7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
Size

1.8MB
MD5

11be7beb7b5fcc11c8ffaf350a972921
SHA1

1de6d04de5f3e92bc02d71d97eab87a86577d80c
SHA256

7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902
SHA512

2141bfd6d63fc8a06cd702d153746c40e3c5d4f331cb4c3deaf76691a30ef9dbece1732efcd9032429fbbf814394eb42e5384c2f02a89065e607465557626eea
SSDEEP

49152:NKJ0WR7AFPyyiSruXKpk3WFDL9zxnSvpAHrVQ1/fSNvi:NKlBAFPydSS6W6X9ln8pAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
840	alg.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4108	fxssvc.exe
3484	elevation_service.exe
636	elevation_service.exe
2820	maintenanceservice.exe
2756	msdtc.exe
4840	OSE.EXE
3192	PerceptionSimulationService.exe
4568	perfhost.exe
3404	locator.exe
3252	SensorDataService.exe
2956	snmptrap.exe
4480	spectrum.exe
3752	ssh-agent.exe
2132	TieringEngineService.exe
3232	AgentService.exe
3960	vds.exe
1580	vssvc.exe
2596	wbengine.exe
1976	WmiApSrv.exe
4708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\14006a6b85ca13a2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\System32\vds.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\goopdateres_te.dll	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\goopdateres_ko.dll	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\goopdateres_fr.dll	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\GoogleUpdateOnDemand.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\goopdateres_es.dll	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4A86.tmp\goopdate.dll	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

Processes:

elevation_service.exe7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005730597c7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f324ab7b7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023612d7d7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005536837d7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a917a7c7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000616d357c7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000116b737c7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
3484	elevation_service.exe
3484	elevation_service.exe
3484	elevation_service.exe
3484	elevation_service.exe
3484	elevation_service.exe
3484	elevation_service.exe
3484	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4248	7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
Token: SeAuditPrivilege	4108	fxssvc.exe
Token: SeRestorePrivilege	2132	TieringEngineService.exe
Token: SeManageVolumePrivilege	2132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3232	AgentService.exe
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeBackupPrivilege	2596	wbengine.exe
Token: SeRestorePrivilege	2596	wbengine.exe
Token: SeSecurityPrivilege	2596	wbengine.exe
Token: 33	4708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4708	SearchIndexer.exe
Token: SeDebugPrivilege	4680	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3484	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4708 wrote to memory of 2172	4708	SearchIndexer.exe	SearchProtocolHost.exe
PID 4708 wrote to memory of 2172	4708	SearchIndexer.exe	SearchProtocolHost.exe
PID 4708 wrote to memory of 3124	4708	SearchIndexer.exe	SearchFilterHost.exe
PID 4708 wrote to memory of 3124	4708	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe
"C:\Users\Admin\AppData\Local\Temp\7699b290b13f69d61f8a8271e386f864193ea0d2c6f02a3d4855cfa30b1d7902.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2172

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
2⤵
- Modifies data under HKEY_USERS
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ea3fdcbd50650ef5a5775cd43367e01a

SHA1
d06d78aa903c7efdbc518f65f5412427c1cc96ab

SHA256
b1af3d2c59e811a808fa889a501271113e68c136a50613d3ff092231c38ca317

SHA512
ee70746338750b15375ae54758dc0049fed4650d6694883f2ce9ede740a04bdf3035cb0f3f2ae73505ab09cd42285e06d7d8d02514a1235d46753afa07b0feae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
a661492a00b3b06352da69525e21ecef

SHA1
5c16fd6d3a27ef1ca370c7bd4da50975a005ea72

SHA256
2888795df8ee5e66a1ee68972a86047e37fb89df4a4419dd13aafa953fc8dc40

SHA512
aafa80118feae7701f640ae848a9037f35aafcc72fedf041a708a0b2ac0a474e8df577d3fa53ab91568c1235fa78268839ea2f1cad84e905d76c6bc394fa874e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
a62c6be5efe50867c13fced4b271baff

SHA1
45d97de6f709401eb0c9d117e0e72869f5e997ce

SHA256
a007ecb01a7d8f5073f560390195dac1bdc96b232ae318155d7a7a28bd5cb8d7

SHA512
a9c534b81793a603a9b7800a45f474b7649386a01bc1fe451c0e8d977b18a0d998b455e13e4aa29c634f744b6532c8857f1c037379d0460bf6e81846b3d64528

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
fd0fbd70e9671a7526fb1fad12995b53

SHA1
88a7902d4223f034e32ad26a4c85ff3e859e627b

SHA256
b74971e8d0c6093e6f7421eeadf9f136d59c4609aa36cf3e27e8d2213fb3e775

SHA512
1cda3716be067dec01eaf94a83eacf1781263beafa7e2810b8975036b10ec5d172751a08aa2279419564de0d53d100a4d74b9d2c5f30e1dfdf82b0a036faee0b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2b6164106d529c9561f247d89d9e9405

SHA1
990ca5dec8893621e4cb935f0fd33b802f30625c

SHA256
20c3f2ae45bd7306db79a5cb3eb67b0859ae699c2ae60be3e1c7aed616f4a357

SHA512
2b64c93a1df4fa6eef1c119915a6f1ac329abb10dca659d68b02dfb7b0528c22b50523ff76d029e129284e6938da44dfecf0c14d6bd81d9046886ead573d7e64

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
374294c81b7e409517d5cdaedb053623

SHA1
35ce0f6a98b15d25ad33711bba70764ccc87cd0c

SHA256
14232266ca8b6fe55b79d361af3ce4edeaea79fb0f394b8c9fb311c5287102a3

SHA512
0384d8c775d88eddb2b53721b0d38306296bd5ee1aeda08fab2f6a2decabac7c276976fa3a994043ab56f68f8a089c7ca4228e581719526b1c33139fd1ae5fa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
ddc85820a993e5943166725d927383ff

SHA1
fe23d516d1898d511e07dc3a4acfc512b0263787

SHA256
9b8e774c3d8124296c70cb2e1532c43e7947203d4a888200024c0e3e4853865f

SHA512
404e073fce07661ec8be48e108bdd6e52c92d777fe398b74996229b94e7db17a15a10dc8452d1ae8f2859472008161f0c321b013689a2caa448a05795ea680c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2d135b5f70b076658746fdcf6b22bb6d

SHA1
304500e8abf0dd85a8405540002a242b9f2a086e

SHA256
ba8d97d5f4780831ff1072e2d68659b806b8e75243abe78e3b30034e2d8ceeba

SHA512
10aa0683b060f0249fe97ad62532711c9ebd64e1a5de43c68db7f3be668e5471f6365acada86e16580a487f880271c3b142867a644174b50492c2a0ceede002b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
58b50739368ac951641fdce1f0092750

SHA1
27a22c11c94d4d8c034f11e4b8bf18285da79b8c

SHA256
4d3a4bebe9ad191fc6207010e5953cf19d14e4aa06d1b5a540f774951df4f0df

SHA512
f88f1d0feac1d4ad352c99ce34e2dcda87c999feabfd741aa8cdf0b6b900ff235722616bd495f2a3025c02e6cbc0e38d8385cf7a840adac19844026b4889edf1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
bed1e523da28289dd5816290acbcb957

SHA1
4f4cc1f0c4a57322c2d25ff79f43edd778351916

SHA256
6182f3e68dfa894e8ea22ea44472bf2f460926cb4ba635e1cdb6dca8936baebd

SHA512
befedafb55705d457f1ab3805e04cb9588dd682864bf3d1802c086396ce855d44fca6d99c456a37e9055dbd2dcfe245eba5171114e84e9be91a92080df85e0ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
24288ee2c69aaffa90fc841f20d05dc6

SHA1
6f615ce9ed15a11ddd299995db7074d3ec49cc95

SHA256
c387abf32f55e61d0da8686d572322e1493f2c529067cb0ba95c0060cbb3cd4c

SHA512
0afbafbe058969c2084e2eedfd07dbc76147551f1091d8aeaa1c178a8167ca893a27fe6f76a4f1d995c85fd071b34beb884377d517a17cb1f2b76dbea200a54b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
86bad5b8f566fae1a76af7683ca70f0b

SHA1
a07af32400a003b79d9fed6f06a16308285f9e09

SHA256
622047827b72af4d8ccdcbb7dc7494e891b59183f042e94ea32676a77cac99cd

SHA512
508f0f28269b8d0c47ba88c7ec8115242d6c3221461eabd81f3790b00183dc7256a9c5b7187a681083b64ea6f46d518a0ead81ad9ec0db5e81a87e838daeec00

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
5b4650c89d81e90e1b9d46d4a3409881

SHA1
a94bbb327ae622a2ed55937607de10846979bf8f

SHA256
e11bdb07a5b3d5f52d1aa60efbd1c6008024723483c5713e418e9051078102fc

SHA512
e0582c5b7d6f67a143c7316d1eb5119d6f5d7a61d7a3fc6d88c5cfb2541a6c9865c62f2b6025867e7759f870cd50d04872f599711c7b622d9e1b28f3c4a93236

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
ee6e73c8dfd437b8b9044451696c2e7a

SHA1
bf3dce001e64eb2c3c112e52f99a622a06af272f

SHA256
9800124926fb8661dd0442367a73596efc170e038270a1c694d1222ede66d6db

SHA512
92ebd686bef9c50b62b11c5af17d20a8c3bc70121952a2e02a18a4f73b7ce432b52a00355f5c420dd6b08b820e02d34a227b6974da5342205285e61e8da61335

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
d932f61d484c793f519b1ec6023e147c

SHA1
44aa45eb836b9ef33684302401459c0665e7da20

SHA256
2a1372fedfcf746aa50ac0e6f72e86ddef06cf64f9546eab33cc88efb8b27d66

SHA512
ef1b4e5fb80e720e8bd46a810b76dafc64205a80dc6843a4bca8cea54ded7d4b9de5e3be7d4abb2c703369fea07c4f1004785d7b143b9e658e0e1ce6dec7e095

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
abf4a323f7ad035440bf8561d3598bbd

SHA1
9f677c7160b1a461c4e78f9042543fa4dc2f4d68

SHA256
e144d1331cdb7bd545d43f67f2a47e7c05eb25d16fb825e2ea8482e6cf10a8cc

SHA512
91e8bf502f81ba5b885fcd3d922c74e7ceadb346ae0b9ba86a8b732c62c0a17b89bc0def41384db0b53907f9b80ed5cc9f572cf3feb923f9c6395366446b4ea8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
f89825ea0c8276eb13790910fcff461e

SHA1
2a696aa68773084df2ab08ef54a2925c74e86e16

SHA256
08e71fc800fdf460ec8237540610bfb18dc54bf87921b2f06dc4826e18930f6b

SHA512
fd198e9ea909371617dfc95bc5822fa32ae7bd8d92e50a4b6cbf478ac778a548add2bd982f1f54f3105a16ae8a4c3ac814f045a9ee75d0917c0edf102c94a3f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
e6cd6f57a5109c36c93086e1bf52842e

SHA1
43448d9c821b1159957fcf5f0421c06b03c2b8e6

SHA256
cd2f09db6e9748e16c496f91cb171a5103d5da00c6563b5a7463e895ca53f570

SHA512
b41a88d0a7d1392ab29b414108bd9929c6880bedf6f86ac67db702a3884f6681c93ba4e030efea9fe95cc8ddd464d0b654dcfb1734361c248c7b3172de58deaf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
5db9280ec0960ef86f137bb263bf441e

SHA1
5c9aac0333b29d74abf653bd317c5df944d4db31

SHA256
f0babc3ed1931729465d12d36e394d9cf6912bb3be307a2d8fb94cc6b406ed5c

SHA512
f4d450d6601616f6fcf3eca6e3837797bd24480133b02cd9f28ee10d22ef095d1737bc45ea55b7ce77d688c2caa38a86d5f1ad5bf2bfdb5c3d7e3608fe8961a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
2385a533142f7c71a8dd77958d46ff96

SHA1
07dec28cb918016a7dcb04a5c2c2246cd3db2ec1

SHA256
9925a326a6f5f3ab0a1291410f4d3fcbcdaa49a92cf103d12f43d8fa027a1f62

SHA512
c959df877b38db99d5d305772ccb0ad5453fe54093a6373d2f6a01eadc9b5a6953b0a19500d50bd22b527e3741208fc1bbf9d8ff0b1d7c37b08e8a1dfd9b2519

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
38931f17ee693dc2abebffba768c2811

SHA1
250b7953e94ed18334a384a7aaa9f64f13248845

SHA256
a349dc43899ffc7a4f65993b8c119c9a7463d4d72bd216ccaa14f0f822a2114d

SHA512
3691f0185d6c13049ddad609abd54615bb6a594d8b761a629d8eda492167002f317db2debdaafb2e1362fa572ffbba383f941262161fbb120a14f9e3076b4a7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
becb412afb4879aa754345e20334eb4e

SHA1
cfc364357f47048635926fa2c6c890a795909c88

SHA256
cd7b278e99307afba35d90ea8ce0d1d6d60ae406deac40486297d1284ac162e3

SHA512
2cedf28edcdc4dec6105ed580a1715357dd921b16b9966e46e7dde4116e787c1539ce29164046fe9fd1794130de6a97dfe101b590006f5a75b126c2a2ea3d09f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
6a9bd0168ad2e0776d6c47726c4b8c90

SHA1
f21ab34598dbcb66a55bf393723c5eda11b8d8f6

SHA256
275cd4e40beaed03061dd288a888db5a7c0b55d56fb92c7b809cc7b40951ca7d

SHA512
bc88640c8d9c3d4648a72fa466c7539584b323317e012ac1a7749bdda21cb99905547a281d4ed231ee7f9d259a7387948229a8905c8d73791ffb5ca8668893c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
7281d87855c8f24e9e0164942920e5c0

SHA1
b84eaf7693a0804bac469dd49f8c6661fdf3a46a

SHA256
da25b6a33f4217591861760de2b976c9c0f50e04e1c441dee31ec6832827bc72

SHA512
d7ba7097b3a1a848cf388301b8d27276be81d9d1be0a713038076c58f705be72b39844fa9f3697ebbd94a538e5ec6ef34bfe6103eab5beb60503827cd8aeddb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
3db71826c85c2eaba96b17bc9bf7c66b

SHA1
8145bb67b37abcf3f99b296342c42b3cada58d35

SHA256
db2084372dd2f52b99b793d405b2c1a2a8e6ce08c57458edc24457fd51f10b04

SHA512
8ec44f5b351a8855b846e18835ad9a2cf515281cb93a16b7b48d28772f8ee9e842fdf4a75b409fa7ffc0744368c00cedc822531e83d972cb1ee6138dd8c58f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
905d6609e0e7a633f9f5b51db667f02d

SHA1
163de820f251f311ffef877dc2d859a22f714b70

SHA256
11b6cc401d902d5bc6c864807bc3eb52e0e017762af4b07ccc4853a1406094ea

SHA512
8bafbd03d609fc0a50ba432d812e52bcae90caf2c0e5783d94bdd6a4945f3626b2e2105e82fb83ba8691617fd51363308837caac6ba02217f6d59eb7d73683ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
75773f282eafd4daa538e904a43e29bc

SHA1
6be214ab0fc18b0fc61aa0f770209c1e35394977

SHA256
559e6c83802c000bae741e176487e9706fee58e22dbb398a784388e5aebf395d

SHA512
363f6073c0b8f9c2eff663fcba42ff65ba9a2ba04d369994699ba6a04f93de1bc6843e6fcd34d7cc468c4085450dbe64db56792161333650119fc4c6e3cc0718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
c5f2a06d582cfc4c13c2476d668f305e

SHA1
9dc8198d7ad43d9e44ed5818006ce947d36483ff

SHA256
2d1856d4b729eae7b7ec323eaa4551d1f46c3eed98ce909c480319da20f51e49

SHA512
cc072daf7abd2a3e2c1715eddf25062c3cac32f9fcbdb1c9c2c6a1233188a701e1603eb79345ccc4839876ccdfce0a7dc049982f146d984fd57ff19c00ca1407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
3e8769def9636684f8df4537d24723b4

SHA1
ed443d5ecf073c75f19b68d6124f43a36858357f

SHA256
3a0e2bc9b3beddbfa7dfd50263cf4dc530cdaf5756adcfc5040c4c7db2a2058f

SHA512
517d8177c441e2b8e681378f938779bb931b114ca879b55814ef05409b96138edb6ad666b2e8f97eb5650ca42ee63921c72a0ead3c9ddb1170e6cdd43ac75bc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
327c5bf5ef1ca7d9cbad442f8f222454

SHA1
5e23f31589204a014fbc1eba603caf6269ab12a8

SHA256
3d3569872ee81e877a51f3cad855e3a3c97f6317a7d1902ddc7db543e39d5cf0

SHA512
dcc18d03f08dc2e11f17ee51e6533adc6ba65f0c500cb93773999075f65915c010766f047e8a506667660d5ef34715f63b0b0353b27babc3c81082d827c7d7a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
6ddce945d90edceec8a9871a89c88c8b

SHA1
eb086205185510da1b145a27bf5e628d6d8498e4

SHA256
21ca4ae5f07b072ed6ebf0ae5fac84e8162dff62128257d0a8356bb6d2308cd1

SHA512
2e1759a7be26d648862142d09caba736ae36df197692c60a54fe27a25b1c5df939b27ffc3db07f261fd81c7953d4b16b23ce601ec689e0f4349c79004bfa90d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
694de022fa36fd679c3212e294b1588e

SHA1
53a1104694a85c86e2d358c0a4729019c78be68c

SHA256
9ccc2c868ba7a92bdf9920f752eff8143128092d234c8aece8326cd67cf441a3

SHA512
f026e81b4a8b6e95017c843ac05dc5db1eec16332e08d0a4b4c1d88e83d9413ad4c1362f48db2a67f94bfb54575526b8764af91ce94888880b0cc7bbf9484b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
333c918dd676b4572ed959cee1db9291

SHA1
cca1726cb3e84848ac8d89bf36ca08ee0decf402

SHA256
b1af0821976175a073619010a0e919d7586f8cbfa930e836fa5b31f8219dbdbd

SHA512
05c605b77485bfb909e36996b960eabfc14037918c592e5416c30947a7223af57603a3f1521ce8363a8bdde160e14db76ace193a933f677b38817d1834fb4fbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
b1d3d20da01e285ffd754b69eadf36fc

SHA1
ec5d0a7b9736dcee1ce60366d0c31f62b41b41f3

SHA256
d8e213d14f1a2b2f5d41224628c1fe02ae4921a62c8601ab29d3f98e90b18e05

SHA512
cc68e0f4b6936cb00cc9cc0e4f59d5898853258bfa3a366ec38243d360aa0c9e86c5824a339a65351dfe612173545db447caebb28159ccbbc12c46f5f4c6eec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
4e0d732ff1af954473f3caa4e32d4c03

SHA1
144e6db91629a946af413d2a399bd375a6b00646

SHA256
01b079e6ef47a0d94f964d16fabd9d1b670e56ec393d6db004ae47fb45da5c91

SHA512
2399711f0ff9a33c198da66274fab2a6c68bd784556d4b31da760bb825569595398e0018e7f7ea365bc2d4c2cb6fce1f5a96caeda6181ab1b8f817154a604567

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
e39323ac9700002a217ea18ca038f01a

SHA1
d833c20c436bec9bf89de000a6dd59353f55bcee

SHA256
cf336d51ca3bca07da782c247f61048e044317c50a6e67b3c699cce68f88eeb1

SHA512
48930937c65808573b9973d5b361da99fd6c5644aaed4ac6ab9f08a7c76badaae5b584cf6afd55fedd37ab7ae275b76354a521e55b1f64bfb195b04407cb5c8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
8f70cb609e7138848075c95dff6c310c

SHA1
c7c3b2f248fba524e78188be73cef0c6618568ae

SHA256
a1f1775746e39048a7985149ba6af3d350c82988f1c9e9dff6a8bd6926f80b1e

SHA512
b3716a10c5493e374e9e871b9122c14ffc79fa57a431d5209d8fab1b3a3ccb5d8892eea2640a4b1b5e511a3d32538abf448cdbae097d43c9ddf955389f7ff637

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e42a34931f2a9137b01ca4817c355085

SHA1
b425f4f9158a80da5ad8ac3715392405de87851e

SHA256
b312c77cdd713d780b13f48e392a79267f6f82f88dcf3292ad0ceb2a2abb040b

SHA512
dda50bc10383025890357aa624466cca9081929a501df022b1b817d13176f6be37c64574c96ef9c6347ed1fe38051c35889ad6fa324350c4277e436f95fd2fc1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
bf6c303cbec62565b5a9bace70a781e4

SHA1
45b1257576cdb21791fb08d6cf51f8c160affc0b

SHA256
2ea382df5931fc18b0dc4bc3f08d0192fbb56591b77bb55ed8ab896ab28c2d30

SHA512
641623e7db7eab9a7761d8c64525f6669c09f36b6541014f16c91a7f86d69a3077d809d7cde6d97bb0ffaba6d948f80d99159d03d25949dea55ddc6d78f3c41b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
8ea90be444ec5a40cc969ae16e7661c9

SHA1
a283b5a799a9d57e89ffb2f5eb650effc989ac5f

SHA256
7dd0d8c6e13813b3cb2dcef30f3147aaedf469cd94ac57c4d6ca6e3e895671bd

SHA512
04a218eeb05705474d0a312279df0d2fbb03f59fb4f07aba4aee41d89a40fe30b55d1aa8e5388aae0a64ca68647bced121583cd5e769a6eda01e2f426e19e4f8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7be5279a25b35c5ed5bc80fd7cff797b

SHA1
37d2d4b8766ea4586d2f79aa3825b68c257fd2a2

SHA256
be3d1c4f64ae061ce8f4707dc5e34f9a0123c72679a464d97a99aed55141e31e

SHA512
d306f293fe349fda964110a154f489d22cf99235ab7b60f681d2db74a93cc6fdcae0f437a1daf6457a2baa850792d213ec8fbbb795047d71a335c71335cf9f35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
45b09baa3ba24b81e509e8eed9cb3736

SHA1
6c753eb4ef2a7762d74f8ebfbfedd48fbd1c3664

SHA256
800f83fa627f0c6b13c4cdb428f67da4a8971070de7ddb0dc396285c7e232fb8

SHA512
6d7a9bd8adc48768559888935218e42f6e9e138b1aa2d3676772c4a6df83809ad46c690fec77593724e3b782fe8d533b2b9b699ea52024489689b734042b6d31

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
165659cbe5a088f46558625f3f86b8ca

SHA1
949e7e43fe95dac85880dc7fcfb2b53a40a68ecd

SHA256
fbf39d7d9fe02f19c8e623f1bbf061dc83a26dcb6e4456da7a6a7e3f08a1619f

SHA512
54a8c021ecd902f2bf1123b351ccb29aa2829bf87189354f89ef0e1165885544b7e037c582a4971eab09c37d9f3532404efe6e2e1dd4af84d9e1e2775896bcb1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
68fcad107a55b4fcd043fb12d7011912

SHA1
6b36d26587e4b82d0d3f0ec914e5cee3690e45c9

SHA256
ba943dabe0acec435aa72d4317ba36650c4600225979952427e044ea382556a5

SHA512
f26cbb6db9c8df182126170336c990bf7361e2264a140a7efa3b9b69725799938d855d0dca496e63bd9410c026f56d806e0854fa377e21979ac7880f2d92d9e2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
1bfdc246fcd248eae9869e89cfb0e96e

SHA1
b1221ba42c70b7d58af92b6f7836cf3ce386cacf

SHA256
9b3f12276d6fca9ad61593543fc62e01749493fa164570e7a78335db2a55a419

SHA512
78d91e79b1442185eb624921209b96dc1f05b277dc7ccb876e4cdf286e79f13869bbf6bb69533aefa133023992f737391a7109abb441806e113f2ebdd4c2ca77

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
01d32abb4719eb78551250ace7d660c3

SHA1
3546195ad28e412def36db9e0b82ae19149069e5

SHA256
adb8230ae871da0d161e045a63be6f1fe624326267780f7d0fcdb8e9cdabd846

SHA512
ca69f9359cba3b4a5b61f0f4efa9d69b8ce28e14fe6f4ba7b0b9a35f5c730c47a4657d9434289e6cdb5806f5f7c9ff407143226a7111a4537cf293a9fc61f32f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8c1cc2dcbed5847744762b85ba81563f

SHA1
28eb1c2214221c7e6b9125a0773077140ceca496

SHA256
0765e47ae6ea592af532f0b80996a79ec948c6099b674401a675f73ab3efc7b0

SHA512
052a28a78a2895e81f1efa112d3bb05cce5487985db7f06896bebc6ee2d04d9349161ba81be89a446336554b37661a58f98e2c785659385844b996ef8b578862

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8cca72c8c9d215fa4d40728f214f154e

SHA1
9b2376c81d47a5d37742b2e7cc35b27b0edbdab4

SHA256
759fc62cbcd6a64767d360ed7ddc49869f860d3f52c296243c0c0ad4971cc050

SHA512
89b47ae1ed21dfe9eb8bd309fa1e54e1808a15ee9efac090a9cf1d658861fa43c46d2c03cab651ec72d85098d1d3f93d4fdc8ae4d85ac2aa17708bbc24c2cd15

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2595c977253872410f098451cdbb2518

SHA1
da62200221424134af635c1011ec83c4b7583957

SHA256
0a1be195e96c325fab743dfd1bc3053672573c948f8cf1480ddb532e1be5689d

SHA512
81f2002439d323a660501d844773a8d2bb1c1996a23e2cee269a14baa72b652d4a3d3a68405d29477de540fb51c6675cfa5bc2cd93683ff287c819ce5aea04e2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
c3ba50020e0c15568f62d12fd8d2933d

SHA1
8c31036fa326bb19e410698f37a5a75aac7ecee8

SHA256
d459ccc5411795e7137cc16b511011228208e6bd1ce0a05d8b9894888e622cdd

SHA512
5188d2c80b9ff8f12ed3a1d3e974245df8ccbc29c3f61a1ea1a2dc5b4a6a85b9ce55e7d42454e458c905f06fb14b60d1ed29563e285e662b3eef633ddc7fc10e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f092f51a393055b9da9e66d7b095e0b6

SHA1
e857a1ef65b9ec6c01c55381cb937cb10ab8b658

SHA256
6cee0f34cfcdf6dc745eaf809fde08a4be256a7d351b1f834bcac68911df36e9

SHA512
81b5863703fda3a552f87e28315b6deabbb634166cc6cbe5dbb67661eb3c3ecc03e2d93d67f93f7efcc714a35e8ae0fd9409bc990482787ef433fe4da26b16b9

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
a30a5631c250035c9a2b14c01f5567c7

SHA1
f7b48ce4f6ae66545d4330c03e457dec9968abf7

SHA256
091e39179bfad92a22aa93357e4e4d933add4777d1bd4be5deac3ebfe0130e7c

SHA512
a2ce8929f9d7d30843f2011358bef741d7c55ca7dad645ac33b297c3b1704423442a85a262b69fe7c785ed1db6c1d033b2943453f270491faf7046e366f96114

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
c7ac6f3278beaae98323d0c9cfff0bb4

SHA1
004d5478e2811f45f6229434acd8619ec15a94e4

SHA256
ca0162d61fd55e7cf2eedaae6f87e66de0d29f0fefd051ecd9c7294ac833999c

SHA512
1218571a952908ea1eede3be9e7babe0034022a20c60eb2d76631a4d60914a9bdb08a260386015b9ebeacb5b3fd3e581331d8de79d1c9aefb297971c13dab2b7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
ec103b60b77c6110fff063070eb8cfdd

SHA1
1fe2984726e56c56c234b18661eec87ae83fad30

SHA256
c9de39885918b59d61b96e4e039deadbdba223ea607876e91f7e07c9f7c3eaf1

SHA512
f7134f826c04b35cd5dab58ad20d6e62a0325321fd7573a48bda57b48c6d1fd3ae2e3252c737d8d0bf54bfb6ec40cb8b57aa55735c7b26dd30709fa79ac8dbaf

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c1ada8c039d6262ac65e1528820645b6

SHA1
ed1d680f8a32dcc883615aa95cff5c5ab242f934

SHA256
82504e7f288b8f30bbdcaf872f9f0eb4ecea9f06e41ae96a62cbea4227253a6f

SHA512
b232eb7ec22fff5d33116469300b67109296ee6fb01d5516fa2e1db03be17d00f20c5825bf10c98a69d75bca8d8dd5aea58785b5db9aaee557f1a01be1995e4f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
b0ba97ce9d7283ed96a8d8dc481a9231

SHA1
b62a3e135dbf0b57f3a7cff85e182e99934d75e5

SHA256
73d97436e421225dadf6b36f6d6226e26946097f2d0c5bd24de8277e2018a7d6

SHA512
f13d3f721fac739ad1b1920e3be6cacf6556dfb75df3de83b0c6d5e457710d55ae44ffd1cc33cce146028c3cfb7a49ef7e4bea9b3d60b37fb4fe4000957fcd6a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
982118835a3dad3d609a4ccd66774682

SHA1
9d53f10be29214847db57e2f07af4f72e670f9c5

SHA256
5c5dfdcbb8b887c18043f75694f1b5e22a07beb3b0d5c215b8c42f051152ff6e

SHA512
a411c606466ff560f20b88d65f6f94ab0e94e2e54045e7597913c750a6c92905380e37195c9a8f70d860618094f7da1cf6e9a58a45eabe18eea306ed0c08d098

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
024339c0a0a72ba869915b865f47acd4

SHA1
2e5c72621832f2f6e4fec77aa2a86123e14e8324

SHA256
da24a3d7384b91bbce8494ff019db34bddbd7cbc640850449d10612324bf8357

SHA512
ad1b919002f3f718d30eacd18303c2789f3f255d447a1b3464d18baac948a6d46f1de123031ce5d1fbea7cae3057c4fbda98e33dbe2b0cab66325b05a0d2a069

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
2cb3caf48cff7f5c543ee3daf59d6628

SHA1
1c31585fd60893b6d5476d20ccff5ad012b23eca

SHA256
513e2eaa2261b873774cf1fd48b2c207b081a15764fd002f077704c968e012d6

SHA512
fa129e5511bbca2fe1a42b6fa1ef66e4395905844b98d43a597e4cfc56407742784826bfb7256c0e6c83822dfd469d8e3001e7b40fe4a37d708b1ad561455d90

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
2e76ebac82104581105e95ab614ebb6e

SHA1
67e9bfe9b95656c916aecd76738515824f34a58c

SHA256
5f5b04cec625e4f25bc78394bba68b2dcaabc0eb8ef50f2a11e469c1f4daa157

SHA512
0c57ccc51d26834e89f9ab72fd35c5163fa29e6339ca93ea6d825241f46907dcbf650ba769823fa73f6c644d5c696a7c2d2e9db5e18ed2f324167fdf8089e160

Download Submit
memory/636-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-118-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-116-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-176-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/840-72-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1580-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1580-617-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1976-236-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2132-212-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2132-613-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2596-229-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2596-618-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2756-215-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2756-136-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2820-121-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2820-122-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2820-128-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2820-131-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2820-133-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2956-184-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/2956-572-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3192-162-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3192-155-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3192-156-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3192-224-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3232-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3232-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-559-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-180-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3404-177-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/3484-104-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3484-99-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3484-106-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3484-187-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3752-612-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3752-201-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3960-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3960-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4108-107-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4108-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4248-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4248-154-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4248-1-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4248-6-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4248-403-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4480-611-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4480-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4568-166-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4568-167-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/4568-172-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/4568-228-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4680-91-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4680-89-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4680-83-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4708-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4708-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4840-149-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4840-151-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4840-143-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4840-221-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download