fe662203422c6f28d02426

SHA1
666016816402191a20063a573a4a9651595a7680

SHA256
46a156fe3608116ebc426848585340bfa90e7eee48e1048e8cb5468508ad3373

SHA512
6011a295d7b6c5129dd378881c901ffcd0790aa12369d341fc4d119f808445a6c2ba4726477268483b34e2e649d927b48392e22c03f888af3cc7389b56625d0b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e20a60cf1dbfc54b7d3219f039e8064b

SHA1
81f81a5117e62254a9054d9adb70165ee2e88d33

SHA256
110cab9385849c1f6c96a9cf96edc44c761685c39cec831f05880888033479bf

SHA512
0e4cebf7c459d87046cfb0d1ea84027c12602774e7f9bc1d7f0ec8a06cd6d887288877a48804e3b3a4e34317886143ff5f953111dafa46ee184869aa1fc83213

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6fc2687ba85d44e7e9aba15349032275

SHA1
5e67d5590fda27ffae3317937d5128f81a5b6f37

SHA256
38cffa14616548792776cdfcdb60985e9aaad1a5446024910a7c89933dbc6c61

SHA512
357fc9468526d61533900804d4e1cedf968c5046741417ad73b8bdceaaf709d2171107d421364a8f3ee2301207ac9130470233981b5966826a7101449ed59779

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b167a5b081fafd88623472b27ca38ba0

SHA1
5bf91e64a610fc596dc4e4242699c4a389fe71f4

SHA256
0de4536eccfc056c0c138f32b18c77335c0032dfa984fe7794a9c59e3fbce53b

SHA512
2dcbe675e2d453efe230f7f43a2b2eac96bb9c56c4568902b64c31e604bba53f288d5e9147c9ad5e523f21f01114f31d7a831b39d8ba8663e57dc0faa21d006d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
397dff1c60f3cf6e4966a16271c8da03

SHA1
47a1a075938bfe74e445e594a05534b68336a872

SHA256
a399f58f3f47a8b521951b3d9739c0e7f07035dd0a752c3e4c7244376d1d29f5

SHA512
b73b55b752cc3a6b8b8d273ee44e23dce4ae4caeb554e950e4964427470447125e70bead0fabc8f42a5dd6e3f95d062e5e4b3e4e255432698583718df7127297

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8612f26518ac32ae4eb7661baf32c3fc

SHA1
b6744ef6ef0d5a1ed4a245828ab7aa671a3eb628

SHA256
1b2ef7f7fa86a5b32c7d745023c450cedca2b44f1686db7dfcd0229df3efaf57

SHA512
9479a139726e62e95f00babb9cf844e12dee1fd1f81d3ab7a686e2e8672b99340f003947b11413f669ea9ad94f866771ed2600c99aefda03a59f3f0a73cf7125

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5cef41483fc40f4f0d22afd163ccbca1

SHA1
36d985a6e6af1289c80c0344dda4bf5062a99407

SHA256
d96c1b1919a5f1dfd92a93646c7d73f49498354b14c92ec9e92cdf52d0ffa79f

SHA512
181a79ae36afd1e77c0c96ccab0005145f350a943a63b0d876b25b4aadcc3a1de42aa26495a74411bdff972e5f2a469339f87480c23b52726f39dfcc8df742a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c00c9a9658a0c695516b9ebdaa038b0b

SHA1
636f119268f6d710a7a612572a79dc99fb6f4df3

SHA256
b22cfbf3e23d1d8e473e49853a8f80bf109d30127f269bca1632f460234fe446

SHA512
8ee6f86398cd6bd1731288901d6f7d76e46f055b37db3fd58358a8074988b724344342623c2fe812a534ae5849f587f842787499c4e7eb449760d7d4892878ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
350d3778568cb346e3df530e2d71eb3f

SHA1
1bb51c6918c4e1e9021b9ea8eb2dc23e59e55c0b

SHA256
d0673019f6cdd9081d641ed3fead5de0bd74928b877d825eeb24955bc0f9bc85

SHA512
6e696f9e6bfd46e48becc92846e2c3e4bebbf2cd53026946e1defcecd6aaa51858ee74c16c0c0f0cd7d65df066c4ee95167bfcec5f9af755bea77693326c0438

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
551e033debdc849c92ec9e3f258ddb20

SHA1
fe76e4a952ef6ccdae5e4c83fcda13ed507c6aea

SHA256
8d30831a9b2e432ba1457898c31276cf210a5b83d2541ecd33775d093ca11b18

SHA512
6c6b7592ecc9923bf26f4e63f578c11a8460804c6421b6187a863da8a25717af085bb508f9b198a49628eebfaeada9394974ba3ec4094e04677cc85500d4dadc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2fd5f2a2cac1981c7035cb2fdaac3b9e

SHA1
ac49574f91451e91cbb23a12b82a245febebc053

SHA256
5e4560a9afcef6c0baeb76cec5c907e05fff20bf8e3e68911faecffb0df70a89

SHA512
1fc7cd8cbe8acefc5cc56aa3cbea28bfcd094274c8a4232868a00947c202fbdb01010f3eada69b4f782c7afaaf766ea2c37f4f1cf67098099969fa0b641f24bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5e248f903025f5aeda4f44d31ea37999

SHA1
59e7b5d89f5a0dacd147ac60794ff00dcbb2a509

SHA256
01f49d193e8bf264590abe6ec25324b2fffa56555ddf4166493a91d1cea258fe

SHA512
d936749fb9bbb7f4cd12e774a3561a7bfe873c7546b3f371ce502bd8f190180342073db40ba2b6e235f1a1d3e8629e8c0bfec3d9c97db1fd6859a11d4933a188

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b28bd5a40e476d3d55e3625e2d54af4e

SHA1
b1fd9b5c0f6ef184e52667dcab90b8e3b43c532d

SHA256
4aa3670535f885c8c8bb349713036cc640ad261d276afbb1fce6702399ca2c14

SHA512
b41b4bd0c727cf25007887157869d2ad251afde1e796e152071e8b9f611339ab47985d8fa4312a6422b8eacf49cac1b0cf4174ba8f5003dc9a3e3e83f21120b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
37652dc968a04f7e93e135413e5d03eb

SHA1
048201f7d8118f46979acbe426f14983088b6889

SHA256
25d31ad6538a8412d583c1bce35c29ace16bbfef431af1af3ff146539a9a41cb

SHA512
4323a045bf2c0fa214c39465b1c8fd02d2c960a249bf4001daaabdc7c8c2605392a1894831960dcdd99964aeca31a2097787223ed556f2926e15f41272886cdc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
53dbb2ad9f24d5e3b33b5428c891dd3e

SHA1
22dca9fe9be69fe155d6866b4012b86c5767c4f4

SHA256
afcfec71aeb3593712fa3c76b1661d1207d06fa22537e7af91b8cb30e1f5147c

SHA512
e7889578d6c33301cb258ca7fe4e37c68a4a1168a73a6880fa12da439692c4b8716e7a8c4ceb4b1a208767cc326a67ebb68092cdd101f107bd885128293a2988

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
363d3dfcdf82f3629b30dedb61b48269

SHA1
5b722246dd0c6cc6cc08be72f56ae3acedde1887

SHA256
965091bf26b0c69ac9ce92d516f83edcb17b5620ada994e22a5f1b79e89ea6df

SHA512
8b3f4fd41fd7eb8e7a61a1fbc72cc4d2411acd569f30b70059b76ff611c6c5e1ef145ae7d58fcd9af9570c3b1f53e118fba7b93548b949eb8e682f8e6b721a6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
04f74fa0e6eeb9c0deee987315c88bbd

SHA1
ebae77767200056e597f48c3eca6c272db42f6bc

SHA256
4bcd935433a64e512dbebc28289bbfbd41b1fd24e64dc1b227ae9ec06d436980

SHA512
c81046b9fd907e8839778e85b352ff8a86b74c920d25a691238995103f41dbb4ceb15b0f6ac86e24ef4e29469af09c3136fce60ac2205f5d92e98146f4a8d86d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5ce8667e05798183dabb823d0861fb82

SHA1
0c1e7b2275efcc2141ba904365e2bc842e0f8f61

SHA256
b5393ac126decc741ec9e3687ba9bcd3dfd68108093173f00bf0a6d48d639933

SHA512
70ad5ab61ebcbd2a2887511739eec6adcf76e7257b4b8a17c1f269f64f9059d4021b640e5546184aafdbbbbc2b212dd81665165d5b6dcd3894f96a5341257d24

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
075e2257c3cec762f39766e25b64c567

SHA1
82a59a2f1f2d007364c2c09f856e4a109c7efae1

SHA256
8b25f580ed4c72bd3b6fe7aba3fabc0d1898c16737431c9f32b010c7017a6561

SHA512
892c410edb3bafe76587aabafa3114d157157f7e60fd37aa67194190447d3476797883dfd66cd83270fe87bebab08babe23d903c12490e1699820c6033d7f4c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
66de0906efa3deef0ae100e0a9560cca

SHA1
7784ed921573106975a9212c241607d04e3f77d7

SHA256
59a5d44766a93f962819a92ec0b10d4c62f8a30ebf15ca505a5e3ba9211df309

SHA512
60e50af482a0b492d8037ca6f2fdcbf831c52d5417a11c6d878d5535943f3b0b081165515a2052dd38f71c00872114a1b0855b10ff1009ba03bc022fb5e0a4b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f9d90b87eba629b084dadeb81c01f431

SHA1
9cce4da93fac1e2068aac8744d03c68a086c6ed5

SHA256
56a9799cf0e1358e1a1d7185929564ca902a965b9abe90ee0f187f7c49cd18f8

SHA512
bb4a6b7a1d38acb4b8be9b1a56830bb3434e9878d85944baaf65dd44b6197381d403789a59d877ba44fc047d20208962ce6fcbd5e941fe66c6b2315d16712727

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
82f3c7fed88cf8c389780391dacdf12c

SHA1
94983ffea6cb9d0969475a3dc265af1e83a18be1

SHA256
b9ac16e2c46e08b5d2d53d735eb07cc51e3001a6395ce46fba2a1feba5779c63

SHA512
5589ce7e3e4f6c3b04336c7a62077d4967abed9f7442730511d569bcba781fcfd0e2d0311dd33d034e161bbfae6008edd11c78a4e482c34beb54fc5dc635a8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
09af0b98854c81a70b5895fef96aaea9

SHA1
67576003e706b8ee3481a3f1b3ee04035a8df025

SHA256
90e799291304174ee65fe64336dff5e1c86c688f4a1dd6f951c69cb0797c84ab

SHA512
7ca4f0c493c96c46db0889f3335efb9fb314a781b3a9a28165e50efc1664d1b9adf3a278d4cb8c088bb73e60cc80f77ef872b0274c0391869ef179ee6e2615e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d0478d35c12f32c784c6da038de79bb5

SHA1
835ca898b2c7688b285042aecfa14e52fcd61dd4

SHA256
16f4087a99bafbdc61f404321fdd479db5556bfc4530b8405e1ff362281e6d55

SHA512
a1ea6006226da535fb79d31a35a7095bb648a54d58139c43d18117ce8cf10ecd57039609d139bd4e8357e1cead0c3fc080aa651de62fbb7f88cd7ba4fff601a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
595d7c4e66cf4ae154fcf8f38513b800

SHA1
7ad5b7d87581d6f5acb57f66747f3ccf50d8cf1b

SHA256
ea4c05062a1d660d6edd4c66ec194c3524fb6db71f228345423026bbe0ec936c

SHA512
3524cbeac362625ba3cb1b5c2b5bf7d2389ef934d95cc8dc6277d74ccffac4fc4925d151c9c17a7cfc1b71258170cd83f8a8350cb7b78687c65f95aca98a13d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cdae2e66e6af4530a363ac894b9b1141

SHA1
ec48c48e3b1eb571ccba913b157dab49f5d73509

SHA256
92c9a314d8a613e393194781432ecd32fe7dc40aca303c86b4cc352377ff08b4

SHA512
04508e147edddb3473b1a0ff232195f5558e89a1458c836ef3c7c702f4148d586e4ee2aeff7904c3e8974160aa0c0ad4c860d9e5aef54ab869a4b590bf775587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
64f515acd816e66130971805067f7b77

SHA1
63e1717bc05abf4a41fd6a3733d16a2995a3362f

SHA256
98d11bfa856db2c3d4a5ccbed06dd402d7900ba75f8e06e9269b651cfa262537

SHA512
9375447fb53ff585aaddbc6be2bf8a75515dac0e7efb9c120918d22ed2f265055a7b67b324b08e45b2a66086c00034c28805b100adff677147941f8f26f7fff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
aa02b061428b0fb5411b40b605675ead

SHA1
f6350d42d996be1a0acff0f7b50e12c09fe6c4c1

SHA256
cf42b042026ca7f1c9c8909f20e70a9cac8728fe95a67534138370af137fb5bb

SHA512
62fe45e52640721dfc9e6a65952b0e26ad9a6cff0c5897d10fdec33c15202ffd4cc1c4fbd7131d732d0fc147e33673eeabcc1e74e216802d0e0a3462ea90b66a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cfa9c63320c0edd00b3e9b10911303ef

SHA1
2951d015ac2764462e6fceec0c7102ebc3195a07

SHA256
63f294f79456094508b51a559489d1ef59c1b6bb4fa2ab0ccd10e6ca696b0a16

SHA512
2a2b88914b3bfb722e2e56da4d9cb910118591bffe5a0c812beb971bea59dc9faaa04654a037da7c3fbdeb57c5dc2f91f109317dc4434a56397cd8c28f526db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1669afe3bda7d24765a1b3c1f1ad2c3e

SHA1
5ff543d0a422d6f664287588268c25b0aa77f2ec

SHA256
7f64c22febc1fb609a3718eb2e1e1afd52395700811ff2877f2f74dfea65ad64

SHA512
4be5267744e9255e9811f24adbb43f5a32b4cb7a87c697a967cdde6e27ebf429ef2c20b3e88efde7298d5e9ca66e7d09ddbe15f25b9f7ac7d0d2280ef89978cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3b18fa98f957ca8809a48e16edbc5df5

SHA1
a3f1b8b98e2d7efc98260130284db7fa0d3bc4a9

SHA256
62b55913b880bbb8e078f071b14bb4b30071cd6655bf258eb339e1beec7172e7

SHA512
487eacd8082d8fb651bc5f4f60ba491f53f3372066262f7ffd413523088bda54097b0c715d519aef4daab668744c07a4451450c6abc3732eadedaff3952a43aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fb21703367715ef0e51afe948a960a02

SHA1
a194ffd885f8f625c1128e40c0f9f440cfbeeae2

SHA256
44860ce99684cb894040d277b963570e3f68f3b58a9686eadc8928fbfa4983d3

SHA512
74279b33e5edd4d9d68a4b71109a8519d494898b51d27c21d2df280ca69c3d3af5b6c2bd66d14ce013ec31290cecc1e221392e5b87d674ec03ce1f3fdbdbfbf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f045e4b4902fee79bc769ae62ab444a0

SHA1
e7e2efebb54d82c976070319ef24e8925af9dd2b

SHA256
6a51e49cc495532a697f25606a7b630c2586e833123d323ddc5bb169b9675cb0

SHA512
73a8777f16c1d27a602e54c24a626f14c6f3f3f7dc968741809bdd6c8ad66df2c57bac24c6f792533805b2d1e3155e4f22ed7dbff7f85a63368ea7a557330aa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9ff88cd251fceb3b7b7b53bba05ec2b0

SHA1
5e94e8789395d6faf8003c50d9eea300a660e750

SHA256
6603bf58ba340c267518aa7d59a59461e417713829ac8fc0405f761c616be6a3

SHA512
643222075a90a0e9400b9bb268d5f189201a4706e6d2d3365175f1b392c88bc80d7f6b30bdd0dd43a2c40bd4b9dac43e572c0007f039f2b531321791843052a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
053e1c161d070e6643ff119575cb3b3f

SHA1
3735b649dc25e84723e88b073b972c71381b3893

SHA256
32499ae41f4002697c34d0e855070ca6984c89c0784426e8439efc8a8ae2d742

SHA512
8455bbadf8806f21d0676292f4d532fd8e6b72b3913dd82ca5267804e346b6035bcdccfb6aeae0d0f124d7767173f7c17ed2692f461467d8a3a3556ce6bc89bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3efb7b3a13771a998a94a427440058e3

SHA1
216312e59e0b15153eff46d1831d1b36ddda0259

SHA256
0607f23d9f64ab2c88fa3996a2c4ae6e9aab4b897a28388cd91cfcbe92d531b2

SHA512
f2fc353c16dc9cf4e8466c0cf589b499e8655e370e2465f5eb188d9617229157701b40a20df5de63c0591d861b1175e87fd9624b061784c992ab1fc6d81627ac

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bd7a76b03a19d42f93e9cfd724392664

SHA1
81895783c68e50bd8c1093e5b1e3d861232efec8

SHA256
841e9ff74c211737fec23441d9a6c54cb06e33a89e08895fac369756a8492764

SHA512
a2e262d8d2da7798f78ec21bdca583caf8ce829684c6e2c95d9e4b499347c550b3ea6ed977d6be1452e1dd0e00883163e47816e974861d72c957bfe8065d43f3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7c985c45bd9bba45c7db1759856d2b72

SHA1
3b39e2284ebf0378143c2adc64391017ff3d0e0f

SHA256
d753713405e52cb882313da19e1c919645d2faf78c3662044ec6fe6b82ed38f5

SHA512
3ac0b525c858144fe0dabfcb18819a446bc98fe3c9988077f175c810009c9ac2200e0472c91fdd5affd8c20894821ede071d6df83b1e61bff9f68392746fa2ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eb3f07009d85e1d9bca3413f6336024f

SHA1
efad958b9ddf149443b889be2bf4985b53d9b145

SHA256
3db923e24e91654f4d55518a87b6d56ab206b54ffc1e4262f97837a995e815c7

SHA512
4669a4e0e6ed183674fc1d2bea687c31302286287990e3c406705994cfa734131c47f354f039d855b2654b3e02462be36a1cd4067194a1f6d2a7c83c5480dec4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca2224f8d34f7ee305a6e10392bf1737

SHA1
d92829275fadd7e24ca235161340f44ce8ffb166

SHA256
2f215d5c35b7890746bb77d11b8a4f29fd2fdc277e93dd5dba2249633c79c651

SHA512
c9e2f7d0adfc5c8ce5b4f5dab1e7b726d7dcf0b24dc9822c7a164f6feae9dbaaa7c5ef0f2b002ca2889c398c50113d02360c6bb4d12ab69d30be4841b4ffad75

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
345421c30fb9704d6b3953056497df8a

SHA1
5a9c8e6cddbb051c951bce9749dfdd88294d8768

SHA256
e2e74fbc6db456601c69a54f4fd336bc2d726e10f774deed91fbe1c8de04c5a8

SHA512
92fc7843cf75a43fa102e7f528f82e01e51c2646c21bf3c4163505718f39e7c6ff732ddba2514a661001dc26ad6e49fb114a3c7a68a9f2fe6633937194a9ba4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
422f00fdc7e7eb42c07f7db044c18102

SHA1
891ceca42338b9f04067f80567378dd258c8c301

SHA256
af26e64a27a14684bfac18801119e8d2007705e88346332f956af3433b8188df

SHA512
2d8f269416107b7692c452b7b05bf29fc9cc7f5f65742b2fa8e857d6313966e6f1413d5b69ea08f38e074819880e1acb20a7ad7295b6d9789cfd707a4c8f4c7d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1d44b68beae48217ba0beb58abe2b44f

SHA1
b7c2f7ca4cc44c0e5b1d9fc1e5b81ad5053165df

SHA256
ca3ca4c3e88e430fbd796960a0a8acd40ce7204014ae31a4a201f73a08789394

SHA512
d8f4170e80cd89a4086505e97eedca49faa0b2de0dcc6d8033a90d57dff7068696f945cf020405f39c14fcf0cb2aba21386652de48dca3e321a77462c197d399

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7aaba6727eb6139c8d7734277997d12d

SHA1
d1666232fd1cb26208683a371be0e526dc191d27

SHA256
dbc142b3cc00143f6db1981f6f3c16451f24bcde6c4b7f41bbf8f25a7d497f86

SHA512
bd6af7211677434f1ce83d712e39558af54a3f10f9241280c306ceab33172589eb530600932fa64b6623f34f2a807814f89c8acf6d6f0f50c6ba3832e82b7198

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d8104d384c493cdfc5a6a4ef415439d2

SHA1
5591f0f8f67f1bc8c63f7bb8251b587105135ef6

SHA256
912b6a04ecd19510404655b92eda3fe91b0ee426c2adbc830ca05bdda7d128c4

SHA512
0c7c9960a8ec76d34978396caed5390470fbb6b0a99fc1e4420689a78ce8f28b3cc61ca486452f46436ec87a06b67de439fb49c4c6d20eadc1f0c08c6f2880f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8d73e01fbef27c71cc5868c1fa24b576

SHA1
46768440e64f3f39f5092070d524e73f754d0824

SHA256
25a6d3fb425cdddc3304d292dbd6d2048cb552a4d74764e02df724a168141646

SHA512
24b8a81636561f729fb6720dfd298b8d2b946d20f75a92543158da1345dcc374946bd747ae818ea7851dd7689cd42a45778d4e90505de78dc9ec187494b5de8c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1c511e821dcb795c71fd3a42cdcbaac8

SHA1
ebc802f42d7062d97485d993a0f9b83420e9e507

SHA256
b57b1f32ff634d260401c90780b103b2c9980ead141f05100f5176ed2413e905

SHA512
cb348f0c5506475eb2355cc08776742e8c1f89c2f60fcc6f7759935a6eb4289f2ff355748f725169c83aac4ee90d33a6d16773223d2fc635efffa382317d9990

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b54dc4a03e8ddfb0f003e62a27b9ae18

SHA1
83ff2edc8ea1f5d75ed6c0bd67f313ca19d3584f

SHA256
9468ca53eb9d6b8dc5780e7cdabd92e9c3fe110597cfd037b79c5419e74a4dbc

SHA512
b4010c2347b1cab0831b9cdc298076d1e06b7b304f1190eb3a133da2c673e72b44c3c961fd37cecca884d1639d869c742527c6c855c5728bc2fc6ad13be68cf8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3d28a1a7e5330e37aa5761ba9cae2803

SHA1
5236c58c1125e7b6fa874bb5f2c4a2c4ae39b229

SHA256
4c4536ad6efbcfbf89c69bf79ceaa21a16b8724cc2e992c2653a3367805cc4af

SHA512
b05b83c7121da4db16bad4b2e3230e556b8fa7af2a11a713fafab362df2576d12044c40fcd00050e0a2bc05abd2a097c731227b6bf2027047625d926cf9cf6c3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9c9c5e65239ed93d8b15b310c2c8feb6

SHA1
7a20e1cfc0cdbb50c7d1b522139f5f17de9477ee

SHA256
1f876370d58e3854a896b5c7b75571b6d09a16d1330ec334eaaa122a95bbbc3e

SHA512
92371da1536b3493b8b07fa0885d0f51c52ffa795e6aaeb2753f3deef1819b8297de3473b33f98ae8b3895e59a3434e97e8ddef27f7d0ab89bb0e4ebc466348e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cc50139830bc7a1b03906460d87b250d

SHA1
45824c581e1f3f5cdf8620a2062c936668ea8507

SHA256
c8e5b8b61a91ccd7e24eac354d47c6f248a4a959000ba906b8df85ad9c7ef764

SHA512
8eeffb758d14bb24066b0a5fb9ba90e026cf730ec8be6d3c43acf16514462574bb43fe030fa82fc29773989d7b5dcf20092c4fae6c745181284a7b3b8a50161f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
53b8f60626fba3b6bd5efada824feb63

SHA1
4c7fbc828891d2d3dcdf5dce78983b32bbc1cbf5

SHA256
7a6824f634ea79fdecfdc3145bee453ed79798e870601bf5609c8670c1695101

SHA512
75686da42bb4672df9f5f880b8ecfe203807dbb93a9933386fc7afc2ac13a80080df666377369dd219eb266a96df83162c6448769c1ace5affea5785e784cedc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
38c8dc6633f2d8644e3fcdc7c479c418

SHA1
6b5be18103f694844205f44ffe9837968ab7a4f1

SHA256
ac290c961a065f264333258324613db8d4042ea190b3771d0c8b651bdb9e20f1

SHA512
0473424e11b899ffef25b30f9880c42c24dfcf1599dd8f4a696d92c4dbaa43c69525c1c090d970df18457485f42c2d707aae8d019701c35fbac0b2ffed827cf9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef7cfdcdba3d8dbcda159db6a734da1e

SHA1
dfd0f7e3ae0d1d72af951598759f2e9f5abc37c3

SHA256
0d26ab70c63476fc9292c4e37d4822640f322946d88d48d1384bfdd29e677a85

SHA512
64e9ba8988d649e1d8b4ab8f379d4d845c47ec2753f7644ab25dddf833f7379e9e4d34f1483bc0a9e2f56b126044b22075148b171dac02f9f779f3d4bc223a5b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
350e12983e648abfddb537c24a393aba

SHA1
d0cc93c7e4025c0b06f051275309f9e12824106d

SHA256
36772139ad8595b3f2606d9d1329f90183d6861758ad72ec5aa73833786990e5

SHA512
510497dd2243799782800bfc1506fc0ae7d87fe5b536c81315ee4da4544d16e9366749a8591a1106a53b34538a69b2253a53c690c42014269ced5924be406c2b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b6d715a22d07f389840e4ce47b9cbf0a

SHA1
cfd27d6b58875a019c524d09696ea9b33c9804fe

SHA256
7afba2ed798c1686ba6b784897bc85496bbfb0cd47ea9eef0c6c82399c72bef3

SHA512
1b49bbcda40634d342863ec35fc9cd0e3ae27ebc06c98f96b96f1e9ad8428b03b0768830b1f021c38b845ea850cc8f464982de6914898655293ab5a473192963

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2f144d12abacd77ba0914175fccb454e

SHA1
f0fa117de0cc25d154d584b867863f969975edba

SHA256
9dc89839da1a86ce900a937ef365d66deba0074046634fc540a0ebe77897974c

SHA512
ea92261167e3945246101bcc1aa04267578254441f3e1bc7c48a6426bf40e0a78bb166d02ff58d0bf5a8b75cdcae23a57a3a4a95d6d6deafdf8eba6746afd130

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
18f5a75d3d44e01738b08fff6ec3233c

SHA1
8e1780c3fd89b8b666a97d0f17f98d446ee9f7cb

SHA256
065b1a262bb1c9171b67c4ee525e93fe307346bde88e2bb5197ba0d29750cab4

SHA512
77b1cbb086ad3ff6c508e3a6b2124e48ffc11c6faddbb692b62a942015eaaf3efb53164b47ca41bfa4cdddabffc4a2b279ecfd4fbba166f261ee6ff54b5b430a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9b9784fface431650b32705813378fd3

SHA1
c265013f47c237cabc5a7d268d10120d3943f4b6

SHA256
c6c4ed610308b722635332e4f2abcf6ab93937920fc19dda55da4e1d22c45ff4

SHA512
4f6776c5724f20345157e6e4d9e5f1db0bd157611e0a5d5f275d9eb613a423ec2c129b34b8e6a618425e5435d2069554d708fcc02c4456cb27195fb3bb9616dc

Download Submit
memory/1144-206-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1144-318-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1432-221-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1432-510-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1748-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1748-203-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1748-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1748-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1928-295-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1928-778-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2236-43-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-37-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-116-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2236-87-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-268-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2272-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2412-282-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-168-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2892-709-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2892-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2892-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3016-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3016-784-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3028-615-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3028-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3028-182-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3028-6-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/3028-2-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/3192-194-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3192-306-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3532-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3532-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3532-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3532-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3588-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-704-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3816-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3816-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3816-118-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3816-124-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4708-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4708-294-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4768-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4768-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4768-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4812-745-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4960-783-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4960-319-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5328-254-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5328-710-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5336-166-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5336-156-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5456-712-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5456-263-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5756-782-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5756-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5772-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5772-147-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/5772-141-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/5772-152-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/5772-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download