9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
Size

1.8MB
MD5

b5da2041d52d50424cca6a16a2c34391
SHA1

6e1336d0549e2384b5e73b0b93084e3fde3c3c37
SHA256

9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b
SHA512

1ee7873e75c709ff47e99e79a12f8f05d267f8460594ab665450e3743571b855e908244dd292279ee94b2d0914cca7d74d4df1e49b8c130c8ac1cea7bf55f1b5
SSDEEP

49152:px5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAtaB0zj0yjoB2:pvbjVkjjCAzJBB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5008	alg.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
4380	fxssvc.exe
4988	elevation_service.exe
1288	elevation_service.exe
4752	maintenanceservice.exe
5016	msdtc.exe
3932	OSE.EXE
888	PerceptionSimulationService.exe
4132	perfhost.exe
4648	locator.exe
3688	SensorDataService.exe
4340	snmptrap.exe
8	spectrum.exe
4600	ssh-agent.exe
720	TieringEngineService.exe
3540	AgentService.exe
3308	vds.exe
3592	vssvc.exe
5040	wbengine.exe
2092	WmiApSrv.exe
1056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\System32\alg.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ba89da96aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\System32\vds.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\locator.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2F9B.tmp\goopdateres_gu.dll	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2F9B.tmp\GoogleCrashHandler64.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2F9B.tmp\goopdateres_ko.dll	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2F9B.tmp\goopdateres_pt-BR.dll	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2F9B.tmp\goopdateres_hi.dll	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe

Drops file in Windows directory 4 IoCs

Processes:

9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a19be3783399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4fc04793399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7dd43783399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008660e8783399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aed597a3399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000844046783399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d01f0f7b3399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2cb30783399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cf156783399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
1020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1948	9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
Token: SeAuditPrivilege	4380	fxssvc.exe
Token: SeRestorePrivilege	720	TieringEngineService.exe
Token: SeManageVolumePrivilege	720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3540	AgentService.exe
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeBackupPrivilege	5040	wbengine.exe
Token: SeRestorePrivilege	5040	wbengine.exe
Token: SeSecurityPrivilege	5040	wbengine.exe
Token: 33	1056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1056	SearchIndexer.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	1020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1056 wrote to memory of 1380	1056	SearchIndexer.exe	SearchProtocolHost.exe
PID 1056 wrote to memory of 1380	1056	SearchIndexer.exe	SearchProtocolHost.exe
PID 1056 wrote to memory of 4024	1056	SearchIndexer.exe	SearchFilterHost.exe
PID 1056 wrote to memory of 4024	1056	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe
"C:\Users\Admin\AppData\Local\Temp\9cf8b525679280fe409ce1bddea633d4e52f96d833a9cfb6f0b0e0fc02e8b37b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3024

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1380

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9af69f1f9ee286aee7c279d14b16de6b

SHA1
ecefd9452fecc2567c3717ff170a70b38c37d5a0

SHA256
0bf404048f0106678d0d4ad36c7b71c43ebf30c99dd35ce9cf8a997840437692

SHA512
61ffa65f94c5b018f488e1dcdc64cbbc30ee730817c10a3fa10edeaef5878b62ae4d3b2113978fce3af865bdc83cc0895ef06229ba37e6c7bc685716c94e1406

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
867aac8000e8b557b2b46888b75cf597

SHA1
729e1eddd0cafd46bd935fc70e9df0da20c781af

SHA256
0b9bd7ac4ae2ec63c887cad9b15518c0627c122dec48f5dcb98767f5545a571e

SHA512
94da83aa3d48cd8a0a72a4df61b43ea4ea106b602fb5503daabe4043337d4511d2bd196642c7b42b613856160b55f3facb3beaff0166e357a6e4f5430a3dec9f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
8b9a79910738990eda3f4967487dd8e0

SHA1
cddae18a4d29fc1547f0c6b4183d8a66ec0ed4d8

SHA256
39f6b8452c5986d91d57cb58f6ad7ba4201ac07f72feb49e8c03497a264ce684

SHA512
d284010420bb0b05296e54aad64ea56a6c8471bc6d5e568aff6a134174b26e3c8e6fb665840c491c67d91c4de14110cce4128bf5e8e66703336330dcf742e721

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3c48973d228b9b1b573566a27ce35512

SHA1
1c29219b2970b693318f14c92e364bd6356d44bf

SHA256
75c2779e5922de536a2e47a46a49e7d8981b32bcb796d4433f52551a2bb99748

SHA512
c99acc280bc4fa2e6c3ba537ef7acc653c3abea97ef29933d1b469a66725ecdd88f70e2dc18a258a49a5539664538a70fac0c96bc35c927b8f1d84209c832844

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2c0c2d65d7b3a0724bcc78e25022faee

SHA1
ce30fabb319f05d275a564b8212a5944a652d5be

SHA256
d1186170f96b019563a7d53c868bee8ea4d9ac9325e62a2820152faf1135236b

SHA512
75197d543c110dd8e0217b42c43f598e522ba980e9cfe863fdb3c6dbf9a9e919804fa8840882700022493193065c886d3a50bd8a5e06d9b3e7e719247f1ff003

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
a207a3e919c3c2787859b7453faf1a0e

SHA1
96381188e623e2f13fbe139060bcc9577bb5c94e

SHA256
ff0eb1eae36dae57aba402e23d6b9c12b0d7257e1cf519ab0c6226a82d4d4e49

SHA512
ac966fbd23c49ca9028ebf5d8afb82f80037074a1bc2a9d09588b3a5833fa87ed3ee232a0f0c6e71edbd659333d8e8ea79461563ec9f752623a398b842900deb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
bf948893c6feac9de63951121b805cc4

SHA1
28a0954b7fbbd8695b55e5d17959b9faae2406e1

SHA256
4da104bbb8de0fb744c8c480390d0ecbdf535f3444283d595972d3dc287cef04

SHA512
b46f0a5e082aa25165c212f929cf761993bad2cb60150487175c20385d55719d00ddf65cba813351a17c50e042750c5a4833a455121f0fa3b76f4941c51978cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b355e23b9c201cc8fef70ed243677be2

SHA1
e2f2f58d5d362987d1088fe1f0628b5612acca00

SHA256
db1061af78a5f90ecaf9fb467175bf3a742b781701886fcbc573aabc611f4215

SHA512
a1feafd96abd4871fb2550fc68649d69c3b37a9e49e8cc773075b42b9e0b47ebf1be597ff70812b212c1c4f7058c4d84c401129c53a3865936ec0bb807a92407

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
6ac0a2415802f991bf3cd6f8b5b6f64d

SHA1
e797e54cb6f127ffd3cce74dabdc1fb6219b9641

SHA256
2afe54ba2a43283e49a2b76d3553f5673216a7aa30aa327b9a05e055a1f539ad

SHA512
327e829e8b079f7ecccb2cebebb35a5180eb02adcaccc8e178e42ad8b5ba734e3bc96db1e478e196aec5856e3d3a1204cc5edd093df785700cc9cb27aa85b1cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b817aa25623768dc4a6974a4ec406c06

SHA1
68ccb0da5aad92e58411f250cf37a357e345078f

SHA256
b8a980b878a29e0d038faa5015bb984db41a6fbc65b3f05c754b851746271758

SHA512
6e424e4361783d8fdc754276ac31fe75ab13aeff4b3d7dba2d79b260c8a0dc23e686b0400ee35b3c9e9104b33db1f11a5dd551f3ad41059b178a8ff8bae4e86a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
820ca7ab798f41fd8ddf32c6ad2c0d5f

SHA1
94deff1489424100a59022c9cbe09695b9a944c7

SHA256
adc14c4b7ff5f524c03eeb03f4fa8c5dd841a5c0e878feb50789feeca3151172

SHA512
a683ab423633d7107b8c839f8de566ba161fcf1618c136f981a6b45af356d6ac1e41fa3fca532d0acfde83a93c15001d0c29c2343aa1ea20723ad84a331737f5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7adbcd3f8b63d1f7fbc0177494275c47

SHA1
c71ebd916cb78552afc1bf707d098b581fa9b81d

SHA256
a363af0b868ae93d511b38c989885d4e7806f4e7d6afcb9cd91b0ecb9bcb2ab3

SHA512
1c37b2ac8031fd4170120f436ec4abcbfe1561667584446f5613acee0bbe480fc183ff9843908f63a0ad122c40d146cbaa6f55223e4671ba31e1519f6b140a94

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
016e2333c6a806c3cc65457977ef0ede

SHA1
9ae0412ffc0cd0d866e875d325921d57ce6be9c4

SHA256
e4f9cf90c266d3ca5ab4de5c955287827d0f9b9a13c3670ecf175cba3a49cc7e

SHA512
4f11f87675545e16d051a73bbdc952adfe29bec57acfeb4209db6488f00715856ca0fcf777d47b70e4c16ac6f3405b98cc9abb0b7c9282886a8d0c68bac66a72

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
525ca4769593e724ac458e4d3de6ab0f

SHA1
6b2810d4ca557dbeee6838196b2296c59b18584a

SHA256
384c086a605e1c9fb05a79ed433c0a944809f1e4c6f6fb78c0bd722fb5840f13

SHA512
a03aff09b5fbc680216d1da2585e2d62abcf7684ac7b455e47fa071df0fd4f4969e586163da491a864fbd4e6ff577afe0ebc02287a85815d056cb4afc3c3270c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
d3ba4dedda3a5e0f309712b79aab37b2

SHA1
9ab3f3d1af7bcfbfbb786bda93b0ac12be2a15c5

SHA256
c50d5ba6a63d21763602400f42583be32d3d311a2700954adc0e8019a7e98f3b

SHA512
92cdaef1651945112133d4ec365bb87296595215dc8447a124d5fc8be5bf1fae25c2d527210c71dab2967a2130a5d26f5788a3699cea4e754de795660e8c45f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
592e79fbd3d69589e3f4495df5b5939f

SHA1
29335ce87c2979c1349d4bdeeb6e1df25eaaf2fc

SHA256
28d49b63dc48429fce4a67b4d3abfa4343361714c6f988e09288e0f53ee19764

SHA512
9c014356b5b1281bef1888995323c27c9f61063575c694290421209db110ff865f7559fdc4180309d8569544d502a48415598dd5ac13466cce01241c3aee6466

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
5ce34d7b2dac006d311caa46f8e423b7

SHA1
db51e4028cee1f9e2fd654ebfca27c8f08bc61cf

SHA256
75b34e8ffd0166b24d1a501ce622e69308235199d40d1dabf99c1753eb5b0476

SHA512
0c854c87f8fe1a6fd95b7dbdf1bafcec2ecb3c32722a34129b8ddeb977ccb348b2bd359d05ce97cfbabf610c8535ada0d6d9329aa665c3ebf648f6985c60560f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
c31b9033beb27fa9c17b56579a354a77

SHA1
2161692ac7e4a88a567f18a3baae4b7ba24a8c15

SHA256
39bed1487d714afb500e1e2832d42263b94563b4f93c0f03b4356a605b8f94b1

SHA512
6b3a57dfb73f2cd47c2e53724da64aa6031fae4db44282c28c649b55b52f6dcd9eb1c709dd34bd41ec0d2db38f28b793c163a043f9e4c6430f8c77f60ee47419

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
970d9b1f93fb2501a667c2a822c08cd4

SHA1
8c203ec77fcff25419b6dbf5cbeae9d38168ad33

SHA256
5e600a93ba928d7eda43da7d755331222d9df45d716f928a1105ec18443be53c

SHA512
465172381110f5bc267d7cb43fb386bfebff7f520a913e89a7c3a978176d4194f99a9e8594b81d365f8953c1447cc8c99eb3811f2a0f98fa22b5e9d6c042e4c8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
4487f7e588fc562cdbd9800ded1413de

SHA1
719b59e1d5ab7ffb707825b8a9b96615949b3597

SHA256
d17c03a0880bb870b282c0593262bf01576d028a6436dce3b9eb26096181b7fc

SHA512
507f5362793a0dc9852d0eb6bc33cd06042fce184695cbb0bec7b3e3fbb052e8f018d0be18a02b981c70ccd88e3c04471fb66ba6a647bebe48538dc88e9f2d33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
9665f455e0033822a7ba830598cce7ff

SHA1
bc7e3d78b8420cef271530ef43c6f06d31003172

SHA256
be40203aa165b56bcb7dc5ee3f559550000463f77046bffd6e8b08deba3fc084

SHA512
a4901386762d7f6e8aa50fbdd5ed6f72121395b3f8d459d932bef0ceffcd40d92939a9503bce0d2b71dc0e46e72f6566c5a85bdd9d76d7664498b6c6eb3d3e3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
a238610dd07372017e1b27287ec629e2

SHA1
963d8d7e93718ef86b1e84143ad0896fae0d708e

SHA256
6d9dc79c7ec85943871bbe194d32107d3ec338809b70539babd06ec1ac4ed0bf

SHA512
2e992231faec6adada38b322de1074579b98c9c487e60c726e36ebc778c79a58799bafca699dc54e23245bac707e38a95067c4ddc32fc5e53222d205d36927ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
00c0ee6637961b7a433c10ab2aaf843b

SHA1
dc6f70b11daba27d1f52e63692625eceba72ad2a

SHA256
aecf399f8c27d454129c57c5b59cbcfee3c95dc7ca093f82688a431c6c87f0f1

SHA512
f47d0ca54514d1e99f568e9d940dc81eeb631d5545d4ed0a224fd0eee0a799dead1dc8890354b0d5cca5780832f1c9e5a47730a66a39b26b0ce6b188f2d427a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
af3d5e6cb6970dfdc6e60a2e35a8d665

SHA1
701fac0675380af00e916cb73a6689b22cd4a673

SHA256
36131a55c8c6b132b6892d551d793f60ed89932959656af26a75501fd74b8f19

SHA512
585770e81928f51321a88e0b6d879456415854a432dac40c9b919d2595d9620c1f9e1d3e85fcafe9083c0685b114d0f6a64e4338bfaae3b895b519db5036773d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
68125cbb38390f2cbb0fe0a1f3a7ef27

SHA1
e3e5fab6917e95408e71adce9c72a183b85852cc

SHA256
5984e63e4d2106c093692f8f460b04a4f0467bb30dcde8c4d5462731699b04e8

SHA512
f64027b57d115a0730c9ee413d861713d01c258fe6ad475ab7a302e59c513450d3237b97cf3f9af35d228529aebc6b5dffee802bf2aa9397d6424195907b2d7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
0ea65768eb8e9fef241ff1d0fdffd71c

SHA1
46d1a7b449e995cc980b726da31b2a3aa61c9327

SHA256
a4e092b7661c125a856e92cc13fc32e3c753617a15a9248b5feca9f117e47395

SHA512
e0c6cd2812fd770b23c2ade0218fa5d23a59bda8b9d7ba319df180f4cf44ef946db1f733a09938a7ce898b95ea9c1ebf79a1da1e4867224f53cd3bbf2215f336

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
a0848c4eafce5eb680928672bcd3d1ba

SHA1
8d0a39602649e233ad8435329a4d26e8e2558895

SHA256
52389f52bf3a3e976b80770a8920dfe4b63b8d112ef4622ca4d1e70d97d2bd6c

SHA512
049c812cda6bb0998f438095389b9634818e99648bab723b2cf3af84049d4067d34effcfe3976d0d219fbb2fe9ced87534532333ac2a50b6d67360f7d80485a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
548634548a20a7cbad4c79cadde6f023

SHA1
dceb701638dd6189c7828387c81b6f1312d432a7

SHA256
bf53f54cefc9547c34bcde909ea78225c4ae047178158eef4327ef7565906b60

SHA512
7a6d285dc09c050f13c6e9755f30eee512a6dffb9773ea33f4e049a6d308182610aa5a114bcebb97ecaf783de00a459c3c3e63ff779bcf65fc08dbe5f3fae28d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
7e717689b37d52939967222e7cca58ed

SHA1
00a4815d8f2edbbac5419f25cca87d33555a69cd

SHA256
d76a25ae72787172dee1c20877a2dce7657c3aeb5c50f9655b53afd37c1681c7

SHA512
bda775ef097bcd0e3c6e7c6ddd20bf8f59c31a938bf568eee8f52bcd1f43722be2528c54e3d4772ea7237498719e5d67623816982361a00d0782b2cae75e0b2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
9e5e58077f461a7d6ac2ab428ae48308

SHA1
191011fc6e54471eb1df0fc54c73179f021b7634

SHA256
c7d03289792c975b51b35a71ff6e8d5be8a917459d37a3171951ba5af1fcc544

SHA512
a72115e68f1629644f446e5f190ce4af29dd9ee7400c2d79f2d5d1152d8f48f4d249b809ac94868a5961a6b3e6f9699b8701a60b10c6fd614fe4aaa4fbd20455

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
73a510d997f56daa86f3e174683d183b

SHA1
f30efcc02bc2b9c039a1ba21bb89ac20f35ee4a3

SHA256
f51531a2058f784aa029ce2f30ab68efba38e854233721292298f32916332473

SHA512
a8f4cee5352ecb1a88b76e499bbe3a8564518a82e757e6a339c4b695a48a9c34c5401931c58521c2023c29caea071fd88e9e93ad1fddd6e1cf5977d248c1bb75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
31bb2269bb4710b965c4c131cfce3963

SHA1
2cc5754c8d4b837bfd2cb0641d14b99fc200340f

SHA256
cd2dd2181b0a77e4b76e3f31945a1bc497f66e56cd4bdf4d410558cbc8a5b445

SHA512
4e9ca6245fad5341c00006855f5fd2b928d5ad619c1d29dcf2bc445c287dbc1ca58d87f91af936b324bb484751e8aff017951a92d3657717af154d9b4a047283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
56b7203d4706ebd79249ab32cd1fd844

SHA1
4e57b8a281a3de23d2d30effd2a54975eff0672d

SHA256
822d9bd8634a8bfb27d7ef52830a9b2ed50028988b0fdbb72eb282017115fb4e

SHA512
371fee385574d9f36fd0cffc561272a387e760d015ac216a5400564bfbf487c661586c8650bbbb7630a71a7a9e526605a360781bf7cc1b82984413fe263a86e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
63bf56f742005bbb2de507e911c97e9c

SHA1
6f51c78a2dd575925aac869f82bac458b1bc4bc2

SHA256
3aec4e2e8ef489476e2a8bd835c38925b27dda1f4571a7194d7772ba4b597699

SHA512
dfe6ac2a15e0d26222d7d2fc6fa3e0da09aed7b0514ab093de6ab0ec8ec762383dcc1697d2f73bad7b200c0118d90d6496f9b0c56ba14e78f5b2a20936ed1de2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
4c9653b165d79660dffb2680bbbf9581

SHA1
239f7ca4137323d4324f9d67901af34fb880b01a

SHA256
07a3a733d49ecdab9ad122db5a51832202c50feacb72e9c11e53ea56f2819bb1

SHA512
eab9bc4dc476d51723f2b18ae9f0e5ba28d33fbbbca8fbd48866c6636b42596765bb48c5e046cda43de0c41030ed3d5f7e47bac5281c3050a8dedca3e4e0a6d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
8072008ee990f2103759e0d2d7b236d2

SHA1
02b4987982520eec3b2f35e1025bcbe4723a4c62

SHA256
052248089f194d3688d16d269c7b14b446aa8a270ce205b29c91b1aaa5552e43

SHA512
e1dc670fbe415285b516ff346d29023a313bd5d5a12249624c848b1462195655aa153fcd297275cc8c1a19fb1a94bac006d6a64f861647038d26f93c44977b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
ee6a80baf7cbaafad7363efe3491fa1c

SHA1
26ff7d02e3e0d20cdb8cd0daea0d5690591b7668

SHA256
4b3b4a5b76026d3271a03bfd3f346e903269b04cbb687b8e8a61958dd3ad60aa

SHA512
1a453f7e7743acdaaee5a912ff4857a0c65b2a197d5bc9d1fa003777d466919ae727000ef144e80cb3b6af4e9c3facd9f5693322e7f0a9a8bc62b69db2ac8ec6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0791e19e5cf8455e743c7b88b7616049

SHA1
59256a9fa398445de08e68a24036e5f8945e96fd

SHA256
82e49301028fabf7e5033981a0ea9a67444192edfa817fbba1a8c90dc84ad8c4

SHA512
92885461d68608f796a20d53ac9ca5401617bcf3e7f1f9a16298af5391b13fc638481e415d52a512e2abd6cfd09884b373759e7713a34c339455c37fcb670f7c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
a70c2ad9dc71af26cc60fcc6dd869875

SHA1
477366df65b883e07352608ff32546220706446a

SHA256
b3e3f94104b40a653ed706453d9605759e23cb4aa49b83d8b22a1d185eae050a

SHA512
88d00af0fdb40610b4956eed361210183531a5cd904ee0f283afb5b618d047c917c7257731fe9fe26b6e793bd56e0d06fe9b94a8045c61ab12269ba2b7000ba2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
ae5bad2286167bb544caea3bfc84a774

SHA1
c97f571a47f8b39a7af4f724528fe01f410248b4

SHA256
8bb9423762a226780492f5febcdcde545a4e238832535e306690f62307c021f4

SHA512
198211af3940e4d8d7d31af9a44e2574c36b51232a65ab4609c5ab8dc182ee5186f10142e6474d710971386891718e5b94110c4414f471a2e63a951a58bedc32

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
dedb2bded6627c3970e80e2a9621ff8a

SHA1
22af3e25dd0bf9cd101b0622b5738acd4e852dbf

SHA256
1fa5bb32d75d0eeaa8e90900751cc5d971f6ae542850e6713f58e48f4fe1e9ca

SHA512
4d0e3eb9a2c92fbe44f7a87af6051eb3aface4484d715bcbf75709f0e35c22c6c8b974b9090e908ddd71f1d12e2bfa49868eeafcd4f5f603ada1e9ff8956895a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
2e225c97ac235cd2f3759982cc64e81d

SHA1
43106564e5ec2b9cc2842d68c988a4f289365ae2

SHA256
c11337867bd7a8a73ac2d2e704ec0a5d0417d8d90d8a9003d999dfa4d33ebd71

SHA512
a8ba52e9bf3a718e17016ab1125bcf481e222939f7a8a9934fc7150bf124dddf42d945a2ced6d7b456c965ae5f6f6b52f53705ed8e1a00e2d31c3dd5e8ed1715

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a0cd8bb5a203821bf5eff61e778eee0a

SHA1
c0227065fe7f1736bbe498b842fdc92fe4b23008

SHA256
5c7862e690066eb9d80720abd439346bfe7f912421e942a404d98cde6031f948

SHA512
bf53fc9c1c634e43a0e29657ae699c7f16d20f837e199ec5b7187c8d0b86ea4d79403820099b757f3b2d98076127d0e1919936df486b383dbd7800921ca40c93

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
248005cd89f16f264988bdef4271a9ef

SHA1
cb40923ef1d2c8ab7d75fa44c8768b6888a5c797

SHA256
2f2f51f54030424b9e262c83d8df5ebf85bc18824b8a5e301c49c63a239fddc3

SHA512
8dcb12bba11417331d8ddb6e1ea9577094b8c4740af0e0152e902789e7b9ab3721ddb8eb192b95010dd0c1d6e6dc729fa79d454d36988b9029abb47d33d57e43

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
d129f8fd337b96501cb6268f23653371

SHA1
66b858a28df70f9c26ea228d5faf9b53ac298b3b

SHA256
028521072749638b0a99572524c5a1785629856f6fc56d738d582df30077f07a

SHA512
4cd8e08b5a32e76e4273b2a138efa876d851509607d2349e5d78a79ecafc4070385dc87758683d4a582186f9d7b157f22e4bdcfb6c2dc0e71bfc2ef693e8e41b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
c8fc5df564f48391bddaffe9d2d8e6f8

SHA1
8ff981e66fd0666cb68b1451d8be2ae84be0a1cc

SHA256
9c210f038658c9be4003b32e6413df1a772e44f798624a5a362750b320150eca

SHA512
b2bd67c5f326a1fef3b776a864b262cea2dfc9fec48fc34a6a176ed0d4cb2c39ceee2cf7be78b0c0e816fba37a4c8b99b09887302a7ddceda904f092d96fbcc4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3f4b4ec208c7cdc9ee166385c21280de

SHA1
f8f77b4c32edf529df7b0b8f4d5962b83b275eaa

SHA256
e2006fc1e71b1b87c8794b8ef73d10f85a773ae53bf25f94614375c6b013328a

SHA512
cdbe93d2a4af466f606b499c41b209d2c5ea638d5e4114ea44d9f9b20719f86e091b1ef84b3d251216e12dfe9cff9f1f790f5b071fbc2f95fb8b4bfbab5747b5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fc6dca8780d5b6ab33b0d9beb13ddd4a

SHA1
0efcc99fc2a8d5b560f502f3458a6239fdcd858c

SHA256
243680cbb266ed6ead8f3c2152e5840bb495371c724d3303c43fb551429840ef

SHA512
7d3a9b7fec25f4d134069da942f97daa6dd75066cdb33bb2c742bf6bb714c2b6fe1613bf51927fc1619e8ca7b862bea2b8168de09d6fec9c56604fb69e1a8d54

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ea6d87bbe43016a06172bff9b5f23312

SHA1
6e100529754bdbe729314708f0742a93a1bb0726

SHA256
da9680192e48586b42edd5ebde7a7189d897228b3707b4828959dbf78c4babf2

SHA512
99584619780c28199d324d81d7137efcb14036dfd1f33742201dea3786367d3bed36ea7dfaa88b71b284eb9ffaeab1ad2161c0d7b13c72de35e3d3f80f47ff61

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
ca142263ead1fd4836684dea18ef395b

SHA1
7da15778989dab01f0b45cd6084ddaf9194bbaa4

SHA256
d33b03da81f8ff153ae680eb45b01d4f2fd17c3e964e338fe9c0c9d531187072

SHA512
01713dd9d4d38166f69a35e72433778e7718de0cab0b49edcf29120a0ae7a78bbc54608b056d9557e0803d5892ed1ebdbfde8c1053e0fcbc4ca218ea4ee82940

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
edc7637db360f7fb119934f5144217fa

SHA1
c337b477d03bcd48709bb0a7d404e9599531797d

SHA256
5a97d0f3bfd008b366a366b31bed1003b15dcf70079f52599fd1d5550d14cf2d

SHA512
50b0ddabc8943518f4098d88fcb25460032471d44e25d24741a2e4827301343bbcb6f4b51e0f2267a22025e41e990e8fabf9004d81b55d28d41d1d94bd092356

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
eeffb115c72322c03a4bf37443b7b339

SHA1
841a704da1653da2164501ff8a09e7daffeee001

SHA256
71c8535b5d13f62365b4e7b91260eff799378a68b3e2fb5f02ce1518a43a45b8

SHA512
592c81729fe92f039c8b931e07066f4b2537f9fb9e917f0676d7170e83f46bea60ead57cf17c0c5f46a1a17fa3ea01df825117bd03c782029fdad90a27eef533

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
6978cea57062d51a938e70878467255f

SHA1
64b1528502b59b2941647b6123b3c5d692a7a29c

SHA256
16cee676e349dd2785e64c3f35d024bd158901a37532a7b64d825d38e0ecd54e

SHA512
7864e048cccd45b083b447ed1f7a5d3efcc4e2e4a6c7ff56e3edaa9e9924b1197a16c7c2ef69b7f820c37c68ff73ae6d913575a5f51db2c4f8ecbb908b90d83a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
15509ea788064d6f27be1440569e09bb

SHA1
bfd9289b5c8dfef1466e7fcb7f355acbfd469b04

SHA256
5ddc134abfbe46612a02228f15fbce6bf5740d87da834156f273d60d8de10dd4

SHA512
beb30708d7ee68ac6b1a53cb2788eacbc1ec8b8acd6b01f85bbe435739b43bc47ae7cd67c9c3663a30d73a39e87e73d735cdfe0e54c98cb0dd2505683ba363d6

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
93d31a7821faa4f3557b66a33cb3cc7e

SHA1
2b7cff54bcb49665607189b6495321461261da8c

SHA256
389fcb409ddadfac5445d177bde64bc372cfa81542641e49730ff8857403199c

SHA512
23a607c8b83229c9e40f7ba62cb1adfdd9d081825c451dec59543223b6e87fec232f82a4184f45840909c3c628d69811dd5b3584cf472f61de03fc28bc411506

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
a0cc09abb6eb6043eb3136452a831919

SHA1
035b6ab8814529f3ed22ad557815530320d1b534

SHA256
8730b33eeaaaa692af1cd85a3812db273347460bef3d06408b407f11a6e10a8e

SHA512
2b02af54507d44b4a8b7d4f7706e602631b2e6fec132c749f90df73adbacf15554ac2718547b1f21830a264566d48970545e08e370179f97b285834dbbd5851a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c47903b4a2caafb96efb198549535ed1

SHA1
84384a69dc76c575cddca771e0a842828d116ff7

SHA256
6af0d458f1081bfdf7a727b252aca71e3601ad709032f60933fd31e05e86847e

SHA512
a26a1095d16f1d73d5e9ccc984a8a6957e51f491a012345d5c7843fb997546662f6580d87da195fe9557d3a545f8e7c01c3558d1da9a83bdf90dde017ffa40a0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1b6370c0d914d4e2c7c23c89ab9f46d5

SHA1
c07ab8103e82a697560d04b0df7358fad8050042

SHA256
ca073b7e855ae006878e3e5c2f385f29ef92758f6b8557ed74ef569f0e46bcf1

SHA512
9d7857ada9103a58d4125511fc223562c238a0746c14b6b37687676e8f775d9d4026ae7be51a433172b28459ebbe18addf0ca880b57dce0a19e9225903a1d2aa

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
58277b64c5ba110b31fe5718ee7f23a6

SHA1
b7e1b331f58a0cf1af2cfc086595e08c032983e1

SHA256
fefd4ac45d09740fb6c88d75466b98a10aeea1dc59a57359331daf896ab2db7c

SHA512
5d56179a012e54bc2f479a2f2e504f46ff8f1dd8b70924ae47770052262ff470518edb8cbd6eee46e1f2812a570e8d32b244e059cd60852973b1c4c8d4a9469a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
ffc70f614a081f7f2750839850630e9d

SHA1
5dc49306ed2ff6fd68ecb9f44b45a2a1b0609d91

SHA256
46236cb120c33cfbe901afeae6da30f62f632951914607a69ff086c4c9624980

SHA512
a2b112584e1198fc2607c50f92386229de8c7f684f516deea8b8d7b46b306aafa061b69f77a0d80aa172536e1049bef04486a0706416232defb02d9bd87d2486

Download Submit
memory/8-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/8-715-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/720-258-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/720-717-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/888-294-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/888-193-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1020-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1020-92-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1020-100-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1020-184-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1056-332-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1056-790-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1288-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1288-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1288-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1288-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1948-165-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1948-6-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/1948-1-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/1948-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1948-500-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2092-789-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2092-319-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3308-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3308-784-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3540-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3592-295-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3592-787-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3688-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3688-712-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3688-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3932-172-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3932-290-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4132-196-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4132-306-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4340-222-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4340-676-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4380-105-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4380-128-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4380-111-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4380-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4380-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-716-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4600-255-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4648-318-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4648-199-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4752-151-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4752-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4752-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4752-147-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4752-154-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4988-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4988-122-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4988-115-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4988-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5008-17-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5008-183-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5008-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5008-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/5016-166-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/5016-156-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5040-788-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5040-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download