fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
Size

1.6MB
MD5

a3c0d1b7fc5bebd106361df406f34190
SHA1

517a7663c2bd33f3e44a5d66c42351bd918d6cae
SHA256

fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0
SHA512

baf061b03b36c6ca5e368c1d47dbd32773bbd97a4b8626657205179690783fb92280205f681e0c103607e16e8a3e4330f9c28c2a49f9ed32cf21fe6109887eaa
SSDEEP

12288:TbuJ9fcXbz0TfxSUw7UbwviW8me3f8+K4ue61E1AsTwn4t9sjGIB1nWWcXlP7G:3u9fc0TJSUAUbLMevZesQ4+nOXVG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
688	alg.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
1508	fxssvc.exe
4128	elevation_service.exe
4816	elevation_service.exe
444	maintenanceservice.exe
3656	msdtc.exe
2864	OSE.EXE
4500	PerceptionSimulationService.exe
2168	perfhost.exe
3032	locator.exe
3996	SensorDataService.exe
4836	snmptrap.exe
928	spectrum.exe
1484	ssh-agent.exe
620	TieringEngineService.exe
3236	AgentService.exe
3560	vds.exe
2164	vssvc.exe
5036	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5d84ebd92dbdc151.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\locator.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038ac6d9ec112db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be84669ec112db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005a9ab9ec112db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	776	fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
Token: SeAuditPrivilege	1508	fxssvc.exe
Token: SeRestorePrivilege	620	TieringEngineService.exe
Token: SeManageVolumePrivilege	620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3236	AgentService.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe
Token: SeBackupPrivilege	1256	wbengine.exe
Token: SeRestorePrivilege	1256	wbengine.exe
Token: SeSecurityPrivilege	1256	wbengine.exe
Token: 33	5036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5036	SearchIndexer.exe
Token: SeDebugPrivilege	688	alg.exe
Token: SeDebugPrivilege	688	alg.exe
Token: SeDebugPrivilege	688	alg.exe
Token: SeDebugPrivilege	3212	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1824	5036	SearchIndexer.exe	108
PID 5036 wrote to memory of 1824	5036	SearchIndexer.exe	108
PID 5036 wrote to memory of 448	5036	SearchIndexer.exe	109
PID 5036 wrote to memory of 448	5036	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe
"C:\Users\Admin\AppData\Local\Temp\fce36cfe6fe9ac9fb1e7cfd5708aa8f4110572f101942e15a7bcc9bec75524f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3692

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1832

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
19f687f948fe74631302b51e3f7f2860

SHA1
ff92e1e51bdd4fe19291866115eb4743d1e60ca7

SHA256
ae30d5730d65c828f964b3412c35ac0f55e7190d825b2c68cd9cbb59fddc142c

SHA512
8f1aff88f375c9d7d7ac1b267038e6a63066492283edd8506e441da2ad231b1e192b835565acd4fe80b6b02e39c1d9a2ecfa628bbf6137409e40b0247b328e77

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d38a044fa63235e2bec581107808cedf

SHA1
354bd2701756ceda80be283c63a230acec2d8d85

SHA256
c57332a61ffd953bbbcf364a70138b51d31a55feaca518dc55aebc19b4f73442

SHA512
777f302ef0e60b5c5ecbae60fd09cfd2aeeb58ebd68abd26b8a1f80d10df711862ef36537f4f7fe2930058f959a5bd01f8216ec40a386e925d9d1d8d6e2f3cef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
080ff59822b28f1139d83010ff4e7fdc

SHA1
8df079e3ada035cdb098e15247ae350d5f7d91ee

SHA256
b6a1954962bed61af0c03f1dcd025c63034ecfd2005ddb8c30338be83212109b

SHA512
d314e930463e8f18098e4a32295f2ef908fc54f3ee01b99b27fbf0efd5e867ef2f0ce0567dc0e5ec0887199b4ec34b3bec5b574fa696e7b3f2b1e7211114661c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
14335871bd02d1468e6690d27ed5a7b2

SHA1
9b51b40726e2ed0e7a97dec507f04271dd00a3b6

SHA256
c8333406891f700befe4aa14c9db04be85aa33811a49da39dcfc54273dcb3134

SHA512
4f08cc206a68a876e277c081a79cd8dafa3287423467026022b3fd29339d28858783e041732193de90305a93373a1762ff82fed318da3896fb6e2f937fa0d286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6ea0e08ccde6f6493376e10001eac71a

SHA1
4253b413f3c5ef36b70c86720c344f3c1c59a232

SHA256
5b0d9ef6d6f5cbdbf534ef5fe92fe72fe4ed062cde7c8b734d5d601fbca6ba21

SHA512
a891286fab6fe8e4919e69ebced9ee98b6785fd9da2cfb71c2384feffecb222a5a4ceab8b844e6ffe4b478bcf710a1aa3d5f0f5eacd855ff3def71bc794544dd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
60075c0fcd1d9bb1c35b64909c59134b

SHA1
c4793fa0c6e86f0708dadf994a5f368c6829a279

SHA256
89e016b7ffdea2670a6f352592cd0e4c650e5c65bfd72a1966063b9d749acaae

SHA512
17bbd3801a098608f7e749f3be40b7cd8e50f7ff56cfab40c8e94bc768fdc260004eccae31ebd03914e6022f3083cfcfb357d0a4bb4dc0a31a7ea631b8cf5af9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1793ba429e7b92e99884a4de0a58a782

SHA1
0469485c28ae360aa81c4d4dac6eb2368c124bbc

SHA256
2eba810a7006c893adfa9eb81b37b8f6debf11286b6b0414b16bf7bcf4bb892c

SHA512
ca2b1e94be6a170231aa296f19124a2336a0192183ef6084c97d4df930d322c3f56617292979bb4341095c65a17c4c58c7514694d95633bc8ea51f52e11aea8d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2b7e185f7eefa88e21e3c11340e577c4

SHA1
dee0941f4d4ca0789c3e148ea0f32aba85109f4b

SHA256
4a5e77b9578c5c37d964665564b1568b67d7302df83eefb6c491db08d480b58a

SHA512
8c0706d4b257923a676b1512683bcde15f6fdaca0751cbf9e93a32da3107655797660b837960e2c7eed50dbea5ee3b535ab838b175b162931d49d94d31162d1d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
99a097012c22853370401a9fbdace7da

SHA1
e7d323724e9428a60e8aa8e7bec26fe92be72aa0

SHA256
103d2de5a5bc6eb66dacca0915dd03d09bcdfe2aa50835f57430e3fdc889ceb1

SHA512
851e57632c50f66d07abad5bf2cb8c2cb45576466d2ead063951e47ea4ed28c4dda2cd9deea664947992fa1d5e7226ce2c227bd1aa70ceae0e2d0cbc5945f0d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
0865966ad2f01b5088bf562a1d21bebb

SHA1
fa74ef7614a749278a2c30280925cf27d66d64f2

SHA256
f9a050df1296e1ad1c16447fa3509ccf8407bf840a9ec09ebf24d5365188a853

SHA512
0150877523aa8027b37f03c9f6d9056459d98786a7fa6e2c56ff4ed41da64f5bef5e6ad5453a713aef59762a40e4af8c64656dcefb0b3f93c4c7083cfd9c272e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1d994374faa2815db4e3568386d5abd8

SHA1
95b550b94b31378fb3bf3f32544a2b8ab8160424

SHA256
ee0f5b7b1c519e5639b2c89c681fbaa7100cd2968a1acf315bee5f9699c93bdd

SHA512
f4231074413c0af53a5e5cb5ea50bcbadc283a441d28834b056b9be0ff7c07fbb03d4a1f068c51a118ccada9c8b27ca425996b65fc7e2100d9e65b2067e90aed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
837b4944ec0d9e97a293341bfcc8eafb

SHA1
8c31372ef48120f678bab031e79b59bdb282d57a

SHA256
9f566a1f8c103f5dcb06b75f2e5a893a6c803ef22942a42300c601108fa5e2aa

SHA512
079d133e3cda316fd9df2e0d0691c9e86168b0bb4890f4a24bcd6026fed5397fa7dd7f1ae01338fa2eca3e97585d3f26933f99d821bb293242048646e7e4c7c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
5234bc8bb2cbd4eec088d5f0ad78acc4

SHA1
39ee041d1c2191bcee28080d931583d67ea9572d

SHA256
e565ac6bf35a574a8227166b3ed0bcae7a55606cdbe4d2c4138982fcda118365

SHA512
aa41f85781d6819fb1651bf6ce005b38066dfd77e8e665285d0eca9c65619f4c4f5ada6c8f8b67b04ff4e644cd7e8128a1d5e51368a8461bfb599ea13a549fb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
122ae69f3a6d17aab0772716bf3252cb

SHA1
bd72ce6ba44916043630121f37ee1d9d9594a023

SHA256
a2debffbef8cd3f6c852cf17b538e76159816437a4d8bc1e672ff537a679f1de

SHA512
252c41367dfa5ba64936c12a117a53453342172eadca9e45c5de5a21b1a1f32abb9b8c6a61d541adb6fe0b58a3c1aecbe4606f0c88bc264de7a12e10dbebfe3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
fee82e9d633019d3fb344dbc078535ab

SHA1
ef1e60acdec90fe0693dbd089595322843c6d328

SHA256
aea82359f2f724348b0377900f4577c4f636de7677469b8c3f425817647a7893

SHA512
1967ecdaa2f44994952d9034d7ac61d919128f3f4b93c76e977759fe22aaac7ccb1ad8c507eeb4e7e754831c64a23c972fb8a28c18dba3cfd7d3cc57e9e4f6a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3173f602b75fd97cc4e408e44d30d702

SHA1
05fd6000be021c76b8ee7413101e06dcaf59d7a2

SHA256
f6e3d0605500c49e0077f356f67542f344bcb87dc350849d732abde7a2991f0c

SHA512
1ddd53a21c41da95a14fe24e3b4ed48d69f4b42ae747226a13a5f267e34dff659ba3763026d58c849d01bb3bda9b9f81c8038fc2b1aac375ce3e3cb08cc90d02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1256a8e4b6e8ea4e9b0e465c3664ccf6

SHA1
ec0167b15c2b9a86da1c14e0f32b4814f55b5c6c

SHA256
3e49025f33d35f928ac002d9fa580df6bd14fe293619571ffc37abab5f39092a

SHA512
2ac0070f40bbb06e9c280d427baf52504d86cfd0665fbf0ea8a66e85ec9af13d37217ac2f375cae3568ffd0d65218d31b18af351b74ea22813647c9cecf60bb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
f7bb659ae6a6f9b776b83b03ee2af1ba

SHA1
4267ab8bc8ce121198e227ce1b258c2d4df06fa8

SHA256
20e8265c6de568121c9e66211f3cb442906f9bae034a86c1b4ddf7b91719eb54

SHA512
60004857c1492169579ab954134182951f2b7bf3c11eab101c8e6e894be21e9b628cfdfb10c9a916a9d23f7db51acb526ed1488c020d1519f505b1b8f6a00d1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
ecd1c33def01c1088a99b207d8666c96

SHA1
5d0fb3953f2487971aded3e6ba665de134d32b59

SHA256
d8d4a2e86329eaf398b41b737c9b501dcc41daa64335358067b9784f7c369002

SHA512
43c835617f8fbd5a43ae91ab6beef3ebe58540f0fc923e5c7d666e181f09487020eabddcee2b50d549ddf95cd1fc4a831ccd70af0816d9b86f442a24b132aa25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
89a21a3886eb61bc58c851c274ff7fa0

SHA1
d6e4f077a3719a611c97861762481c9cee2b7820

SHA256
fa4b3c4bbce647cfef3dff5c08ee2935d45db6ddbb10ce0ef721d2fe616b0ed8

SHA512
7d9d884516253506ec842bae6305b24b63eb0b8ffb75ef2888de2e9480925d1ed6651d6367d42a411cfa1de6c02d7e9a3218a8da6b24e3ff858eee0fcbaa878f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
557e6e613ce7cddbad228fd081f6db76

SHA1
f639e8ac5d07872a6d6b9b8c66bf5c6f5fca80b2

SHA256
87473a13ba4f81ab32dfc54e940622219ad58ae2dfa6f2c4f92bc65b98fb1381

SHA512
cfe5ca2722ed4714e9d92dffc2f8af9451ca39ee44f531dfc4081549c7a3da6bf9fe08aad21dabac1fd877bbea957802931e587d84d22e9762157509d80133ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8e05b7b3eba8e1212e0495ac98a4644a

SHA1
75afb5a8e1d71d1cbfb20561317479a1821d1e5e

SHA256
777c3b1c174145e1a0c847ba67720d2f3ea839392b2911f4980a6db0516e41c8

SHA512
185849389c0f8ca3fb8391a95a678df8fd80a9591ed1a7a552e6544122a037d2c311873c303bc47256b2f2777d3fe21c5d64dcca82cdaf5abf8d8ce6afab8c57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
8304747409fbb6b86b06511e8413a77d

SHA1
494cf4fac66fa5ce5ed87df4444fee90b693d477

SHA256
7976fc8ef652912f1c0ad5270a3f858e97d072567bfe8263cee4676268c8f3b2

SHA512
5a960584351b7b421c960eb9bc9fe1e03378029c8a3263986f2c3cae86afd7ccaccdc049e3e9346c7b1467564e41918cddab698d39b06eaec237052445ca621a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5cebb36632cc456496bf93711013f591

SHA1
09cb3428cc9a8e199bc4814130eefdfcce7137bd

SHA256
c0e4afd03c093acad39644e3f240feecd26f8f46a3f386f6d73d504dee69ff8e

SHA512
3c76115b6df50ac6e90d2e53c99f9e026c8ce7ea7eb1ba5974a66d240b2950f4c0c9944047f6b650a7c9e2f9a0cb298080d754fca1458c2ec9f91dfc87a45b10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
8a69903b53cd01da08f833a4e8047b67

SHA1
9045c192633846e4a394ff31e36bc9791ae3bb24

SHA256
0660e23fc221dd579a0403a12cb9525571dd089a86072b440a5879068e80167f

SHA512
6f8df7f62ae8b4fc3e4c8c06e06275994c4a68546019afeebe5aa9edb1db7d657e4d90972b234050e836dc68fe1218a862c2cb4813000b82cdf902a5605fb26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
9cbf27204a3159084669e114af3a5981

SHA1
f54796212f7df2e9b5774e4f851f189099e1efa9

SHA256
c0040a2cbb14421ffa01a321c957719a30910b0068c3116253230b8db28fbc10

SHA512
8dbebee654f67cf0632275d761843f38e6a4d856f49c92fc0db7f32c027f9cd81022958232f43ecf96d274968ecc6d2cc9dd93f5d8c90adb0ce19684459e8815

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
167e057742d9508d601e4a1ce99f3e15

SHA1
85d6d281d407c353238714929fbf78c3605824a5

SHA256
d18f8ec6af6333f32ef08185116d1735377d65b746945af1c40dbd504d88d645

SHA512
7a03f0873e5fa6fbc755bceae8f9483e1862ad9256f29dc344f91286cd5f970ddbf36356e1090b8d3bced78d4128c8753e1cfd70409cd66e40ff39d80e1016a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
a3f6c07f7d11f28fb9f2a91b1456b2e3

SHA1
d24e0b139c3be80c3eeb05f103254c9e58adc54b

SHA256
dd97ccb64929169f56d10703daafebb981c9d2f2a1e6e0786d5d01bd083a1042

SHA512
0618d313ffbc536cad5404a1949a17e67c0ec5b6d3b6c2b7d9efeb8803d1ccc211ab868ed595dfc96e6d823f9b0ee0f7ab8769dac519f1a94e4a386ed2a729ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
bd79f14f4938f6475f2454c23e7e8eec

SHA1
48ba80405e8f9b53fa513f927484d114811c87bf

SHA256
753c2a8405ca1ca2501663d3e3421954d14124183414978ae9664f00305133fd

SHA512
393d6351e20d69709257c1d1a6472c756e999396184059e14e2f38308e423835e843dec62a5da5522333ba93d030eef8a668ad77ed539d9dccf325729b4b6bd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
3c112e9d93a367de1b42de28b334ac33

SHA1
c4b6e76d1bfb3f1b43fe40061fa647919cabd080

SHA256
8e2e6db93d70ab22265820ac082e5b451c74bb053cdbc5cb71a15c7a972620a6

SHA512
965a65ce8707c16d201573e25ce7f43caa724ba7af66fc7924a9e36f3235c048086eb9a03bf59a3fad91e0e2f85e9fe4cab02a902ca5fcbcb3bd448917602cce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
ab343c8a68b9ab7caf1c466d2cf081eb

SHA1
0672cc4a3c548426fccad5b9578677b4c9bce9ce

SHA256
9cadf9c17e360e28c25ce55972e433604f2d25717d003989dce47f22955d4eb5

SHA512
277b9620ec8d4392f68265626eeeb2452730138509f960fae968cb321b5e01afde733ade00ac09b29eef13dd49d92486fdd334072381d564eec976ad6e5741a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.4MB

MD5
87a2a1d436d8db4ba32eec62f3b48f90

SHA1
79ef920b7ba204ee72415eeeb614398c54b615e8

SHA256
4f1d244f8e9c0090f85c83b3050ee434ea04eb4cdcd4f0a3e92ec971e2ee852a

SHA512
432cba307ad6e1e8bc6b478266fe97ef26a97f0b1b06b3793d2ff0cf92fab6568c0551ce1ddc96dfaefd5568cf6422ee45a0933dd46b5ee9c0966a5b808e04b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.4MB

MD5
f7983e4c713f251805d108db7fa13b63

SHA1
a76beff68e8dcf025cd9ed329769d005545755e3

SHA256
2174c3ef5671e48db0f547a423765be877ee947cbeb47449e0ede4b39ad204e4

SHA512
24b8719f1cd300b04a893cc7cafa9d22d94ecef2ac113af87b11b756b4e02bb4de890b158791682e6a8fbc29b0698b7f8fbbf2ce0675ee124ddfc2558ad3ad2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.4MB

MD5
9ca2e7c6537e7c4eaa465a8801a89022

SHA1
cbedd008f71ddcf3ba7aa8cec4ab50c939726a2c

SHA256
8e8ec2906c1ec5823f715fed57bc71f1d8fee0e6c018d08d46ef45bcea788be9

SHA512
dbb5ca7b1679ad454dbedabbba8cd39091661dfb7c1dc1972655b6bc5a6e90f4f441f08e23e15a061729f489632fcddf391e6391090c252bc0ab50029300a1c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.4MB

MD5
315f4a64602cbcb7e6a066fb28ee8100

SHA1
7c48f1228248705b529e40501a67c9188b966965

SHA256
4b789e8b12a5aa3859cc1ddead8c3d47b64b1e09142ccf30430c6ac44d7236fe

SHA512
1ccf8ae3ab301ec744479722477ed3a6830fa415a6aefe388a315c1e2e679d867868741ac9e1cf3aa1f13f60dcf10ae0ce70b94bb25157339e9af7da95bc573b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.4MB

MD5
7627854a22dc9586214042829e205f5c

SHA1
845bb795a4831dba1541eb44ab06e687e46d22cd

SHA256
83b70593ac476606098a64329be8b9e5981f0ebe023df9b5dbd697f5792c3d29

SHA512
f4518aebf54f7650b422fa8771105d1c671122910bd35935bc640c97b3b5352fc01e5230521f47d1cb3f2575d4b75808632b7ac80af6f2cd9edfbf11fa33d36e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.4MB

MD5
6cf6334ca67ed67aaa2450034a49f2ee

SHA1
5dbd4a2823cb12da69af8dc8e2f03c4e17f9a4cb

SHA256
b0cfc56e2af28173b0cba77e00c80976f8412a76fef3e45d366ec4102037b1e5

SHA512
9d384c445042dc1c075e2c940941b056b109d895d6ee42544c7d3f1986a2653a8d0570b0f13786a960515a37fa086c689da7141eb4c2556869ad68d082792c14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe

Filesize
1.4MB

MD5
e461b541d1663e26526a3d5028213ddc

SHA1
d9ae02abb4f8b9e32e1814ff8123bf750c9b3d3b

SHA256
452b80ecfa6ccd4aa38881b2bf3510415d5c6b18b591b32062721400bbf6b67c

SHA512
ca763e93b34ac47ae3793f7893f1a8615584bde339243c5133be1f17c3335dd45633d9441353e58f6a22999564f8ef60914be690fe528251dea216837e8db373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.4MB

MD5
d7abc0d883264aba9f4f61db9ceed4a7

SHA1
fd4e44e3e502367af49e8fe79d5b160fb1023a91

SHA256
a30736104841dcbb7d34bfef260fec4aa760955acfaccea9469c3b75d7841673

SHA512
79c60edcb8015cd621681d3c9718aa45e3a41bda4cdf19e037b362cc13418196fe37f03e352bef642426ab53db68fcfa4ed6e12c09eb627593a14b4c23656bf0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2b437e0fd6a963afbd08fc12626b92e4

SHA1
7bf3b1f20fb47c85d31161c17604136acde2c5db

SHA256
760599cf178971d300bb865e5d967d51666ab9600a110788c9730bb065937458

SHA512
78047ea07e2c95e67cae758bfdd8116ef6bdddb10d8b9dac78354a89d11bf1d5c2e474b6d89ebcdef6cfdafedf6dcbe9173739f4b557f30420b06253adaecefc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7332570939803c7d3cb913988c38377b

SHA1
c72b28924101052fef06a9e65d9c0a6ed975461d

SHA256
6d20cf84b6db101fe2ee27dd620ece5222290084e5ab602e9bf9ea94b963bc70

SHA512
e8ea23aa55d3faefb05a7ee1e5603c673d8fb6789a6170579502e967038eb1a1685829de665c58c0809cf2ab6ca7772822eb0a576d5f83c62a67306d324fbf00

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4205362f4f699d4dc39ce1c676c51e84

SHA1
6f18d5ba737b7b4384d2cf06d8b7b665bf742919

SHA256
afbf7876331629b76ecc9539fb27fc747524f5cd6f16fb43f65c06f0c997cc7f

SHA512
c604ba67edba70bb5c89a1d5f8e058ba7ddc442d149c1f8cee62714f7a4ca426b914f3f50a3067c936db8e736cbe30e2655fc211b131076459fe3fc05aed9c9d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bf9ecc0aac5005e881aa47b5082a37d4

SHA1
3f0d878621f74ccf309d0acb548f0b446719b80f

SHA256
92d87d85e93f4887b6ed19d4be25c22b57f3f6724410a3b5837c2feb0614ba4c

SHA512
6870c25da9ff83baffe23d5097c76ee3b0dc8af5146bfe1991dd7a7e076052e12b824d0faa82213db06e4dc46d12230839d7b28dfb06e16b585f982457afd7b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
259bb2c617a66129040dbcb1ac24b5ce

SHA1
667e8c706e08683c1805a15b12437d6aba88fbd3

SHA256
d842f790e3a8e306bc857b3b2acc7354c8c06d1e9ccbe5c9fb44e744a2eabf6e

SHA512
b955d521a7bd668e7ecb89749d8935b0b68a34a5c0b02ffdb2b3153d86fa1b2ca55e816c77653592ab151fd7013aa7c44b6b9b495704481ce2891f60617c3b0b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eb0d7704ef5325cbefa63ef526dc6ed6

SHA1
a569c592f9ec89ad885c293f2f494a58d37ba20a

SHA256
e84a395f8e683e0ed80d1c2d0d880f6d24eabb2e08741371d7380cccde7ecac2

SHA512
8067125900d964c8cda367136fe930e0f2254e695e62b2e2f9f09258b9e7e0a00839177b10f9dc6eb1e7c8229b0c1dba834d55a29480919cb475cd818f77888f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ba14d676b7e6542321085dd816f6c17c

SHA1
efd15d77f095a00ab0cc36986266d1b737bdb96b

SHA256
b54759e8e96ac83325495721a8e6b84e2784ee17c2b4f21e33ea6a06e2ee0964

SHA512
6c1ae672d6a6d17a260877d943e79c8999c49b5026ebe8e156e363ce550814480f314051a8e9e2423145253334c508bd49e62099a304da5c54a6c36aade267df

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
5a8ba665326435838b6e9b2c3bca6b4c

SHA1
3a821fd27e6e1b6fd7a716a43c7239a0539f0436

SHA256
36db22309b505db0d318647fb17164f90ad003dae580828fd6266fa1aee7f893

SHA512
5a1d1eb3dc00663b1ef6c90a325b8311e189f9a1190dbcf9aae3f48e2e6d07715198df58bff6ec285bab126b177b92160aef312c9f25973f4f0422f4db1013c1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
68ffda4795f7d7ae10ad7a45d1d4e537

SHA1
55849060b47549a7789d1ea54d86d5cf800fb757

SHA256
29da61e9f0e2a2f1366cbfbca1feb13d630aeae1366d448ebcb8187c00c55f54

SHA512
baa53ae0fb1f48f80d7dd52ae35bf9cc323ba261cbd7e12308a802bb4627bfde908ed4bfe5aaabdf5e763fdcd7df358879eaaafe63ee0823c84c1bab1d6a0bc9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
255f0a066e3457e02e506a9d46562eed

SHA1
f353d7fb70500a7f489fa165b051b368e415946d

SHA256
8792a982b93c5ff29c77b2f0473f2010e56c591ba7ef51a3f640314df5c38978

SHA512
fa31d2fcf27f7cf8ff72e31f0b72844e0fdba6c95d76db3b48009cd9f07d76be2b002ff9569fb2e75ce46d6e24e81785b6695f6fbd4c782fae1942f53edadfe1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
84de7d30a2408fc9d52a9330ec0620df

SHA1
0bbe4df986e0ed9f2ce70b30466664964d7e0e3b

SHA256
db1a669070b2c05eb50e507cb29caef196c71017f54f0f3074115b02d87d0c25

SHA512
ffcb0b66ba34c4f41bd6c4cc9e90c1537c872807ab51b4a69dcfb7c9bba2ba9bd7df3cf35f2dcd719dbd22a612bd188522bc91583319ec05785d2d66d86b63dc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
84ca2958009367dcbfb8798ead497981

SHA1
3e806eb18b943a3423b02dcd3a89154821decbca

SHA256
f29b14ac23b9e09f5bac462a1782db367431508219b8ec52df1d323fa01da7d1

SHA512
28f7d35d10da9e892c72da21ffff87d9ba4b9fd3899da543ebda253b773dc59f2e7b24bcdd2dab344c2af5c0f88db78f907c9caa0678245cd023c4ecdcb53237

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1414119280fc37b0feb4f09869960a62

SHA1
809297775d9347a58e622941aff22f2c67fee287

SHA256
d3c753f79aacd155cab20ff673ee33f13572cddd441da236300fa0d7e4777b3b

SHA512
a0e27d1542c959ce86aadb03465059feaa222435b780963ef8e0bcb40c9f0d0c09d00490a0396604329ed7368b32b98ebe374e1a1aec7f5d8bf6d14247b197fe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
107995d25c75e5f9654c5d5f57a9f8d7

SHA1
49dcbcbc649b10ef35aee830c25c01ef087c6c77

SHA256
042e6747189f36b32f047a41fb54effdb6e85a5a11f877f9f5bbb4f2f1e1f003

SHA512
89baa0fe36ae99280fd195b77ccb870d726531f4a53ac3cc3a407222a430843ac87b6c403ad6e194e5448ce0fe35193ff2c05325c5cf2fa70f12de7f10acd073

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
dd9cac20010ede514743e207fd758f89

SHA1
c53590f5b7a4c90924373e7dda24681c7d44c439

SHA256
07ae290e4cfed71c7d06de271f1355f66fdadb7cc1af9faf33ce8b5cb83cc596

SHA512
4298debeb716bbd9c44b9e287fe1d28b9251755ab40c57f3fa6b7b1f649fe443a341bbf6df149c6fbc0d71df440425c7c0fd196bd8a35fe5402896720d68405f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
271730c6fceb03f55883770376e6f0f4

SHA1
b30eed5b201f3f70b3fbe20b3a93f6d066850386

SHA256
267b38fdef159ead491f18b995887e8421477f250c35d1d3117e1ff1fffc875a

SHA512
a34b854c8faa43496cc053adf8b1b75d0be3faa29403c827c3a8601e2d67c950cc4511f8f09325e6c1acb27d0aaacb6abab9ebdd18ff55b1e2e44a2370bb4f85

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
ec72390bd3cd00867525a3ecaf018c3c

SHA1
724de249e37a251340cb68c36275a37c5ba72db7

SHA256
ee96b45247d758ec744604cfb5fc4b886d834a5f21720aee3d3f10e93aed4037

SHA512
f9d8cabc1e8d0cdbcb84259306d7f7d234a09c90c1d0ac73c8ae65753b5788154de8453619666182fa51a6bd7a11192854cb6f5a62a02c3711a34f870e920626

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4312d89aa53e680fe2a60f66169766c5

SHA1
513bd43954236b96e499773fa0d44e5a7db4b071

SHA256
f0779b18955e3e3c4f9a3c14188d3f42474b287fa19b9de9890462d671fdef5d

SHA512
e9f9d2ebe70e4e800bf2b4518e083d3085b2a85a8369a9ac8579569afb8c67fd732e4f789230750de8580b84b2d5ccef2a2f5a04de2e8b4bc289b73a41cdfbc2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
41e56e12c7474ef0c3e90bca104ad8cc

SHA1
3e2e889b8215dba3c8021073461d018ec5783337

SHA256
155bdd895c40809f82527ef9af4ec2f96d117d03aa875a155bd54f6c49da078a

SHA512
691acb349ee47b147661b3329b2c934ca569af3dbddee03f7c819300aadd4f7ff1e2a33903bcc229ba283a8695bda4e1430223f28a938923c8e8b7ccba5ec8ff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
8c17c562fbbbd6db9c213bb42b206221

SHA1
1f37d814d204e5abb1d21b6dc9986b4b0c9d33de

SHA256
9db4ddb804705b42280d1c4ba56aae8bff58e816b594b89c142caca5ba46204f

SHA512
a2d9c493d4b98f4373dec7ddb62e165e22cb51b0054bd6909e492280b0f8ca9c0aa2ed39ac50095f43c0b361b188723874f5bb2c214d4f33df1f24cd39ae4688

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
02b60eacc89ee6e22d4fbdd3b228d8e5

SHA1
4eae95dff07bba5597ebc5c149c7b717c57e655c

SHA256
d0f5567f1ae4aeaeb9a56db1e06e3b27177e1f01d05e8dac33eada09ff2e1150

SHA512
077ce6bcd0f9cacf8cf304ff49977cc0a3933eac0487ca1945061ae5c0d162db13a2e366e90cbf6579859e668c71da00576dbc9fbfb8891b9a028bc07e204137

Download Submit
memory/444-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/444-90-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/444-88-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/444-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/444-82-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/620-191-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/620-437-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/688-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/688-85-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/688-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/688-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/776-397-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/776-6-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/776-1-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/776-399-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/776-9-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/776-70-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/928-388-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/928-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1256-589-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1256-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1484-436-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1484-180-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1508-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1508-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1508-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1508-50-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1508-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1832-590-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1832-246-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2164-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2164-586-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2168-233-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2168-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2864-104-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2864-217-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3032-132-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3032-245-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3212-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3212-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3212-36-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3236-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3236-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3560-502-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3560-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3656-202-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3656-92-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3656-93-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3996-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-553-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4128-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4128-59-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4128-53-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4128-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4500-118-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4500-223-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4816-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4816-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4816-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4816-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-371-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4836-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5036-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-591-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download