250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
Size

1.8MB
MD5

65192eed5dd09789efbc2e94f6e19acb
SHA1

9a10106bdd6d010e4c627d265d702cafbb140d67
SHA256

250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36
SHA512

ee139914625205c3b0ebe76d8747d7e15d4251f4ca0d9230179c99c5adfceb47da22e07fd70b76f9c305cb369abc8ca70be6b8b5d0d1b2bde41a4d56aa0a5661
SSDEEP

49152:Rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAPxu5AvOAze8:RvbjVkjjCAzJ+xKAvOAz9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1200	alg.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4904	fxssvc.exe
4980	elevation_service.exe
2912	elevation_service.exe
3116	maintenanceservice.exe
3492	msdtc.exe
1600	OSE.EXE
1520	PerceptionSimulationService.exe
4652	perfhost.exe
3672	locator.exe
4180	SensorDataService.exe
3180	snmptrap.exe
4528	spectrum.exe
2500	ssh-agent.exe
4960	TieringEngineService.exe
3004	AgentService.exe
2688	vds.exe
3164	vssvc.exe
3340	wbengine.exe
2716	WmiApSrv.exe
2252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

elevation_service.exe250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fae6837daa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\vssvc.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\wbengine.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\System32\msdtc.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\AgentService.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\spectrum.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_hi.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_ca.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_en.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_fi.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_fil.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_lv.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3326.tmp\goopdateres_es.dll	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d715563a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000318e3564a099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd68c360a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083496d63a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cff1cc60a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4c93064a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5dbf760a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b365a63a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec07ee63a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8d09563a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4980	elevation_service.exe
4980	elevation_service.exe
4980	elevation_service.exe
4980	elevation_service.exe
4980	elevation_service.exe
4980	elevation_service.exe
4980	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1248	250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
Token: SeAuditPrivilege	4904	fxssvc.exe
Token: SeRestorePrivilege	4960	TieringEngineService.exe
Token: SeManageVolumePrivilege	4960	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3004	AgentService.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeBackupPrivilege	3340	wbengine.exe
Token: SeRestorePrivilege	3340	wbengine.exe
Token: SeSecurityPrivilege	3340	wbengine.exe
Token: 33	2252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2252	SearchIndexer.exe
Token: SeDebugPrivilege	4280	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4980	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2252 wrote to memory of 3860	2252	SearchIndexer.exe	SearchProtocolHost.exe
PID 2252 wrote to memory of 3860	2252	SearchIndexer.exe	SearchProtocolHost.exe
PID 2252 wrote to memory of 2216	2252	SearchIndexer.exe	SearchFilterHost.exe
PID 2252 wrote to memory of 2216	2252	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe
"C:\Users\Admin\AppData\Local\Temp\250716e18abddd4f2d352b6ba993a7b6335bac226d3afdaa058d73325e0eba36.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3860

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f7ddc6a03d77b9c7d8688eb2d6dc2910

SHA1
a2b7c2f1347212b10a4061cb6eafb576c336dfe1

SHA256
5d4aab1a9cdfdbed4a4c5c480b2e92b30f92174e7060f66117aa3ae980774009

SHA512
8c773c2ec4b47b880e4a4803addfa9d79f82635d7066057ccdba6488780faac82ba1eec54925eeabc9d581837fc2038aa047ffaae58611f5ab5416a8de33c586

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
3309b0edf2b14f59852eb020e9e13427

SHA1
2f1b171620e9120adc5fff2b71293f83fb23c722

SHA256
7c387611291fc292e133b073cfa33523f1cfd1469fee2410d66cfe991a102df2

SHA512
bda4c2420213d569794b205a3ece7017fd81f87f21e38051709a058d7476c1f10d501348e394ac97c8e81dcfce1dee13063cfd1372d795d7b24d3dcab9eead08

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
e8d6bec95458b6e9177dc43802944799

SHA1
9c85f1bcb0879ea7c160314d396968988820729d

SHA256
d6552e97def19d72c7c47e733d5461fd28f609c019d156ef1ef5dfb71f0bce55

SHA512
5e7edebd216def2a4ec2791d34a720e6796ac6e98ef680426173dd89b755eadf80891755f272e2c001031649cb266aaf1e712735d937ff43ba6a4af0ed63806c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3df159e6385508774c6df08231430acd

SHA1
e8e182780f2048e4e23af642b3308763aa427fe6

SHA256
fc5b092f3e518619d3bd5298e4a3fd85ba90f753a83e8e4fa9b96a7541f24694

SHA512
b63e142cf8c3bab04a5427ee0604463e9b2e3b814eb2da85e2fad95f0bfc5b99046b1ce5472baf8b9ff89d0873ab9a815347c6668fb90e47cc597cc5b2b29104

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
69c85a746d635bc102ccfe98c9610d8c

SHA1
42c18b5b5f0e2756b020de20aac61bda9fdd765e

SHA256
46061615caa0804f9720d8b58d3b45b18e05ff2a45a7e0f81c77d7b542e11f14

SHA512
1e39519108d92420c173c2d379a63155482def16a815499a3ee60b14085e4351dbef0c9aa4c8f8db8c9e3f5e66e666c7a65e58678f35eda3cb07e94f09b5b3e5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
012bf72cda891080e88550a08c0be8ab

SHA1
8beeef0eba589bfeb5e7d2ea172a744f8257a7b4

SHA256
f6ec278e9ec0bc962ff35b9094ee25cc727938895639dc021ecc4ce33d5f609f

SHA512
27fcbc270d157d311e2d80f943358253a8092a3c966922c19d5cd562cd54ec5e0735c466a21014c18495db07402a5826a3abc8482ab75d85fa89c14ecbf555a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
381865704892d929e993274c3d6fe33e

SHA1
eb538584bd57fc9bdcbce549e37b4d619c9873b1

SHA256
1c7856f4a0f25508a248025c38b1030b9dfa831ddb2c634fa372a9d782d19244

SHA512
77e62b810a2cf65df0a73a05682cb02e76ed0f92824cf1f69d1ddecfa4896d3044f8debc8084ad1d99e9ecbcc751c5fe3edb5f58e91d0549a1e4cf47f44e2173

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
3657bdc3c0bd70aa46aa6ecd1b113b37

SHA1
184b7053b981efb232e4802f7de36f8c647f0bd2

SHA256
2c851beb3792150c0687389743e4c35d6d619e6c4becdab66467aba9a9ea1a4a

SHA512
dcc65c20f7eb9e2a6c7b33c248626c856a76b2da6c73945274416b6ae6a3eae8b3fa40618a216ecdc2ac08e89143eaa6b2b5f06ccce78c4da807df50ec93640f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
9b2892aed40fa7189ade854a9e4f0048

SHA1
22443d69e99d520a85cace47625181f78e75acc2

SHA256
5f57f47d4654c7d4da509f469157293667af86b66520c2eccf321e31412a0092

SHA512
ac272ba0b1b62d795765ad058631b0783fa98e95c6daa9c8aebc19c6db44d9e571e77733bdcb9f6dc2cbbd4551cec0411eb67777c43458f71e28729f2b751327

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
78aec8f15571d31ec866eb5da8da80c4

SHA1
e0b6c9cd71d03faa691977b9a48a0f987c50a2e0

SHA256
19f547c563c9cc1ca2b901ff8ce5ed0c2e19c991c6c2bfd2443d9ece76ff7b5c

SHA512
28982d397fb7df42200dfb217da386c4b51135f426a63de1a0ace24371b554ff25139a4c52cb71738adaa774d2d54810acb8aace116c487b182254b35779ef03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
6f6438dfe2377f8286a19feee38f71b8

SHA1
8147bcaf6bbfbd699853f3203ae5b5aa1c00e67d

SHA256
17c10b65520141579bfc6657cc307e317ac08afd244f690fa43409f5fab0bf22

SHA512
4004a40f4e10e37c203919be6bdfcbeba69956d289dc77fb1eb900a130cd6caee8b3ea6c394c6f922d43305c258e0d3aa3f00c3253ed1cdcf76722ae44c43689

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
55579d8c2cef7a4a9fa86c323195efd6

SHA1
7707131ea182689441c80dd7afa2f0a23c345c1e

SHA256
8d0ade926262ae9e82201e073e05848eb66c70faef9c2312b440411dab2b2814

SHA512
a141d8de045f63c15a9e20a78d54667dadeb2cfacdb4384818118a4539b465a73bbc529da0ac301fba0fea19234ca6e3026919a3f33194f9b1333b8d148d7df2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
b7898beaf2fecc833b2be419cad1410d

SHA1
6c25e8690f7c99068502df69201131378081a690

SHA256
e9986ddd4ef0dd7f66b97ceda84162c91ca56fc1fca20b41751eb2a095e878b0

SHA512
372d7c5e54b02dd2f86c9c2ac8698fc357f98e47e84ae1022e2cfb197ebecce1f8f8bbe2b6fb2806cf781e674303696602a548c0ce0402a688674a74e3f6641a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
af74c0a204cd7fe77ece5170c56dae44

SHA1
c9d10b8505e6caf5b1698df74f96f4b43ce5a979

SHA256
7f4caede10f43fd7b33abe96827519dea12ab512542c5abf9b8e99ea826d7df8

SHA512
994a72498456a72a19bdfc763ccd24df38e76c176842829ed28d41776f1ddae4aae69163ca959098fd8a217027ced5809acf8ec361222b75bcde4a7312b75f70

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
800bc0074d767047068a809d1d903da7

SHA1
17bded475f4fbcc92d4976264259cbb02fc840d5

SHA256
913476166342ad3244e3462bdfe666a9f9d01091139a8b168c6f77ea7fbad9c2

SHA512
8adfeaa7de332b8b654fa4bf604d16eaab946d4bbd5521354a41b4b56b35f574f80c85eb33f7c4280c0259e05d6dd42565f188db7411f5af6de9f37b5fb44135

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
7542589849b12a78302364fb3e796fdb

SHA1
1eccec098992b0e6fabb0f3e524a2b0a085a900e

SHA256
5a7cf466d8ce2ec5ceca0b4ac71c4d60e8f6e902ada23ad3e8d441c97194d754

SHA512
79dec34e18d492b6c47cdcc3a9920759c675bbfd84276a044d548b4dd05e51e403505533bce7c020a98abdd562726bbd93591d3efdd07967207c2e87bf33d018

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
c7a0c1ec1d250f1ea826b949ae2ece73

SHA1
84725965441bee18f9741577bf7ba7769b441013

SHA256
481dca78f26adc5067879544e5875602e0ce85bc55c8939101841e66fdca12c6

SHA512
4b475f24918b1b3d53dd2641404c10449ea2afb8bf6471ae680fb0a176e994efb799e9482115039840359cb6fe165ec00610dead7eff4da600983a225f57eaad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
c5065a9b53d479a862ca5f4b13f1ccba

SHA1
3d13c807d07bc44aec0add163bacd6ec5107826b

SHA256
56d680d15c0179410e3c5fc76fbd873179b1df84e31a40c38d1a65b5efd55717

SHA512
543f596a2bf2ad53dbfb27b446650ca90ecd80135e56c2c13e0e16e8ab782debee30ac67e3ec54ccacc2985f09e09a5071a15eb43ff5a156f8c222182f31d43e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
93b00ac9313363819faa28d467c1f7e0

SHA1
7840b0f9da48af42d53c0ef5880677d40fe5faff

SHA256
fd29e865ab58c40a5c06b5dc648a0377bb9c83a26ee0a8b4564d64fd5a569fc3

SHA512
27bc5482d537d952673e5431c5590c6ebcef92abd8674e2f727fbf5cd8c462dcfb6bd7c5d8476102877f6e6db660f479cf2667537dbc876327abb73b241770da

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
2dda75653adc7be0013afa7c4b4e0d5c

SHA1
d19e8c2a1c832d66a848dbd45f9dd731a6908a67

SHA256
e608ce8cd71e72d664d0c80b21c8f5761cb1c97673fd40932a47db865118ea06

SHA512
f8f3026c816efa5bc489a40613ab4a41f7b15fdd107c268c51104887b6d93cb07532d8c639b4671b8ab7dc0b629a5916c9797351e0c319b9397962bb7fc98fcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
a60b5150170b3f0e057a24f5eb918458

SHA1
6e521f9e6482032269f6cff88566ef5854d12325

SHA256
377abb462e9a72b074c0f524ca9c85b1be81048cb5d4180901b3df70731c2942

SHA512
f8d7efd3dc04aac38e883231161aaf21ddbc8ff09359540c3748769270b122b1f9756ea1cd43a928d5004164b42befb8245e33bf8c42e573229a7923640a788a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
e1531c5160e4349c875a403e6d260891

SHA1
7f969a55e2baca59aa9e92e372a260a3ebe475f4

SHA256
42ccef548624c5900fb2511bca48592883aeee8d747d998159933a2cc287f5ff

SHA512
744811a50e9fe7de510382962d02d0ff50e0c10345be6a95ee7460c951bd96d40636098f4ae0fae948d9225d2980d7401a5879e2e7c89da0b7d2b32dafca3f5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
cb30cdd949aee9f10d9a048766d4b698

SHA1
875557f61240f3d38a31040fa2ac4f96585454f9

SHA256
8c12d0711bd26eb59dc057df6deb3824b71e57cc1f1f107527d1335d0bd5f78a

SHA512
e80f4acb56c837f38112769f7d81db731c1de56292089f821c18f65eecd2d120cbe88db86e6bbc487cb5bd7a3258cd93a8f9a56f4e18dbd3a005078b48a49532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
3bd2f8728800bd502af062194a3af780

SHA1
c6e166d222c2f187e1ab65c982e668a98ce75444

SHA256
93be6225bd9ac65ce58944faae06ae4a9e479e612a81eb678cb2e2b4fb7e354b

SHA512
79a5971e65a8967a5be7c47fffeaf042464bb8926a4e72f978a83a18de51b5c573c00d7866be1c97d27a7dfe51dbcb0ae49e96877bdeceb0284b55d697d1233b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
ce9232ca490663eb166c63aaaa4b292f

SHA1
10c666e756a5f1726040436abc7e16ac7b9a9322

SHA256
2c529589b9e61b2d19e2185a4677d03d9010556e9c3ca39a643940cc2b4f4ff4

SHA512
78428dea2b080994a3a02c6ba5ce43001b0fa4b6e67033c5b48f2a41acaf12821e62e715fd96044027081bae005d1772968fddf7ed6bb95ae64f267e749b8b90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
8f3a244d177696f7e90868f106716dc0

SHA1
6841c9d30c76929daf29b0a637f02af11b02ecc5

SHA256
8bc81693ae367b41c772a0daad7c4c9cf8f6566458c8395759baa0963a1dbffb

SHA512
36e6337d63f5354d77c05e828f0a82ca9fee05cfd9e96ce43526d91ef1a07f46301ab5d93d2a4761e5cbd5c8c9083c971226edb45853bc3cd72bbb0a0c535877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
28bac88118b579cd713da45c28b6bad0

SHA1
fa6c95193ed3fc1bc77e1e6024074fca49bf646d

SHA256
4203f9d66bf5742566672b5174a7215e609a37f781c4582ea810321cfb3a59a9

SHA512
a7020ef53d6b154f0d1b366cbb757ee2b29a00ffe37700309bb7ad3283ff8ef0d336d6113478e13be6b7fa1cad2a7268d2fd2b22be0b2e298da51409e610e2d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
983569b010ed236f08665a6a26257eab

SHA1
08191455f942f584fab2802ef02cebafb2b32220

SHA256
396172e353447d41a01ded07deb6f901a7241b1c063a3ef964c836b6899d22f4

SHA512
97beafbedb8ea1bb9e4cc112ec05550e5c84cf77b7b19446db4a3cacba6abd6465e64163e8e27f632e72d0267af9fd5cbcc933765dde53d1593ebc47c254d228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
5f73f9f5c48470e21d478e6077de2838

SHA1
58b93273f29149d0afdbc9f7965515570227b9d5

SHA256
1840d3c438e163d193dabbc463e34b85239bfb1d9afcb764e43ef37e60c1c268

SHA512
99fc4ca10a96d387d15cb95f8eb8c3b4b91dce09f4c22ee08b36777dadb26d67cb926e3ff66e1127ee1c6eac6b2136a9b5f4c6339b9062834e9b57bd70b6c86d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
13a206783eb99c16e2650c5fede1851e

SHA1
e1ad467a8624100b2768402f79027c0d01e156b8

SHA256
e061324e1aef7bf3f5cfaff44db80f72dc6690d5a929f8940c69a111106324c2

SHA512
5fab47b5337aa1b74e10cde4629187013f908cc4e48a41e3d009b01a8bef67f57fed92262fd189a54746c7c6a4ba20c9ada83d6e553fc86648102445ea10b624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
ae069cd4a8613cda11c1347faa461b69

SHA1
f12e547f0369b572029b9721ab48ece2b4cec027

SHA256
a66013ba1b90601a7dc9d76838b2975b0ffda0b96110a98ebcf173a826ac2f1f

SHA512
f3103a30b4bf46ceb5db8e574390595a73f082df5b0eaf1900a33acc37779b8fd0219d83939da913d1a63996e3cc4965e08c9187087184fdef9b1a5c874ccd3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
303ee3532526183c9a0f12ad16e2026e

SHA1
8d72d9366e9e01e1baf4457c61f1e31d564fc0d2

SHA256
adfd81e0064329e239d44c3877865ecaf933a6fa4d03814fc10abf85ed65f16d

SHA512
9452607566ec5e5112d572b78e044152e90ac132e16afd6c61987623667687a71ac668fdc8922b156c7d8fd6313303277b28dc9ff58de638770b3bdd3cb65976

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
a06cf4b76373a97d409e0081d815b375

SHA1
2c054070d5b31c7e094b8bd7d699f960635df1fc

SHA256
079b20df4a1dcf9692ffa4471d2b7563c4dee8a9c7d790dc76f5bb65a7acabf2

SHA512
7c54e6c7e67a80308226ec02ca66c2f64ce7164ec886b705165b065444c9c91cb6f4b5e987fbe256ec1af07e49f12db215ecd35595ffe0fa395de6e69051180d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
51304b16cbcb4c6d049729625aa9dcd2

SHA1
3d9de59dd51e562fec41698b59c4a186d97485d1

SHA256
ea1372d8835ba28cad597253069f898fc473df75cb45637f22dfae46c0896e2c

SHA512
7378658fcbbc3da0c5073a10d15527711d2b802bc1f77c4ede495548664d3ec13f83f9f7487c2ee6a9dc6d6428cf53d8db3ea26b1da8e6d0718e4c899ed88196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
ce3127e9e614ab8759a2463affa13004

SHA1
44177da0ab5fb1e03350245fba9cbde7a1d9b450

SHA256
8ab90d04e811bc0a02a34520b7273d1fab47e039ab50fec5dbd53f11bc2071fa

SHA512
eb724504e71bdbb0468899014f599037b439c4e01618e5fcc1152a212085b47e087ac2047fc5a9f77a69057e5c4c085e44b5b9c15e4e2c334610a184d1f0bd12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
025103d88de5df5e8c5678e99ffa5275

SHA1
4368136aff746b9f55a3cf950824bfc9fc78af97

SHA256
23f6c96c098deb404a56b5fa217a180213bc03bffbc2ea38c47266bbeba2b938

SHA512
9f87b9b73a514210972604d4ccc186abfaa972604ced3e400465f8e1e0ba52a3a94485ad360210791bf2d5aed093b939b73b96d19dff8c4ccd3580214814ec8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
69289605884db6352316aefd7f85da72

SHA1
34542afea06f17e9ad46513def74e89fd58929a7

SHA256
b6eb1075e72325f4428e9991cc0bdb56c96c9b6d567ecf31b826afa7efa91851

SHA512
cd7d3bde31fb7a91b9f95f0a967e0ede5748d0f49d5d1c363d171b3169f97dbc7b53e9842def7910211ded6e7aa94c8b625b9948d23adc0bf2ee909f2ab307fd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a4200972e60038f2ff59df2ee6ebf5e5

SHA1
955ebea69f33eef30126e94f87d3b31ac62e27df

SHA256
4d0349ca508e5a68c3ae8fae980bfd68f8ecc7c90b142d6abbd3177675253031

SHA512
45fbaf831486b2661a7e0117459dee15121e5c0257c2d6d25c831bcd6dd9f4a4a26f124d38eaf525ae10946e7688e49fe76a1833051fdd2db15713002a9c777e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
907ac695fe6e49cc95dad7cca4a5635c

SHA1
a97f03a49246339c79f807a61fd60e7f778b2904

SHA256
71fa76a8be36108371f45e77fd9aa6cbc7caac857c10003e1cb57bc8b3fd492d

SHA512
c6ec4d726a05a37c40447cc32cf5d4e5e98277ffe76bb48ce123631028643ea5299a311a8e543bac139fd954d33fa130282ca5621a9a9458f24b9b0eef9aaac6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
0f940a6e15c8087d080ce0165718c770

SHA1
7acb59d911b4a1d3f9f8e5122bd53d0a33948fe4

SHA256
028cf483e448021eb7616437709ea8baabdd0fa2acd5ace9544c620d45459e0b

SHA512
c6b4d212fe0f577499cda7618fe422ea6823a5dff82580063dc01d856dd36bc9b7eaef993f29d4d6768de49a82e0d500876c7d2c53c1b157f1a081ebce9c8bcd

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
be1aae3f4301363b5e5a284a64d1115a

SHA1
277e91f1697cdd6772b29bff373154e1d7cbd882

SHA256
568038f76ff765834940ed3cf73e9107b9cb198756edbe6033ed218917e22981

SHA512
bcdbb35502283f69ed757301e0c9eff95355dc57708be6ce6fb9e9c66510bb09aadcdfd1de6a1e666a04513537983d82c06680c1fd9a9aad6845cda90fd00f0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
cde0bc9d0ff3051f68f8aa5000550de1

SHA1
0b6cd6afaa1bfa9e683ce75aedb53107bb9ddf62

SHA256
d61a180d61a271c41d9186fa3607b2d8ddbb0b54bef3be5853e8bd99a2f5c69d

SHA512
23c856b6699fee7d8bb2f78ab45880c448dcdf38610f3909bb76a89ad284673da78f0529ed160d8c3bf91292be2c2f47a49d71c271eb7a8c28157bf95e658b05

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cae6beb0c18922daa4d491ba2ceacf8d

SHA1
1c7ea1e2bcaaf5d39d7b6096d5df33d94b92bfb4

SHA256
8f3b2cc0ab407771eb532079b7ccbe893db0606db5f07a4f8a004055b8c8ee0a

SHA512
2e0c4ef005d0c15d4d6ebad4628832029cf466ce91c857333809721390446bab7749454b2ea2dab592f7296c3dd09fe9657be5cfb96c08be6024d99861161d3f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
37b2c0b4e6423a7895baaabe4d634026

SHA1
111060a3bd64dd944ab46db911f0e6f6183623ff

SHA256
632ed5fbef9d017464dd25f88420b097d66abcd032ee49cc8877dc9aec25128e

SHA512
a1b6cd80b8f800804c29581635a144eb6ab26b344cd865b4d62214313ee43d1ba8bc817c74cca6b44cd0ace86c4f1bbc043fbf59e59d0d0eb6a55938a2af46ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
c249603d6cd1a72620debf378ebf1007

SHA1
8055c1b25952d7ad63731add171fdbe681c910b4

SHA256
11bc97064762f1ab02fa71dd6fa7e46efe55789d577a78357bb1fcb391de3f2b

SHA512
481a1ccc198b04d0b6c7a6df608245a181c21510c7bbe116aa63318e2643e377481285e18cb2b7c9cf0e5481dc19f098553bbcc357c9611e0469bac1ffc1e0fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
2bb670923024534e1fe3d6dfe817312b

SHA1
27c3ab40211631f5250f59183c88e02a3aa2c44f

SHA256
00d25029fdd5f4b254331e14adf98c472c8eccc2f959f8515ecbee512bd0e058

SHA512
c077a6ad6a782aad35837a551d4723a05f5295ce3428e8d3d9365d002b1519a7e9c849bf6412cbc61a736d4d0359dcfe0b53dc6b1112bd2b1008d8805fc32241

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0e580ef2448c8ae3e4fccef1a84da75f

SHA1
6f323607445f3225c0c7e472ebadcbaea71510f9

SHA256
1f0c82ff661dedd0756a3b212710df13a5c60267457f7636180f31c8c4a9b2cb

SHA512
9d67400e2d2de3398430d230b3492093b477684058091a844eb4725401e910a5d90f1feb96b8e5aa98d95e8e83d8af3940af4e4f268249d206e3c1016d7698ae

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d6203d76699a0a6e689794c224afcd7a

SHA1
3ee06ad671c754d52bfd7a81399f32e0974d3d7d

SHA256
74dd7241f4ad80d002bc2b02da7bab2bbe82ef701811673634d5cd0a5f16fa48

SHA512
381416d9e6d0fda2f30c7cad26edd9f7bb0af1e96b1ecce660f2c7521ee1fa7dfad0d10ab02c411d920500b8bfe2cd1df01b032e4d6e53337734b959e8b89d6c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6b3c39fd91eeadb96b099c1f9bef23f4

SHA1
7c4217dba250d72e31c7be442b641a3eba0e7ec0

SHA256
d0f4abd3ac9ca326bb1cc999f5f60c7580934a6027ace4ccfb413d4c464257f5

SHA512
eaf7c73c9e59700189ebd473332351ea090b43055fca2ab909e94df1609f0bd0126c12111b70b693c709b7e2acba0021393428e900469fb7395721b783ff071f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
5bb7779f17f055388062c0c4ffc7f598

SHA1
ad58c3906343480f1d434574f1c1e2f660c72691

SHA256
c796db3375458d92325c64e5220272222606d04710c30c55438afe3e5328c4e8

SHA512
9e45c36f60210905f3da7596b4c36359429e6aaff4fa6c06e9542f8913687b50f1cf03bd535da1ffb9692c93b09b03fdfcbb97849ccec052a098bef2533cfd80

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fdd67e572e2e129ceeae720fd94ac0c1

SHA1
7361474e10caa91584893a78d45dd322bf648940

SHA256
f3179fd48d5427cb9c8135e7ffa6042fb5b862f07a6ef71be97473cd3d10c44c

SHA512
a003857e113dbaefd3b17c5a4566330698c43cf6254953480d7113793791ba995004906f11a8ccd64f538578c9f1f41a9bb2ef53be891604d897c16127658094

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
7f2d476b8765e17a0a37b5818bd44be0

SHA1
691aa29d1c653a36070d6b28a8f599f64dd214ea

SHA256
100693c3e3e29cb9eab064211812370cfeb078dcf4e963ec88b0354db728a299

SHA512
ec9764b82b0f827d6f00da3bb26b15b6eabc5426d1606b95cf50255e51c10a9c5462e117807697115187578240a891fe7fc0211b20547b7f1456b8df7ff917cb

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
9e8d7b97a0a57a76e5cd3ed8fb64f3f8

SHA1
938425762ddd34ff006103b470f314477e5c37a7

SHA256
4028565142e5081b556baef9f6a22b7e093880afb30b6b3ef8cda265c1cd25b7

SHA512
d6a1ec88e9473336dbb7d898c4c9e2bb613ad5bafff24cc228eeefb3e364518356c7f0247c76b9424f0dc38dba2e7ba6ac439792288b2f26f3b59ab02bec11e3

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
51834ed7e96c0494a319cd7f3c93fc1c

SHA1
73f6053d771c4b3aa34f24ddf869dd90b76db38a

SHA256
22ca6d8d0950cd13f5a90ad0ea136db2c85f7ffe8f24e7e14e7d84db7eab9695

SHA512
bb8ca7c25f1138826871649542f13411360bcca72bb51650056b761966eba99a35825785c3adf69049e0b48c82ed03c6620f6ec07e8b10107d5554ef3b6297b5

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
95913334256910097d1f3f3a70b22067

SHA1
eabf3afc851b2c983ce009a77e0df164a827947c

SHA256
18cb7f29f8e96e4c031c5c9a6a7c3c8898ffab52f8c4f6b252d85594bcf58221

SHA512
7748d6768b8b37298a940f68db8183269a39361d1f9e2353c6b890a64516bafd4b3e8170013ae779cb0bd5e260325b85d113842dba4ed6bbab81a0282455ea4f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
6c8622904b36639508b3b088876ab713

SHA1
26a5fe8c3ce355abbe2834441532b629842ad548

SHA256
2ab78b99a1e88188b45ba4d1c082d073c3314c3f938db1561249f8959dc978d9

SHA512
0915fba7ff6059763d6979a8c6c9ab2d9f22f6c0139a4fbd26e7c01cf8d43d9247e51555aa92e37778044962d98e36176f271b2666399dfbee76acd4e2ba71fe

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
26aa56926be7ad95afa27935f00d181e

SHA1
cdc19e21f5fa0302963efe01a856bcb65b3919b3

SHA256
bb5b1526926df4150827dedd912fdba9d980ed034c40528200dfa35d32ef70a7

SHA512
c73fb47c84b7fa1b148f51a259b8e884ec8caa165b0cf6f55390f4e009e4c1b16a9e7523aa4163481720ae53df42cc5fb2bd876383953adb625cd4115a74f551

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
4f0b4a42a8a0d7639c3bfe85c1759e98

SHA1
0a121d143865fe43d33aff8ba140cdc11ee7aa54

SHA256
db7b6419ad2ea4d293a4d308ca50af8caa607fb4c578bcbcedcec53be08498d2

SHA512
e50d7d52b6b9a7275e203eaaa37713884e86775b0201da3c8d3bc6b3f86e98b2ad4a20e6318373107d2ae2d0a40d1910904e6bbe73031d18889c2243cef53492

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
c2b08cdd6cc890482a0736dd0adfbfba

SHA1
b58626fb39a7cf188a2d36e7058e009e8524d254

SHA256
64ab6539000fb4e03e6c5608a397fd6b9163c8c566608271694330fc2a6ab66a

SHA512
61e6fd931e876a40220af7c775d33d04cb6315b213cda086e93af8a59a797b45483867c28694474341b0d3fc1242350f65ce1f70113e0efb90ff601990061631

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
248a40977613ff85e0847066dbb9c92b

SHA1
06e795f8af703d7a7bdddb90541afca5c6112f04

SHA256
45cf82aa9a0eddc5f971e46b658cb865d0b50e15a051457598c572986610d3f7

SHA512
14006f041e212261dc19e40d20e47094fa4bc09b276241cfc308f645c720b600a127a9ec4eb9390e4ac41db5ab1fc23303effe2f019df130a19469c7f2bcdde8

Download Submit
memory/1200-177-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1200-12-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1248-427-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1248-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1248-8-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/1248-152-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1248-1-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/1520-164-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1520-227-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1520-156-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1520-162-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1600-153-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1600-144-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1600-150-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1600-223-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2252-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2252-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2500-629-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2500-211-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2688-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2716-635-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2716-232-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2912-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2912-207-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2912-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2912-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3004-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3116-132-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3116-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3116-123-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3116-122-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3116-136-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3164-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-633-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3180-627-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3180-186-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3340-634-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3340-228-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3492-137-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3492-220-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3672-178-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4180-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-181-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4280-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4280-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4280-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4528-189-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4528-628-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4652-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4652-231-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4652-172-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/4652-167-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/4904-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4904-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-630-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4960-213-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4980-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4980-31-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4980-41-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4980-188-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download