f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
Size

1.8MB
MD5

57c03b365a011681bbd71794496b596e
SHA1

e1b5081913320faaee1c44bc1a7311a7b274b37f
SHA256

f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617
SHA512

38f4388beec81aabe281b6b809a09cc234633ac4d30c280ac2684c846bfbbb0c8d93fef7f0d169d1cb050edad82693824d4b98504d3e6a3f4b87959842094ab8
SSDEEP

49152:Hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAlaB0zj0yjoB2:HvbjVkjjCAzJtB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2556	alg.exe
428	DiagnosticsHub.StandardCollector.Service.exe
4880	fxssvc.exe
4060	elevation_service.exe
3732	elevation_service.exe
3264	maintenanceservice.exe
3268	msdtc.exe
3640	OSE.EXE
2012	PerceptionSimulationService.exe
2084	perfhost.exe
3412	locator.exe
3928	SensorDataService.exe
4372	snmptrap.exe
1052	spectrum.exe
216	ssh-agent.exe
2428	TieringEngineService.exe
712	AgentService.exe
2840	vds.exe
1036	vssvc.exe
4884	wbengine.exe
4112	WmiApSrv.exe
436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\vds.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c6f9686234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\System32\alg.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exef9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_tr.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\GoogleUpdateSetup.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_hu.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdate.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_sv.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_cs.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_ml.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2C6F.tmp\goopdateres_th.dll	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exef9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003805c69c4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b93e9e4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020a13c9b4c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbaace9d4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8c3a09b4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c113369d4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001015179d4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000142b469b4c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f779359b4c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2272	f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
Token: SeAuditPrivilege	4880	fxssvc.exe
Token: SeRestorePrivilege	2428	TieringEngineService.exe
Token: SeManageVolumePrivilege	2428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	712	AgentService.exe
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe
Token: SeBackupPrivilege	4884	wbengine.exe
Token: SeRestorePrivilege	4884	wbengine.exe
Token: SeSecurityPrivilege	4884	wbengine.exe
Token: 33	436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	436	SearchIndexer.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeDebugPrivilege	2556	alg.exe
Token: SeDebugPrivilege	428	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 436 wrote to memory of 3912	436	SearchIndexer.exe	SearchProtocolHost.exe
PID 436 wrote to memory of 3912	436	SearchIndexer.exe	SearchProtocolHost.exe
PID 436 wrote to memory of 4040	436	SearchIndexer.exe	SearchFilterHost.exe
PID 436 wrote to memory of 4040	436	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe
"C:\Users\Admin\AppData\Local\Temp\f9ed5c0894302f47b8788d77a2dcc475d9d7ad4ededc063b47be3ee08359d617.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3732

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3912

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
65f903b64083d1f9278c09ef7e2de1e9

SHA1
b6a7f668be63a6a8b61108fa8b66c9f6cbba99ea

SHA256
c5f5776fd0a279319d7202ecfe1febeb8d56d79f10408ca9d3abdec97cbf89e4

SHA512
a970edc573b9dd1b1a273ae3b6e761b78bbfa4e9f9b6003300733fa37f2410bcb62d54a82cdbf5b66993a127b5c43bd152c88c5f2fbebf24960e3ef5a49b1ba5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
071e6f162a503d84fbaa29c2c6379ccf

SHA1
7ac29927a9eca44a9f9f44e6dc173d43be051867

SHA256
4fcc119699238b5072c3eaf564362d146bee74ecb192a90fadb15bfc8c84da88

SHA512
fdccac3d1a8262af3c89a6f6492273a8fd582d0874e1a6616c867c6859a95271396b725276da9dec7d9b86b2dfb25b7a2b2290e906ee213554e5d5e227c2cef3

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
8e30e69c24be35af6f3dbbc3176fb979

SHA1
0f4792161594767c10e6cd2ae124ed48ca0166cb

SHA256
63968ee89ea9e77f4449f2fb73a7d46871c668d18f2b14c576b598ae68a04952

SHA512
f384e120c6b2a36b4e0d4bf26bc8d750bd0b8b90a65474e1431418939fc6a66db45bc72b10359e821586eec6e2123f71dc8f6044e06c5404ced4163351550a88

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d8240c07d99f46bf0bde44f089f80df1

SHA1
52c48005dcd297566ac1b95a9aa6e718e7fa70d1

SHA256
f9d6a05dcd022930f79d41718b0502a721e3d82faf8d931c5432d91f9fff7583

SHA512
73dff1b62902895c3407ace3a7d7c201844e215cefaa3c9ec2ee88908da6c354fe18660f94195884d001e4c4398ce31db87fb8a076a5df6c6a39cfd2b7254dde

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
513d4d4fc460f8c38005a9adb5a3625e

SHA1
3d0c9018779e088aad2a4be731660295cc60e5de

SHA256
350f72c7d06a812deaa6fb999354a911eae23e63e47acf7209c18e405bf2e762

SHA512
0faacfc68fc5fad042cdfb81f7acb1fd556bfc613e26dceebf8de4e22900ed84ccaf6c15bffcbb53f1e8d105987009aacf3bdbf039e4769154aa947d6af04210

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
3736767c71d0973bdc3d93ff23d8e94c

SHA1
8d9797b94c8100f3541e5f67458bc4ae0cb029c2

SHA256
4e03e3d8cc4f9d7c3453f378d88386d2a1311ef2b6d867d19fa4d1ff4c01bda2

SHA512
a580e2b81ce05f977dca440d4384a7fd32d8337512456703089b3e13942095ba3cd83177aeea11918b43dcd7fcd506bc2c26432b5f0257928f096be9517671e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
a63cd9cbd2d290e2e1cb1ba1abdd1466

SHA1
8199d14618c58d205e10ffae111282c1a985ff3d

SHA256
956537a0b9f8feba8f92aac21c31fdb73cfff7ba2786d1dc4e8f195006af0e55

SHA512
c7f0118ef956b82be40ee377e8fdeb333ae7c53247e5b72d80fb22939ff2fa0d43fcd4fa7d601d27a4d793f114fe1c28d17bfc4d672c3ba6e2089d81ce79e9f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d1914b951c097fa748193dc5c477e84a

SHA1
3087cd292966bafc75c7412f27a73d6e03858725

SHA256
f45d3360a18adda57968c1669d1bfa14c55bb43d455a5d7e135ca1f232890d73

SHA512
3b5b68ae0d652590be3decd40e5b4256ff570adde8cd6b8f896fb83ec78f5364a3ca0c690a9d12fb2cda8f4618d267cdf59f9c8dfd7052184c4325a56961515a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
ca528c216a39b968ecc7a74ee21879f8

SHA1
c18576d79f767b0ebdea57b5a350aa614e51b71e

SHA256
d6acb53cce6801ef1857ac57060cada51a030429f1f4f0ee927dbabf24ce5e62

SHA512
dec200309a98b7d2a2b5760fc94c7bee765a0e15fcc6c5a76ff66899dabb22897422e9f78561647e940ffae35901055d4ae1c6771da38eb3f2fa9a6c428f860d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4e52a09c7ecfa3345b7dd6a7bee5be38

SHA1
a1b77eac4981bea0b6b1be533204d66fed5e7cd5

SHA256
75bfd22b76ef1cb51d36d45fc97c73bf4c45015f21d5ea15d4183964f8219051

SHA512
906d0945fbaaa552a34cfe698078a3cc2cefe648fca426a1d3e9346b6f48bb7013ac9b4438a55bfeffd926f5c9504c8b9d1b4a60452f6b906193d4a03fed7b72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9c7550e366ae34038c757e3cb43712b0

SHA1
dabddd3b6358e06171af988e42cbf2c2c8b25389

SHA256
efe3c10f8125076bc32c6d7472ad21014b3f211587eee3e12bad98645bfed719

SHA512
4c87a1e4bffa13b81c00d85be361ed5e7b9288161d0f2dccbdcacc0846c38fc94aadccbe066b35531701622417b6063c526b6fe7b1909d38ef5a59fd3bfdaf6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
716f66de761979b019f9d52a783a0cf3

SHA1
2061c74d1050e2ed1ff0b6967ca627af2466b9c1

SHA256
62fa2c100d11820f25c1d8d21434dbaefc27f69ee5739c48f1ccca6ae6e90c5c

SHA512
5fcfaf763f1a08c95156f9017c7b58e09db77c8f0aa27c6c39b9d0f9ecdf36d95a2a84808e4eb23aaf4ad2befaa557452021549bd9c1a8b494b13794db660075

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
44ec0fe2244eba6c40de0277b2caffbc

SHA1
5b1c1d7ba70abf7d7c231d904d610dac98d91bd2

SHA256
612ba2348d4dd2a99f78bd6da84674b40eec99c7a981c0aaa8b6fc9d625d2c89

SHA512
7391cdf6e2a858b5633221423733bf9d0504ab48c0ed2a4e68b32487b9914bc3223b1bef08dd0fc7f62439c3e46a3478d22eec5f1e2c31571accfec5f14b2e0f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
f03bc325010abcd1fd2526143a72fa3c

SHA1
91fd4c6a9738c13e53a75f30c5dbe714e58fc9ba

SHA256
e1d340ed336462756701bd9e9c0417c1a2e5d3b0b4aaad237216a1c19473396d

SHA512
63d8047d82ebc813c21136a6e48b269306cb5897c737c7c37efe5fa581f23147da92415e2ae2749b132b208783fdc7999385f00af86a55ceec08f5638b56530e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
00796595e2029f94924e95b94f99ffa2

SHA1
0cd2da6fdcbbc459523759d69071b5ea07304bff

SHA256
058e2d32a91b8de4036c761d2c4b420083fe9784478be73c573e58cf5c06f731

SHA512
1a961d4afa8e62130f3eefa04071ffaa244916c3819ec14fee4469f9d3cad8263fb45426d95555c0fffdd5390aafdc4a900f9f234ff03c2d4a874ec8a7b63aa7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
0481ae76356d82d3bb15e76f2a7d0ef8

SHA1
e0717c3528546c26984c9607721d1bd30b18dc70

SHA256
3e1051ee6d1ab9c30c5103df6292cea6e90129763caa7584b0f2597f955b4472

SHA512
6ec481b8f793b4cb0cb0321ae30361b816f7da509df149c5ee5438887747d61ac6a6c3c4181e6fe2b34c078af7956c6d5ac0b55c15438bee2bd67c0e75ce3d96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
ae6b8f62908431850f984bc66fd1b466

SHA1
a46d24550f391fa97dd8064c525d847461747b1e

SHA256
77678176cd5d1837a0731f178c4cf1e765c38ad2ed62fda6cf5d2689aa982a4f

SHA512
b007744591a14e3c6cfd821f8ff7cf7300f6aecd6da7bac9850353d758dd7f5ec4fee6cca87f87e4bc832d50cfe1f703e97d6b2ceab74e10a382e1fb4ed0fba2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
6c53fe2366c52900ae3b16a7207b771a

SHA1
55ffd4290ba52b79eeba990487b2270e9031064c

SHA256
76576a55b64db9337a178a16ff4d42541d2d76ca3ee94fb3aebce09d2db0d07f

SHA512
92a682ef223daebaca73d218733f565d49796a11e6ca7bcc91686214163211d8992f47164ed25526a815ce1bf1a9dfdb8c47877144d3f16db0f6ed6ce6b66b60

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
09855df97b8f5a2ea4e2cd4321a9d004

SHA1
b5c76f17f51b56049cb31ce9399a8ba7498582ce

SHA256
18e5d79e774ee9c28548d4f0e6adcad219e1365cb2c4fdce3ec5196edb9c73aa

SHA512
5d8487595878a61a0c4c68c22be86c51d54b5780528971c0653d0d82a5d4f081c6b0bc7968bdd42cb8871dc32b33cbc0902a657fc37177fc4bc6fc9fcb61fc4c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
aa81e683cf4e6915011cf1da337cb38c

SHA1
84d68577a658afd9fef7ebc2ad74d387c72d3431

SHA256
1faa5b66520d4dcea49ca054541c4e37def0df1ce26aad9091fb2c175ae98ac8

SHA512
909c77c5e06bd589a249d20850a3dbd0e433531dc2129e4a8e5251d11ab34436a448a65b40b361e6bc4d572ec41db259be444ef5782c216e099a0b1a1d0d9dde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
1caa568534f7ddb86beffe1e69de4205

SHA1
1d5b4f4ba62242f01ea5e6d08f5f7107d362cd39

SHA256
3f728900a87938b19a9518e10cdc842991b1de877f3cf7dd1bf0c4b1737a1954

SHA512
f57ade53319608679dfd33f323d4bc72545a4320dd6090fa771807ddbb14efa7cf8bcc56f6ed43cd22de5e3289cbaf14bfbe156deab349760d58f9162fea474f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
1914bf87fe723f8b59e7abce543761bd

SHA1
c59958c1df83546b4a947b7839d8d86128c1e609

SHA256
e15185749c51e27e589c35c6aa47984c9c31d6342f998b6ef3029105683175a6

SHA512
3d69807cc03d926c143dca472ed3499c63f45ad24b76e6bc8deee02a3c88ef5c54688d7e0d5474c4f8d61e1c5fd151cfce5a06b2279befdd5f052b37cd37ed72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
68e2d12649def2cd1e02012498cfb8e9

SHA1
8cb4fc506418c23f7e117d91388039582f89de11

SHA256
4964d0a8104c849156f4f07bc72ac9e7c3494e29d081c01b4e075eabab9f2b8f

SHA512
05fb1c99ef2bc8207765d04f5ab17d00492a305ed7c3d86b6da6b14d30bd9a7f02bfd7a3f42b0cf11f143bf807a678e2273be55d75b38d2c819eb21ea5c1892a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
adccba82f41b2430ce90d712cf5184e4

SHA1
005906eae85a71e21b4b84694b9ae9899dd51049

SHA256
551ff87820c77014552877f178c9c1f2a850e340350b06fb7726d340a209ee3f

SHA512
51f3ef6c21688ff11c7c37b2f2067d97253cd78885f6c31675c225675bd5f1552d454888befe851274162d7ea0a0a4e8a2ee819b37e52fdcf21d12ffc58b8a6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
fdc2e768545292ff7ca67caed8478f10

SHA1
0489faa802e666dd1f9f936bb0b1256098fbf6a9

SHA256
5082fa9266aa69f7abb6fcc72b1571c4f16d784071bfeef32f3540fbbc83fc6e

SHA512
112c9553449d7c69d8581e07fd7144e4b66127da4512e75839a92ecd17f7910f4f5e21f859eea7cdded558a825544d739dea77b5b510a9e5e681805c0bd6dea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
87142baae561295468975886d509e376

SHA1
6c6a275ef73477cf8ed146d68f2f41195150248b

SHA256
8a17291bd714931baa9cef1be26ba96ced7eee5cff18015a9e9d72ca731ba87c

SHA512
c46908b0a8cab29892a263d7122b97416a02e61a8298bde521eb599940a0e9b29d8e623ec9e7a758d533b5d022b143adc54e3d14236d0a16227619684251f390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
8731b629437815f3d44ea381f8f7fc0f

SHA1
89cd0702964de1031b54c5a45fdfe0ed7636b4a1

SHA256
a67f512d7401b8880b28f4391985d6ccff174bbcc8e77112126d0872539dd465

SHA512
6cbfa73b314443da3fe88d3539078a93226239b7b8d57d46340b0fd57b2ffe5e406055b6e2c84644195bcb4747e4e0061aafd72ce8529e8886af7963ff31518d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
39644368fa62f9353d381865b449baf7

SHA1
fe823a58b2ec5c74bff1e4a72211bf3581247a54

SHA256
424c89438c56c10be9e7e69781ad667c72e623b2352837043f3e4496456c3b4a

SHA512
44925e40d9154bab8f39aa480d785098907c59d13ec431ad2185855caa90e902db24b315a8b01528737ce2666779af02f89789909a3facc090145e41db410cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
259473c7eea2d1e5b11d416a25551b94

SHA1
c9321ae6067552420d8eed77c96005b47f2fb165

SHA256
9860f094ddf395bfc22c50fb6880967c287aee1671e0a55dc352d64f955a8187

SHA512
3be0b1c794cfad72ba56573b8a6f961632b6926dec16cbe79dea9a81b2957fa698445b43f949f4023bbf1e9c4dd535ead60bf73cc523233690abc5d726dbbe89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
b140a52d884b9c982734a3b4597107fe

SHA1
42280c8357d60cbe838cd4fca15404a9b5df9a12

SHA256
217345ee8a36cff0f2459fac2bef445ae309bcf69d17a05ac081948e4b70c6e6

SHA512
58476cdcae708e7857d922da6d4dc4b67d3095f571d70587116f21b26fe3309bd808bbc4afb61ac9b78c382c22e20ef6e15a83684163bea2663e0e8d642d6435

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
b69f9fb6f664c625da5b27f50e07cac3

SHA1
08e8d73697918e42d4d013ce808e752ebc0c3e5c

SHA256
76438eccb36575771bed56ae535e340d7b4a9fa1b16619564eb68826f2d8d38d

SHA512
58400945585ccc94e7c995036e0900d95eb443584b9eab3b1e88ac1786221dbfa220f21d72f3110e54656a628abfdcde2aa42ff57d1701853ee198cc41bc284a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
6eae78299d4f5ad4a03dea2706ed34c6

SHA1
8cd12f575f9ae8dba9ee4233ecf9cbbf47112200

SHA256
65ea7f10957118aca15867fbb5a3e9ff41cc296ad5853bf76dc47c92658cf631

SHA512
50dc26fc1d3fcfc89750225a0cdbd913d7e3013b3d70e059ab249944fcd7808c954abbeeaf3d350e01387e2e1e910b84eaea8092a498ae0eba590f64e0a9aafa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
cc0d659d9f260e6d7ad607fd869277b7

SHA1
1f787f5679c169cf67a4ec12f43ce4fb1a1a1ea1

SHA256
8d4e349b616e9387b224843f6453e8f22ee86e0a880ed5f47a2441a7346cfe7e

SHA512
3af0a3a1c1dd50242a9672996b813fb895839222b0c7c837ced47c07dc225b2a82b1aaccb55497b44601876ce8f8d2624a9ad82b79766c53b0ca21fadc956755

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
ccb766d754335ecdd406566677bbba5a

SHA1
672e296701dc04ef331402128ebd63578eac4a2d

SHA256
40edc99d133c173754f15ec7b34753bb3dd28cd46b544d7d20de072b0bf1eb1a

SHA512
61265a9b2f8576f847c239709bcc0d49e78130835b831924ba12998c4998fd2d1b45639e89efb399e47d5888ff0a653114cd1e15ccdfcb41bb1d1613972f029a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
65c81ddb074e7cabf73ab858fd2bd58f

SHA1
8361eefc7fc448a20615f105fd5797f0bc76f056

SHA256
449d73492d60893819738a9d7583a2f62ed25116ccfe96f3b2c8cc98071ce315

SHA512
fb707ed975d31863400b05bf0f59aa3b3870d0c23e5a79554b453adb2179cb2a99565ae1cf6a9b2de5571846c7e8d7d41265fbb1bb2250fb9faba6e392809610

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
f4c20967f09f23b5ee21c25e420281c5

SHA1
b201b6e45cac9ace3acc78a3a0c2dc6b61629da5

SHA256
04f71d7f8a17f9eafa32b6ba1fb96b01f7d0ef4125a72a993e0a7a2aca4cae48

SHA512
33794d9d405d9ba9176e42e0f10830311ccd8cd922a4afb6606a8f2ebdbf5c9f4d30e4cc893a03bc7221f9d6e7ffbda783182ab7648da328fa6ccab1bffc4afa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
0caee87825ab2bb7473147dc3338c658

SHA1
64ca50d2984b2438c94a86041db61e35911581d8

SHA256
c9c5ebc592bab07762b3e5d44f4a31ebbcc6c4ebd474a4066f5cc31012f46abf

SHA512
57c7c27312931d36333623b073a9837692ba3eb6133bc84112a8c5f48c2df1314e3a09f9172f2ce540dea24854d9f1b3103c0e27d79cf29962d86b401a0e5f25

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6136daabc2b0fb1702f840fd7dd6cd1b

SHA1
c4075078f9e5138cbfc75cca996c615980291d8a

SHA256
f95f8b24107538070862fdc5517f00b412c401a35475a202f2b090fbb37335f6

SHA512
380bb38f50ae11d08647dd627624a2a873480d2009e61c6e96d0903fee224615584c9ed0389ad965f683ac3db2d0bd5dd2afaf9dea06bbcf021e924a9aece775

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
bf0cedc1a97345d2d5599821461ccfbc

SHA1
42bbfea914c3e6399dc73244ff7af9baf056d1bb

SHA256
0bf3e5599b26af96715ac15af055cebfa1506714bc10eee4b0132aa10e428ea3

SHA512
02634dc03926f8f0a838a9302bbc2a748fbb78926639b2dfd1a5cc6c3d83e74cbcef5e9ba7d60e91615847cd17770233320e42fab432828ea01f12a9367543a8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
6a97c7aa11ab58e3f175d0f8ed04fd32

SHA1
4668dcb7b110b0a2a7a789c5eaae9e0fd638f340

SHA256
42ce8ecf6857d7cf914d7e26610eb90fd3d54f49b8932c3f69e3f1e7e20d4fa6

SHA512
01741ea42feb762a9234dc18bec4edfd728b555c3f4c15cc71e5bba5a26eb1f56256999caee372b2d3c1037381d335d1c80fcec94a2382d926739f3ab54cf870

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3617a3424c71af7c098d250304e0bbe2

SHA1
f889b53f30e3169792235cf313059f205b49c718

SHA256
b0a6618c176a515823d97a4e2d4a55a11ed5923bda2b043330d87c3f652d361d

SHA512
bc652be5aa61d4ea20842b23cff35e08a743e9c61fc55e56795c1f75433513b975d0e5660e8c9d1a1bc0eea7a9c5b3e4f74214d1bd56a1d11da5b9f52fb23cd0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
186dbae3737498455f1e616aadc7d1e2

SHA1
25fced814739287bd80f55128850823e30d02b66

SHA256
bce50a88db7278d72e5edd5584040645e3e06d16fa12725def0fd3ab5319b75f

SHA512
aacf1d21aba76d85039485daef2333cfcce373d94ddd22336ebe8750ff693635f2823287a5906772a4460b4cf906fc75386d1113d008eb4383a799c9d8a6e7db

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d050de568f6243bf0ebea0676f537ba5

SHA1
babf0333256aa70d87c34486fc6d92f250f049de

SHA256
e45bddf76421a51ddc08b55973fde3d68edeb3c22000526e48ece6e319e73587

SHA512
aa98ed291555e4a2ce1e5a2568cf350a97390e1db6a524777e1576fb61192c817cd26864120868a4ca02a545edebee982017d4a0394e9d479a64053ec0966f6d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
0383beb6f9936ebbc20a10b6fa2fbc0d

SHA1
ff4fce8183260c877e63a805bd052f5f11ae425e

SHA256
36bf831ad76750dbc30d3e35401f164a62bedfaffbfe81a0693ccb41b4200f1c

SHA512
4192d9e93ba654a27b8b889fed1b88dac897fd1c9d73d5613ed67a8b4d17cefbca41cdf74d3507f3b64b954e747b93642a97eaa408450a42833d62dd6a35a3fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
70b79ec2044f7db124d13ee061037b9c

SHA1
21716f102b045ed08a4c0f88284e67f701d58eda

SHA256
4c2962672b81b8feed4a369cc94480e69db5b059cce34438d5702aed1f63b53d

SHA512
6df39791164e94c60467344eda9bbb5d28ae8030abd5e3609c75096d2c81c17897206581120fb2739e4bdf3497faa3a068f8637fdc79b9ef5c8cbe953439b709

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
6e70719eab11976903c57277b3f1af7b

SHA1
99ad255d80db8d34c7036d556fe0fcd99a4ee518

SHA256
2be8c8b80d4dbf2ebfd6da438fd53ff3dd9611d3800218be6e072d74fc8d79ef

SHA512
5cd44550c4230ec577a83921134324c660fe40c591b0519ddd47605b6b1f4161324b2af180001ddb18a68592745df3686628c5f0688df8fd235e7c1cdc69efee

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
500816513f3a5c4aabb89ad33589ab82

SHA1
0d9bebff087f2172066538c95b67b3c495aa9401

SHA256
61180c497c2b0f05c5cc3530e8bcbed7e41a2cbf4c02df8cd64320fb49470c4f

SHA512
8892ce41856581b8968ab8fbe1c7a60027845e47aeea6e366ac9886f2a986f5b03d9736e3e54715739debe7247c7cca038548a451fcecfd16a3fff05e14369c8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4374f2a46225aed5735133a27eabfdcf

SHA1
aca48730f341e250550e73f31410c6dd4cca8e7e

SHA256
169a586555643e6b4fd1338e79383a738b040889c381a9933cb23540cc9e3b63

SHA512
d84418c3f8ca7218ab7d64ac02d000308eaa55cb49f2ffdefb8eaf17f11a0d325677fd96c95c5465746f845d81c3142a893674df055a1d1b2ac80adc74904c8d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
08f413aceb67ebef9a1685c79f67f49c

SHA1
7e0e48a562e65a103d7bc8db1c56e7c02f4d58e4

SHA256
aa0c9fbc68fd540aeb9e15a920a3cf4a5ad4f04ffa868d3013a04c90ab406390

SHA512
804355c1582bb7c13cac4b2b858096618b5a85b1bc210139a97647fa56675353849127a2e00209eb6b35e52b62f41a7c1c89355d8d0dedc8f8964173cf60fd2f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
bc8bc1d0baacc09ac0d5fe0a4eb6b51e

SHA1
bdae33cf66090d09430ac9c5bc065c42d7068344

SHA256
491512db1f8325c64e96f13dcc8a3a8a4d25b3f10842b0be40643b451b4e8356

SHA512
eb10de153cef5113104e602d3a35903d25865387c9390f757bdf6a195f050bf5dbee65bc2a6547bb6def626d498b03f93c4308b81dc4830c31d83e4ac4621f7c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d4c54996e86b55e7026971d3ebfa26f2

SHA1
eaf478ce3a34917e157345335452ec0d2a2ff66a

SHA256
45bfd086d8a0e417f238f4798bda61bd068207ee0c87f61b431b4a132f49dcfc

SHA512
4801cf2f17475152f5ee9149c1839848cb9d89bd52d262a35cd87a1004c54e9a8ad54362c1f0aaca0283f5c2fccb5881b75cac4cb8fa04ec96d320874c37d3bc

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
a910dcc998268790b9302bce4728304e

SHA1
36915fea032580313d0ada40e4945f884e45ea48

SHA256
edd9079c3ca5435e1ac6cd6e51d71616f2e75c28178467ec48103d5558562800

SHA512
2b43ba2c3053265ac1cad5a80b96394bc6b450409e58211981c6c6a42645d532a6a9bf9f4a1b56e5af523511dc1221fc3c15e670a16a6d6ffa60f19b3684e25f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
d38081ea202a8871c0dd67847cc67a09

SHA1
f07ee21e0f17e26e41b2cab2347119a09f275741

SHA256
16f0dc95da6d7d0524e3553b3385dca1c407e641438d31b0f4583a81482da52a

SHA512
a9e54857084c86c155ac8a176ba949a88dd351d8f38daa23a5b281fdd015963eddf65ca6581e0876d7379805c14d279adea6da34a75f844fcf066bfe01803986

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
c3bd19e9bedbc7e113adc22b2ff9bdec

SHA1
124ffa5cf9c344661889b931fdf1a92db13995eb

SHA256
3704d5fdd4dc755821f7e123b78fa30e148612d4ff8964bf345fcc589258dd9d

SHA512
4451968899a9f6265770d47f62ff9d46dabaebcdcafa49bca1996d4c40576f8dc42205b075f9c397bf218463422dfb7f3181cabc62f1da8152471ad15fc0a8d9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
adbe5c182019bfacf1aaf501b97b718a

SHA1
09fd91e4d6884af0426e6f712e23c48370ed13b3

SHA256
11d09894a991d92a5d6d2ae61932d588ec330e3be5fe0f84f5ed45ef8f939995

SHA512
efa52a330599d8a56a48a95fee8cc5be9e6269e93817a806b9fbc358415c8667100f679a71ad466411a032692da64ca4883e1b3b511f519d1ce02383dca846fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
2a2c177f0b42996a859afc7a778cc1b2

SHA1
4339793be3923d7f74125a0f755001228517620c

SHA256
cca101804d757ed0aedcfc5896b016c214cdf3e6fc57ca829d5e3fdf2a429274

SHA512
6c33a388bad681222bbd99becdaab1f430dc00d609c819cf62f81469b63a4da3370ad618f93051570bba30b70dae902f4329540aa34063dad4bcb0c411c00805

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
751a35efa899b0116ec868f1ff69730a

SHA1
007e1b9780809c61be9db6d04fc3ba23500467e7

SHA256
266e0f481309382a48aa15925f01f8f1b30474513ff998fd4f5edffefbe1c6ab

SHA512
b57e2c31c092f57f159482707f444733d680db5ee4e84ba73e0b53c7cf5992686108521406d0696f96cc596664dafc369b8770ed76e43b8f9c98d289744f37d4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2af746a63f69a0acf5eaf9316c868748

SHA1
88deacdefc6e1c11e7fb7ff10bc07746d91d2da0

SHA256
52ce7eca3892df44ab1fcfe427dde342b339ce0b7515846ada6a1a11fabae4c1

SHA512
f416d6b1955dda352ece0031c6f1ad10b5c391bd92cfd852061b79386a9dc4021d6ce8fe8aa9626497cf7178435e5fb15cd05aaa95a220c5f441b691f1fcb3e7

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
26738e2657e18e4f246edc8c5d4bba96

SHA1
bbd1e9b51bddd5eecaf00c8d189e6c540a5be940

SHA256
ee9f1519ddcd4a8d63fea591c90421708fc5abf7bc7948cf7ea657f06ddd4ad2

SHA512
f99b475fd461d6bc70fbedcbf0e0159640b20d9c2ae67341a9dea3e0e7161b7975b75549358569dabe3de4ccdfce36211baebac714bc1bb08d7ffc7fc90f9009

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
7367571a0e0c5913dd1e8f4236df1e05

SHA1
3cff86d97b40db77ceb57ec3122e23edb811785b

SHA256
42a0488297c3e9d61fefa99432b9b93cd34b01a8bda795e2d57a4daa22569e90

SHA512
efabfa4e4e1a48e74c3208b4cc67df79e14997774cf5d19ef620780f4291dc541902676e57e1b65944444228ce39047178d0a2df275ba84f79f0c2a1465a9b44

Download Submit
memory/216-251-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/216-719-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/428-94-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/428-103-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/428-100-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/436-727-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/436-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/712-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/712-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1036-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1036-722-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1052-717-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1052-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2012-296-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2012-185-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2084-197-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2272-0-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2272-6-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2272-494-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2272-166-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2272-8-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2272-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2428-265-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2428-720-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2556-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2556-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2556-196-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2556-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2840-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2840-721-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3264-143-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3264-150-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3264-155-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3264-156-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3264-144-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3268-158-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3268-167-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3412-208-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3412-319-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3640-180-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3640-284-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3732-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3732-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3732-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3732-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3928-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3928-332-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3928-714-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4060-121-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4060-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4060-128-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4112-726-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4112-320-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4372-628-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4372-231-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4880-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-120-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4880-113-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4880-112-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4880-106-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/4880-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4884-725-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download