0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Size

622KB
MD5

26d13d573632d01d744e90a65b353457
SHA1

5b4f24ef71c17bc45f3cb27cfddf731ae58871ab
SHA256

0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231
SHA512

af3d4f828a2c5c6bd32b01989693196a791a6945d4257f4b98389359607634e91d4bbf739dbca7b29b1f3bf45d3d7d5e3de24b09b642ede0b7ff5c03cbce2907
SSDEEP

12288:suJ4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:suJ4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1656	alg.exe
3620	DiagnosticsHub.StandardCollector.Service.exe
4880	fxssvc.exe
5068	elevation_service.exe
3400	elevation_service.exe
1776	maintenanceservice.exe
1160	msdtc.exe
3556	OSE.EXE
2296	PerceptionSimulationService.exe
1376	perfhost.exe
1572	locator.exe
368	SensorDataService.exe
3984	snmptrap.exe
2028	spectrum.exe
2056	ssh-agent.exe
760	TieringEngineService.exe
2796	AgentService.exe
3256	vds.exe
2860	vssvc.exe
4608	wbengine.exe
2136	WmiApSrv.exe
2328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\vds.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\locator.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4821d4d1299d6a7.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124781\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{614BDFFC-C4F1-4101-B170-710D8DBAB284}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124781\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036ad9571c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b628f472c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000406df771c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063d95076c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c26ab71c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f05ea671c191da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000211f7375c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daa78a70c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeAuditPrivilege	4880	fxssvc.exe
Token: SeRestorePrivilege	760	TieringEngineService.exe
Token: SeManageVolumePrivilege	760	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2796	AgentService.exe
Token: SeBackupPrivilege	2860	vssvc.exe
Token: SeRestorePrivilege	2860	vssvc.exe
Token: SeAuditPrivilege	2860	vssvc.exe
Token: SeBackupPrivilege	4608	wbengine.exe
Token: SeRestorePrivilege	4608	wbengine.exe
Token: SeSecurityPrivilege	4608	wbengine.exe
Token: 33	2328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeDebugPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	2792	0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
Token: SeDebugPrivilege	1656	alg.exe
Token: SeDebugPrivilege	1656	alg.exe
Token: SeDebugPrivilege	1656	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4816	2328	SearchIndexer.exe	114
PID 2328 wrote to memory of 4816	2328	SearchIndexer.exe	114
PID 2328 wrote to memory of 4900	2328	SearchIndexer.exe	115
PID 2328 wrote to memory of 4900	2328	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe
"C:\Users\Admin\AppData\Local\Temp\0e94e3f7bf76b82f096d1d5dbdb07590d2e68502c19545c0a28fc40d078d4231.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ad81fc366d278518b8facceb308e8d97

SHA1
86b11b7f892dcb0bd2afe2ef743de2a0e2b10411

SHA256
5677f50d9cbcb03d1256922f339db01bf41ad5e8b2637b1a9e703f842d3278e0

SHA512
842f68d14b256e92c8523eb86639455e6ab2767fb9bd58ab91e0eb00865884d58697b232c930ebc982fa7f6db5a42c68d75bd0abee0422612b0cfb5c8af28e95

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
519a9cbacb26223633d7246b2bd7faa1

SHA1
5083c82b973d58a57e24639f914fe8c19eed7e09

SHA256
ab018f8edc4e08a711d908332dd32871fddf0e075e57ef77448f05d27731d469

SHA512
c8fdd47b22cd83b14060bbd0f6ff146523dbc1d2a562148fbe163cbcc2d369c4488fdb53bdf11214d2c95b75df06b22803fb14c713e8118e783fc9ac742186b8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
490f744a4b933c4b227de79faab29463

SHA1
0c3a522b35c1bf52da216d89716707b54bc7e8cd

SHA256
c7e65a939c3ea42b65ad40557070acd54e3dc62d1e5a00348137f41b22120813

SHA512
c536ea68b46a505208586bcff0950b76f4f91fed43cf10f294fadd3c1224cfd8dd624f92c26b96f5dd33f2805a27f01ec933cbf5fd3b9aa4a84b8eca828b5e3a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e462097fd76796ec646c8e25a0a85310

SHA1
3cfdae459665e0a577c96c6689fb3a8a8dd883b8

SHA256
9afbc709a0a6feda8db6a3f776c65ff66be6f5ed838448d5eefb749a8cf8f96c

SHA512
881bef39c69f98f83d06c9445f93f9552c23949ebdcb4d5216b2d3ff34689acbd703a0a5b333dcb9a2bc2e1e0a28f5d701b3f8ad89eca6a3ae290881e9d14498

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfc65174052ff16ab6165fed102c997b

SHA1
5593e9158892a2f14e1df3c5f32576e0b4a2cfd5

SHA256
f7026d4179672e2b5581a027d026565256e9d0691803f7675f8962174883ffbf

SHA512
09dfc26c39c3ec4bbc15e9fae1d27b9905952b131ec030c9a0643297b279b34a31b089b96312ee23f084bdd5ddadff81d767de6fc00b9cee501d299d84d14213

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
832707029a0f5a51424927727290dc02

SHA1
2ada1114e913f063717fa44d1d1936ac99a99bee

SHA256
715956758073889bf1b3c189f2313ae316293bf988c4cebdefc818c2f313314d

SHA512
cc7791d50cf4bca624d074f341a504bde76e78ea91504017f8e6fcc5e77cfa2464bf57ac0b469887e6ba56bb4607ad90164dc195e0ac6dc94fef8fba669f88a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
20bc76e6ef2e150f3fbd77719fab9dea

SHA1
fa67a4e6630c0c8bef760208a853541d578ac91b

SHA256
24d0dec9940dbb334e5e17a65ce41f23a8130fe0ff147d26c4a9374763872611

SHA512
07c64659d2637c976ba52100b6e5ea9bf17b9d290729e24d52e785ed6ea328053427496317cca910ce3755de376e7d11d31710b3bf08e379c88855e41feaa6b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
080f0d477cb7e97e16d19528dc681bb8

SHA1
9514705a094fb13cf4d56c608c1709d05818c93b

SHA256
d4dae050c8c576f7beca37f42c6c23a4192dfa3d5764277820fca41f97dbd9d7

SHA512
bffeebd4fd57a1f12b17cacf49cfa11e6907d96edf66d24d70dcb6f8f8c106ebe56eb50d081a74a54f53e7789164ee9ac03dc2ceac880219b20f75a09d9fff7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
357d3942086ed45564bb051aa78e2c01

SHA1
164c2cdd85c680b1413df462b6aa96400116af06

SHA256
1ff541903701d64310643928c3431ca10d9bb48ccb09ae387b40e95e5977b922

SHA512
4c1cf930872903df7c78907a3ba74ca68005bcd8a9790922ef690bbb4cb50d4c295ffc771938c0d5e81a1234da355077f9a950218d0bad89cf1f84c675e9d12f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e92f6616c06ac55b54591751cafb570

SHA1
9d00a5c24be94956dbb654d6838e3c58ca9e5061

SHA256
bda61b9d0a01aefb76bd0c9c963ac5132567237b5e0a706b41b398187f90c0f7

SHA512
944c454eb69b271060da8e99142929d382fd338445f13f1237bcc15d611b7676b8e5973831eef4b0d009291c8cdfe72db41389930b09b64a419a6a0ce654716d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
651438228c8968aed0ebcb592e7cb4d7

SHA1
4088642f8e1bb0a3308b02d059637e6a0a11a608

SHA256
dadfd69e5e24f100f5be6361eb4913891358a95a45b5bd759e675fa24d5a1860

SHA512
af57ac476a12c9f9c84c52e9e72291aa9f618c65289b3971897d2d8134f26fb38e4264a4867be0ccb92fba029c80cf59f0b8d4cde0ad9e7e08ec8b0770813c48

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d3f9a8c57c2f21c6adc53b6e7533429b

SHA1
00c7c90aeff32346b5f213295522c7fde74be6a0

SHA256
3a6a29e56a859f1195328f4110a18d0ffbf27c2f21ee43c985fa4a2504bb38bd

SHA512
54b214d89c32aa9cbd0d1fe9b9f282af760cccd797fd45682913a2ee9b71997ae43a00f081b55085f96ed27d9313551b30051a5a2186c8a44dd31d5118f1b924

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
67a5b954bbfa6a92ccf006fc46d8e117

SHA1
5832b0c74e90694f7abc79c76b25d173205dab9a

SHA256
0f78e732c615b8f5de19abc879731ca09c741466ec5bff14166ea7ac10a16b2e

SHA512
9ec6a699b6ec238cafceb4906266e3653a27b1fd5a622ab65122c3606a1bd31bf027c43c6b336cf60be7db8ba01da6d36903aa92b4fe1a160e02cdb3d8dd4054

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
03eabab249a8ba3cfe5ea6c26add2503

SHA1
f5510b0f3b709892aa034c5028459de8e48e6987

SHA256
fe59e7d9661ca96b77b9ce1ef60d6b7390f072b2334c9dee71644c1cdc2197e2

SHA512
5eb1e1da904516f030af852da7cf7b98f85f61b0f1b2efbd659812df2b17536d01c152e8af21eb1d679581a9ab79f6d62d4ef05e305b218f4f120defc3923b36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1b277cbd185427be7fc6db28456d1be3

SHA1
3e199c41a6537bf338d6435aea104487209d2f0b

SHA256
0f68567e0b89bb503528094771cca51cf36e0878ce0e33d63f464a0473c97d13

SHA512
84bf445b4ffd30324c1df9ce2b323486e9bebc836a67c09312452862982023b091e0ec1a0c77f229dd97e6058968075091c6f577849459836802c9a82e5efd0c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2d6e413be4bc58913231b84ec920634d

SHA1
367cb4ac36743e858d940b885c02398e1b242de3

SHA256
83100a87571621b067af8c766a412bdb44b73f1e4c792ad75275e4f574691f1b

SHA512
b667f941e9c63136e28b05a7bed2f31fbeebf92b847888d65d4186dd0847cd0e233f8321dc5a2f3ae11cbe0af29c8298fff7e280f6fa773d08b33c3a5fea755d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ab7a9c53ac0f933fc7c4d0e16fd7b63d

SHA1
fe3c5f6506bed1899872e7825b28480614f5a4f0

SHA256
07b1f4b3d739075fbad956c551f62cd75df7b77e2bc646345839c9e74d451904

SHA512
a7eae58095e20c538195adc78ff57a9dc17f4cff195a6379ee824f3ec1080e9f8969ee767efc0b4b0b8654493409851be3f3bb1b3b06d26b7a6b19e47e8e5fe5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
311783a645f7957a537a1beb99bd4a1e

SHA1
7273075b1d5957aa2b22a5bfdf454671521d69c9

SHA256
8bf8b9ea239e9c756d787a39f5eee41b23cc17cf5819ae875bd56df234a66d88

SHA512
cdfa3eb1aed1cd4ca87e611bc0e87d17c79af0ad6b6425d0eed1852da20a75b910ed34c9e4bfcb3408f6aaa40676f29e16995032bc4586b8ec796054a96fd47c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fe39e69569b8032d317e65e792bc199c

SHA1
9dd16575e476929f177d059e00c995f6faaa9f03

SHA256
fe8bc0f0cf842b09d686170cf568c770b70f5ac891fce01ce0b0a28000937ca3

SHA512
c2a8309dd06b905bd960aa3e82eab0ae60ea5129e502883bbf843574c79a1d54be4950fd7a6814dca58c0ff056908eac4613be90a3ebbe2e66a697d640006040

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1dd7bc656d79816f2da218c97fea00ff

SHA1
e166c561861eb04ecb324c7e6eba0e5c9675a3ff

SHA256
1058640a160e239aab156af3d3ab62e2bcc5fdeac970def4b5eb185f03d5d5ab

SHA512
c172106f940f858341f31d8cf785a6f6774fcbcb93e34df82ed19a120e817be21c1c443c77d724fd31571cca8e3482ef6633cb4ddf58a4e38b9c94b3207b487e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e167b58ee2c5032d0fda5861faf1dbe9

SHA1
b5e2da6d67a5d0475e92df0c1fa57181a500ea04

SHA256
e74e17ac05e0338057619aeb9fb1a2612a5daf9b3c7acbe7d34d8e245db9501f

SHA512
2bec70bd63869e1390e030940d455b0682e59595192672fb01c2fccdca6391d913c626106d3bce9ed7dfb78e86e06641a67112ef1cc50d61820ae2499800b3c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e9919311556ab985b24ac7094ca80224

SHA1
e27fcdfcaf2d8c9d7100fc560c7f305a21bc8478

SHA256
9dbc197306ed25665c6683bf24660c9072c75c663dc69dfcc1332fabaac65e5a

SHA512
b9c4422d2711bb996b80ad9139bdde0931252cb8b1817748dacb29aaab55ff1ff2f9a874dae5e87c87e43f87399c25d96dd888c54c8386bdca7a25f7574ac47b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1552e7932d54d2136409bcccf51a8040

SHA1
c8200f4084505339adbc7681b73f57af6ca38882

SHA256
7f3348305d8cbde0603e130f3eddabc6ad4bc2d19e47865fc37d0f8a51c49a06

SHA512
4d5cb4246eca3f9ec174e36f8bf643e84900e90f79380652f70cc5cd35087e44a41a4f5a68b210d49bef0204493291ccc9c0fb3dd45a3cbacccf3d199936b7ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
be3bb8e31e61f43fc6b0f8196bf5454a

SHA1
2eabb97207facd8c441512a5ad48674656033106

SHA256
8ac298aa11db48a0e7a4be7af99cee68a76d93078a6dbf570bf984270f9df600

SHA512
95ccde918aabceb9a299f402a2fb9a8a737152214e358c06427977cf76236f12a74254d45e9b8f951b0d793417ba5c08a58dae5aeea031d3759beb270ad97b50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fb4c3f75ab6c3c8ef19557f6b9f84880

SHA1
1aebb1aeb996e60e36d90c5c34b50be40cb21c30

SHA256
eda760d6372e0e5902ac0f5f6b0868b369369a97e958e649edd294804953a727

SHA512
111003ae7d9d7ca06063f5e1c05a74e65a05c9f3ee173389eae2be91ad3139e281f227587600cf076fbf7ff5e1a42119fd9ac4da414633a1b664371dc6826d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b68d5059fe4c4aaca4e9fda55f5e4bed

SHA1
d46dda8c3dcc628b08b8ebea80e0dee6b9927e4d

SHA256
45974351d14cdd17633671ea79468e51075862fae07972baf7c08c325b1a79c4

SHA512
75bc83f171ca88559763f33cffe48dd91bd961c957a378f8a431da81c0be337cbed2699f4da6a35732dd67b9117d90e30136942b32c7abf380da44f3ece1e493

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ecf33f339e2d0c76921327380a0bd7a6

SHA1
343bcaa271aa30bbe057a42985881a323e919227

SHA256
4186f25fad2a9380a3836236034969fa41fb6b318ed5fc76a4336d8c798c0c65

SHA512
32f02bfd65d770cf6b9031b54448adc8f229debac5ab752dc08bc6e8a7b44573c0f199b399c37f82c54cc6867b94f5a1b619980501d8a01ebaa5a006e9554075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
85a3d1c2154f8862385b85ca729acd69

SHA1
58873bc0ab9fca477e615bb9b3078d2d879950ee

SHA256
f69c9e0e5ca211c86e090e095dc2ff9b1ebda98df2d4edcff9c476af76236a76

SHA512
fdebf8517269651f4f82dcadaa6b25ffd144768ebd4e30ee8f5508d4c36f354bae9fdbe5ec5e9a73702a3e63060a97654f6a9207685e8d27a0176b4470e74dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c440d99dd050e3ef3026f0bce3cffe8e

SHA1
049825b4b9e57e2599eae560ccfa8ce4d0053f8e

SHA256
6a75b5e29e6db31b313478a067f9c355611141e62a05bf35c6094667e2a2cb4e

SHA512
4ffe031756cd0cf35ccfb6373177e1ea93cb52b8b1640963d82740442c6c24de08ae1940070bbb84cd9176ab7063b8813036ac98f67d0c6a0f814264724fc864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e4eb38a1c8a991832aca301141142477

SHA1
1a91e6cc43e7687bf63663730d82c11d7170fa4a

SHA256
987d979a4eb7ebb471b0034772a72e8c1dafaf48b2da0a01da15796a4ff57202

SHA512
b8fd3411cb66f77cc090a4f46ea558aca9f677c53ef6d87536ce4043cbc6e0f867d2467fb97585b42e54680a3eb8a81ecef26aefe5c679b5e5af48d49ea794b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
71f2b2435831c7c95623ece7946a93c1

SHA1
27cd2b0aa6f3886a94259163f5c7172c1669acbe

SHA256
dd563892c3da557f9129c15e50c2f80371a37304b7c186a9099a0425f168fd9c

SHA512
f7a83df277bc93633b89accfd7ca16b324e67cbeaa803e1e9c522d687aab3530aa64de08cc6c53d8e11514a2ddb9ca9ffcfdc97899f33ddf688e8ed4aa728005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5923b777238e00a0f2c918c76199908a

SHA1
6fda9cf6caaa2c9fb06a0eba653f93b5d3f10a3a

SHA256
d1dd4db22bea00cb00210110d4ff48179f543366509ad929ef0b6e9bdb07658c

SHA512
bad2e4ba9a8c0c5e6473c6027fb2e1ea6fbcce70baf84c1d0066b01f0859a26854160aba6e519df67f750c29904866ce5a8cd8e85446eb251b9d68df0951a6ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e6695059bbe09db58998d15243adcf3b

SHA1
f320f41ce421bd36cbf1964c2bf25dfa13d54a15

SHA256
84a1052e7c21f7203ebdc5ee5a9c0cf4fef43922c543ce209ec002a6dfe64dfa

SHA512
9d3fad59d071052514f7197f94d1aada2b7e9546c52e0e1066874f9151c22b4ce6199741c5c4fdab7be81b24824d980e6539fe72b78ad82a825c858408b755db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7eae3c8ea1db8178169809ce97f4d9ef

SHA1
b1aa088c724673064bf028c61009cb01aebf431e

SHA256
dc7477f8c56265825dee637329af15cae5b86c0b7e2a6b887891d2b20368080e

SHA512
abde61e8bb8fe6bb3dccdd5e0c56e42ba8c8e91ad0231557a969091c17d4a0d89713fc69538c692dd5967221881cff690a9032e8abd6a43ae2bbe637fd1d7adc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ea57e303ced0461df41a7dfc3780b5d7

SHA1
3cf7f8bdead292ba5542bd975008682cfce10e61

SHA256
f513b7c33ebbd469fca5e25c3256d71bf0e90a53b3e7da0cf674d2490337b240

SHA512
bb8e3089efa6704a089d6cc4f36e7b80f0fbe830381c34f1eac2a70d283f2b62dde08719ab61f232578360ca95ac6166db3c5348a993a07c612a3c41bd507a68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c800a427ca306029c1f7167d0688a5e3

SHA1
6299cf311dd68abdd81868844be0904a36db73eb

SHA256
4b3b0c806796370ad7cf191b7babd8c99f9014b89681dde9aff6f10c7ca1786b

SHA512
1d4f86808ffd8ce3f80b323fc8fdd25972f52cf7dd314bbf52aa847dd0f5ef9346dbff0b253b1f551ab05c86518a83a976e4e0c78f3c49cf81a1bf1062becad3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c8edb92d329fbc59c502efa8f7768b94

SHA1
661c7b7172078cbfb4a95f1646441484f550ef58

SHA256
158b4796dc5babbd410a1cd17bb8a3f8790d92e85aa80d55adb9be06ed29bf00

SHA512
60bc04e91d1a92cfccfd7cb814d03a319710dce3fad22f6c1856b54c1bbd09c785768f357f8ee24ae1374cb578d6b17c44c5850dd3cefc366b642a31f2ba361e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e863e24a0335edd8b739229c3755e0dd

SHA1
4091d41fb017990db3bd049574499d8f41065fae

SHA256
1ac2f2ec87c4f2a9b560ef2fb9986f33126196e4d9f7f436f7db1e2a6da42b2e

SHA512
7488c5d2d2f10c2b264f8474c6c877c8a0f30497feb8326298b308e49147bf1e3767630dec59fda5a7232ab6bdfe001dbfefd30a9a0c6d20314a52b3f7912d69

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fe07b03ffaf5ed5f5f4f9628bf40d19a

SHA1
173478dd07c5f6acd37a009b0344eea78d0f2588

SHA256
0f07ba116131e949e11f1e68eed602403c35338d486943e776567239d73680ab

SHA512
c406010fefcff15bb3bdf7ce555c3239bd33da56eeb9dacd8bdc21558930552ca2b1419728794b7c3e3e6e6eb0bab65728eadd5d0c4c4e86bf378f653531a8f3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
747e4895f18f2c22043bd2e0a1604bbf

SHA1
8255c3909000a5554c38a5bff21d06cd1528b633

SHA256
451e2e54ad8ad82d0abfdd58be38fec955f8913310093d53311d24907d33938c

SHA512
00c786a8ab212ad13ceea81a3a279f44eaade8f945f23f47106d58cae182c156290023255d7088a75915ce5faa498468d6fd2a036d2ad227b4b0ab9f3cd61cd4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c4b7cf1c62f8395c9dbec35083088116

SHA1
c7d60cc2c35d7ec4061b3a838512032bd49d1558

SHA256
a4b8b1b6134b0c06cd4e2aed67efc00da816fe888eeb328f77cdb86a8efde2ee

SHA512
ca08f046ad3317edba38a1c5ee2ea52b328de5def2cd3c95aa7cb547706adfed086cad069107874f5b1dbd828eec994449b0e0891854e538b8feb053052a3f65

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8eff6abb61a87fd064d08b837ca72f9e

SHA1
4730dc414ecbb8fb3294d369834a2ef9d0a55b58

SHA256
b84201634aeb6e45a8004b4fc403ce69b8a74589e3af7f7c1c321bb75485ccb0

SHA512
e591ce66bad042cfca85bde094c11f385246534473a0361f6722ddaadcaba7c09115eb88220d2b60e21118565842d30d42513d2531b333b84edd5f7ac7dc5e04

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9074a17e441667fed8063eb6cbf0b580

SHA1
58e094a60becea5ebed455f9de4de926eb0a5bed

SHA256
8c6ba277bd02e6410abb4bf85a1b11aedb849cc5e669788124213c245cf96304

SHA512
01ece1113259992a9e2bcd7d1d9af222a2ddf37abf0641b58b55737adb39333baeb784e2b49bbf5412b2f79b70230f296d13fcf15ab076d5d5156be1960fa20d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b9c755c278f41299816571935bea701e

SHA1
7669c9414b6fe874d838194624e9e5394826b212

SHA256
a813297d3586f1dd8c79687e7bb882a5b4e5d8fde7e2bbec79d35dc574fdd057

SHA512
f0ca5104f008a383fdccdf81d960880f7073e1e81ad851f99227d1c81d32e5a2aeb52ab52ffbcaf3dbe96f46fb96680a200c913ed90a154a8957a6f692e8cdb6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cbff145107cc1ad9cb45a81a5061ed8d

SHA1
111df3ee9575a6d666cb21e038c5e49038294077

SHA256
5016d90dddb088a50fcfa7d993b6f3162687b20c9946e8179f26d5c6d4f801ba

SHA512
eb2ce0ecd2ce30507b0ebbd44ed1afe1438d8cb57427e8c8b8293262beb452629a62e422eb582fe7a17b79e0e217260d33231bf397476c52da74b956d570aea2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f17087cd57c386a0fccf5764d9df91e

SHA1
d3897ffcfc3c1e99fdb50c876f1969c8cf7db936

SHA256
9d16d2f4fd9201490f138a8e2639c4e75dc8fbda4becd1e5595b574503a2e420

SHA512
014d30e4d05a31598ec8901d7d374dbff5bccf2ba906956fb90b4dc31a5d7bfcba11665f0e8da4446f07bf03f13a68e7c8598859b2bb3163aa9e5bae94c4687a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f499b7448047e9454f6ebae0807a4ee6

SHA1
5978d0496e1bc4d63a8f2d66fd4b5a0654bf8fc5

SHA256
a7f4cafc5fa291d51cd773eefe01e51b4950452cd5751e2099f3260a2311d1d2

SHA512
954fe94c347ff8e61a495560ab030468e1abad13c695c4ec39bfe1f4f9b18737b2ab56bceed972ba61463a798841b060406d80fdd10711beb35b5870134ea16c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ada416bef3c39ae54108e4e2462a1dce

SHA1
d13199e7f66016a17e1ad349b1cadabc87c5cb37

SHA256
95d9cf80773b09bb59c29b4f85cc2557d10b20f09eeceaf1cf92ef0a09d7a362

SHA512
e824b7b39315af909cdc56ef8de62409bee3c44b16a174ad886b6fe38ab8a14836489e7503af5d6949c893242acc824c17e8234ab97ee1a65dd79bd6c2cf0b78

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d1c9f2561bec60c2b6344b8dc3c4d3dd

SHA1
bc9a809170bd45083a79767bfe0c4bce04f73223

SHA256
8d416dc0a5bf0cdeb03b31183528e46a5bdddcfad599a6ea3740815319d05b4d

SHA512
1d8221f68b20dbc5e199c33b94db9c648ed646527469cc3a46eca1ea3fd9e8f0a934d03e2532685e31c0ce9502c1624d5cb0597075aee5f42622b2ddde3f8e1d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3e63a23d9859928cdd5da1ce16a7ee14

SHA1
08ed09c51b2edc547347063e3a97cf601804c308

SHA256
9207924577cdd387ba2c7ff2b4fcf96a5eb6114ba5174b194fac320083f3c42c

SHA512
13a18cd72f01f026e6b0360d3c01d6651e6750a84306bc5babc7c3ef7560cdc461892fd769a8c52114b1d9661fa687da264f019ab40ae9d8315e1e7b05910fd5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0f8dd895946ba73b6bee5fc3ba9cb0d8

SHA1
6ada5db41b42a1d7e0d004170ebb5c316f6bdb6d

SHA256
f01cf908fa14b3dd3b47ebf1c96b7bca95341a7c1e6de9b2a2d58616040e9d20

SHA512
de072f6e32edc7d6cacc12ba058c56a70d9a3813bf195d8f939b375a7a8de04475e63bd3390c6240b6940f5bec84838ace171b0a2d6e5486107b2b8a6ffefa45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2fd579a5782cc2707bd9bbce3a760312

SHA1
b5504656b8e8fd42383933f9f923be05010e5414

SHA256
9f3faf5d30242a0c07344a5555adcfd03a352d70d258a4c53c1193f15d8f782d

SHA512
618963cc71dfa2b132fcf07a1b5e987adbd7d8599e3e5a30bdb5801e98c1e907893a4f5ba23197a855586ece23ff37d7e02e7aaa33bc0b27866ad2381d13604e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ec35626792e1061125c1a0c437009725

SHA1
64ba61a68f5703177b03fbd04399e31b481fc345

SHA256
c4fff295c8c6c5f35be3b51a613c7760ca75a4220153bcbaf678f980a4a71e30

SHA512
1fdf792d9db54ef1846bf615cd436fab1c9640f9f7e92cf694748ee851555872411be542e9ffb930993a6c76febf6baeb9fd93e1ec96558556db1c381d837a6d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
169d78775f8a7a8ac8c5463deb94d77e

SHA1
43b83abc08d0cfd738892ba9eed67a5c7e7f374f

SHA256
d5694b980e83d8ce9b338ed0f47166746fc5d96a5f7fe5150179eecb9261fa59

SHA512
838f2ebce5a32787219ce659df1acea62ba473d0c9c12596362eb6c9674958dd3fc5b591418ffcf390a6092a37ff1ef6bbdf2b325870e0826e17e8b8bb5c5b61

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c35a8959f16763c94d5870a87f61ed53

SHA1
076aacacc34a43a8b0bfa805845fcc90fcab5836

SHA256
7c2639b6f8992c1a9a3895da0598bf34fd252e33c6374d9515ba9fad4d65ac80

SHA512
09b36c965f833e9f20cbf8ac208e6a610a2c647fd3eaa40e7bd0d64852b10cc98a2d3964f27580ca6fb35360cb05a19b86f08ca3cb02016526a167c460dba9ce

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
30145ed6d656a04d54a901bc5f8c60ad

SHA1
d6355f6053124e5f7c51c8fe93b85b89f3a4e6d5

SHA256
258980be485ec67c496778a3e326bbcbbc28ef7671790ef1e622d8bf086d1323

SHA512
e10d9bd956eeeffe30f09fe657cb588c55c56812ce3cb551c81cd5cd37641bb30febb2d8d3c6f0bde34651e6f18f140a5a64edfd83656ee2818e18202c912af9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a78dca7887a9130c51d742f06ba83ce7

SHA1
2e15ead87c9fbc61a53f96f7dcdfb03746b8b95a

SHA256
adc9d479a2121cd3e71021bff232b973de05c52b223bf16b01b86e72810cede7

SHA512
131eba7150411d1b20c4d3c44ae258e51dcd5c6b71b951169b28e0c2457fdab2e53c4e2f0b3026f4b2f14b0e5dfc2b4198c505dc00247ae29882ca92b455f7f9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a61ff9457ec838284d7b37bf34a103dd

SHA1
53800f84481f5937388a3bff01d8510344584396

SHA256
1033e7848fb34f9a931d5fd39f38de88352c184ee8e0924c9e284d8491862ce1

SHA512
1d75cdb3ded88d72af809a5a5f5bc14797803c982555788ef1b7a2dfa347fd36e655c00bb3db1aade029e5816d49a92880538fc2e3eb59f4f7addc1c1984b3d7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a573ede4c734423d64ee2e46eaed328f

SHA1
6cabc3dc716066a01ab40dca6c4132330a5fa63b

SHA256
c7d0112e435355812c22844db1d021674a82ee90391b4f1fbdd2b269c1415df1

SHA512
b8b62e087ec3953beae2bc6ab35460c437bd8b422b44ab54d32fb97282660def42e3c3093ae8952d02f21b794dd9fe6e619a5f0e61811d0573c685bbd5e75ffd

Download Submit
memory/368-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/368-166-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/368-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/368-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/760-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/760-221-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/760-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1160-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1160-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1160-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1160-101-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1376-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1376-208-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/1376-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1376-140-0x0000000000690000-0x00000000006F6000-memory.dmp

Filesize
408KB

Download
memory/1572-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1572-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1572-154-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1656-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1656-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1656-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1656-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1776-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1776-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1776-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1776-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1776-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1776-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2028-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2028-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2028-194-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2056-209-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2056-268-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2056-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2136-289-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2136-284-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2296-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2296-130-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2296-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2328-303-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2328-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-6-0x0000000002210000-0x0000000002276000-memory.dmp

Filesize
408KB

Download
memory/2792-7-0x0000000002210000-0x0000000002276000-memory.dmp

Filesize
408KB

Download
memory/2792-62-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2792-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2792-1-0x0000000002210000-0x0000000002276000-memory.dmp

Filesize
408KB

Download
memory/2796-240-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2796-234-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2796-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-239-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2860-264-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2860-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3256-429-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3256-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3256-252-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3400-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3400-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3400-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3400-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3556-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3556-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3556-117-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3620-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3620-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3620-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3620-90-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3620-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3984-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3984-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3984-181-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4608-278-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4608-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4880-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4880-46-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/5068-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5068-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5068-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5068-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download