59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
Size

625KB
MD5

ca31aaf988b1c4715eeec5405a599638
SHA1

cb172f3fdccde3c08d791b6901787bee3c664ea2
SHA256

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479
SHA512

9eee8cc142daf914aff86b661a29c42c86e4eafe054b92b65d57aaa984bd668d3a7fa74f96be8b0411b60281d7ec0ad76b74ecf0eaf4a3865bb4a2f57400917d
SSDEEP

12288:D2vlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:yvl11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1984	alg.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
2236	fxssvc.exe
5080	elevation_service.exe
4872	elevation_service.exe
4968	maintenanceservice.exe
1928	msdtc.exe
4904	OSE.EXE
220	PerceptionSimulationService.exe
1692	perfhost.exe
700	locator.exe
3884	SensorDataService.exe
640	snmptrap.exe
2624	spectrum.exe
2312	ssh-agent.exe
4092	TieringEngineService.exe
2972	AgentService.exe
4712	vds.exe
3008	vssvc.exe
4880	wbengine.exe
548	WmiApSrv.exe
1732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\locator.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\spectrum.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\vssvc.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\dllhost.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c92d1495e51cbec.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98734\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe

Drops file in Windows directory 4 IoCs

Processes:

elevation_service.exe59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8d76f32b399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d15b9b34b399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f9c7432b399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1a1bd33b399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3128a32b399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e903c033b399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014f07135b399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
5080	elevation_service.exe
5080	elevation_service.exe
5080	elevation_service.exe
5080	elevation_service.exe
5080	elevation_service.exe
5080	elevation_service.exe
5080	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4952	59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
Token: SeAuditPrivilege	2236	fxssvc.exe
Token: SeRestorePrivilege	4092	TieringEngineService.exe
Token: SeManageVolumePrivilege	4092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2972	AgentService.exe
Token: SeBackupPrivilege	3008	vssvc.exe
Token: SeRestorePrivilege	3008	vssvc.exe
Token: SeAuditPrivilege	3008	vssvc.exe
Token: SeBackupPrivilege	4880	wbengine.exe
Token: SeRestorePrivilege	4880	wbengine.exe
Token: SeSecurityPrivilege	4880	wbengine.exe
Token: 33	1732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeDebugPrivilege	3948	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	5080	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1732 wrote to memory of 3584	1732	SearchIndexer.exe	SearchProtocolHost.exe
PID 1732 wrote to memory of 3584	1732	SearchIndexer.exe	SearchProtocolHost.exe
PID 1732 wrote to memory of 4776	1732	SearchIndexer.exe	SearchFilterHost.exe
PID 1732 wrote to memory of 4776	1732	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe
"C:\Users\Admin\AppData\Local\Temp\59b88e569081d41451c028a661adc54eba77b2812fba0c4d8ff5a80092dee479.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3584

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
2⤵
- Modifies data under HKEY_USERS
PID:4776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3d9498e377f3251009fbdb5a8555c3b2

SHA1
7a09fa9a14986d92729542b09696ebd270f8ea2a

SHA256
d6379999c194f8f2347c41e13bceb5b91ec203cffddb0beda09baa11ee6dbc89

SHA512
a1c0729dc10debb1a4fc099f3bdda3e6cd9401317f426759e81163ad5777f2829aca835876d82cf2704c2f7db76dd1e905edaeddacc76bdde3cbc824319e4dfb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
8ae98d8eba3c6efad02afcd634e4b9f0

SHA1
0690e217e25c44b2d24cc4b03e05e72a07ce0cb6

SHA256
29b59adff3ed2664424a5419091bfbf95ff065d8e13b7b6e9104b7677a8b7977

SHA512
afad6db7cb6bb611cf7ff11447d43605857ee04603959cf9cc591924e910a01d6f1c5ea383ebc105a31ab92efe9053be9415abf40616765555e26e365f5f7ca2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b98760539d31275df1d88999db45468e

SHA1
d7951c9a0f164ad127f9b9002d424d493771b8bc

SHA256
4fd8f5b65b958062f911c6552ad7011ce91ab04800fae0ab639b0721912603c3

SHA512
fda85403a86c70385d455c2053f9db2a3bbffc3766812a8c5e8b62bf6176d383da3be5d2327f305b441cfc471b76919d972a398eb5e46aba3fdecfaa9a6b02b6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
54ead3e4a087929b3e7049a7d0cdcd2f

SHA1
c5e9e0ff223eac109046cee89861ff366891376b

SHA256
1373043b8a3dcfde9cbe577b9cbd095bfed82935f3f8d3fefc85a2d027a36c34

SHA512
41f6df699aee9f33f456d221ee42cf86266fd4cc269cbfed21c07f534b4ae3fdc39a03c4828d49a95cd3210f6306182ffd970df824e423e21588f6e4ca978932

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a0b68be98c1551fa666199a29b696017

SHA1
3359c311a528e563622202c1580376bbb3142d2d

SHA256
37e560259632b54beb939e7ffd678d8e86ab237d6b07cf5a0ffdbe7e6b7a7338

SHA512
ba6ccaeac0275485069cedff403620bb155ebbf7a9f4a7861c0d6f472edeadecaade03dd6b9621657b50156291b3a492e3a80ff246b498df349c67a75abc3fcd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
13a21b8bd3393bb01998d58beafd6cc8

SHA1
f4c680bbded9cded39eabd81f3d0bc2ec2c046ed

SHA256
40a65dc0089f460819247a4397a9c222b818e2aeb983ea6bdd836ec626480ba4

SHA512
57583385d3fa86e160e09604588be3dc80a1ad10e2c2f9ed496ed490e3fc1a6f6278a60c1d990d584396eefea0deb0732a8ec8ab04165a2b35675c5dd460c3e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
2e513325823d1a3c8c34ee0b2f5134b6

SHA1
859d66984da0b0361bda38be6e19f4a88d88ae0a

SHA256
d3b89baa02aeeff9026a0108070a5f492729617f981d5ea3c257aa1375184977

SHA512
fe825d243cd7de8dcb0ff4bed150b5d63e7fc430694fc8bf261d8fa260d5dbe1657c8123c037c92f22242dd7a8cd0e30cbbba1610eeb6ccf9aa8731a288733a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
db53d140163890048ad73beeb04f8c53

SHA1
0069148019f8afe2fe69ab4401221f4ee70bbf7d

SHA256
7cc6b59815930c7e72ed7e4797c053e34e5d4125b977e0795b87654e23d2f33b

SHA512
2e59aabb38d750de008baf2331adf5506208f2953e21f01e5d7695b8d88ef595de7b5284f792bcfa3f43fc4bf57bff00b14075167f6ddb1079210c0e9cffea56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
2100878836cac347b19d82673e50156c

SHA1
d2313711e10e575ed4738d5df9a2d8a1be6fa0c2

SHA256
42f7f6f955f9fc38cc2976274bd2987ad43396b0df370142255cb8ecaa29da24

SHA512
9255b6dfcb76a200bebef4314386af3cfd8f26603a979ec825025f23c0b7e9c15e73c63cf1897b7aacd5055ef5940b1399940c57ecd57bd8494d4fbb45805b31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2b4cf2ae452f52ff8caada347017b1d0

SHA1
bc8857c688abdff17f6f08f3ccfc93cc21ef5ae4

SHA256
5d1ccbc7486fe64dd3be32751a4a5a1fcbeffd61cd7c3c1b93a590c89ebe835b

SHA512
9f6b5e007a922caa80579d8b79accf9aeb05dc16dad2a7b2eb416b756337742f0d6c53b33909637cbf7e709aa3700b28aeeb8a94a91a092f3599dae50be40a1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f094cf28c49b5c84c60a851194cb052c

SHA1
564222df059d98030aa3f9b6c7a58b5c0259d934

SHA256
01efeb442b39607632153af527752d3fc2c38c5b7b7e8e6c3deb0a6e96d4c871

SHA512
9b795bc8e873f4d94c3b7ca96f4b6b9a45feb33ce1900ad9d6cfdd467b76e552e50b332593817e1e38038053d3366cccb5acda2019ef07a1e0c3d1c51095949a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2e8b6c23490d2df4e76faa3bdc8de784

SHA1
76543c69279fcc1766a8d31463e798a801caacc9

SHA256
45584248817b2202d976b3a9070fcb9d809581599025a1f243d3b2499ca71a91

SHA512
5f8e1c9d94999731aaa70558193ae2b02976f803213f8bd9b8be42f6e67c9677a1332daa0c18273b771b910906a023225ebe6a4f5d36ee241226eec2d2d08d15

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
36c165ffe65a446b60aa178b85ac1ed3

SHA1
54fa62bc6bf0ab9ea3f7da2ad4d822c6c189e248

SHA256
8554d1a7e2e6b2069148867db63629b2b776b35bd4441f96641cbaa25e8c8706

SHA512
e76f0e0bf8e3e7e938ae9ca8ee415a107a0262c782be6a21c8690bbb024ecd9e0bcddfcb7a751743fef882b729bbb390ce7346d7598c52a22d8454044001c28f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
5b5dd56592ba53bf4bfdcd50d100703c

SHA1
55d9e558b000540ded1710194c321abc82e3f368

SHA256
bb159685a00728e6be434f517d5e821c0f0e0676a69e348913961385f6c2edf6

SHA512
190ce9f330a2456526f20fa0206a7110d98275dfcff976f103cddb1589b1f12854a668c3f4e12f3393160615d7774871c5f25449ce5ba69888d0686585278d2b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
7d69271c4f7b7cda813b35adae5e5e5b

SHA1
4c715da61bcac3c099de27f444aca6321d0e9474

SHA256
bc4b6a087e9024e99e28041cc2a72101013c6d7e9cf8a5945b1ee43835c2eb08

SHA512
aa6902cf9622f064c7f379c359e35455f4a0943288562e3291756dfd99479d573f059dd30f8d8e5742b182e4552a9f36847e34c0228dabb2d3c2a1b9d1040deb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
7a11542b391aeb71bbca272f08cf3ef6

SHA1
cac382cada0d3ee6de166b6a32bd458756eacde9

SHA256
65c1c216af906c780585843cc7f19ca4362d0e414d9eaa5d160129ac9c6bb870

SHA512
9bc2400f9d1821e9bbb1682f3fe9d40e8d177e479d66261519691333851bd19c99eb7cc8036702cbdf380fefd3e9169ac628cfc3f700fd5b0a2ded3500a42e72

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
939984fa791ffc303846937043172b1e

SHA1
424b7464084fc397204a62d734105ccceae1ab1f

SHA256
b2a917695d72245f1ef808e42816cc16e64d0ee8c7405d5a779bfdf771ada656

SHA512
0b8ee7e6fd41b07b04a875b0316ef4e7d802c7221e8c9f7b81da27210050b56a1d146402eec776afc88b1817f9ace344fe102f7b34f3eedd5f1cc36b738fe851

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
4c26a143fa19632a7200b7783765b53b

SHA1
03437124215d051a3c1392533b6906e856a6ec9f

SHA256
d72013d2897937d00ce2218a94482695406765518c5942548ef0b641a745be58

SHA512
c8ebc42365d5d038d07159c11973970cc6ffeffa3cdce001817b3b8f3ddc1460965602d39469ba9fe7e0b5759ef9d216085efb4c3c956ebe24e3fd08f46f9686

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
fa296ee34e0c814e33f1958afb25661f

SHA1
34ee73065fc7bf55ac037aa206235ea06070618d

SHA256
bf037b3dbf6e54310427d4ed55562dbb537e3e5234ace95b2990cf33d39d440e

SHA512
98a4299aac254a313564180d15825f5867fde8ab85cca7206c208e9a1f47c114f14f84db54de4de63b358bd41aa390022ab5e1e58b7527ad1848ba2a3a25908d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
ae4637c1cb56757f3d474809c9d0ba21

SHA1
862a1b9a04780f25b4d5a25fdef4642d6fbee123

SHA256
b2b6cb5f1da9763626083e4aef6dcc215e055bd8a3b7007a866fb835cfd61e99

SHA512
2d8128c70a611282e20e2d4afeb5932113f8076547b3e1cd6bd353ec12fdd3b37229de4c6d191002b65b56e0b7fdeb51a6995924cf6e4ffaed8ef2a38231a02c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
9a6d3c1b9c2646b1e236ad311e8ee201

SHA1
532e0d9fb6f3a4f87151ecb789fa2bbc70d7de66

SHA256
8e8ba28ab326e468352c6e93cfcf75525432d1183aaa979c416691166a575446

SHA512
d396d52160f5bafbf3010c212549326c301616b4ac035d6c2cf676ca6f8f075a3d893d4b60e25a142d0f5cc57ff80981ad7175efb7c1503e4104bda61248f48f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
ed2c17b96d40833ec9a25cf2febe9e07

SHA1
bf2bda06a5553435ec885ff8a8a29300342b60ae

SHA256
108fe99d3d5bc42ed41e79c7200bff20e065c750127fa366c2055ad1b4246510

SHA512
620f45b88d70355d74363117335cdc44d1182504d50cd6b143f0ca313c04fb40da4e2b8ab4ab12a2f6c84b4f11d9e6fb758fc4edf7a4a4f1b93544469d2916b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e6b9ee48ece3ceeff4162cccc28af7c8

SHA1
c54c0e5ac58bc358ccff23fe05141c084c4bc43c

SHA256
d4ca3ea3a6213871eb49cba01624059cd517600fc126f51498b8ce3b805ffa27

SHA512
7893203dd807629782ebaefeccab95aeb18ec02d08147147de425bcf36b675ddf80ea86d9d7dea8f254ae0cae830e7f62da7c433fa7e6ded7408f3620abe1705

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
b068d3e99d554047b18b94b95870232b

SHA1
ed3e0c2e8eb3eb4f144a3dee9bec972e08f99b77

SHA256
e734098b9a84533a7ddcc74e1c60c0c1e5c3f5b7d0444f57db7aa302ca9e019f

SHA512
0710d65070d7450cf33b9e63f4488371bfc6140c81276d4a0b8582b78cc2dde1bda40e282b10a9b56f1d31f21932efa6a5b90436679003010a0f5957cefae4e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
561d5707850ed098f38bbdcc895c4f0a

SHA1
c77757ff50fdc2468eb32b0ca756b18fe8cd2ab3

SHA256
aa19da58f2a8e0e7f9e06e488d7ffddc2877f16604a340de137ba65e0e830ad8

SHA512
688c65481a056411780b8cc16c270be866f839f12ef23378155d1063ad1ed5bc9c66bfbaa8d72bf002b526c7f64eb7340059b72276914cbb8f94a88f114344de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
48e279b5bccd5f70b9613c55ce134ac2

SHA1
2ecd8079b921a395fde481e5a5ecd125a0aae454

SHA256
443f45fcd6c456042b3973e17736b8243a49edf21c7dc872883202b0fa0ba295

SHA512
e26953ec64cb7924bcc8a2230b00f8011512dae10f414215806d813c95823c339863c494445f52f4955d15a96398a9e88640f6b76efe96ae78e886aa4ad8826d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
12f87b80fb81cef175d053733968bcfa

SHA1
88d1032ebd0620703d5dd429aeff540f008e1eee

SHA256
698c4a37b155b7e86cbe956a6cd51629b35fcc57cc5d4649a9235c14c11bf54e

SHA512
3b42c1970f6b9373653b0db184bef0da1a83ba54056604c77b9f22b86bd294b053a964649800229a6cc71520ae7591780469f20cfb9501fd8832c52243cf2c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
4d0cc6794363f9430e0d49ffa2c1a71d

SHA1
9e2398c2d75e47b444108963c6f0a0fc210441cc

SHA256
75104e1b140a9fe6d650dfaa5bbb080b08ce42cb37e020db89dbe225e92a4d6b

SHA512
27cef783fcfcdfd7fbb4a2cce081c2f1cfa0ef039a3503a7ff78427804bf61bb6d87fd781b7771edcebbd5e7b02cbe1d922e050f5fed4d01774669ef6ac0a988

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
132a8fd929193308b401be1bc27b5187

SHA1
f01766786bab35e4c14b3d8dda42eb62a0e74d7e

SHA256
105bc712d368ec48dcef73597614be2a731262f670cdca9dee72f469b9a05c57

SHA512
ffea4354cf624c99f5dd92a8a51a72a7747dc529a41e7d376a0a88502c2b0f0b17da8f785236c86952c6ded68fedffa9e6022ed884e83223851f7ab081833ec8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
46602cbb197d3978efc88d61b16a0bb3

SHA1
6d00175f7339b4c0cad17a3adb8dc76aff2d727c

SHA256
66ddcbd5cac6e70ceac8129a2dd6efae350871f2678cd5056896774a97c5b732

SHA512
ee7fb442f6e9eaf4443d77817aa26aabfbcf16408396da4177393a8bc4df1dcbde53e3c9433329d59e2dc0568f1271c5d41a279159c0a838583afe5c182030c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ab01bccaa16d70fa5a2e9670704b605a

SHA1
dfe48f7169f268b6b171be0e26035faa4997e04e

SHA256
e49d07e834f671051e6753906fe2c7b3daf3dd3422dd0d794adc3add8a369397

SHA512
5f2dd1b18f436faff271435aea71908b93c603a8a1ccfc2a1f6e673dc7ac8575e0739ad3518659af81d750b77e314f9edb0d64fcd191b6fee2eb81def6e59e76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8545b98e201b087412b3fd552273e5d5

SHA1
34123bff789433f362a8f7e27aa446d4665682a6

SHA256
91838aa4f10dee06b9f3e1f9ea7cdcca538dac648e32433608b94b81436cd1d8

SHA512
ba1724fcd2ad06ceab0d5b863c8771cc05a4f1b9fccd5522d818e2961df160d01e57c38f61618891f2e9fe4a49aa7b1d767915a6a623d4a560a719eb87677938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
72d5350964d60cbac88d5761600f67da

SHA1
0c578f73c6867504dfc7547d022df5889c28893a

SHA256
6141155c9b551eeee11059528bba939d2a57ef32d59a7f8eb4deae9874a18340

SHA512
adcf250c596b962baffb85b24f90341160b2b054e484e6bc1d57a0219fd334bb81d784e0c94081dd673d3fa967b651f8a022e47165ce513a391810e89fdc63a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
86c0dea54befeaf309ae7a43dae2926b

SHA1
ffbb0da6b336ce39907770967579bcdd1eef60bc

SHA256
69957f48ced0c3d304f6aeb50f43cf5ebbe9e407ae3c66f462b5197c40bf99cd

SHA512
9a2e1415dca634667419b43de2b18b08433405d9ffc4edefbfd87a7389cf49f19fee65369c8c2054929bb21d547f9190f8959876dcdd29045e373fa251af0e9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
e43390aec219ebd7b0f91d210f42585a

SHA1
c6a8ff77e35259a84508c2163b4c6e367ee913f4

SHA256
fc01174816f7288c944ea17058551f63e0a72b40b668a7067852336d04dc6097

SHA512
37f44db3db8d28bd37d368f4d34047f21c3df6961511037f4de7bf7fd9e0ad6356e418091be41f3d09809310f301e2d58460f576127f080009c8e11e33d9879b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
c41b3fb6185b53934ae2cd412131becf

SHA1
68284416cab8309e5657804d55226e7b346b8e21

SHA256
6a9925c0cdf754f43642ec0b7fe3e072203757b5e37a6c1c074c882b3feae6e7

SHA512
58ee38d7ebd46220468a5795c502432c7569295cb0aa44f8940b13e43b28a4be3117b0c84f9774ee4afa8106b7d70dce4e703719c4345b227be0f4f8de7e881f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
a924c8b01ded026d008785b66e1c4b8c

SHA1
6f28efca9dc1d863f4b8aff68aeaa83eae3bcb8c

SHA256
53b42a6b333d9b759f9e4974af0bb67fa52d879e8e39aaf315fc935b7e2482e9

SHA512
89258684b608af78c61466b72c4cbf5aeb72bfa210f397fb141aa52fa32ace642111afe57fcec8ad1bdcbb6c28a0ddcdba3706b61d6a719042aa50573550d389

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6c93d33c6df39c0d64b6b7067896fbf1

SHA1
b6444e4b87383c4e228376b9aa7f8373fa4c39b6

SHA256
da67ac9f3deb55a87ca01e0eba6e5b2d46783e99a447e7fbd484483159eb8da1

SHA512
d27e33bbd2afc702c87c16fc4a4bb60db0a0170dc0308d2ee17a4e2fa8661f7dcf710f4030620658afbb8e44421065d4de701506a24abee45a3d41b672fcd0f6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
25201e24433766c069bbb27f6257989f

SHA1
f2e2c4a2f2a025386ffc21a969405c4983419470

SHA256
b9ba6f42ec5f0c9daa9bc8304ac88b4a4099945af2dcac8dfb6c7e71d283c29e

SHA512
e17fe217c5736c3f9e4f8c57f824b7c4e67399f758feb599d9f2245c0d02c63bed51f4fd2b9f48695021402c03b57ff47d53df1231c7168c561257bff1f9eead

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
edcbfb83a4633c7e789dc157e5aa8ed2

SHA1
1ccf0c7bec091ee5d86920e10d0007aa99834df9

SHA256
79ea0b839919ad5461a0a32b0136fe9370174b615264d7fa0a05feb5cc5aaec1

SHA512
7cad2de831f158695967cd831cbe2112fa7ec14dbe92a3cfd61a93bed1abe2b1c2da6acd396e14480f692e4c10b3a6fb8882eb77a4a7ef38931335a14db7ca3c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cc50b3e01ec43caf8d7f274efaa616de

SHA1
4328c7c736f1e531a5914a013de32e20629dcb9e

SHA256
1ebfb53e0d521b02d0d4b69385ffead369c2c0c9de0cf59c4760950f2167830c

SHA512
52b592e45277299cbeffa5f171f083f50bf4ffabcfe384651cd11d0c777fe937076f24a40e890d3b32527ecf1c3693a1fddc8bce2fab16de6333596a6500c055

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
97d3fe1aea2f641104b710877efabfd4

SHA1
8f21e5900a5c82f376efa94abbaaa16f6a45dab9

SHA256
c352fde162d650e627f5c8e42ed82b56984df054d78f4f521f8b4559c7e9b640

SHA512
27abb5566f038d533af21a9578f85f35db3e652ade3b53d656d14206a6a11e7a8494df8d9ddf788b6daa3ebd8e3d1848c3abfbf2090b580563b4e197bf33a46d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5574a16684d34ef85afd36a7f2bb1a99

SHA1
4b60b13a5e428fe89665a5e47806c422056a87b0

SHA256
32ddc51076081a94e0faa68288315391fd06bb9daec0ec37b199f6e48b2333c7

SHA512
179771c1389c61267cf2fb23ccc6ec6c244e35784d6797a84e36da22294c1ea2b427d5bbe762d98bc28cd21159d6d5417e3f607686f54e7d95a719f2a49a72e2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
05227a32f2b75e58db29ee0fbd318641

SHA1
7757b3f418a36f09a8ea425281df854990b86743

SHA256
16979a50f6dfcbce2aab66403c58217cbf89c5a7a91588ddb6ad73935f5843ae

SHA512
b848ded5de8f4dc379bbb5a9a8a98854aaf4eb914767e8b97fa13d34f80365899c22c4f3e8276e60053215ddf9320199f4e62c1605a91f0a554126dae98fb4ce

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
55ee564f987296f99b8c486051621c6a

SHA1
aa6a8b467d56389386ba0740e7c6ac09e2bae475

SHA256
636272393b1173bf773a07f11e5cb41681352cfd1e8dd78d21dc5f69b9c8a586

SHA512
7326c75c8b0ad93e5a568bf7f7f66f0ffd0d5c2d5342f9e124f3595dd93330ce4c6c4d850d2ef0e29cae4bae528c0ba01525a1c886b9a1da911af33b8f45cdd7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
87847798059c647e6616852fd4c54ca6

SHA1
23216753524d1625a8466155288c83f5558130b5

SHA256
b418eac8aaf7e1232b8b1fef61931550e8d7c35c1265e851c72486ae627edddb

SHA512
b536c709969741cb65e113a0606d02b161a66e81f45b7c646427380e8ae7d6cb69783ce9b9dc3c714ade2c6a58c8bfb2741fdf4024f17d4bae8a8730f47150cb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
171b6762e041dd440da12720db527982

SHA1
16d8f61b5cade6a9b2a52b724dfbf97575cd99a9

SHA256
b8bea6ff27f8e74ceedf77fdbeca239fc192aea5204e081b8e34e8eeb7f421f1

SHA512
1ad5d7499397a1f5b141181f5da0cf3d93f8ac5617105f0c68142795611803eac42059c4c7af7d4e3373ccf1c426f174dc2ca9db3b6f8c13a576d09a863331fd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
dcdc230041bdd193517de88f6e6633c8

SHA1
4f1f592a8d3ec65dde389dda1fa55885ca5d8c60

SHA256
ec5f3de6e4f666d2fdfa80b4ebfacf9b552e4c641793b7feade44fbf0739d10c

SHA512
2bbd68fd67105e8820e1b93feea8517ddee56ddef4380dcdf81b7d1132343f8f97f850b6e847dd357c86c0d5773556af69450da902de813a3cf2c5df9caba5c7

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
33349f59c2e89ef2f9468d17d27d4a50

SHA1
ce4bdb19f72c27dcf9da7a20ac60de4d23ef547c

SHA256
c45ee95673f953dd5a0c113d9daa95ce19fbc893c4c0b2e68cd10b843a8b5b69

SHA512
9c1ec841d0ff462631f503715408d44ea8fe9ea4ae20ca102520d1e45caac026b19ec7827a2c95736b522ba0fb6904d172112a7b2b32f5d6f833d1d067c055c5

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1885b1e3c39bbe79742a66783c9a6d60

SHA1
e983c753a7d2120099dea6407268330a4fd45318

SHA256
eb4d932037bbf3cd20a5f5a6d59539cedf9fa3260035e23de13638ca7a0a2b2e

SHA512
ada8264e4c9ed6753ac522c1b4e4fca00281853670f5d1278e6e5a3421f2d844b5006da8e0e2147dbe051976b269fdce7105e3f3b06c704166a7008919719ed7

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e7bf367d1899d99ab6460683824f3a79

SHA1
c83f200430b66d553d1346a0e93b850b8a622aac

SHA256
3117c4541ecc710247525ad75730b01a9305f5d76a4b6f96c4a925a05c4f2346

SHA512
bb0b9a295a2c7d3379312ba9edd4f4d2453d6bbe3b4293f727054b819498b25998c05a09801a6ed777032ca7089b499c5554d3bc4549dce0afae2533470ae8d3

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
aef47093227f0d190698975beb31a3e6

SHA1
b4b77d84a459eac9aa025c475b351552f51671c9

SHA256
269b2e3b9c2d173dfb5389d65a3b247010cd5a30e6d5c2953180f851f97860b9

SHA512
57482958f2c866413da560e88e10844926fab4a0e498e8e21481276cbe876a124fc47ef2721c4f9c8589b632418e0a17f1d19df7d451bc1ff708f4f51be84a4a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a561896d6fe0c5c0ae5e70a713bd7408

SHA1
b0563af1f98e5271b7000e8c5963004bde687047

SHA256
c8099dcceefe325e37f89be6c3789035b59428cb878a167b999622849bb216d0

SHA512
22c82713ecc03f1ce68dbf763305ff6ed8f1422c78792faa8471ff3b2ade180c3c907213ee82ff646b34bc7a6f8206b21e84c875aa2da6be052e44079f5bd29a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
99ddaf72722f7f7ff263e35a2c98617d

SHA1
27c68d31645f16a451d5b57f518c88d8494451c4

SHA256
d9340e9cb808a845e199b0900d325fadb5a8a05085f1a1be4d7da5b9c6e0269e

SHA512
3bab1bc37e269e49a4af4b93a435bcaf2a87e966760c27839521f0bcdcf06fac245c04d4bb788a61c30eb744178b6575cd5af644bc65c43079e88701185a5276

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d350c6f56d825e0b6a246ab6c7b5a773

SHA1
21d06df74cfd9ebf6d1e7c7fa0dcff04a148418d

SHA256
dd21360a6f9bf2169d7ebac9ab092828a5c561634a806d4a821d5336b0179fc7

SHA512
0906cb3beb8f84ae7463757060105036dca4450e7d9a82e274bbc2729a6474cc59b549ce98b652188273ef0a4435c47127e076d599743a154c9365f70ab56226

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ccd0054835e5b843f2f34508e38744ce

SHA1
73382cf37acce59b24e3819aa61750c4f62549b8

SHA256
b516ef616c7d873392df9d21256be07ef219a9947292b46e2caa28e22b17ecb1

SHA512
87ecfc1db1110b16cc05b10869996bc47c32a11b73d0468e80b5c8946f47348f59aefa547313593846b7b228ddfc61bf17b761d899f777c4769d38b1a7253c6a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9bf6efa1dc66b75345a7010a771778cf

SHA1
cd62def23c1a50406f33965b5523440831550dc7

SHA256
a53ce2c7e8e549bee2546ebd7784b94e48981443be6af22726f0df6bf4008918

SHA512
a4cc5ee5912d9941a76ff5fbefe61ad46858e717736750682996843c572b3bb7bb343aa47f39fc5affb195f5e6b91781407432af49dfa22c8fb4cdda95f879b4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1b38818a145ab39212ab2d6eb5d002e3

SHA1
8e45fe2a24319429db8eeba5c1abbeab233cbdbd

SHA256
337cbe31f151294f8a1d754c3caaf06ada5ae785c62874579e2003cdf0791e6d

SHA512
384d3d9641972671aab5086fe7ee8cae0a5086ed6bec2f9cf6e07008d0ee75b644c945dbc2f795c1d005738699c272fec40121dd00cdf886b5769fdde18ff7a9

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
af8839835226a38d46953bdf37b5efa3

SHA1
8a4380f7b014e540a18ff1ee6dee9dbdda917951

SHA256
343e7d73fd01c8e87c9fc6cf35606e5c7159f0383fabc53069b5f26c0028cd22

SHA512
680133061b8f9b7caa6499937655ff71cc82a1f0fad81c159e0b6f36c8229be78e5553d3cb0650f6e2b14cb6a73d789232c214c69c5608540c1624e4542d81c6

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
8c3e760d87724065bb2d8078f643b4f8

SHA1
1f523f77e0dc413cb42b7475d693699e8168508b

SHA256
fcc68428eed9b039bbae4c8c649b949d5fa61de2d1d5a8672569a387b69aa695

SHA512
ae2def1870d5cdb29913a015ca98a3dcd36c4e94ff1ee8491eb5e76abaabb16eb6d34b84fbd83804f81cf61f063408883641dd10b6b98d18dc632d1d0157fe79

Download Submit
memory/220-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/220-89-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/220-95-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/220-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/548-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/548-516-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/640-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/640-333-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/700-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1692-101-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1692-109-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1692-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1692-106-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/1732-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1732-517-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1928-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1928-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1984-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1984-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2236-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2236-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2312-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2312-509-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2624-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2624-458-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2972-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2972-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3008-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3008-512-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3884-457-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3884-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3884-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3948-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3948-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3948-100-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4092-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4092-510-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4712-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4712-511-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4872-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4872-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4872-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4880-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-515-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-84-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4904-78-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4904-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4904-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4952-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4952-1-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/4952-345-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4952-6-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/4952-75-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4968-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4968-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4968-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4968-64-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4968-55-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/5080-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5080-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/5080-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5080-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download