7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
Size

648KB
MD5

a98cc0044d4852cd4ed4d1e6c5054dcf
SHA1

ccd77ce023a0c3c8ea8ff118588cda73f43131bd
SHA256

7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993
SHA512

efe5d971bfd34a5258f15211bec0706af5a85fc34a98ec283b16fa3ff4d5cfdd4d5d716555ea8257c6f028f60ceaba4cf0a6549216b26c9ab049e53fc4ce641e
SSDEEP

12288:/qz2DWURFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+Z:yz2DWnSRQ5UOOU62FBnO+E222YJbNEUT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3700	alg.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
3064	fxssvc.exe
464	elevation_service.exe
404	elevation_service.exe
1296	maintenanceservice.exe
628	msdtc.exe
1476	OSE.EXE
4584	PerceptionSimulationService.exe
1872	perfhost.exe
2620	locator.exe
468	SensorDataService.exe
3944	snmptrap.exe
4516	spectrum.exe
2240	ssh-agent.exe
2948	TieringEngineService.exe
2392	AgentService.exe
516	vds.exe
1268	vssvc.exe
1636	wbengine.exe
3672	WmiApSrv.exe
3516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9a2e43e8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\System32\vds.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\locator.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe

Drops file in Windows directory 4 IoCs

Processes:

7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed173e8ac099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003aa8d89c099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4339789c099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6bf088bc099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a861a98ac099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e7d028ac099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d6bef89c099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bdf048ac099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e7d028ac099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088840d8bc099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe
4252	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1180	7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
Token: SeAuditPrivilege	3064	fxssvc.exe
Token: SeRestorePrivilege	2948	TieringEngineService.exe
Token: SeManageVolumePrivilege	2948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2392	AgentService.exe
Token: SeBackupPrivilege	1268	vssvc.exe
Token: SeRestorePrivilege	1268	vssvc.exe
Token: SeAuditPrivilege	1268	vssvc.exe
Token: SeBackupPrivilege	1636	wbengine.exe
Token: SeRestorePrivilege	1636	wbengine.exe
Token: SeSecurityPrivilege	1636	wbengine.exe
Token: 33	3516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeDebugPrivilege	3700	alg.exe
Token: SeDebugPrivilege	3700	alg.exe
Token: SeDebugPrivilege	3700	alg.exe
Token: SeDebugPrivilege	4252	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3516 wrote to memory of 2176	3516	SearchIndexer.exe	SearchProtocolHost.exe
PID 3516 wrote to memory of 2176	3516	SearchIndexer.exe	SearchProtocolHost.exe
PID 3516 wrote to memory of 412	3516	SearchIndexer.exe	SearchFilterHost.exe
PID 3516 wrote to memory of 412	3516	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe
"C:\Users\Admin\AppData\Local\Temp\7cbb4e6e7efc10b61e1acfdfc7ec68746fbbef453373dc94abd16fec39812993.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3720

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2176

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2253636778f9f8712adb233ed3f18a36

SHA1
d4ebe9efca6b050589c6aa838e1fb21636cef5e2

SHA256
fa09b4491e865ca39caafb9cd8fb1fe162ec00e3691a9ea86e0bb6c8366b3a00

SHA512
0c64caf1025f1b426834214667d8e25d0b7c65b35ad3ba384fb456d3ba7e7c0e24ee2787cde67d058e13a6ba289f51364da9d0433ac66b058ea68869d1126e1a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
352b4fc4a979744b8f32a20e2b45fe98

SHA1
be32f3be4ba387684c567feaf9c09dbd87c89f81

SHA256
07e9d7e83aff3ed3f9b0d3bf669d918bf75109247170ef70edb619725ceeb760

SHA512
e065089ba9de45c7997d279f011257daabb59add2d799d96839b9b33b2fc027e4c677595d3bd3eb530198ba798cf9323c60d28ecea9981d0b61bac1f566f09b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
16484455cc36cafae2cd99a64aac6459

SHA1
26a26b4abcc251fbb3c8fbbfde8e47e623595f65

SHA256
da2992db0ef1a4ab7bae6939571b66b397a21d6fffd8cb1c13357222aad2c5cb

SHA512
ffb835784ad5ecafc8299a20e899330d75c8f6f5469a90b8264cb234ff752a78dfef196018cddf3bd3fc00c26631e187603a20fcbf85560bc2b0fa7c8a46346a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
54904996bde421beb8158a643ab573a0

SHA1
63433e8271879c0803dc385a2b637399b6651c17

SHA256
a810b00b62cf88deb4bb9df7ee945d1b137e539241a2634980fa7ec7d3d8cedf

SHA512
bf13d34a871fa33c730d6b15b00ea7c07d0c8fbca17ab611629876808ddb128898ed91a07704a530c5455a3ea58e6923bf8f6427741a88fdf58d7c04450faf53

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
730d39aca2b875e858fd1432bb8ffb1d

SHA1
f0ddb6f07bc2368c86bbca2ae19b0b0948808507

SHA256
2d75d9c01f4b345efa8ebf1902ff5abea0eac5cfa127e44b27f030b571276d1b

SHA512
dbfb585abace2ed16317af7631293f57b8999e070a019fe4f1fa6ae4d3ecc568c4892f1eedd50a91298c9c9cf5f391068f5a2fedeb271f797ff6ff8344d6c289

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ff408284df38a1253693e33bed4293be

SHA1
6cf30cbd2f5d60bf3b6908901c00a8f1a017010f

SHA256
ccd05b0abcc2f6f18f58e58a73f9e2f180024e11782f58ac07f2b3a20f538441

SHA512
c7196cbdbd35e7c82c5e6181a9cb305b7da7f83cc46e3ba7351652b36073de49a6a85fd2ef9d3f5ac9a116006fb469850e60bed77480f5fa075e7aee7b3913f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
aadf38da6fc453c3b05d015f59853cd5

SHA1
773003e5168f31247860b15902169cd82f16ecbb

SHA256
5c5e3986a29ceb77ab9f223cddea1c546e5137272444fca133e4c94f12ed67d3

SHA512
4c7b12b1579bae649ae9caef6f1779ebcaee8022e2b82db8507cc925371864ad324b2a549046f7ad7869378c6c52009a8a3ec31c096600e4175f7433436ca0db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7044d5dc710ec88b985ffac07645cb15

SHA1
2d58c58a1b1b6e16210ef18ab900f21ae5185438

SHA256
a57f045f632ee8ac527b1292bc8a3e667d925046b4850220d8ecab558894f5f0

SHA512
6f16edfb7ac67034c6a82addd883f5de845cd77fc77cc29a5e73fc29fcd5af837facccc65924d921a61bc220d010c9ac942f49fdf733268980260d3265eb492a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
86524e34ee2da281b18c43700cf96891

SHA1
3d96dd30f582aa4d2319dee85106807134270d4f

SHA256
80fbc9462251b4986d76750a81f519e1426a98ecd3b7736dd64b57873a1ef5c0

SHA512
6613f0613ee6dab226dcbb8a25a872641def0fac57cc0aa1d01e649ad1a49f192c2a593924638725743d07865444a51af24fc157a41a358d8feb64113af86625

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f27cafa765b192e98939cfb0b181c079

SHA1
51b4aa4b0beb90d7da570721c62602640b7980a3

SHA256
711049b7a69011e161136f554327a46bd0fe0a9f0ee2c1c92d0e67a832bcd702

SHA512
b484a79ead21d0f0185566e67c8728799015c8524ab55c5b9460c454a73625a178769a93cffb0b013eca0c4ec560fb8c3c0f5333de826bbdc4dd2cc145b46c03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1b37582b37a21cba8351bde70bd59646

SHA1
d07211b43777fb511663302563ba6b9f2c8aa723

SHA256
051e1acb58e786263e233c877e3328b94d9a07ac8615823fc06d9360ba4f4de3

SHA512
76fa9f8004def37077381c26233bde6c1d043d95dafa4c25848e962d36bbe4f8c22d1f28890f3cef0c9f8979c90b74b0254d262e9ed4b212e6882075feb3118b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e05bd45bcf39f6d0315b31f6351dbe74

SHA1
e191b0a84d8123088e3bc6675aeda47ad2bab746

SHA256
2321bf2c7766b115374152e05d9e0c1ee9319ec4c90e4ef218133a607c62a747

SHA512
cd1ff427f219cb68b3b10368235a4e79d09d52695b5be4a72aba91ce242453fbe624cb335aafaf5d20ce7f52609b0ca98406d987f724cac1d70d6067341f5af4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
271d2d5c502f2c991273c6d7ca5e8b52

SHA1
7b39d048ba2b3ce3fddbb61276346002865e7f6d

SHA256
998351c06c86975d010ea6df60000d00b1dffa184d1eead8c636a7141c973998

SHA512
622aa540f4cf38e2ec21f2bc899daec58ccb578c649791c49b65ab9777d223f0cdb6c5b70da357bc7c526f743c18c8397af83971e3258c24066674d894c7d777

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b5b68574ca20623584911a2191dab874

SHA1
09a86acb515fbc2e0e3da530ce89737c6c876d45

SHA256
65a379a637d4571b014aab02f7cbf9edf59abf442251a1dd2a9256000189666b

SHA512
22b0ef0f418e9814d17d07d871d2f44a68a0227977cf6b9a35ee47034613680a52871782ed42684f43e4b9701b466617405b55e643144e7c60bcfb93fe662549

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
11f9123071013f24bec31a4a42c12bcb

SHA1
f5dda58fcf4c88c84aebee7d6563477abf10fc1a

SHA256
7995bab6e3c4e49824472f1f8769c38f0f2c1148b3f81c0bfa02df07bd17e260

SHA512
8f1666591a82ac3f32fd89a8d436d377131e26bd2e0b4ca99d22e0e037abb498a4235718b3c5f20d7091d25604a7e29ebafb24c63b7788bdae020ddef3a180fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2832f75503432e5f9a45eea34b5648d1

SHA1
6438db25aac2f87735b6a53d92b8f1ba25885572

SHA256
e2adf6049d159f86fa2d973d9b2db7352776e93da9a83709753f5f884a2e3006

SHA512
f8793c1efa31f1d71df6a50971551e7243e0d8d3392e52f849351841bd57b5436f86bfd603d8322ffe8007dbfa79a59e14da2c8cf3bf3c898cffce9109299598

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ea671a8a3ed0691429ffb6eb286eafd3

SHA1
a7838e3b3247cef72de27fa91dd1f286ebd9f777

SHA256
aef065eb064431e8c19223ab9790f4bcdf780a33bad32872bed104322c16e1d5

SHA512
225d661d6a7782618771a1be96de22f902a42bdbb2fd548618269713cbb1fe7492d6f9f2b86d19f8a21a888edf92fc3d3e794e44d9d9c93e18244b51f7058244

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a4daba0d2ed68dbcafd7de215db14f28

SHA1
1b3a3a51d0d926d0efd0ae5f0bec123c2678f715

SHA256
43603592718cf73f70740faadf89438d01e295e505c313cb81d694d85524bc04

SHA512
5f958b99677eab326adea81ca1e8d9e4e9691b003e3dbe8eaa75bbd47a1c4c22f64c277b768892267b7ad4b9e81eddd4d0ad71077888a73a25eb88953bffec86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
35fd9fd3d40dd85186f19b928c0993df

SHA1
9e05ec6b867aab3add2f002fce55f5a2fc7e45e3

SHA256
4aa5ce35477c8fd659164e01a9642fbf80b63925366a6e07b51fa15911040652

SHA512
c1d9178db80f991b438442d1d8d52b1cfc7139eb1baaaa81130d6724817d64be401827f75afe170b913c476a9f546dbbf497cb9f457cfd279fd3f28142bb376d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
43ce7d2b7a06925f23a3ecb38bb816d0

SHA1
ae92c3b585fe3aa20e8af802b3a403159d7deb17

SHA256
2b3ca60edff9369a09cd6074448fbc4f02f09c1d22517cf566983db08adcb7f3

SHA512
16a1544edcbe6d9e74d367256cfc90f40c9565d10ca0bad624d32a8eb94644d424bcfb5262a52c4b17dbbe2022e696c4a38b071fd00aeb2c1c67566c203df3b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
174442afb2f544c38fe4ac07b7e02761

SHA1
772fb59772c11516344ba75ecf22ea214c5a4c78

SHA256
7f31d88fbe5a1caf2cd4542e0102f78a16785676826b5fa1f2d8ddb3a489a2c6

SHA512
480ac20e2ccdab9fddb4c5854e7f9a0a39c1719d01ed46644f931fb8cb5e4a3275eeff5144f35a322f1a7a5ff6a2396f9e816d219a4268e6d83e1ca265fbaab0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
796881789887122fa2b7d2f4b6949b7c

SHA1
64058badc08e4b083d1ebfb461f131661af7e18c

SHA256
4dcc469bc48e66fa6417d457f81577002f2c7191a78f28cb05081b98064c0d3c

SHA512
889c0f270fd062577cb8e65632df72a94b096d829ae654bb90c2ef6cf49b68e0ee8354b12c7f44ee542f05098d03454f92a9e27ea4e31980aa4d2e8f66104e72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e3bc3e9274da53dc7636e74475076d03

SHA1
6956476c863db0ac074427abfac291ac6a290c05

SHA256
33bfe208133e305e4a94d2ec6aa28d5ae9b0c3baa362b3c607112c31883607a7

SHA512
259e20665ea51635b08cee5fa184613898c34a200b63a22a9ae29d767d48c1630c5ea85b9d0734f44ebd449bb6a01eb4cc86ddb93ec7969a36de9661780d6111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
10633d69f1388c194c1bdacb4ceab628

SHA1
f45e4db2330f15b5577b1dca78101b26387e6afe

SHA256
bba8826c64378bbcedf51b118d3762552b89f519d7b4994ce74deb72a3a97c02

SHA512
bcb2730786fb9b24d50e03add0921c98e0c0c4d3c4e60a2e5b71aed1a1e62c29febb4eaa17ed1ac606a2941fbad19a14b6a778531fd34f38a7cc3089f3a74025

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
43a00be682921ce947de2816e48b2489

SHA1
8535ffc9fb86468823681cc938bb7cb42030f11c

SHA256
4bce1db2a43677f4461fcbfbea80df89047c2493dd7e138c2864ec2810a20345

SHA512
60ea1c815e1fac0d4e9aa0a4fc6597a2eb8d81b73582823a20d13accab39ec1acb030a2f412a130164acfd668ae2a2b0148289f270ce4b3588c58ddb7b88ff0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
adbb9f0d7b9df28cf0251bd812a571b4

SHA1
487324d30c3143cc6889e68786e9173604edeb0a

SHA256
c6b98d67814b15d39c6c4542c33df622e24408baf87ebdd09e1eaf991421162a

SHA512
2f3d5c5c31e071efc22f678f2ccb330f7da135191ac217b43734c5469d6a462ff09021880772e29346e821be0bac53b0a56416996c31022ddbe88d222a5530d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3ceddcf0691ee4454143f628ea402a4d

SHA1
f0798dfffc8fd0f244064a161a65738739fd84b8

SHA256
e52d1e7655464ddcd79cc3a16acb95c9cdca22377dfab3a31a5ee7f9ee6cfda5

SHA512
377447bf50fd6a41e9f078111b6d5aafdf8867741ebc838c0d1f30660062b2788d8489f5a145fa54d852536dbf4912ffa3023b62fd8df6c29120dd38c739db33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
93a6c97eebd8197fd88423720ca16ba3

SHA1
1a83c6ee5af9e7bcd29f90b0b57f2fdfb217cf41

SHA256
4d41a9b6bf7f7c0d160bc13e6d910a7380b27e5c7893553461373fb652d6c52f

SHA512
3bddf42293685afab18453c3b6a36e80e3aa2ed59f4f2909a55dcfbf053565a5fa9343b938c963b555a9780fc3b1994758a4ac25a6e0aa85f10acb82111a59ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7f40ad270e92c033c17fc56a1e121b36

SHA1
606a1ba89d681d0f8ff1562b550851c993a5886d

SHA256
36cb4268e822494aae7522025db7836befdfb1fcee4d60b8537b737f6e35d7d5

SHA512
4566fad116ab97a1df7a5ba8816249d018cc70eb4fed4a84aa621af7176a7380d252f5d2c154312f556b3fc7def6d45673ecd8e80543c2faa8c888be391cdd3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a52db4edfb5d885cd8542f2334ea31a

SHA1
436769616e360c27d616941bdf08d4ba20882129

SHA256
08639eb141b35ad3b41ee5676cf3f1468afad13f8c56584478bb70d5f53470e9

SHA512
d54c11ceee0b7f0897f72f55b8506257575722b1908e7a0ec4d8efc3dc837962a0d81a4817cc05f0693ca522dd0f8aedaccb4abed454a19b53e219be115b32e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
75b4318359629d19dcb08e52da0ff259

SHA1
866c7a1f449303b359ca678e180a33123affbcfc

SHA256
8e2d6c19cb3b79cb70b12bdc4defe2a8f9e9fe41359e0d17d04ca51ef32db4bc

SHA512
76fff0bb02aa2bd41628b7f23c1378aa6bf6c3fa093249f65a4bb090c07b6800809a4e6c64db0f9ef3236f3bb6418c638a6216830b36759ef04caaae2a9d262a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
57663cf99ea9dea0a0c4d6f8c3f16aaa

SHA1
0ca7e7db752ad45b679694e7aa0303cbd65b0606

SHA256
91a8c8d49109cc57a374e6375c57544fca930ab8bf9295ee336fa88de7bf9e83

SHA512
aa97054bce7d011bc150e0519fa5548118dcfce4d92ad0bbce75c09881279ea050086dd69eeeadb10ed6ba0eed4e0be698818044d3aecaa8012aced5a968a1ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2dcb24cfd192e6aa49a04c6d8915f2d4

SHA1
8f0f99d93d76ba0b349a2484fc79cbd026ab523e

SHA256
70de0341de98a1488509073bfe9ac960857badce6387d11506505ac53322fd97

SHA512
7e2a66aea7d6bc4e020ca9b7cd105f61384064fef9d7c6b306da7ba3c201fa09580320a09e5c631e214318db6404d292a48e3b77c06a13417b270b9569c7483f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
832ade1a03a3c0eee6977efece649135

SHA1
9231f1ff15b3db52605956ca4b36ace67746a0e4

SHA256
d89b61641a4e3b5a9b4d0af2f2e69a56ae9b77f8192db2b56ad284a2ff4d1410

SHA512
e754daa3d6f8542a4efb6f43ecfc95bcb2a766c8986daf12edb162e55ddf9d9a220553c789db65b163d47bdba5252e4a904fa26fbea69396837099c577747dd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
adabac31bb8f183633bc972cd6cc50b7

SHA1
fca7bbd54109eed5d69857896c5ee6a4710595e6

SHA256
08206986413bcc937470872fdcb18615d27c354f066aa094c271ebb813852e5a

SHA512
37cc8f760a4da4bb12a37ac3c8274c8e68e3751b63403d281f11b29ed070cd6c40fd23661c34f5723588733d19bad830a29dccf4e70f9e78dd972a1bc10348be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4b4cded101dfc49bde6adfa6aa0448cc

SHA1
dadca131d2494dced8d66122b9608c4b0e2f793a

SHA256
c6946eba14b2257344452190175bdb0ac8448fa0bb4c72616c9815d58e2ebeaa

SHA512
af4b043cefd7af0d5fa68b6c044ada07fff59caf47afe5e81d4d4e4cb38a49c659fa1ba08875a935111bef2c01c15060e5ec2a173816c5c9e844c50cdbe50724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
47906452aefe2a103a7faf2564095528

SHA1
c0eb11f6bb7a0fd2e9ce5823917749b84948beb9

SHA256
7d5a20d387212dcbe98471da56257f832b4731dc872356ddd90f05beb4c1a2e5

SHA512
44af214a6c433b270ecf24981a9b899ca78e0a830f5f9dba55bbce46d2ab5c7a70adea1970d1d8cf9ecdcc32969680c7c000d3bb4cee2aef596b3503b7b9cfc0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ce9bd6c4b35d60b893d88859aee5926f

SHA1
37bcd566aff50c64af5757801e958353133c209e

SHA256
d839371cec43aad295051d2a30420eb52a2233c437435f968ad02983ed375321

SHA512
908c5777f0cb284db2146541c50142f0cdb64ba6c119a5b77332647d7685c8422f0b3e6038238e5a801b3b823152397c912ea4232d6ac003e96245fa3aba6ab9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e5a58b5ee22f81adc1dd3c353ebad3ae

SHA1
42cc6f546f0475e340df114d95387a7c44156942

SHA256
a1dd220c55f44abdcbfdb5d63d4725ac14c6acdaca6a11fea4f8472a68b5bc4a

SHA512
23b84c12af6bdd460dcee58678877776bb0e2f88e22c2b19572fb1e21feaf763571a1323013a993b531f95e5388e76b0f3d6625d9d656e2d8175262e002ae59e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
317e090cfdcb2a21251f5a018ca9f5ee

SHA1
21b12da75c85b058507185f1ca5d0ae4e78e2e69

SHA256
c608624653be703e8f28524c81f83a25348f28a525248828df68a9b65ebb88dd

SHA512
b5858e633621fe9af3802c7f96aac9802638d64f9edaed287432cad2e028f1bbe52be914cda855e6e397250799e1d181e58d6ad6188501a7c2b21a7fd909b17f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
417c2ba9688ae8cd4bad545dc5a1a02b

SHA1
d61057a9bed2268b31944d1f99fd4dd05c684c56

SHA256
5fffc3035c68439f546e04b02e39faa759939119c9024a95a0b6e7e612528bbf

SHA512
0cff4a25bf919a2ea9e8d20970bac8c840fdb424f3ab6aa55a286c2db19039c73edabc2cd6b2816dab8461dbf1fe1ae6feae62df295c88a8e3f449da292d9481

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fcd9609f39d8c9a38ae224ecab99a689

SHA1
85157084f4258eba39b33d38236c35e72f7c613d

SHA256
7d66535b78bd28f21e2d45a655a977d97b1fe89c576f7a8d40dfcbc57d1ba7d7

SHA512
7a972261e3869e696f245f05870ec375b57489385e84b100c850077cce3c87d49518896d32bff6557bfc1425cb16584645990f26875cf057a187130c0452df54

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
70cc84a495afb3afbf219d38389b1be1

SHA1
4653aae676f6b34866101b17de099566ac539bd6

SHA256
e0369118a4ac71aaaf7879a50d0308bb4f3af4f8f90208155aea909704f5a7eb

SHA512
7aab544b4fb4ea31ad732df256acbccdad78330851a1bbaae07fa1746329ea6de1056a5a8cca0dfddbed68cdb5c396700cfed41d605efd5b5c722fe2d2e8a0d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d21d4006d44ebfa1b4afd53971c28f70

SHA1
c373757a4d93404c5ec5577b76ae5dd730b361ae

SHA256
9d4316aea11938fc69c162de8e27ddb3240ff1c5a14a033600afa2d33d6df470

SHA512
6f639051d6c876744e0544afb4135dc0796075562d1a7ad0ee6b1ba6030e953ade542489a96a997d2c5fb1cc9e2b26e702b44d13c5f98915f251d830305638d6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ef8f8f1da945377fe08e4ada0009d909

SHA1
887d5e770c63ff207cbed5537b42fabb4f55c0f5

SHA256
b6aaa036e9970529905d0c6d3f7cb1adf8ba81798d378d982425b8bf5c6e2046

SHA512
76fdfb7bb6cbe7f0e5bb5c2b72c2ce1e92330040009839a87bcbaeea982c7cfae599448c6aa4b78ebf7017d76c61b9c4b5fc9b2d7652cd6f826f8911fa8249fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6a6756abac3edf25f82d0e8c8eb76d05

SHA1
50d602e77f3586de8831a646a2adc4335c12580d

SHA256
8bfa8e00b90bb23c6927327fd682c922328503313ca7a505de6c482154051eae

SHA512
1df5ab43fdcc60debe9d5fabbc17b436efd1525ca4517eaa82c1d34bc408ace6d6a382e9c0eb35f7dccc22a70ac8f68c31d7d135a9d23c7e1b3352249ad9a929

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a2aeb0f0568254f54de4d24f73b35278

SHA1
92b70889672f3da514d2f37ff085b916d20afbb9

SHA256
cc57885427f5797da48905d6b884474cc0a585789295f302d26885024ebfaa70

SHA512
0acc2ae83cdfd20e16fe706fd8428a9c3b676e9a227ca6dcd9db1988161f9538e84fe290234a514b4f2f4c150b0272331640e4fc88c38397bb3eb23ec87dff2b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f0210e932bfc977681c65447d4328f43

SHA1
c5e97a7e40f5bc6453eeb2a0877923137390e832

SHA256
40b421a5ed36200c7ff8a6636f39e701599e693a02543a42c77429fcee39285b

SHA512
b667c9f222461d8863fdf70759055a02a2f578fb9e26f8d21911a4cbac4d6fb0b6b4784fb940f3984be19a7870b82061652cca3fff359dd23c16940056d5d1a8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1d9f0c6ad7082692bc14c0a780fa9a37

SHA1
d8391b6ddd47cf3af8471e9b1907fa952e8942d6

SHA256
b89215569ac409c712a9718b61f097695d4c93f1c899e3652924fa7608601c46

SHA512
206b8309fa5c236a0e97a57efd4f048c9c4c4a9ef0f8daf76ee42ee285571d4d4f161ffc26ef28883afaa55d498cd527d36ebd91a61b87d3db1b1f1b806d41be

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
36d1dc46c0151fad3f94886417ef8206

SHA1
b4e0c8bfef1e17d906c5fa046c78c78fc0a12584

SHA256
85b856d182a587433f5345f6f98624b901b2ede69662c845346019607ac53adf

SHA512
58e0f877d7b36e04ed6a2fec5517a3f0d6604dabfab3c6a64ef2d45145f83183374ca10a8c79da44ab1666240f8ca9ddb2ad271abac8a3c6449d24f49876a27c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b5f572a627eb6ec88703cc94aa6cb12e

SHA1
302113ca09b382c3df0db728823f3c2267e2839b

SHA256
3be75c9399349aee166fcc22a15403b0252f0d3545c23a23f087c066c8ef5172

SHA512
fc83a513ec6460a0689506d1e1c6864a89b0c3b03a7a0160fb4a85a53af147eb485f14c376c1763f76b4d669c877366d47738179a2ec869b57ec1cba54cd0a63

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a6e1cf6a7eee88eb505fd4a12d2e7f4d

SHA1
0ee6fc0835272c1721ea0b048750206d3e186f16

SHA256
f29316c7f0244d5a462a1c85be53460329f5b15b267cbfc8d42add2ecb8d7595

SHA512
49ffc47e3c588a5e14c0b6a253c3ac989f3e6b8467e5517ea4bc6a5cdf64648a261e84fae0d7d2cfcab0449a3c28c652814cf6f6c18b13b3bc9d465b0139055a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ee260c9d43ccae1cc97c777a231d6cd5

SHA1
895d5a11d8b55e75b1054888e02b97a9290cb42f

SHA256
dec770f8ecb5a1e63ae3f619129718b97fe4149d8b9a20ba4f27872f1328fb08

SHA512
5de5a12dc0eb78999a60167ef42d59bc32563a13e04e1a047d3f9906b7c4b7802acb9c004028839c5a02e62ed2f8622bc9db3c211976e559fa99497bf583b465

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cc125346ec0a9bd9a5b25208d12f7437

SHA1
95e0ed3792bcd0d28122568a1f9226d968db5a0f

SHA256
9a42187ab8c258ec2838a7d7162d4bb107873bed79a7b499aa5f9d6aa870bd6c

SHA512
e5323537ab5305639422e9c39a7dbedbf414b41f850bd93aa213bb527fc8e0be4a8fb19fefa7d8be78773f4de023c6ee7043af7c51fcf3818cd77502675ec51c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5ae658ba105830a43438fe9cdd417d55

SHA1
7d4a4e355a7f2f0e9a375eecd03e43ba35a66b8a

SHA256
362d7cc7702eae1677ae7dbbc246970df5924fb3d91f2fa2d5ff47bfad93a2fa

SHA512
6cc46e9997014742c1b77f92d5effd74096073408d198fff47e6232a341f6377690c5fd080a39c304dde6734e5189a3101f5d28a6e99cb148d8447da0e45994e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0c0dd2bb159a3d6be3cff0f0757fc992

SHA1
1b1022ce9545b70189df34a771d7dff7df8f307e

SHA256
db31d3eb8d2ccc22645919ae0972de029c912782935e4c50e567ba64cb926e12

SHA512
9c0f8d0b3947b2b50125c32912e75c0e2a24eee8235a92a3d20ff3bf2dfe5910bed15874d233b1e358fc05cddbf112575c1ccb2422c24c05fd4e8565e47d0dc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0746ad68b299938993bb2ef5ee192aa1

SHA1
8a36651d1160840b68d70d4aad6abd3a667cd834

SHA256
8fa72a48c3e973f60b248e31c9857c434e305d0752ad6013ea3003cc275e7582

SHA512
b46b0fbb37b4f4086fcc6f61109e9303caf088ffb428f7bf01ba100d6f850cb38542b94abedcbaaca268990e1b61439dc622a86a6d5f33014b2fae4e754a3f25

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5f584bd4a121abd2c9aecfcb2252bf7b

SHA1
d0bba2b147b077d1ce88c2b79f1e055b0ef5d4d2

SHA256
34c57a7ea272988aa8a860e2a7696725b239636ffc51d6af44b897ad15822a3f

SHA512
9e26a148663219148661b89811c8b454d9492876e396987f4f8d469ec12892c3c66aa16d0d40ef49879168be7df0a52db080f87b6744c7f6bae578c79b36e07b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
96f4ad1d6c21f7805e35e474678ac22d

SHA1
1c0032743d38853b9d334ab1b163282735bb2588

SHA256
d25b38e243fdfbdc7c8909bd2f7b3959a1def62f0a1b6abf972a15aff6b51ec5

SHA512
f85a8b523e57d696503dc1e1001f3239add95e40f3e202b7c83310175904be8bf32d9f45c35156873491acde9f07712501ced602ae256fcd9abac5bea4c90edd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a65494065e037be2490ec253370c7bd6

SHA1
527730edd1134ee580bed610e6a200551cacc885

SHA256
14c12e7c8511e887f12116aca05c3e7e1138be4cdc191a8a84c58b6586a710b0

SHA512
12146870a530204086dc4fbaa0c13f9f97e777be68f7d6b52ae7db6519f8bb73801eccfb2521352cba9491514a1bdf1bc96191ce77a29ae14b682332ad4d0158

Download Submit
memory/404-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/404-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/404-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/404-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-56-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/464-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/464-50-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/464-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/468-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-649-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/516-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/516-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/628-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/628-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1180-542-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1180-541-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1180-90-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1180-1-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1180-9-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1180-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1268-653-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1268-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1296-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1296-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1296-86-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1296-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1296-75-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1476-228-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1476-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1636-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1872-252-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1872-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2240-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2240-650-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2392-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2620-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2620-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2948-201-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2948-651-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3064-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3064-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3064-60-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3064-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3064-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3516-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3672-657-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3672-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3700-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3700-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3700-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3700-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3944-505-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3944-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4252-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4252-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4252-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4252-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4516-646-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4584-240-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4584-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download