c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
Size

1.8MB
MD5

fabfe8a052a3dcbf21a431fb85a23cef
SHA1

8a32ee7c3ad97bdc494ab215b06054e14e4422fb
SHA256

c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f
SHA512

b121d664a29326fff93f57723768ef0d05886af1e05255b8d027fa399d2cf79494372714284ce45c94388cb11a274c065901ecb92140f61f21ea4dce31320f12
SSDEEP

49152:TKJ0WR7AFPyyiSruXKpk3WFDL9zxnSFrfPOkhqvq:TKlBAFPydSS6W6X9lnuOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4576	alg.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
1944	fxssvc.exe
4212	elevation_service.exe
4656	elevation_service.exe
1676	maintenanceservice.exe
1392	msdtc.exe
760	OSE.EXE
4060	PerceptionSimulationService.exe
1076	perfhost.exe
3236	locator.exe
4820	SensorDataService.exe
4636	snmptrap.exe
4068	spectrum.exe
2856	ssh-agent.exe
2376	TieringEngineService.exe
4288	AgentService.exe
1956	vds.exe
4716	vssvc.exe
2280	wbengine.exe
1428	WmiApSrv.exe
4400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7107e3e57489627c.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\System32\vds.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\locator.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exec16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\GoogleUpdateOnDemand.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_fi.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_fa.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_sk.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_cs.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_fr.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_ur.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\GoogleUpdateOnDemand.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\goopdateres_da.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AD6.tmp\psmachine_64.dll	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051356361a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b3d1464a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e477661a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a118cf63a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e477661a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0485761a099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000510e5c61a099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe
4372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3208	c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
Token: SeAuditPrivilege	1944	fxssvc.exe
Token: SeRestorePrivilege	2376	TieringEngineService.exe
Token: SeManageVolumePrivilege	2376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4288	AgentService.exe
Token: SeBackupPrivilege	4716	vssvc.exe
Token: SeRestorePrivilege	4716	vssvc.exe
Token: SeAuditPrivilege	4716	vssvc.exe
Token: SeBackupPrivilege	2280	wbengine.exe
Token: SeRestorePrivilege	2280	wbengine.exe
Token: SeSecurityPrivilege	2280	wbengine.exe
Token: 33	4400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeDebugPrivilege	4576	alg.exe
Token: SeDebugPrivilege	4576	alg.exe
Token: SeDebugPrivilege	4576	alg.exe
Token: SeDebugPrivilege	4372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4400 wrote to memory of 2160	4400	SearchIndexer.exe	SearchProtocolHost.exe
PID 4400 wrote to memory of 2160	4400	SearchIndexer.exe	SearchProtocolHost.exe
PID 4400 wrote to memory of 1280	4400	SearchIndexer.exe	SearchFilterHost.exe
PID 4400 wrote to memory of 1280	4400	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe
"C:\Users\Admin\AppData\Local\Temp\c16bafc5c77476387948d5017422350b011f3c838db6b8a50dcebfb208a7a61f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1392

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:208

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3aaaf3c4bde1909c9fbb544a320ec64f

SHA1
a7156e9ecc259f655e3963026feeb07408619ea1

SHA256
e0f98e24988dcd5b0b6a5d72754116f081a94e0165835669f2a268837e7512b6

SHA512
e32f1a4422217368db304e6872fb1bd3f6fe2e63bcab27973e99e5efac049376c993a06e7b4e664a2267c0c1f3d3d148858ca188c52e5b18d51e10f8ad0c846e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
9867c4949994912434aeab22494f17d3

SHA1
57201f35ab847264f63157e6b5f35d2d46986459

SHA256
037e4ad4bf0be2d5b308fd914212f64d9586d994f6bc690b5643631b1a3d6034

SHA512
2b46bdc3d36b70cc4734f435c2f07c336e649828e6a1302680f2a64e998bb732852578458934aeb1010c3ee8c2d3592d9d9b13167b45364f40bbb7a79fd821a0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d7729b879cc7c3bf4e7d4e8ff7bc5bb3

SHA1
ef49d1ab484e827dcc5dd150f6bed34d69fbe92e

SHA256
87a19cfd6f59ad7e026d1788e20764e4fe3d367f99f4bf6bae7b897c1a3eaf41

SHA512
27029430ca10abe6897f3563b05aabe5fcf6e4f54c68778d8ee7d527ed78a9d7dd403da3ab4bdd691b55e85a7d36b79687f79ce7955caa74c555d9c840e9b902

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3db8ae637f8952304832ef5c64ac0c39

SHA1
96346258f4d4fa4bd5ae0d39ed890f2fa62903e0

SHA256
0988ffa4f993a288d1d2b2c4275e6b9af5b367a58200fe6b34c5359d45bdaa60

SHA512
64c4aadd93a51eff196ca492697abdf2f34f41801351a9539f43f0cddfd12eaae07702778895f7b47c7eb871baa9647f40b4a19292396c2eaceb9883468c83bc

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3e5ca1db361e2009e517c0e8880bcf74

SHA1
289b1bc691efb5fdf92420246fb7e9f1ee5a7774

SHA256
56af867e83c4f792465ec5cca72c95cf2cf0f29f3b2747974a6f1f56a039edcd

SHA512
9f9d7ded4084ad60e90170fd294ffa128c1bba9ed24d43f3b50d777d049b45dc241773458ff9a990f63bd846892df3886bbeb3df51f8b3f01aa3d4793edb0f28

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
9e86c61f16203c6b491efac372adb78e

SHA1
792c38ed26813a66ec9b29550d20e9984e62fc40

SHA256
45ed910a5d7213b1b8180cabc7ad9542940c7f01224c116fcf17042678337dc4

SHA512
23339354ff62b7ef9cdc1d837f8cc6b9f9f09def5e44ed3ce892e042d8ad4d08b6c393e49b2a191d9ae45c5595becfda22024e2751145d49f7796a0244ad0283

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
21d6895affdfc1d6a6e6b0ace4475edb

SHA1
031e07294b880133eb1db0ff53fb57c0f19e3eb5

SHA256
e4c77b16291409d48928e2d4aa6bfc9d5df285e21f7971457a37ccb4f8662499

SHA512
571f66e980c1fcdd3ce98408cbed3609317402878f7469df35d678bbc29dde8eb769acb93bd0da71dec7c7b668ca94ec29b8a0a154ac9ac94548b7331d859091

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
59a6cac9360901fe3d155ec85d86aaa3

SHA1
238caabd4775150671c6c1840db16b101d48ad39

SHA256
86c9fd36f232e872af0200bec77c05897c3ec9879953297723072e629c50af85

SHA512
716693ec371249ac1f0e9943cfb2e289a025461a8724acab164c335ae22edd1c2c1d850e09bc2fa64ce63ec306c28e3aba9399ffe5063ff5ed1267686a108563

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
e89fad76b0ac24cfcae7c7d4675afa19

SHA1
cc650d0a08069a61c57aab83deb7b8a7a3ddf7fd

SHA256
6e8bb9fbd90317dff37c6747bf4c1d593e496b7129c46080c53c84cc77c2bfac

SHA512
e95c7d785d602e0c47441ae816ca8368a25162a882d2c4381981487837cb846428d878e842afed0f55cf1c8d367f7ae192e8daf388b4943af04a62129c49908c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
66a3e02c306a62fb19d2ed19be418021

SHA1
12e98b38baf1f7d657336865e0075ca477940fb5

SHA256
f34f1da72b4ad7ac0c22caad98b5e0f3ac39d3e1c79fa3d56065014ebaa2fe44

SHA512
c8af17b07c61850337a0de64d1b2cb8217b33e13295dddb5cb5064195610aaa1c0c0833853ea0429ca583c36018208973dc3a4340ce9b55c69230ee0a19e6a9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c4cf4b8c574855c19d715b45a12166d1

SHA1
5bd274fca9a040b1103769c76049ca35e2fd3e17

SHA256
64229ddf1c017eea803fcdc5cdd15858b279401370e3b23a42eb182d95a29c35

SHA512
75909e3184acbefa355df4d2a83aaf7b4cd42630e92fe2ec21ffad2585ae31bb775c069c20e655e13a4e48b6218b6bbc859defda5c0b69ad1f2518a568092668

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
083f6d02b31eb9aab2477df00571082f

SHA1
78883bed50223b2de1d26d291a8e6279db43829e

SHA256
a09ec2fe2f80cd4b640cea482ed477078816c86c2fab6266612adcb62ede50d7

SHA512
2847ecd0ca43c033e91e9d5e8517545d09e2c7a20b142ddfe89b2a6234267fae66bb25d33b23f06b125c3d99a7e657a03353b96a1c588d4fead11a6b640222b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
e3d7d0a1bd1090864848ed60805f1a0b

SHA1
76323eb079772bb92e55626cb33e7e367e7a5035

SHA256
e9b4b5cb4f4443b963845ac3afd26deb4d01d003dd87f59e2772f26939f3d6e2

SHA512
45d20bfac7959ef5d0cfa57b765016cb741cb99d7451320f67c11ac4bb9bf3fc1dd3b8203b127d066b884ca36503eb6dbae013fb03fb2eee741cbc1080abc7f8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
e062ea34e8b6b9a50d5e0d0d9e7bd5be

SHA1
46baf72fe80adb4582b37e53b8e87848c876679d

SHA256
4c6ff3db6750404a9db58acbc9e5b926d4fe6658830a5f80cf7bf629394493f8

SHA512
21b28e4567c315818df6cc81e52a4e07850d396c3b4f5b23890a38fecc007ca1e816fc0b3361a1d4caa05726aeab8d713882d78280226fee8875dc15a98f5fd9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
13cf669ab39abbb55d04bb79200adeea

SHA1
009ee9b1a115cfb87e04fa6ecbbe0e093e9fc81a

SHA256
ad45df7eaa4cb79ad6071d1ab8e13c823280c2ea0e2aa2d28449610f07ac0893

SHA512
b82b5ff5c48b9d65e56891d26aa46ab50fe3cfd1100cf3c6da206ed924fada4046404c8daab986c6b5494e877c190868533958c5b3951f154ac5560ce27b0ada

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
fb7f3224bbe985ff9edf6b715650405d

SHA1
bc8c1496e9b9431075222b2e0857889429df3b9e

SHA256
4f8aeb6df7a49b4dc754732b0034323779dfb1e935c89644ef351b3fddf0de82

SHA512
ee47774a24b3eecfc80441184ecc1b0bdf95d91aefcccf43de735b3aa2750f2f851954ee2a0007a45d4cbb69dd7f251e5227b9cbe9f8015736978e0b7d218b8a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
cbb7a2bc58f9f1f8e8f0d4917509c787

SHA1
123ebb4a546a220bd9bfce748487ac444ad747cc

SHA256
bb519db929c8db7ac50d512ea0a9c63d971862232e81d26b80485c201b70808a

SHA512
b358d2e64049a372fbc26b5ccc51de5decb442c639844dec34fae4bb1caa5260267efe111c99665cb448505c2dd011124c14bce09c44783a321c4d4d1a497ab8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
b37ee922151feca898d3e05018fe7c06

SHA1
1c396c61704b84225a891b2038817e522301e56d

SHA256
06ac7f954fdc33bc85d33aa241ee971acbbdfa9febf51f654af6a26bfd14e635

SHA512
5f499beb517a4ea10de936fd9229dc3bc50fb8f20f9bb7e3adcb051e151b7db48f05b7ef77fb768f1ea85932dce9a0bbc9128cfca246ec17625aafd75ed92929

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
3b93c4f742f647da0840834dd288d36b

SHA1
099edd28a1be4b7cff6becae829237cf325d0f3d

SHA256
34abf6eeb60615a9e7b4179d0b072df224bb407268001da838f8b34d2c5b5a00

SHA512
d4e2dd147c8a37f58c8adba7a85a4cc896c0e3131c33e8107a8eb41d0cfbf88a16dfac4328e863721b834f8d26de9c38a569c4e5f3ae1359066eb095d111af3a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
cd22c57756fbab4479905d8f4d7f21eb

SHA1
bc8e8fb17828e41e875c2179d41995e13de86991

SHA256
98a54da398009370b9c515fea8dabf3ac4627b66cb514f659458cccd20229200

SHA512
21f66474c8b1b12c7886a9011a110b6e16456c430b98858ae65f3b95eeb963f65ce7d878c9432081527984267185c650075b26e6f0b4c4a0102ca9f80c1ce151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
7635b96a21ef6f4c5ad0adc3f36921df

SHA1
c0a83ecad1289fa29689051fee05c51ce29adc7b

SHA256
c9f1555e9d9541f9d5951ed69984d222528c203f4af3bc11fc60c2a00bd45f27

SHA512
7f2ee88d732c6168fc195175cf04adfbdd22dadc4254090c2e9a3a0f7c02f649f419045cf0e91e24278308d60e814bb99582c3e54231c3622ada1298fff117e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
d2e5148bd69ab7cf9dee75a06756e2b5

SHA1
5751eb3eb64aa3395888bd98ebc49bd175f11fd0

SHA256
81b17fab53324c710e7713eeb9d77e8a408ff354746349f1f5e8ced0c0860503

SHA512
ed8e4caf900a81af316df44d8be7e22d008c37cae1a615888cdb538b84a72867cd863c677b1da4644c545f7a4bda6a682a06016eb0d384f60064b0ea40c16b22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a1278c02cc585cb636386c9223a82717

SHA1
f940643e43de94d5e2b0a1ed55d6617b7439821f

SHA256
4600ca4cbd863243c14f8f35efae9f3d2fbe96718f02817fd9ad38bc12eda936

SHA512
ba0706590315b485d6ab2505d1f8dae6e9771c4b3847aa059d33d341851e9c33b50f0bfcb5bd538d63c8ab0d33e92f206f7a59387935a81856165ee97fb99ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
f63c9af6812acf73af1b2a5c54a0e791

SHA1
6786c5eb84695c30f1575617d6e519d00bde975d

SHA256
a71ac2571226c1a23373f705d037e8c8ab60a613fae8ee9af4d7f7f95edcbcd4

SHA512
74070571d2b9443955d055c03bf1e0d74f48ea393f905d455b253dcefc98fbcaa4a124fe7d79199366515c3336d0dbc95683c041c4c514722ad96472bb1055ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
21e53922408899f339e99c35e184f333

SHA1
797aa37dd9e72c4d4c878aede1346c6dcfb4b399

SHA256
f10ddf3c4b297eb584109c0387538b755b14b731481f59c699fef0c8b5184fa5

SHA512
404a87e0a088f7d7841b88ada28df28fc41589694cf1e7a5bafd162e1146b2315dcaa57c971aa1ada560dadcdfa5f8985d9cd98e42f7289933ca2ae8ce99771e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
42cbb21c2c1ecd155951573ca998762e

SHA1
3cc0a952a46d54f34b9e821bfc95f819ca0f9166

SHA256
4be49534e81ee80718f50d201dda70e5e7339b3a3d47bf242fda7db5fe53dead

SHA512
37e6d40b4a770a60c3c2d66a41877ea4f60150702c2bc281c0f5f29bc79d664a91b34c029ed0bba605f59ad5492ea4eaa6ca4d8eb0d9e5b590a22c6d9d23f3f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
da0137684f0fed5deb322196f1053d42

SHA1
23a06770e3d803c5e3a7b04c7445c85fec28cbfc

SHA256
4722f7c726b0021bf77f3c68fb496b8da7b02d72d62ab040d571feb2eb059a3b

SHA512
a6a4311ba09f6a8d5293282ad9c05e644a51aec9594b04bd8f60f41911032db3cf07ab91a56ba0608c26e79a5738971f7b391a29c4f69fdf0a087bd39f960430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
a1409acb452bdc5510b07a6a2ad65540

SHA1
d5bb1f197489eec44b61841ca4d78779f41f9372

SHA256
8ece844061ea9f1b44490a6704b1dcd76c8d5710fbcf0e346886e665fc8d4e53

SHA512
9404fd109fc916510ebf1a1881cefff25f3837062f6fe9066892aad8881fa9777524fec7abfe58fcf706f43cb004c06f4b72df0576fc2fd8d9eb2a52c815df04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f8b0eff04a983cb8998eeef22f0a47ef

SHA1
8cbfaf8fed069476f9a6879a67bfeb77399be6bc

SHA256
0fc4d01e2ee402e6670321552f8934734fc5f3dc623bfd273ddecea0891cd899

SHA512
4707db74614c693f129be3129e23f47bdded4c68b16baed6525cf6f138d35fdf62fb1935b535129dfb07cc99d699527d090916817a20e2abbcf2fde252a34217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
e2a8092a869dea090cede4f345c818cd

SHA1
7c602d7c8fe8acd80671792888bdaf690515ee65

SHA256
93389b17216cf28431d9bcf228944c968461915869665e3c5e26f37a2c19cfd5

SHA512
00673b9bc1529a5751338bec49490b347c49ef7c6ac575b574533ae3a4bae14a75558570f41247fcfd4a58585b5f197219cfe695eb530f4a140cabfaf4bec95a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
d148c98fc52b995eb129a34513e64edc

SHA1
15a52dfc2110bea94fa8a9bbd7b997963b077985

SHA256
0934c50ec1edbefd3ab710a1e24026207d4f0a62a364b6eb051f3682805534d1

SHA512
67974944a6bfc5893b32312f7f798db1d1fadf385efbc9a54b29a4496bebbe2461098b46859ac46294bd09f7c7c525ed458b3dbba4a7933301884b2ea1bd98b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8dbac3996a022f5b1270a02c34de2cef

SHA1
dfe9a8009c2f3cfafe590a48e92fa7d6b6f5a259

SHA256
337a325ddebeab4937f10ad4446f8a0565e42cb622fffc821464a6dd2fd19472

SHA512
2f88f51a149a3d49eac6ddd0d799a5aee366547760d04e6eba58a22faf7e2d3623330113da2c71f3ad61547b68b8578954ffb12c4ca23d9a383f7358238b32a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
fa49af8dc342da17fd5843f3cf95f644

SHA1
3c64994060976e2d6cf85d49a0de1d340c6c6f32

SHA256
c6cfc20af16c4d9ef6ee1eefb028752b5547174b536120e1068d448a55a0100f

SHA512
e28df06ff1346ae45c50f7db2f1944197c58550945fb559ec8ebedeae69526e7c4ada72e049b2a20c71e4350f96410a3b3481932437addcf78f9380395136c97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e229f0e4e858a89b0f5ff0aadbd7aa2e

SHA1
0ce6eb37c5ed799aab04e16a83155cb15a91d9c5

SHA256
1ddc457eb9dd20b80ced3eb981202d864de68214279b6b677fd2744d6a70b32c

SHA512
b3ba38270268c579bf53fac9c04ffbc52a67d46cf22a8ec74077858fe59e2de03e0549d566ffbc13acf2576c0fe00920e0089a8a2ecfcdc2289885a95ae02508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9fd6580f0f25655fbe129a9fae74387e

SHA1
6c46aecf5518a727c27843247d222e0d42893c32

SHA256
7cace1526d07c80589fb6279ca8e570ca0cb4bfc5d55add027142518f1dc7132

SHA512
1e0dcc19398955cfc0792a4b126eb9f8502f51c2b152611bb983a85698cbf0a1e08f175876db57d469285b6b169c80c6a0bc5d7800d3684d4c75311d35655af0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
93959b7a4d0eeced9c7c731d7de33aa6

SHA1
9bf04396c5de29791e75d507fb74e0afd27bc1d6

SHA256
67c6e592e8992ee6662b19f4fb80d7e57805f864a0b0e09b6c78a0140147c51e

SHA512
0b3b4477b5b006baa3e302640a269129e5802635e48fd0bbbb6a44bbd532a6c0a20f19d29163cd4243debd0e2348d98d4ea4c6ace6ae2bb91630286cdfc1f809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
070643c74524e823f5fc536abaf20409

SHA1
c7c0b32dfb5af31e4be7c7c971cd5d4e9a597d70

SHA256
3bef0dd534ed5a402d21729adcdadeffffcae1e037040cd11c15aa660accc276

SHA512
782419d0b83939c15271e6a3377c46b0c3cc06f2118602e81a5942128bc4e06e63ee083b3bfb212fdf19ab83e5df0285b8f763378865873023f72f002dae47bd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
5b559d1abdab5ec5d8480d7aebb24c9c

SHA1
642176c3df2f61d085e31030a4f0f81aef7c43ff

SHA256
ab0870fe3a9eba2a6dc9b68688fb9358e018c03daaa6668e48688fd0a6e07746

SHA512
a7fa322ebfbd5faa0ea4b124661ca95267ecc30f9e26257233e4f3350494eeda5174bb406208d163a65dc47851ec32369d9009daf585d12fde614dad30fb8f00

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b2bb65aa42ca1ddff9a5e6a14e3cbd96

SHA1
128fe2b9cafdf3b465e6c4bd0bb443b23c0dae1c

SHA256
98021f33472c904a59d5d62414244e7f53580ceafc7c590219efe3bada335a73

SHA512
281b4dbc74fe92bae7fedf544fad83cabec7bcef673ae68eaf1eba34b14d96fd7dfcaf16ecd28ff152e6a5958283962fb7721a1214a5ccfa8147aa579488f49a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
c61ee939e1407b5c333b89787630fff7

SHA1
88f67b5f2045f18799ac2b2b1e85f3fc1c93992f

SHA256
649e915017ddc728337b898943438ee60e1cfda3e3f25aa8bd32dc5169339812

SHA512
89cafbf397ff592ca88a6797eb010d107388c5986bfebcec5d4ef3a5615c472cfed30cf45308edb531afb44150a3e495476db4b3aa254e80192717c2ee39e10c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d5c1d8401765e6990e6821e3768c874e

SHA1
d6ac28117e298853a95e088361c26123663e581e

SHA256
ffff0c7fafe4cefef205fca1dae1842ad383819650041d168f7e4cb6b1d8d8a3

SHA512
a08fa5e460ac707be36e390850c68805c23ebf6d76cc1e0d0a5f6e538b0ee0ddd268968f712ae46d44678e949703b73fb70dd5b99212f5552e805e2c61add12c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
20d4f3624f2d77554907fb15d6e131cb

SHA1
35859816ecdac567b9dc7dba1505032ab5a51424

SHA256
daeac1e64748716ecc7aa96cbcdaec1d46748d17dedfc23089397444f0a9e01a

SHA512
c582ccff58dc8446e4ea3ac96c68e10925716eadda5a16d1bde31c672da0b3600bb43c122bfb3e96ee248875e32b9ed9c2ea2a9001df0cef457cfcff3aaaa30d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cbc6efa9652702819655a419790d875c

SHA1
c780fea658d84da049ba6d1c088fc7d60a912ad3

SHA256
9aacbbe51647b387f2ca174deee23d47078731767995296f8109475958e89ef2

SHA512
c23cae85c582578be5788a2e8c1b4254fc2218f1685e2f24285c4a95388d107301c96fdeaeba8216f0e8ee69f3fa167c966a32dccc4aaca553ec4ddbe373f028

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
563a1ed37d0ac6323376e2e69de34900

SHA1
13cdb52924a18eedeb30588244360e017fbab192

SHA256
8390d5b5c7b21192b233a3b30e30172e9a3a86bef5b7836db018c99029ce8f08

SHA512
e28af2dee0aa88ef55ecbc2b625afea945ff56e1b5c85164030cc73be9cd22dc7c59c0066228c395c65e5f1f570c25199a87b3368e516ca7ba48fa297fdbb2e3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
21f1488c08be98ab9b742fdd9e6e97cf

SHA1
f86e71928ac68304a4b859ab3743063ca61a3636

SHA256
0f20ce60350a512cccfae1f83e1f38c9e00fb15eeeb210cb3b034d195de766ab

SHA512
f1a8593668bb9b7ab9917925621700ff8b293397f373a5a3dd00eb83bd5ba0136a8219a98cb2dcd9724597dcd7179b400fccd7c896453c173699932d1051d766

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5699599bbbb949a3010e46020d3506cd

SHA1
9bf9b42ada21a72b814cae611077e3ca67ad49c6

SHA256
b5629d0afbbd8918d45a2d040e4d7629936e8009da7a7a189d5c9b2f6f936d20

SHA512
470985ddba96230a30f17423264012d7b2d5814cc3bea38efee4d21bdc5a1b9b16dede268b57a869e70e0aa019c8bbff16c87b150d0c6dc6fd39df7a062a5483

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d3ae9b80ebf2a9dd5d9e90d22cd6bcda

SHA1
7d36c3f602bc6a6178ba0b0c9bc73dd510f9981b

SHA256
b653c7bc9fa01a860d82fb9c8cf53f48007ad9e0b643f6f95e970ec59164f871

SHA512
639ec83dedc5f5bcc80575bbc84abf210a612fa7b5655410054f792472ecd73261cc9232c877665f31594cfee6d6dce06d2f5314a04e1c46994bbceb8449747f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0583ae26abf1e15688c86958b34c2410

SHA1
02d160690f66cbd836f037f855f3c44df4d5b343

SHA256
ee03e2af796030c57d01aa56220869b9934a0ce429d20a32768c4a09d6bd8bd2

SHA512
8bb7b0f96559eab446c251c1b1456874f69aac89fc852873cd69e0ab8d20e48f8f2195f13a07478ed038159472b58f60946cedfb700d57d4cfe5e5383d573561

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
67e0b6329edfd9e8254af49403d190c6

SHA1
fdd57f2d69222306ae4bb80abbd88d873281c40d

SHA256
3a2964f4c1a20dafc50cdb5fa4f16020a80bfc60393a8122e41f48a1c5bcac80

SHA512
6a6ab27ef724287b8fb8cb3ab5d56a66e7cb66e6593018a159c28faf0740f164cd51d381aa8f40ea8d20066cfbf64c8b61a0afd9e928f3326ed680efdd74a769

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
92e0dcfe73e7ee15a049b571f9541b40

SHA1
982777124d6db3048db5c57a79aadda6233f64b9

SHA256
4845f58148f1d81380047d0eaf33d9387903d772c821b2a2b8a20efccf19f23c

SHA512
ce51a9529d3b0f882b5212cc8e83054599452b8d6abce333c1597cbf1b72d91550019c34805797c7c57dd2691f4f614038f81a9fbde4c7c02c641a3d4dbeb53e

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
cd3778838d454c32de190174a03bab7f

SHA1
e9fec2c14598ffe03d677a95a5a4506ac2a80013

SHA256
11637da81574be3f5b91ce4c2e85cf2424cbb963f19318670079eb551e1208b2

SHA512
c5704ad9a10b65b214c915bdfeeb31920468696114340e03aed5bec550bd9455d9ee0ec8876a873cb68214822028de7fa087c475b76e5b96ba5d96cbb7da17a6

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
93f5964799c8cf81007f781deff10ae0

SHA1
553fb84b150d1183af2f2e11bcb6c45a37f14fdc

SHA256
d69fd66694c3409cf690c10d1a9a24f0234c6a34887183df40c107a83a57fbf1

SHA512
ba07082b98b9faa149a7b09a7011222de4d68916fe0d72ccd3e94829691f59ae6efef3f188ca476f5889867b789ce1d02cebff4b678551b44b74423f64396937

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
c6e4e1803ab0026543f3f2f8f6708aa3

SHA1
012040b2e6d1e8cedf20476273e684bff14dfd79

SHA256
d34f0630d905ddcb3be3b2363010007df33e88dbcd380b3dc9a673003923526c

SHA512
038d4fb76896f70e252f5560f4ff1bc537680538ebcc1ff00e8e608aa135a594bb5e7e35603b7a5042376819ac38f4c07e7d31a10a535ae6eac8b52231d30a23

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
b97e832dddb2373ebf96f65f4b20b68d

SHA1
8cf7b0ce54bc981a7fe7849df4d0e9dc27f917b5

SHA256
746e4c9810c85153eb63c0a9b1d8a5bcb7b67f9dcd6673ea5840c1f6a33a1e49

SHA512
5ee63d0cb861026102e3b27440666db75064004238cb27d5547c8109e23dbd93a20497075f0ad63d3ba73d7c12bbfa3786587a1aaee3b45dea6d1a4abaeff2ba

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a159a94331f85b115e83c5b4289f7f53

SHA1
a40a313f7080861515e06ccc270746ce6147faf0

SHA256
1d823e58f45631ab65a4a7bb4a222846bb5c473267b705b3ccfe7b81e05b9d7f

SHA512
9f8ddaea6a2f4747f2e40071772bdad8dcee96a78ada0731152dc8c87ecd29ab3f6d0ead33d41a9edb60e10c3d6b7fa09e6280d245722d54185ffd657a99ceda

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d46c482b2820ffeadb511aadef2d6294

SHA1
232cf2a449889ed89870494f58eaa84425d291fd

SHA256
19ae8461deb0d5996173bb14b630c3471f2f38a9d08c7d71f905809806285191

SHA512
68353d862d2a323d4905f8e859cf1576678fb98635cbda373183b43f321d67787b5b873140c2c185039337d2567d1636f265a10f513c12becaaae9be0a6437ac

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5cc3102cfb7c0494b2f7b341df9c8775

SHA1
ff72bf2add55ae6310ee26ffddc0d476a96bdfc4

SHA256
771f6453c51bf61886fd82b2f9cffda34ca7545952a485e33d5afc143ffdca2e

SHA512
92534d9799b6f1c0fd3c25a948518dc2f96f203dea4818fe71a31350d74dd0ab547edeafe2c4c32fa0bcd12a792c5f7e8bfe2c237e349093854a15aaae2040b2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
64292d0ae9550321855d0d5ea2f54ee8

SHA1
9e924206c7427cfb3f27c30008bee97f616d47c4

SHA256
4f991135b9409c6dc4c75ddb6618f9e4c954eeab456f94ea316827907d444e04

SHA512
946f348989f39e4636fa1c3fb32a0923b156e9669808f200bb57743966e86f904740108ddacf9bc89cb89eb16eb5d4d83ae694785ffb99da7f2ff84e527645c0

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
0afb55d72f113ad520aa50f2801ec094

SHA1
6eb91311a854b394bd3c126eb7e729be882377c8

SHA256
c8594ea0e5633a5b76915c3f096b6c0b8a1b262a4952ffcc8a6e097fd6e48804

SHA512
2b9f7f827194b478df3ccc7892a8032fa3f667525f36ca4a1b7855f4c3f37f1ac70e2fa756719d20a49f02ebf3f50f7f5991317b6f1c0038f3ba9f7e14acb755

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
8cdd2b98555850baed815eb870eb1efb

SHA1
24c1938cd79235d6103436a31327401e86c751c2

SHA256
8fb42264942cee2e39321597f3c7e8799e86e334491b69d8c8351ffc6477b6e3

SHA512
e04a6e2bf321d1d378676e58eaeea8fe942b4e7bfab7fdbb83e226c13cea9ce2e0dec7e5de923f1882fa0c27f6d46deb22e9af1d90ec098409d84bc1d69ba56b

Download Submit
memory/760-287-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1076-289-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1392-94-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1392-286-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1428-724-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1428-375-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1676-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1676-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1676-90-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1676-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1944-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-37-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1944-56-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1944-43-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1956-372-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2280-374-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2376-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2856-336-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3208-612-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3208-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3208-2-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3208-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3236-295-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4060-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4068-298-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4212-60-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4212-284-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4212-66-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4212-722-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4288-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4372-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4372-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4372-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4400-725-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4400-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4576-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4576-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4576-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4576-719-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4636-297-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4656-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4656-285-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4656-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4656-723-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4716-373-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4820-667-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4820-296-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download