0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
Size

625KB
MD5

3ac6130f20a232f2897b58cae7f66fdd
SHA1

02cc3f3ec4f7810238c6728431cb28fdd673ca8b
SHA256

0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd
SHA512

bca745cb4ad9e3796383801b7f440fc036f4515ff2ee36db309c9064f072aa5259f6e4201fc27f39b3b4d488f43bf2aba2a9a5679b534c5ed17ab10f47ba30f4
SSDEEP

12288:U2R3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:hR1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5036	alg.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1824	fxssvc.exe
872	elevation_service.exe
3412	elevation_service.exe
960	maintenanceservice.exe
556	msdtc.exe
3068	OSE.EXE
1748	PerceptionSimulationService.exe
1436	perfhost.exe
1524	locator.exe
3348	SensorDataService.exe
1532	snmptrap.exe
4340	spectrum.exe
4704	ssh-agent.exe
700	TieringEngineService.exe
748	AgentService.exe
5028	vds.exe
4524	vssvc.exe
2532	wbengine.exe
5032	WmiApSrv.exe
4436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\locator.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\System32\vds.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d374d8d98beeeac9.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11afd9d9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076a94f9f9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003356f89d9899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cee7669d9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000491fa09d9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000489adf9e9899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c37379d9899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a75e3e9d9899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1544	0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
Token: SeAuditPrivilege	1824	fxssvc.exe
Token: SeRestorePrivilege	700	TieringEngineService.exe
Token: SeManageVolumePrivilege	700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	748	AgentService.exe
Token: SeBackupPrivilege	4524	vssvc.exe
Token: SeRestorePrivilege	4524	vssvc.exe
Token: SeAuditPrivilege	4524	vssvc.exe
Token: SeBackupPrivilege	2532	wbengine.exe
Token: SeRestorePrivilege	2532	wbengine.exe
Token: SeSecurityPrivilege	2532	wbengine.exe
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeDebugPrivilege	1568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4436 wrote to memory of 1228	4436	SearchIndexer.exe	SearchProtocolHost.exe
PID 4436 wrote to memory of 1228	4436	SearchIndexer.exe	SearchProtocolHost.exe
PID 4436 wrote to memory of 1156	4436	SearchIndexer.exe	SearchFilterHost.exe
PID 4436 wrote to memory of 1156	4436	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe
"C:\Users\Admin\AppData\Local\Temp\0575598388f7a7a0cb8613feeb78ba9e1f30185f5e6cf3519516bfc294e76dcd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:796

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3348

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4200

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
603f22ff21b950f269d7b8482991d56e

SHA1
ec4b4dc200767c382bd69a15eeb2b1d1ec6d7cff

SHA256
669ff80efd5fc773d056e51dbca02794b55bf33f4acfb0449ff7423a1cb293a8

SHA512
8675d80e5bf4b62f113a33966c36cbabd25f48f51e73a6984c725118f6443a8e2dba206982505e463a338ed0729391ba9c3c4a032f8c2db15bb7cd78d66b7b01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fb7d7b890d3596f176281d46860cc395

SHA1
8e6493005c11edf271e8e511811de6822dd7d292

SHA256
694a8bade272f9e91ac937157ada43cfbb936a21bfdcd929ffec9e0d0408df11

SHA512
a8375510edd1c15764c7ca49bac291666f980eadb3193f995bca2dda7a5455bb40ed721766993d5bbec4c475f852d658ae20fef292c515b9df36b0c7c4042722

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0d66c3416bd4e07b73376ff9122a7d03

SHA1
7f93053b87d5efe745b44cb43e4574314caeac46

SHA256
16f564e1f4576c64663db58c31288057672476d15f2275af66ebeeaf262dea76

SHA512
db18a6dedcf0866e653bf6ddf649b4f932b59cb23cabf3e2ca5909f18c147236830bda1d3644c6faeee6c87fe8e95a21e35a51ed7878212a3df325e684be36e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a8840886985d75faa08b24c583fb6d97

SHA1
6026e4c31f3561994aeea6a56054a8f33638b504

SHA256
8741105c44432f9369946a85b23b83b10b388f2ce5f79e93ab38ac25285cb4ea

SHA512
5021342fe4f6380cef6510f78b87fccf4473736ba002fcaac7243d1dde04e0aa17349f9fe5ab956216146d2a9011908494c5bac9bc594dc8a8f2f4d627ccee10

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
170dacfb54543386e79253e5b058bee8

SHA1
884f516ea78052292b288301f6831e66fb9f463d

SHA256
49d20849a728c6f11d447bdedf59d4de4fad9424a6482e7fc4244a43bd1905bb

SHA512
ba3ccb36734815318f711a509cb0c9435381b42f6ef84f507c95f608a23e089480023df8bc694675e05c1d9c0b5966db3ed0ec35097a2289ebcef84715d02ce0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
be4b4a362a38eda9f72525f20760b382

SHA1
4453757fe5fbdedc6c30230cb87a204c511bac1a

SHA256
d98a90a4f21da513c606a8264285ed11860a72ef1c3858a155923786d53d42ac

SHA512
a1ad3806ee4fe7316e8be38ef2b325e63b13530b0f5d0122323d93a177126f31335cbd9f792fa50523c3fdedd03e49363bf24111a6ceb36cfae5c5a30e66824c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ea46939796fdba85da54b928cf0d6935

SHA1
6c5ac11653db167a8227e0cbdce4146f5fdf5695

SHA256
7757f43f90cf0abb47530de10db31cb57fd5f5e32ad0ce4a6d9e2f03c8533948

SHA512
a1d8dfb7985961b3a2e99c2509e65d39960f080a00c503c4d956eb6369369e3832b31d958d201c8e2e1398c04c43d854f7f6728202f6385021339c7ab2ab8781

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7b850415a2b78cf321321cc8c1442f9

SHA1
89513709b4943b634ff7e3c597e8ad11ba4462c0

SHA256
25a10a201e11752e2aa37a801e3f14f2a4b6dadb721f530a8216bece932adc8c

SHA512
2f50bf613dde603c0455c2c6ccab09408a9680999342cdf079b111d5f4444e656c1ad210dfc488554088e0d9a11671432c6e69a42d1895d1ee3af2ab1ad0c070

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b779461b6b8bf8acaaf53b4b7d3f6b37

SHA1
2c1a4bac78a324c236fa46812cf8442c5d491b5e

SHA256
3d2601cf053ed9ef774eb74af3abee8fb6cff6af5e077ce27e63c12f5b9e0fad

SHA512
5f2ca6921ab86416b56f513ce899ddc375809f55e0182afa26778e7d6753e4bb7654b81e605a221892d07883ab1fdb37438baf092a560acc1128c2157c383a76

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
39d09892dc0572c057e2e229f847d11c

SHA1
0a50b02667ed5de61ae3f3f9543b7c490ae41781

SHA256
7f04dacbe4b58238db7da6606b7234ffc9a7718a6e349fb2c0c1043d8b66dffe

SHA512
b6b97b46e78b04a024e81a62a2af8fa1873751560b367b2162e23a0781c847897ce23753c67da5c67224e80f9f94cefa19017ce7a296a1c3d702cadfb44c47a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
65c44ce12c333947293ed18bed04dd6d

SHA1
2d12c0c95204f5e9b603df3a9072278782174a06

SHA256
2b19df3548862ffd5eda36bef12f7cca2775685655674212227b4bd4c0310b57

SHA512
7c7e2085dcc094d646e89603a71288f6e88295dce5c5e2d49890979faac27291bb9c158365b32218934ab4b09c8dc1183b3afa8a44f6e4401b7d975a2f8657de

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
695a8935ac847d5f04606205cee84148

SHA1
8fa1d1c5af5bd1ace8edb4b2ef371afe6d89324b

SHA256
5457842387480ecd9fc5fe4bfdd309500d32d886a7aa14899da4c92684066180

SHA512
f55353c629dcd6a2db7325bb537eaa93025005a731bd16f6a2af864f00708e1c24c55e8bdfb82e999c4204029dad34bd038079e8f024634849ddad3077cc5bb8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d6d5bc74a57f816285f153bd18001853

SHA1
0954d3100919dbaceefc058f6eea09b2043f455f

SHA256
c864b898a7af800248616289ac3cdb41b6f7191713579b4dbfc5090b540af4a2

SHA512
b8be4e8f7d8ec319f4e19075db487834252a6cd3955d2cd012b30c6925a3c8c8b587fe13af0cb6792a4780609a7a85d912787b966b549354be2c710dba8a1fca

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bd46e825ba1bbf0f6ef9b35ad7e2de54

SHA1
d604c35509d8e80c379a7f119c7b5e8cae2248a7

SHA256
14738c9364066e9733799f942e42fbb4b323fd044e32434d4c0be964c722a806

SHA512
4385d021df1c6c545e2c3b53f9ab109e02891fd0f9a1c5c2005bd3a01322b52451c2c062340d7734823ab9d8fe555846f5aa451b530abb958b7ceaadcc3661b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0a1851a56baf9516de92c17bb188cb80

SHA1
f9dcc153d127e60224144e55a806e3e7c36ce55f

SHA256
53b8bd793fd4b1e37ed8f72cea050e0d8df162c635b179775d8bd0bebb4404e3

SHA512
d53ee1e5592b6b0f3f0aad58b73ea13428f7e61bac1e2c424bfe0ccd4316235affc65ea6248c6e270392f56120df4150f0a0f7046873f8acad1316ae94eec3a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
64462bcd191d6c5573e2451c1ac2e357

SHA1
eaa3f4c103e9d536033dd45d5b7f26ac9c2855ba

SHA256
caebac184e84613b00c07ea73bb0e7519f8ceb5c76ebc5a0c18a484062fef6c9

SHA512
8a850a6938e893e86f06ada8d9c17024b4509f38b57c7814c366d5ce4a748fea7f438897d71b878c44ddf4afeb3b2c5597869d471a6fd44f4d5f3b0ec57bebc1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e7ed077064b7d5f60e52fc4bc445767a

SHA1
7fa7b1c9354e5008720a7616b262835b4032f3f5

SHA256
3e4baf94f7214de50ea6aee94ef79f4b6f6f0f1b75767fe27db1b720003c3238

SHA512
001384b2f51ab477d4cc843242000a880e0749dcdddab6de558280e6e2b948b0b6d72023a0e76555115492dad8c9852e0fb24ff8e219a1f5b92e116e8ba25551

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
02688617dba41a0a503e1b681762f3fe

SHA1
61b8079edf7f511e097c4fc736c35c8088b5290b

SHA256
8c15d544ffb897cad89361c87d6d2b7eb2f9b31337b0055c8a1d77e919ef12bd

SHA512
0b74db31418c60bdf7e78db02d131d1a9987e006198f6c41bd959f9bc4ec4cc3e01cf4e8f6e2e0f88020faf28a0302de6857a7c4da73b9faed9fb0765cfbaf1c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
194f52f4301875a3a178c3f954b83c31

SHA1
f555039d7a485497b105905d2281b5587c27253d

SHA256
408980f4f8a5eb169ca572e95f4e538bb696b553acfd66222efa612b7c2bcb7f

SHA512
ede3dadfbfbb39bd242da9846571b660adc8e5c070276d016b88d35d786a5112f12f83d8ad5634b41f2c6d9906b9e2580188c34f8e7514b951991be82d74b7cd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7c26807a9f6e78db72feb5f442e47d8f

SHA1
0b860cbc70046511d698125b52eda93e54150927

SHA256
fa15d2137902428d9f748abcd01569d8d618c3ae40f5f640d9faf2f63ba4dddf

SHA512
72204ddf1fafd0785ffbc88e75c4aaae0ec9fa90967967bb5ec50d5bc4811da35c58d9f6d11cb5f3852a1d87ef961682ff2738de19cb64125909f7b68fa90688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
702e5b8d09d615885bb8022df1eab86b

SHA1
ba9e85852c4825486d6a0ac5b090094a4911e250

SHA256
29ef7c7c8f064ae45fa45265eeb4871eb31db89b32561c07c3c986b2ce538447

SHA512
d39340211ecf7736ef99e3f8b5cc35fa65edab9572a2f65b8659bf9ec69cdcb261bceec00a99214b3a5fa49a0f2f033c49a01718125f1092ac8074e119564658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
95f821909ac50d10cbad6e2572da77af

SHA1
12232abc41855e14f40760749282ba31c2acdd7c

SHA256
c196cf3574d932c7cded3e59f75e9aa46ef124c13f821bd3277fa19c036fcb82

SHA512
916398468a705279da25c922c6f43a21808f85110cb4ee81614a8202d1bef36654fa172ae4a0e07f96028d2b0df2f2b6aedace54c51cafd51f1aeb513d5dbfe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ddb1cce881eeebfc6f28b6cf75de875d

SHA1
368e3ec965570ac61d16e6e27486d1b8a2e2bb2d

SHA256
69d61cd1ce7abe23f06e6d4b83e7e57afdf7f259adfc61ee0d23f197feb3b2df

SHA512
d0e247554038c1c80f4cf75eac2ff74ab6d5401879aa5cf2571bc6806899c2a6136f27681e1f10461bc6fd71946f54cef74e3779313892107c69c01c52241128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
bfe28be093c8ff0e3a8b652c60e94e2d

SHA1
9f9b42394d2e6ceab2267a6c3ef3205aeb36a1d0

SHA256
2f1c9c7a86f2c4c1573a5010309beffc67bebaa4f27c8d98d3669397b2e2c65f

SHA512
fa2a62eea05087e03f47a02ed95e71cf57b94691f7278121ca15314645200baaa05217ee3318859b767405e70f02009f952a5a967de06183873059c36d3ff984

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3aa3c3ac0c5953fbbbe849c94aa1d768

SHA1
ed3298a09617f7ed82a92b15ab3d19772538d973

SHA256
3ed5062c122dfb6e54d2fb629872fd48ce6b9008ec7339a8890dd19a185fea16

SHA512
5a88c596db4c249efef898c08f2d09d5b2645553075211d90876fd5182b9f4cbe7b9cc1c1e08960e364bc9d5536fb4f6a8616f711f4f0cd1a3102f85b5a5d7bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bda82af52777e2a99af5aeffffb3a90e

SHA1
c05c1c16daf86c73a344b8b56b67e1d7884b1309

SHA256
066c2c4f5549b7bdd7b6a53d8e871bc426bb0ecdb3632a9bd4c9faebf8684938

SHA512
3c86aa47dce334c9bcc3aa114c94654ecfc0e271a8b715cdb3ad15794b75cc6dbbd9391d83817460289caf84ac2b752f4d8423df59352d73891d43e8f4267fac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
92b0d37002e2aad0b51825bf41b0ee17

SHA1
064612395b29be97a9e92a24e9540c842e0e691e

SHA256
4f7e3c75bc9bb386e0a1b961cf7902fbb02b50eb0c55257062951ce33e90f04c

SHA512
e44e7b36d04b23af488fb08f9a71cf9d434188579edcc5ae40a7a06f6d140a839771be3c19f722208d2cd5c3911297bd8c99cae6a6abb904ff69620fa813867b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8cc878acd002f0fea758cb16869f42b0

SHA1
aeba4c54dfb24a06a03446b8010e3b72cfb13fe7

SHA256
b3755baa9282d130acf0f328141580f0a5fdffb0268a28a386c4ad6719aaaca2

SHA512
6f12aa21a926bec053effa8e00e3ce03455b933ba782e46b169cd57886285504c6731d049a2cd9d6e7d0c311f5f91b314645de1a96f35c25df0c13cde8d3131f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6beb8226e7ea2a6fbb9c1a050eeaa8c5

SHA1
dcfb900fd43ec12342111a62b503110cc6467db0

SHA256
8d29f6ba1cfbbf6c36f76bac46555d2206593f0a2a9b46b914d3cbf5789ccfae

SHA512
c42ab29d35468804c9e64d4bc74adf6bce2672a2eac963ddfe5598c0884ff04bf1cb078e9f267f4507fc795dcdd46076b67e1eaa5132755f3b0de2c055b0f686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
43ecf4cbe3182fc2c12aa7cb31f1a6a9

SHA1
e2857989540a74a342a3b34828ab4a1b024fecaa

SHA256
bf3fa873874ccb8079bb9af4705ca53b1ae8ba3bcd27b2dadf1b6e6ed5b8d057

SHA512
e3fbfbc1b55a7a93101635c39a778fadd1c05e34a0f5484bf9b7f60d87586b61cfb420a0c47c8fd9fb4c5b78007e15631465f484dbe951d23a37c46b6840f214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a49363877b3c175713b9bcaa5ed93683

SHA1
4ccaa4304f77bafc0ded688e1903ec0f5c7a9520

SHA256
eb70c5befab257c8d2a7d7e0c59727783c5e221cc743f6616e42907f139cf0b3

SHA512
166913e2460fa3988fb63771e7c209b5d83745b79eee566fcb930d9f2e327f595b32302a39d721029cfd104552b2b48c8935dbe1e5fd573d2805938100c17517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
552ba2ce90a412ca64d4ed4c99c33e17

SHA1
254b7656bc7629a363cdcf851cfc3aa9a93af126

SHA256
b4f31d6d29037921677f6022f33e9c122006e123ad137e7d5e90a1979afd3306

SHA512
bb3422c26085d459f849f1f607388a3660bb571daf3269960abc3844e4e768c452564929f59dbcd446d83368cd65d9febe5ca0cc5b4c92176c89e6a575e937fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
73c5ca775f1cd91a37df540e15fc8012

SHA1
12748b27580fe10648f388bebad024063c7912b0

SHA256
ca6023e174694f26962e0489c216bad31c8fa2a41bb38a936e50c9b3c9071b84

SHA512
398d49a75f6a5a1d5834a62344f22bacd0fbb9a3c61d02dd52d76d810d15c6d7946d6c3e00c40026233683b4b8c6f59d86158b1fb2a975d0c22ee109beac88c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e22bdcb7f6d828cfb87958d360c7f1eb

SHA1
cdd9412ef4361dc8eb4a44ddc69d637c8c0e1860

SHA256
08737e09eb3323c2e8e47cfead80212bdb582d97f0ee16643f26265747168202

SHA512
cacc306ca4e15ac001f280aa1a67ff2fee920253628ceff2b8ba121c3977ebac15b83e83ff008133f9ac08d8a6a35d1f94ce9fe9895510dce326ea5aba5c05f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c07aa838b5d0871804f0211ce3e4b7c4

SHA1
457a8ad9cccd00f9e25f3fe6fb6f5c3b246f757a

SHA256
abe51957faafd846cd1a50eb2ac782865e26cff9aa4e12b841a64299df937891

SHA512
2c06a5b047e084b21b2f1c515ceaf1fbb004fb31a00b1c0412ce853c08dba2bf31a6a5ab06dea69c1fb2e59f5727c518fe4647b6782b92a73e960fd934b79838

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
76fdb60d5e7e46b8070a473017f015dc

SHA1
756c6a62226c8e22189454e6a5c4a1deed1117e4

SHA256
5feb31d254c65fe0a96cbc43f7fc6206406ed4f4330cdd6c1c4669c74614dfb5

SHA512
dd0c474adae2cd9df897920ccf8ebb175d96738940427fffb21f3b69a55fb56c9808ee599566c88cbf19c83e07632d1fd75ed37efd0b11b5e7f6081f474a35ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5e50bdb9b3a74d029f2bb7a7eb5d3980

SHA1
49dfec6e9c374959c4b46b5c2f356d04a1846485

SHA256
f8b4e7b3bfd5953259cf2b172c995747b049b19effaea87ef8f35b631aaf7ed2

SHA512
25fe4105c91669e5ae60bf3a8ea10557b09ee7538e8d45eecfe4a07525e377e028f8019f84c6acf10885ce3ae170b554f226340196caa04a246c6deb72df41cc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c7d96aa493f38192352cd616412bcebb

SHA1
0508d9c7bf16ff184f19fde32477c6d7e059e7bc

SHA256
55844d0c5c7a71890a62da96e95d8b32b4fdb4ecaea041d255c91043fee78f90

SHA512
6e55a3fcf497876e0ede9af029f82547a503479254479597f9eb04fa8a43fb3d28dabaedc043e7b9739388089f665b9ffca2d5e3d89dca16ed0c948a720fb476

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
55c5a56c1fdb37db99e3f200a2fdad5b

SHA1
09582806e736395d1fdb39d3d7063027d7cd7684

SHA256
a67c19a57f24619bf154670e848cd9fe712bc14c2ed9d85b28ca46591f67fcc2

SHA512
f509dbaf6508453a8c180fd7a0d09b2e0fc2e2b2ccacd2e3543da25b2b3aeca9c2ea8157042e24002658d427f7e44e5692a031da449438882d92b3e68b29d514

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
491228e189fd12f0ce4888f6f6254888

SHA1
e86cea342c0c13c1034087e7137f5343b817ffe8

SHA256
5f949ebb4feaa0e811e4cd4961a2ecd2faedb5153cb5e81f30b485138153b237

SHA512
334a8b64203fdca68b3c771ac31b9d67a664275b1131a2dae7f5290e5f106318bbbe91799b19d3e1bf52928fa7b6bc53e1f98de435e14b1f76ac5d8cd3c213ae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c6419f53c64b3f7771dc1cd9f9fbf508

SHA1
9e58c1af2d646a1e8a6fadbd5f0e0185461714fe

SHA256
054d73d64230d4d0bc39c134ba9975dd8e18572a739593e60e1febff046f9ba2

SHA512
df531fb80a9a47cf7cc1970e5f1a79c195134f275d9549328a8ec2f399c40f7cc4ed6417b2ed326cd866f7188669595ad891d80937d3c1dfc3cda8838fc57f66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ead3ea889887ff89eb9d4ca2e50331e7

SHA1
a8f05751fc363cb2dd07030f56a1c456495da244

SHA256
eef4df9990c074cac1510e2af6db50d26307ad3e23ede68a268db2e50d528320

SHA512
2f82479e2f048df1309b5942a0bd45aab3c75a7e4a3c365a8497db27df331a5a1238b1a7b1dadf94db31d20bedfaf2093425b127267f1ca28add349fbe999c48

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c5c389238cb31cd7b384475551d427f2

SHA1
4332e8f8637ba0f85d19976e8e530d421864a634

SHA256
c6a6b7718e7855456521e185eba9d4e708ba84fa073c22ff40993f910ebd03d9

SHA512
0ac86a197211d095d44b51cbf3ea267df560d2d6741f892032877680bfca28f0581c46c36acb8bb3425ffd834569312707cc8455a9216fb1e945dce57a5ab132

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a28951f19e40a968d4c6421147787d84

SHA1
717aeab37d1273eaafbcd1f6a5642b8fad4df767

SHA256
33e74ee1df34ec981633b9d39ae3122b842a15f88a0b41919da9e5d534dcafb0

SHA512
a6f52d3aa8ce6c3f569c2c4589659247cb824f3cbad6399fe93b74b9b8803133c83f2dd39a7f8970320322abfc8f993055bd5054e097b0b23cab8aa39925b4fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aff6ca501bf7cf7f5f7c356aa0b3c1e6

SHA1
6b27ed4a51600d77d5c4efd611bf925df018b4a7

SHA256
62497a78f6615991f97af15ac408709b5db290ae954d1db333b09a3b17b9ea4f

SHA512
37dc90b5fe08e0613f1c74be67f4ff345475dedb17c733dd1dade7aab23b12040261f5987caacd5aaee75aec4b4b60cbfab1d230772bedcfdaad87c224c0ce2c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0fa2addf4b93975aa5cc808ec50982b4

SHA1
ffc8c6c0e5b4cd1068bd0e8abaf1fa02fae10c9f

SHA256
78ab86341fe0e78ea57cc0f138d754137ff218ca0ef51222026df4326a5812e3

SHA512
47cdabd06013b850c89eb25b02bf9723e1b3812156a4cbd162fa36f3b77dfd081f3525d33dcb77cf24b6289dd0c887831bc9a6fccfdc3c620db1ff366f67666e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6b3fcc3030679ac09c3ff75a347122ac

SHA1
125bf925d31a3a6d951eba9df72f5d37a6c96d90

SHA256
3dd1a0ac02728a39b301a028fe43f2d644556cfcde5505eb933c25c625fc303e

SHA512
7a8bdda27ebba7df7d943079f7bcb9ed779a50cca8acc2c561d6ce8a0fa0594de4b37e84264ecdc92d04e4c924280f070552d2783ee00a9a2b6b8607958feffb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
196e4431c3a91a299c5e059654054019

SHA1
85257e43629b3424c909038831c1807c08e5d49e

SHA256
1849f7cf9fc1303b686dc87845ea26a8b0f767cf6c1604cdb56d1f5f9ec19a2a

SHA512
dd33668a5ffb7f4f8af62da4934047f6202586a71b62864ab383e66e06536eda3a803f3867a19fef9640303466e2a2201168dbf6a5748f99488c6bceb3489efe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
522a08ba7f19144e3b3e947dd2d52a8a

SHA1
5d3db05de11190759689f7b797d3deb00a23ec7b

SHA256
6fada699aab5b4edf57655ebcd45c3032f40365e4a40160a96379362eab891ec

SHA512
a00635f6a0d9362a3b35897abc033eb754457be257f90aa3b9113face944f295c516708899b433a9aa03015a38840c8455ad62bc5af7b2c3460d9888f8456c0e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9dace585f780443cffe92ae1bf03afe0

SHA1
68b1e22190a29bd9b566cf3e5895eb38556c660a

SHA256
debd6a17353d8f6a09ae8c331b87a4d569ead32691d4a6d6ec7a28ef418e3cbc

SHA512
9ee092056ef1edbd4ae97f053a25c37cdd1e539eca1345c62c6eb20b6e294af08bcdfd9f27c336534e7ab7ca7e2fb4f105f46bfa9796195ac3a7aa6c78f226f1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6a0083ae57667b75ec2aad37824e317b

SHA1
1f1f5ede522fd492ee182a39b95aea734d58cfa0

SHA256
d438f6ca870400cd1be52355c7c85cecaa420a9433d4a1ea647b317e022cb843

SHA512
1c534f65b2f8a713d5bb100501ed58fe1400a7483763c1c127d8fa743b0b798e4a42ae2b7fda188a8a0a9f5bcbee114f446b2ae70d51b6d049f11fa26b4e4d71

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9b708be81d2efce699a15259c14c1d90

SHA1
a950487bb02c6de88b30332ef1facbd62dcae979

SHA256
856e2ce35ad2d1357a71831352aad15076d611f24899b861a4a38e685077eb86

SHA512
4922e5d48d5e71699a26744273446a5942d537e229b09fa97d2038d335e08c9b488a17bb06e7910ae1c63d17641aae034e65c73410e42b583e1a48984a473bfe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1115b505646aeb3c58c519e8e9dd7218

SHA1
258b4f855ef613a32a3e8bd74201496f147c7cb5

SHA256
78d588e8b254c8241a0fcb13254161469d81f45536adc02ef572ec6378145cce

SHA512
14fdfafc6e030f581d8a946c8f5c7b9be356a288a9508002ffae60fcd2f725fe9ab5ac80755ef2d88949528140578734102d73d6e589540433dad892598763c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
276b63775924804a1bb92dfc5eb1d156

SHA1
098791eee7c0200ce918203d17d5df0d9b790fb8

SHA256
1144f0ecfa44c0af3b5fd8ea89392932a39e61907a0717353e2723732a5e0f42

SHA512
36cb4a1ce20771c97cb595fac343c1b581ae3e79a1b49493490617773163a6dca07c7cc4ce7821234e5648543418f6ba4f442e6d362dfeff326923becd160ee9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9205aca4c115dfd937762a3c185df3f1

SHA1
d5fed26e1470f26191e69046eeedf78e0ec098bd

SHA256
86b0d718449e4aeae1bf2b096cb82336a9d9cb52cabd69d910c22be72967bab6

SHA512
1dd5553e930f53abc43027f35ff6f05e4961def26c2cf0356841cca943b5435446b2f105d1424966d68e2392c276973fdae210777f08aa7e0e1c6a95e2381fbd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
47b8ade0803541d6df9d212a481c1dca

SHA1
c2d2cdfa61b27c448af69837b7a5fd23fb83bdfb

SHA256
5eb9f7475aaa5f49b6b907522ce7450c680b912729f03d0dbfec3957f3dc2b45

SHA512
f798a0c306957a7bf3e3783d1a752701bbba5e0debfdc6e2fbf2f8588d6a561044df5f2fd90dc4080731624cf49e76dd009c1bf8ea0cfdd6994b415afd707526

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4d5affbf14164ef3c041b652e36dfd42

SHA1
f61920b0781d643adc48633063db4431fcc7e938

SHA256
f3a36dbd9b9e880aabfc14ee685d298b80cf5c890ff3c49e0a4fbe25cb8a1353

SHA512
239861550fd1bc91078c78587567a1ae78996dc2f70170c14e28ef5b0e145c0b87740c200280dd8d58bff62601db9fe22deb0aab669c59c6d0cb50808c750c16

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5ba7b2e9d375e20aad32f415fe93c4b0

SHA1
d53f76d48f46342db18b7a9efc1203c902da3c06

SHA256
eccf9fc880b1bf0767e7b240552b9f1025b8804c30a48bd556436d1adfbbd8d2

SHA512
f464e2c6dfb63c2b2be8734e47d40a327c77aea23290c7b3b5e47634e4b4fc00814bccac62b7c5e62cb93ce443bce4c4e6fbb1d317b9e74c74b3c3e1453c9d6a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d30fa70d039f9d73ce74dba955709b35

SHA1
c01cf2c59dfe33debae940f44bc7c3c33507580b

SHA256
85b7feb201853422b1244b8443d16ca9da35f19b376c606b2402456c17355d4a

SHA512
3e7985c64b8fff5d9b33874994847db4430b69faa01b592810f55199463163b34a7b5c171e2907feb21bb895b7327609b59cbcd3034dee735bfe3f8b6bd7148f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
61264381b7a7996169a7de0677e8d514

SHA1
789235e63e3204ca8e8aa5fdc445c2aad3d07526

SHA256
f3512c4f768a377c3a51d9a334e67b6e7aa1b96cd3d258fcdec107abe8095f2d

SHA512
3ad9a9b5ec41c80aebbcd006af239f680547097cb6b81d28bc26a0d2d295e53d35da4e8017d5d6127763807f672f8bb4568386d7a3efde1e5cb5d1d8ec8dc37f

Download Submit
memory/556-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/556-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/556-91-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/700-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/700-607-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/748-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/748-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/872-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/872-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/872-48-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/872-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/960-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/960-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/960-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/960-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/960-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1436-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1436-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1524-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1524-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1532-446-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1532-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1544-74-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1544-498-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1544-8-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/1544-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1544-2-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/1568-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1568-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1568-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1568-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1748-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1748-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1824-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-44-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1824-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1824-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2532-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2532-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3068-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3068-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3348-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3348-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3348-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3412-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3412-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3412-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4340-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-600-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4436-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4524-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4524-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4704-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4704-606-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5028-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5028-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5032-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5036-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5036-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5036-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5036-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download