8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a

Resubmissions

28-04-2024 10:27

240428-mg4hxsdf46 7

28-04-2024 10:21

240428-mdncjadg51 7

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Size

1.8MB
MD5

632170e99a4c30b8ec0d4cfb3a1cecb9
SHA1

aedda2d4339ff9a90d6b3c5438549c5833212f4d
SHA256

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a
SHA512

4a58424ac1d4807fb665397d36fee6143e20b7204ae648aa2ff996d1383cb033d2a7de39487d1fb36fd19d483ba68ef0a8a226d7d9e507f7597ea5ded30c6d56
SSDEEP

49152:8x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:8vbjVkjjCAzJNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2612	alg.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
2652	elevation_service.exe
4400	elevation_service.exe
4876	maintenanceservice.exe
5088	msdtc.exe
4512	OSE.EXE
1016	PerceptionSimulationService.exe
632	perfhost.exe
984	locator.exe
3632	SensorDataService.exe
4888	snmptrap.exe
1244	spectrum.exe
4840	ssh-agent.exe
1204	TieringEngineService.exe
1428	AgentService.exe
3328	vds.exe
3012	vssvc.exe
4060	wbengine.exe
3304	WmiApSrv.exe
2340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\818b434c5e51cbec.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\vds.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\locator.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\psuser_64.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_it.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_gu.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_en.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_pt-BR.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_et.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\GoogleUpdate.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_de.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_ru.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3410.tmp\goopdateres_te.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe

Drops file in Windows directory 4 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e22ccfce5599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018999ecf5599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c84aacf5599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2516	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	1204	TieringEngineService.exe
Token: SeManageVolumePrivilege	1204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1428	AgentService.exe
Token: SeBackupPrivilege	3012	vssvc.exe
Token: SeRestorePrivilege	3012	vssvc.exe
Token: SeAuditPrivilege	3012	vssvc.exe
Token: SeBackupPrivilege	4060	wbengine.exe
Token: SeRestorePrivilege	4060	wbengine.exe
Token: SeSecurityPrivilege	4060	wbengine.exe
Token: 33	2340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeDebugPrivilege	4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2340 wrote to memory of 3576	2340	SearchIndexer.exe	SearchProtocolHost.exe
PID 2340 wrote to memory of 3576	2340	SearchIndexer.exe	SearchProtocolHost.exe
PID 2340 wrote to memory of 3744	2340	SearchIndexer.exe	SearchFilterHost.exe
PID 2340 wrote to memory of 3744	2340	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
"C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5088

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1244

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3576

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c69518930d6881af6359ed48e69fb28e

SHA1
f8b9aa45ba661a1e0da4e4384b6803493f23eec6

SHA256
5a221fb8b966f66b1ec72065d76edc0fa3a938819c90761c21c32a673c485441

SHA512
3f64e8c9571c0085c477cab6982de11f3a65d6ad957f669ef22a40b102ed913c2199174a386f3fb13cceeab934278328b073396775c3a5516e16f77183efa573

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
1ddb7261a1a9873777cedc634e2d8431

SHA1
f69cd138b06b9d186d26c2d0932b3901bd8955de

SHA256
27911e8929bd287ae13cc6729624487a7fee8015b7f039d027083e7d0ca5729d

SHA512
22f3a178e02e9e73ac29434a630b921e776e0e89c42e45b9dd4a2c63c7f74e450fb058a1853e2f5d29b6576439854f1d214beff8457ec31f7163faad597cc1b4

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b99f24e7f3cdf1f48460184d0ea207f6

SHA1
624b3da382756fa5f0905252eceec297688991b0

SHA256
258c3a52127d85c148bc2c6e9dc2bf1e25f8d6bafae3b1ea4b4a10bcfdbe6008

SHA512
66c5c50aedb61de3d9a63a405c6840655ddcd02c6f8a6de14a0cca7dea7f227a0e07fa3a61e17ea1ce04d4a432e5d72e3d0581eb84fb1e8e92045d16389a6b08

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
fda6fda72dbb9751fb534ed4a4f41b7c

SHA1
1c86fa114fc1241d59864367e32ac64002f0c193

SHA256
3b49d3b2c80046776cbda3b0e3509d447f15f7f67623984b6206e794af07de7b

SHA512
3c8ce6aef9f3c0a34a4e6d02b6bcac0ee0476e686925d83e43c0c54b448003012336599292cb8700cb0ce9a5e6e060aa39eed5e8e83afa92eef47fb69547e46c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e7e6de4eb3382b4332d2cf0438f28fda

SHA1
6c4da732cb7620de69fcdcb8301d04e1f883e19c

SHA256
27ab26568b04b3fb48b559c6b338d23907371b5ec67e94df68f641dea9b8dcfe

SHA512
f78a8f1ce0ffb08ee81f36fc517491a681a3f8c592e314ad67afe7f8ada3e03ae5600b864c57432986af1e070ddedc968d636124f045ed099fc79a261332a25b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
9994195ac94c8d3c50a75159d2a9a240

SHA1
ff4340fcc1dc2d7f6063f010ba20ef643defd65e

SHA256
94547ee698d1d3679434c9fa4e7917d265aeb9ead82d4224e79027d9230dba9e

SHA512
e95a994503b006f0137c2e3a0668a7498c8cfde0f8d69c08f11fd434059496801166dad077c154860d0e1a351460e09ecee7843a141848bcca069883fce6071d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
4f1a0cc647fd0657b3a53213b538d4ab

SHA1
e25b6d80dabe9845c7a0df7c266d16be272ecb02

SHA256
b5a48750617bba3e73def32b5875ff4e887c02b1dd8423457da6cd85776ee170

SHA512
1926f6131e7c25a2e91452dd2f8707ee0f89137e210f4083bcf19497367b3b73513d2da48bc9c1f915742793521b5dcc0f17869378dcb643575433af0f850cd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8abf344d9632e8c5ccae7e3375fb89c4

SHA1
288172c38cb1a4529b2334126480055a1684181a

SHA256
3ebdfb9581288e37c91199631f30604d09b7d6501647d94020459a86f70f1b10

SHA512
38180a7af95993f3f8395546d570c263f04d05b097dfb3b1eacf6b809045c89e63780825a428343c59dba602e7a35c119dc3e9b54b500c8e497a6b594217cb70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
7285418d55e3a0bfbdb98d3f2018c947

SHA1
88f4a0208f6bf7a19f5f3865ec654864d75c4a74

SHA256
2c1098ddf43090214336890b43d0c45e9f728d49600f462750c3a1f293967f6f

SHA512
a777b0eb31a7e0f48d0fb3ccc56f1ccfc62588ff2559e95877aee120a0140d8044df850ac07ee8a8dbb159e3d75ff90d604b897db609ba1e9cce2c613753170b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ce39717218854588d7fdb936d215d391

SHA1
7da8c584fc17a9382b42295689ae34eb490a69a5

SHA256
075b2cf5670024eac3da52ede314fb1d21a325bb0ec52df47c39281b6948cd27

SHA512
77e967cd223f9b93d83a615dadab0434024e4fa983d882db2c2269bf9bf31a651aeb505605f96c9622df3f6cb8bd6f8e4107b7e205272dc37fa90e38838630a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7c19a59f5fc6fcafd58a65fca74a51df

SHA1
62848f8754aa35cc279417c1ab86bb0c1ce0d896

SHA256
c0cba1700520adcab7c4ff92013a689d0320efba146b67d2324dddb0511e4ba3

SHA512
5616b256049a8f0ccf011eedb1db90ea57321a0617ea2296b6ca4ed191d859094e4d2cb217f5f06b5ca68e24d9104a0512abc122f4690e5f40cbc72a8a2aa05c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
97305556ff20cfe96cfdf22ae8416e73

SHA1
3f6195adef8f35b93b805f4598973b9dedbd19f8

SHA256
684d66a758056f8d5ec9dbe0d9b40e30faed5c05f2839efae8e75c2a0a8cf193

SHA512
981037e1dfda2a1f12afab57530ed5dfa4ef0f56d215a1afa9b11899cf672c29953f27d1f622c926b7156dc1279b0735180626cf9a30a71db71f9a1995e6141e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
08ef0258cd103d46e8730537dce07da3

SHA1
d34636b318970c37eb3f532a8d153e5a206c9c48

SHA256
dd38cbf00d7a0fde9bb45d6a972bb968f5d26fc1783b3d5135d45e4c8c97bb1e

SHA512
518756ada29efe788d1e8c491851c65db5474f88c4beeae09920fc877bc187942c56891ac91d18f7c9133c8bf04969473c9374502acad0504914f22194491969

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
2223ccf5b84af2a5015c8c055fc62610

SHA1
8c372a9c066b688f3f95fe95d192db803c0f72a3

SHA256
00cb8bb9c9c926e5aaf7f9bd73ac944bd6b34cdbfcf35fc4205b40d2086f32c6

SHA512
04ecfba04b60619f9197330831c900ec8ea9fe1b86fd2719c65e26cd91e5bdedb039d499d14990ba07d6cb8ff8d2ef53ba34d49051ca49a8940aa733814ac45c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
78b0f62d87793d21729251ec4f545f8f

SHA1
292f95bd88799e590c7f7aade4adbeeb8c8d7ca0

SHA256
0ead8dce370ccd25262b77de97e11eaea43079b342b64a970bcda6c36a8ee9ed

SHA512
a888d08681690eb4c8c14f9c5210626be760181dc6d26da30859c9a8a2ed22774ff150736e046675507cbbd73f4e6f5508fc58b0825a5fa52500a28a47da493b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
5f04f0f40cf991589fac4106e21b804a

SHA1
e4613a4a9c3e054c72da68fa487d470b049f8283

SHA256
961c1348a8d30fb500157f0f75fa84881c7746ba421cc6888d0024ee0fdefdac

SHA512
0138996a7d488c51154fd710b59c84e868679d8b3190f7e22692b39fde8b62f58a29d8ffdeba7e720916c466d5e7d16225b303b2b03af5e17b7548872faf112c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
61b76ac6fd4883021fb1c7110368a4d5

SHA1
d28a7eef8dd70bbffae3ee4ef20170e63d2817c0

SHA256
7f2e168ab74df53a1e7f882af9c36d5a7de0bc3aa6928d9ed19c95296961a5cc

SHA512
989dc8a470acd6a6dcc133ff8aec55b7cc75b9d9c9a1448f39b50510109cbf29cd2485c5481682bf6886ade9cfa4b112ea577a860c3879ec09974bac5b2df63e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
0b41d02cbc7f04928625ea2806e216a5

SHA1
f4a905d846c5623c936f4235f726d06eb7b673af

SHA256
1fe5a37fec5ad8e7b506825847fcbfd3f68b9b1c0e8ade83201c78909fa36062

SHA512
1ece74446e664b9cb6810ee0f6c7f6b47c1e2a64c126ffdd028faf572595dd730bf174f50ca2d177f00a0c6958074e7a8f3dfc3579206ed36ab9ba933b1dc40c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
3862ce8ee0fed0f379fb3fb14f8ce2e1

SHA1
b5c05401bf14988bdb16a8d6bb9d887123aef77f

SHA256
e76aeb134fe4c0567081a69499d5c383d07cd4134a30f7eba8395c7b79182c9f

SHA512
dd82702d5c6b924a7bb4f2c9b0b35d6f78ad363663ad670f2fc79b9a79720e73a95b8280a36cd3cc1c1d7f9deac800071f7790718a55e55fcda00950c73e580f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
98d9644ff6cfbafcc9a1718cc771a785

SHA1
0d9dfcff985cfeec6373de9c15d60133031438d0

SHA256
8f4f491e21353c329888aa10ebcdeba518522c2810cc65f2d9778f3e77edb063

SHA512
defcf47bb31d4feaa16144e340761a3e7866747f1e10ef71a0a4b7c955604e5a848afdf928b2c114096fdbd62c912ef484c3543a1c3dbd3f6d2f3ac07c3de6b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
f460f99e260b98a267e8c2367831b2fe

SHA1
9eb218e9d2cf351d667a9eec7279eb720e308be4

SHA256
c03d9c4598d6081359938a8f1ed68e084119345672212c1e5a8b454554f759f7

SHA512
75ecb80155976bf004ed4dfa7098054bd76bf3e2d6e3290e4ae0e00230ca6e5792630d19a153b9d8a6c8bf658bb9c78c4a3f2146a9dab3fbfe1e33cd64079252

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
7c76f890f20539d256d5c2b52b554944

SHA1
bf046e61409b04b71688e9feeabe31d88de7429c

SHA256
0e7ed852ec987aa78f18d897e374f453bc6ce99c2493005754d08cf282078f9f

SHA512
c12cc45b87801a54b53bea2ef09d0674caa431c43e4a79c42fcbfb55dca6ed58af361c79901c66b23119a9377551ab0f240b3ec8f49f74e274975d188c8b23ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a0c6e735965f7627671677e96ee9fe00

SHA1
89bc27b9bbceb33eaac814d50f957a6e12ed900d

SHA256
336ad3d390af54f106415abc670da8642b2a885edf60086ffd34a77be9566ad1

SHA512
8d91cc1e6281cca8f4e4ac6f96ae5784b8143801bd04beca89704085a67e4a55b3e73197688626bddbada98063c3ddec2e2cc4bc7ac7371a83e642ff44df3389

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d326dded7d4c98f715c2d74c54ebe0bc

SHA1
1211017f95ec586cf723a1ea6bf3f4b17ec36574

SHA256
fff74d4118055f4d352f9930145eabdfc608944f8b3feb084fa9b7d0b97e5372

SHA512
25af003eee41ae858a46d5a5442635fdbea0b4f2cd991dd3e9261bcc4fa2291f37dda8ffb5e648452a3be693f060a08708d2b4aeb208cff744d3e7a2c33b7d93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
1e22780ef0ad86c487fd5b42bf36df54

SHA1
1321cb69340c68e791b35feecc364804adbda137

SHA256
097f4706a8cde91f5149d11bd2bbc894360ac22a8d25809f954ef204a1a22364

SHA512
407a633dc38bc8bc0c6c84276a35ffce3141263c51e46edbba9d31e0a161c5f7c0c76881b966dd4aa45e70bdff12bff78e3076ce2a4bfbd77c39b8f4afef6982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
98ce85f7e7bd0052902149c7ab754f9f

SHA1
43dd9201eb9770290c72d862d46e881971e8ec8a

SHA256
d9a9b6cf3b655b756247f1c21d7d6587298207278705e93963609032e8802360

SHA512
38fcb6f5e68f97ed97871bd037810f542cd59e24e2cfa623e117cb485b087f57cb41a75a8587dabffdedc1581178ce485e32ff1da540ac6e2631758f9ff38401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
4182bcf8a5d7e30125ca86850777a36f

SHA1
0ff326424c433460455fe67dcdd4812c94ea57c5

SHA256
32d41a573357d360c2aac8d5bc9d17cbee5d48cdfa67d37c0e5ae404c19566d4

SHA512
2ea5973e8b62652ef17615c54a2008e5070cdd80d95b02105f362470a113436c6402a2c37ff82fcf91abf78ebfd763dd5f6d97a2841d3c95794f3d6d2fc7cd18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
7d3003276c3257da27beb6c6f3c89ffd

SHA1
04b005a3f93678a33af293efa2285ceaf0b083a8

SHA256
670c4a115ecfa64aac38294b5bb1322b4a5597392747e6901c29bad4bfaa70fd

SHA512
02ed75df400f1a2f0ef9d4ca9957ff5d556a24a25c69103230e19cd0dc83d3ed90b437a42b61e7bbe55827e8ec55be79b0003889882a3c869f4a7e0ce86e1c1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
9a434923e60944093b07e44739974cec

SHA1
147c65c8a4c2274e95fbbe4ad3de9c5d0395c2ae

SHA256
a70526c4eedb51a1492fef0cabf2e5140873af22d6b5333c18f49feff8f15fdc

SHA512
5b91e9b1c6ffeb633cfa50ed074da922bdb86f86e0dfe8b88e89dfbfbd16b00436d92d6dfa05e2f785483f5e3eb954159fa6812df1352ac32c321f1dae931626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
d901d18c9a5c7e36e03241a81e27155b

SHA1
0f5f784abcab32048cb28077802c1bf141de583f

SHA256
79f3958c9e42514ab4169f087df49bd005b43f3757746fee0e05eb92fcf13eaa

SHA512
69dbef2fa9e384620244d4bd20461ac6e1b81fc4682491747824d02dc4acfdf9d07670bf9a88e357e67a35f2dc108417ceb0f978dbc033efc747573a108830d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1c834c1fb1b23315e35f2bda158b287a

SHA1
54a5b901e90b7aa6cb64b8211e86fefc49273e1d

SHA256
6f79e80f0bb612336052385e6d909e29c96a66fdaab59e42d141fcef2fb50783

SHA512
e26b28a8240a8407c399c44bb992aa6ea7bdbc7e401ab70799d791c3889d0e74ca80462a7669f006d2fa2590f290a7bb01c3c62c32265ec0212368e84ea5b0e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
683a91bd4d5ddeddd9f6c6cb5623022c

SHA1
18061ec4393a90b285b1bf7d2bdadb6670299f80

SHA256
f304851fba3e03d3ad331c2d65ec6254a0c5cfa711b48754a2c4827dbc649e86

SHA512
16d220cce356460a8ed4f9d184ccf81023009cb347ee9d0be1db400c97d85f79b13f5f1cb65182ba46064927316c334d6334a527d94d8cc7e0346d732acf9f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
6d43ad8cf771eb840456c02fee4105e7

SHA1
1db9a5ee49409bc00f4d4baffae111d5d8fb3673

SHA256
d0bcc60c53278d34da4804445fccae8ddb96b6e095e3a72dcad92eba8affc59d

SHA512
2e5ed833071cbe7c4bc641b5e9d691ef6c39c625d262e21d7d887c09aab2e127189c1d9646ce834bcbe22a3359fbead6768b7d880831602b1ac9f9b20222b572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
d7acbda6f8f06ca392065ed84b98f5eb

SHA1
b72f4fa8eb958c4e4da965a0045ddebdaed63bea

SHA256
356f3a3cab16b9ce0e78cb91d837c62d0eec8af6849c819f3f93cc51515de17e

SHA512
d406169fae422ed7a732b2c110122702ced95d40d2a707b8c0019731aa9f5d9ac01e8112c4c7759267605952b844966dd96b18cca023fc5f9cf17c4134b8d84d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9784c985a9fa90302c502b84e2eb76bc

SHA1
9eb1b701f86729db5ac5212b62030171dbc06fc1

SHA256
3ab20e15665ef20ff8083023c33f72658dedc1b54ba77ac23141d67aa41c62bf

SHA512
b8ec8b2c8b5322d8a5bfc592aa3608e16bf6c3552d275684a6974c4ae116051e3b913a2b0ca9eaabb55ee94235f7e28e25ef53ab6b180e27e1f75c4d40e74143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
bdae2d699618c0dca94c2561b76c1f40

SHA1
ea20dd4c8b37a020beb54a6fbe5bebd19eda23cc

SHA256
15ee857fe779640efdafdf6a8f1b44c5a8d94dbc71f3120838e4be6600954848

SHA512
0008c9ebd2101c47df9a7bdbe6bbcad9a088b56f8ff1555da4efaa8b6f6029f422fbde6fe7084acada963ef7dd40ebfc9daaac06d1a9e1d036199c6d16ec2e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
0e1e15036e3782e2cc92e2887c5468c3

SHA1
b150bec3024e945b3eab7ac3f8b74da676585e79

SHA256
9efa1d8bc8813d58624cd954906e3a88a503130a8aa410b4ebab217c581d554f

SHA512
874bb7461935c5492d1f8bb62d8436ae7436667eb6f79a547f4c1d6c912f61fa4b4e8bcc299a7ed8e3bf1272f93bcea8aa4408ff8c8545548fec5f89fe144a09

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e86631aa7b83e0eb73584fc316aa9abc

SHA1
0f3439ef3761010b9a5fca7fe9a3c2545728780c

SHA256
b4757b7a9fc95ef16a5ea82217fab5cfcaa0ac9dbeab6b9489439f4cabec7a9d

SHA512
e5a672f7ea685cacb014879838b41fb51230e4e80341dd1847919015d5f177cbd0e634dfc647be8fc9a051844219a415903dabb3914ddbecdaed26fcb5672f72

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
2caf04435dde9fb7bebba505317b073d

SHA1
96b6115241c7562b3ef9e2254e8463f4128b60e3

SHA256
3b5b897b66059ed22e7c7b8b7c24d050e6e5b8e7dd69e4168039738f21ae167b

SHA512
cac95cb319e80a16a5af48073a891223a031e1c668c91ba8548b68073a8a5a57d5987ea7f95f4eef92b91c55dbc2cf2d72b367a1654366ab9d1d8cb00863ba6c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5cd25bb6670db543736c5a1c034991c1

SHA1
adc9cc93ad9d4f6be663ec73ce670099b3409bfa

SHA256
75a68a669c67a720ff885c48987c4a279a2c58a09637f9ef96d00c63f2e7a601

SHA512
98a0838a6560430d4415ba25114dcfcadd9f094893f5f8a0d753042c6ebc43d78870c131c31ff5719a53672214bb60ffffa84a14d8354821139068a2d22ac0eb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
8e53bbc0c21fe076bee235b5051b50dd

SHA1
4aeccebc6a208b28b8f64b32662194d64cb63a59

SHA256
24c4b9a355370ba14c073cdbb3bdbc8981207c8619a7e04fcecc848debead168

SHA512
6c19468b3a48a3fde19180e654bb6b8e2e6f5f291a41d4e8eb25145b2f8e70bdd47bd2379945e71efb81d76e6140b2c65d377ef1c7be0fb4011d3b77b84b78db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
8b38f87ae4fc698d327b9946669a0cd7

SHA1
75266ca1734099541e33a41a5240dd31f85e3bf2

SHA256
d1e2a2947dcf85e539da582f65ed0f7ef3ff43141f0d6443f5a27ea69fafa0e6

SHA512
281203d9de0bbc48b169bbaf673cad990e6d586e47f66988403974e153bd2203c4d4c62f92431b4a6f9016a912f234bf134dea45265d4ca85ca18c0043506f03

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b150bff71e265bd0415973690b4d7cca

SHA1
af87ca6192b026eff71c055dbc7ce1a6bbb16f37

SHA256
68fdcee73a4e7188c5f554732069ef76d7bcf1af719550bdc394ed51dcd2296a

SHA512
4ba39a6d64f704df0e3e188454a329046b2be96ea81a7577a04c00a8021baf1fbdeacb7032969745118ae1b86f6aa1c788141b9268a0104e13a2aac9cab09c10

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b4dfb381a9a00f43ca91e923bf3728f4

SHA1
d15a9dbdf4dce31e9046be0b41071808ddf36efa

SHA256
c788ff4142585ef9e7c1bc7da0971801146554342bf8abaa5fdcfcd0cc30e21c

SHA512
7a3b79f64c6c233e6e7f97ac1d788a6ed62952ed01203253867ecaa061739b26b178465f40307077599f804a49926fc32a27fe48be9f77e967b3b03dfd27307c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
6baa9c63a32d4d77c8801f72b9e18f38

SHA1
8c5c0c2d6c7c2dd68c04e339caa7d4cd2a3c57d5

SHA256
21fc6f08b2fb4d12d2299f3d3fcd14ad2b7866d9abb5013be27957665993bf15

SHA512
002d306512e54b0849247b5757fb3f08f5767a2cfe635f34d855b01b4fc0e80c959d3972bccf533b8ffc522010a27504e91c9d84fc31f313aae7ee6c8ff04dcb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7e51bd467eac7387e4cd8f85177dd7b6

SHA1
85ff4bafc2f0a25fcc162fe75c7fa6d10886c9dd

SHA256
e19612f379b22148ca8c6cd10ed2c03a154aed6cea029b087d247c3d5cee2ef6

SHA512
b42571a8da9e479fa8cf4dacb083e1a238e411fc4ec815ae173246605e065ebc4ed897a306d9d290c8403d3606d299e72081db0503d8182ac072b3ab57ca780b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b8677e2076d240f3178dfa1c7cee47fe

SHA1
6fa767f4487caa7953f988bb1c8143aaa4684f9d

SHA256
0bdacfe14b33dd3fa8cd1ed7853d865053cd0f73a56f997fc6aedb327867eaac

SHA512
b61d224fa73c55ba7b8cd9836d47a3429c5dee3866e8354909c02a02224a1015fe4a4fdce38aa6d524b615433156f7213aa85dc3388ad8552869d0160cfecb06

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4e0b7d0e50e7ec6653403a0a2d29dd8a

SHA1
506c02ae2a7ab245e035bd8b7ff56b61b93b622a

SHA256
dea021246c32b92c01bbddaa5310bbb8398f32bb0af7090f1622438a0ab915b3

SHA512
141686ee212a8e0711009b30754f89c78151acae8155e044db288dd4888b79943b90116649f6be19d9786186378a96509cc29c2f32dd5ba9e6564464eb6cb240

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c712f741d9811a6a17edbf0f99d8c173

SHA1
275c355867f4944e84a84c97037ec84717ef6d62

SHA256
3b94094600574d6199b8e62099f80cb538565f8479a94ddb685595bf10ae70c6

SHA512
5391fa5c8d73573bc9c4791cfae056f3541ed9f9e34788d6c6c14f5c67dfc03b2ef0c35191ac83e043cf8a12d7562662a2a53232ee1a3d4407edffe5d7d2d02c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
daf45a9d972cb305cc649a256bc0d0c0

SHA1
40b4a431a06cddbf9d62cb52485d895c24636d67

SHA256
8e2cb8321324003d969ffa1eea73bd94f9e3ab09009ce1d58fb3aaafdbdce065

SHA512
ce9077365866eece6c37c7c016394bcf36769d34cbe0324ed16ba67d1e487b26bd90449148a28ef6947adf3c4ccd92fcf1e7ebbd607031138913f843506a546b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
be9f62cd4415a9789da6e63b4466bf1f

SHA1
7baee2036deb29c97f4fd4cbab8dea05ecef5853

SHA256
dee8a9726d301092b6a71a99c73a0a15bb87f0fd9793226ea86e2b10160a90e8

SHA512
b5a4feb5fca002e8e76d95eb8475a8751353344890c760e8dcadb9e33dc39fe89e851c99bfd3fe806ff28a3a3d450d402d6b26d3c92cde39e499b31ad176a585

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
264d1f283b5e7d54074b34ac328c6654

SHA1
60a5d67779665acbebf5f8281cf20a2b15c2d6fd

SHA256
fe85b6ba5f7dcc9f2ea96330b3d00448ed10402bbf6ec2a0120b6d76c1a80f9f

SHA512
e4a1758a9b5db17aa537841f62aa4e3681311b3fe9d3721874724f7dc5fcf270db940f96ef308f363b1e3cb8460b40855cf0bb1d91ef116b6031e2f00e04b134

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
e31c34141087c35f6d1e82b7339fc51d

SHA1
53936ba4897ca1d1c9f49c9e5d9a2928da0a0b13

SHA256
c0d8ad4066efd4c9ad28cf34da1d970a6531c6616fe1ccb65fd543ef4ae576ed

SHA512
e282333d7ab1b10bdad7cfea566c2c12e0760706f5a21b9bc9f9d45e25058c2089d54348fbd4be78f7a9b47e65659a9772de73c74c9e04f8cd6c210a2fbf3dcd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
110a0f77e630b8086b89082680ab3b96

SHA1
25d7c3b2be71db123c80f3b70191700e5226ade7

SHA256
c04ea1d32d5b47e2b38da63cfb344e19bb855d5cfa008e1170504c415924d45a

SHA512
25edc6f21ce6ec5ef996d0855553a0da325da59942abf2f91c762c1035588afaaf6ffe5991de9f1783672f349d9e870ab75486988701f0fe5eba5c09ae9af4ef

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7d8f45e4c3361ed79945241e30a74265

SHA1
5107a0f67acde1e0f70f7c67a5c772e6dba7b1f5

SHA256
fe65c4c96250bb54143c11e8fd9a62b657b9b3042b7b7d2191e1631f866063f1

SHA512
cf1b8a68bfccabc78bd3e7a437f8109886a8f468f11dc2a0c85fc83b4aadacb1f3eb31a1ba4bf941fdbd62bec3114e9380cd2d94c49c4703aff4c505f0dbf337

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c8426d23a146a93b13309cce61891fc7

SHA1
7881933d2286e080120f7897153b55c47c150fb8

SHA256
5eefd662b15426a196cf7376c33d398b9c2713a20c8fe57abf856d354810a51c

SHA512
f0784d33eba27db6e7470b31122338aea7727173a5e9891fce01d3a78380dffa506d775e55895f6c2d7aad076125f4e205a3099f04ad4d93388498f9ef093bf1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2e4ea77fb79313729962372251cc0448

SHA1
819aa2e681a69126bf27862a2c13160192f2caf3

SHA256
efef5f7d801d4b4aaccef334f07e078f9de022bb2d11ce2f3ecb93dc29383883

SHA512
6523fb0ef4d58b9d22b742a4be849045630b2de42460b2dd98a7ca478541f584c6d11a9e374b8aa8aa09c0e4b68e32a36e4f5445300c271ef44375f489c41d90

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
06e4e382676e937657fef3d59e3ae883

SHA1
34472a8604620b84fda592081c756745c9eec252

SHA256
13ebcee0c612ed6d64f359bd4c5d5b91a29d77378d1e5acbf3cb8509e90a63da

SHA512
0ba433b045a25ac7459af9a20375596a87a2dfdca8c048c2a869d889d93856f73eca21a53563ba57b1d95c187e9391b25c179857abf480b269f35818183358de

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
8c1aa8da669c2957e71f4c0f98914d74

SHA1
1b1ed187765c2579a95d7520f3372a6e1fb891ca

SHA256
c56314e1acfd8c5a335c8d53da0efb45c011af8c58c6e44d9d9c2fd854add914

SHA512
c1be219e0a8ff667a60f76e1205d15f8aedc2cfde2d1272bc28809d0c6e4121db2fb7f1d67fc23460e8a31f69b47cfc125916a457935ae3f303001a03fea40bc

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
d9cf9773e5c36e3aa9a12e615aafe2c3

SHA1
8a14c543ff3cce5da81560ee914bab75c1b42a89

SHA256
67d6179a309927e926baffac5c6091e8da49be77dfc74a453e4eeb39a26a1271

SHA512
4f7dd171aee0b4bb80cc6eae20c5d5470279f7d19f009913ce525f9c90eb16c9e705862a9c2f7442cf7a023072e9c647168b804f11ca05dd61759c10e6e0eba7

Download Submit
memory/632-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/632-317-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/984-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/984-329-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1016-305-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1016-193-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1204-267-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1204-731-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1244-726-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1244-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1428-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1428-291-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2340-739-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2340-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2516-2-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/2516-8-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/2516-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2516-143-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2516-573-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2612-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2612-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2612-159-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2612-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2652-124-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2652-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2652-118-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2652-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2728-107-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2728-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-115-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2728-128-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2728-130-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3012-733-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3012-306-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3304-738-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3304-330-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3328-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3328-732-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-723-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-737-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4060-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4400-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4400-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4400-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4512-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4512-293-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4828-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4828-186-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4828-61-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4828-92-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4840-729-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4840-256-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4876-151-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4876-145-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4876-144-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4876-155-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4876-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4888-685-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4888-231-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5088-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5088-161-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5088-278-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download