3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
Size

1.8MB
MD5

16c92073d0b0021f4572f8aecbdef154
SHA1

a94d0ccb8e75cade1d512098f0ee2046637940f8
SHA256

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b
SHA512

ea6e0f540ede04e71dc8b7105116dbdb76b81aafaee100068a59d6714338108158e22d65c4e617dc72c08bbcae001432cf62b1794740eeacb95855f1a6ccdddc
SSDEEP

49152:xx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAdkQ/qoLEw:xvbjVkjjCAzJ+qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5056	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
3052	fxssvc.exe
1572	elevation_service.exe
2132	elevation_service.exe
712	maintenanceservice.exe
1312	msdtc.exe
2416	OSE.EXE
3648	PerceptionSimulationService.exe
4300	perfhost.exe
3184	locator.exe
4204	SensorDataService.exe
1848	snmptrap.exe
4496	spectrum.exe
2540	ssh-agent.exe
3344	TieringEngineService.exe
2572	AgentService.exe
4876	vds.exe
1660	vssvc.exe
3480	wbengine.exe
2172	WmiApSrv.exe
628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\System32\vds.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c681a3e27489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe

Drops file in Program Files directory 64 IoCs

Processes:

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_en.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_ml.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_ta.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_it.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_sw.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_cs.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_ur.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\goopdateres_da.dll	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3BC1.tmp\GoogleUpdateSetup.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017f127c1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b62c23c1a899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098c63c1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa6bc1c0a899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb8d44c1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017f127c1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e47e7c3a899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015b70dc1a899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f776fc1a899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
5104	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3148	3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
Token: SeAuditPrivilege	3052	fxssvc.exe
Token: SeRestorePrivilege	3344	TieringEngineService.exe
Token: SeManageVolumePrivilege	3344	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2572	AgentService.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	3480	wbengine.exe
Token: SeRestorePrivilege	3480	wbengine.exe
Token: SeSecurityPrivilege	3480	wbengine.exe
Token: 33	628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	628	SearchIndexer.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5104	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 628 wrote to memory of 712	628	SearchIndexer.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 712	628	SearchIndexer.exe	SearchProtocolHost.exe
PID 628 wrote to memory of 5080	628	SearchIndexer.exe	SearchFilterHost.exe
PID 628 wrote to memory of 5080	628	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe
"C:\Users\Admin\AppData\Local\Temp\3cc3f0a4bb40c758ad44477c80be90c1b61ed1139b024c690810d9ae9293064b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1312

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1696

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:712

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
6a177a8c4cccf6abbdd510e02140bf4e

SHA1
67cbc8c65df635740568655a8a5b43a21bcbce11

SHA256
5368166a96c6122ae22c865817823e02cad78cff88acf738d5c1a07183e50d7b

SHA512
bf1764902ae8cb4cd3b0c4a2f3c1a7f8af3cd5c63d850523c3043c345aa04742e4b454c528af35966a87bfcb808c2ff1ffeb76fc843f1a3848a7dfb43fa87919

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
43f9af71f8647b8a8d3173f90e62e84b

SHA1
8a3c032633a5e31caa4c1ba4a00d92d740350330

SHA256
38e6b81e48557a9bd4d3feeaf573853af87465510576dc82b46e2b7337250f3e

SHA512
a58b32ee87deb8f4053bce0c5095a58c0cc3c706066a9c5f3d08e6d3e6d25bbe75c7f99969654aec01b035d493014209bc13060e0b0ef87a6268466c7d202b23

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
5d84168a68cf0559b8b9d451a64fbe7e

SHA1
1c877b80902b426a0d7e2189b6c5294637918f68

SHA256
9c75285f8a1277015f1111955ed92c90dec5073a781965d72dac5797c7504248

SHA512
b8f5a98901e1ca800bef06c3e4653883f333edb42bde1b3b3670f572c647e486396d146b9804e387bacd47b3a805658eab35a70176dde24c329703bbfb4ee163

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3512ce3b75b43543b8562160914922c5

SHA1
96688fab8e6337d1ffec13e234e2a81f81ea4cfc

SHA256
c617013c682775ed4ead306770754aee6fb87c250ad8e9cfb38497581fddde77

SHA512
71e03477d607a7d93f9d18b52768c4a7a3344040cd5cedd8cdb304f6eeac9a571ca6eecdff0bba0425fec00fcac7d3d8636748f71b0fa5cc49c4f0ddd8f313d4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ca9b02f6f5e7b21a20338d7f26ccdb61

SHA1
b4270f78ff86f19e905f9d1ad969724e141ebd95

SHA256
f9b6378e1fc9f82704fe980a3b92c8cb68954b9d97b3669fc003745c21d866a0

SHA512
ba1c990c4d528818359047861e14125af5164f92aa05e433630027aade58276f860e675ed2a5189166abb66e87028302f6f3aacaa12acad2676808187b970d59

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
7359b7ae70ce4ab4134cd03cc7237654

SHA1
b2bdb53c1cd6c2098b406b9f761ee3fc42e19af1

SHA256
46c4f827f274ec19a19d0e0b40ad1650c88b8549fcac4580d24449da0d8c84e8

SHA512
11d50a62f56e5a892f0bcb4be7f3322e6e1b61109cf40ece1979a5626350b671ad432a97174b89050c5d2ef43e41e0b65fad73d6de8cf5f4501b90d093f9964f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
8fe3f254acb4b8dd3c5894d2f5f6f5c7

SHA1
b230acb3d188d6876efb62c8e568f1796d4a4bfc

SHA256
ee9c08b1c10f9ef642c6e4b2bdee4b64f417a7c89cd8eca11150f8f07a6299a3

SHA512
b251361ee1abed0fd9f7a1ee90e275568152aef12c2d14c66de2c738a9cf2a06bb4cb828384008a8079f2d9d029451674d78d471784f7bc6d8014cf0318f1736

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
054951bee3f603ffb5fa4d20d563b1be

SHA1
12a2eeb6d41da22e8e0c79eeee3fd1e920734fc8

SHA256
b3aa7e164e5f65763476750b95685a4d03a97444c6c14fc208cd7158b655d18e

SHA512
347dd13d2e83c0f928e2bff39848d48f4cdb58a2b5c265b635ef94aee21f7433551c2f5c2b2971334b81c510592b9f4e044a593305b29140e36eabbe9044fbba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
a0b3a196d45b263bd7d01d4a97ec87a2

SHA1
81d68fac929fc069e977ee793a54e929ad843061

SHA256
dc5f52db95e956bfed397a03f08964b9c94344ce9b51eaf92a6e6ae4200375a1

SHA512
2ba3f43bb2120d9be422fea60e96a9b93b17a6008090a1f50c437b2c012bfa80fdc1e3c17f1474b5dd6a39a52fcf5441ed8137403a94b68dfde6f905fb54eae1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fe6c73d90ba81b441f31cfd86fc37f5c

SHA1
039491f9448d1a7d8b6d1fb51354d6d75b417236

SHA256
61c51ef01110d8fedd622f44a842be024d64a797273dcd8cca0065eda74c850e

SHA512
4e50e8d5f6e80778c3d46b92923cb81c9f2ce040c1f2b352aeda72bfcb721b76051384a25f95adf657c249b3ff08a2a374be5cb0aca85c7a6b6e74e7b38fc2a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ea8e00dd39942f2ea03a571b7d3e23c5

SHA1
f04ffabba99d23a4888da73daf810a041a3d2ac2

SHA256
9b58b7258ac4a3e3064462b89829c20c9cc25b69669c7e01485cb4b3c3d55da2

SHA512
0dbcd0a5901262eddb85667ee78d2d5dee98dcb02de9951125e20c6e735a8f5ef657c7d198bbdda9928b66badab9d80e3bfd27f0909fe1122fedef9267707579

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
94012472c183fcaa6a5b3e6162528fe6

SHA1
747cfbef60e81257be9b2b6a0264c364f0bd0598

SHA256
7b6a293bff764f287b107edf1da3164417eade5b6f45be0f7dc2254612e17d9f

SHA512
c2c7db328bb48f1be67590768ad4c9c0338caa9a3d2240e735ebc1092b805dabbe6e7ddec100f135d517f9e143545abf9de963692e5b3175e6a5bb2b5c8afc9c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
e3362daecd8dc2489346ad6ed4969f14

SHA1
d2e0fbeeebadf3205cc7819540759e739ca6a92f

SHA256
7732e63cbf93040afc0bb4452af7c1d7bafd795c04d39c3f12a00ade321927fe

SHA512
f19b5dc7169946e5fa4617c0e227813d34fa52c7763178198e3b03953b65402355dcbb88d6b70d1b9acc19d8cdeb4199423c6700d899abee5c450f1f700bd6aa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
e364e3b9480a68bc5b453967a452f54d

SHA1
f4549a9f4468acf9f3120bed5f97c648fe641dcf

SHA256
eaefb5edd638d24df46f106c22b891f2bcb015ae7382b6f5fcb443094051c8b9

SHA512
fa5d4a7e9fc4a5b1c44d25c0235979ae3c5ec6396611cbfb0ab21ae3ad724efb3a4c4220bce72162b9c47d8d9548309e681c9710ccd10428f17344427a486ce4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
23ee58fe721dac6443242ed40b78862a

SHA1
c54a807f6e10652efe771cc06862ba2161fb53c0

SHA256
57378b6630ca402c45e983e2e78f3451f2460be06e43357eb162b10eb2d9bc7f

SHA512
dcc7c84caba25414934082fd5ef3227a4206db5ff313580c0cffdbd5eb7f0b24f677f4f612c678101548dce230969b309f561f8b69cbc11b8acb3ce24f376217

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
d81f4a56e03c1c42d78d8bcd8850acc0

SHA1
a5e90aeaf0ac9782a0aeceb593dfa4abde2b0d54

SHA256
7408cb945e52ab7fb2b8d257693d0ba82359e7e1319432cee6160f236e95bd8e

SHA512
cba477963f7b727ec7de9c17afde10631093b266b7cd85e848c68a1e470692815d3a9e1cee7bc1bed268276400e5d39758a14bec27da7f82c0e71cda57994c6b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
3766216b0301f0833501f511908795c4

SHA1
25057ead9bba3baca0a37a3cc35c2439beacecf5

SHA256
00e234be5e533f757226548d81742467ba0eaf9ac600d69b039dbb09f4e23ab0

SHA512
19d3267624aa788fcc18ada60efd6e056bee54b039fe1023bd844bf53f2f97deebb766cd262082b402171fb54cd9e66c1e2ce91233faa3d320a00a9a2435b2d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
d06e141b3d24e10056d733197b785363

SHA1
5d5379b015ba7b2d0aa3d143f34bb685b56f3960

SHA256
4418eac864a10ddcfbc69782deb045dd653700b2954f3c69f16e62057a7eff63

SHA512
5cc02a8bdd3ab24e78f76b456b454be7f0798ee2d18529b787a2a8c4392bd1861f64d7801aa1e5460e0a59ada68b4dfd291593c6c2a2f15ed51121d95a6ed49a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
306a9edef8a70fb028da1cd7d87407f2

SHA1
f5235c145cf596c07cf3601f79014dbc634a12f1

SHA256
29a5e38354aea1579ac7eab46fa899bf08e22453a6b341973013388636f1ae15

SHA512
77ac1d52f2c58f8c3ed404500eaa8b6e8e311c9776eaea9a127cba5a0b256ab613e7ac6db11d55188895775bb27315373032e85711e7b427ab03a945ce22876d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
da9bfa9304519dcff1fd8fb9bc08fa0f

SHA1
113f0913e42056c35984580d5249827c518f48d3

SHA256
07a7c8767b5292dce92ea536323d8dcd173d6824ac404a6c686cf54d9f1b8cb5

SHA512
ee4c1a3158d36caa8681d97e61c72f5e38ded618f5b368a078f752183413925fbdb1489f3a4d0a8eb02899b8bc5fe0723196a5ce3ab57ace1ea5a8c85fa6569c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
a02bcf40bfeea8165b4e9b77a2125842

SHA1
587c5d45edde2098d9653ec0b7e6f599703a1c12

SHA256
628b7be7ee04b7b4ad1c798a45be634b05c9cc168ae52eccc724af13d28be99a

SHA512
3b77503cc08a3e81793d633bea91fab6a34b2a22aefb4c21578f976cb199b6d85b91fb51a64798a1f2f8e47b57ec474f794efd8b68a198f99acd3188fef81da3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
ff97630007cc5482dedc30b8320a4f4f

SHA1
164c424f20ed35f507bfddee989124e4e716b9d6

SHA256
cf0947e4c6834cb8d1d7e5d8f45f526e83c43c25ef832b4f80aa5b53f13e6a61

SHA512
c81b7dfb3c4eb6230fd989706281c3ba63880cf97c898624adc71161f9921938ff309d9995238dc32d80f47bc4a2cfdefc90f57c1dafe95bc2d28a1254bbee15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
60186f2ae50f10ef465e6ab177b2fd29

SHA1
e39433bf4e46d5fab001750de90992e2b403e59f

SHA256
6cf3b6573d101aebe5663dc088945e4d93d50a8384f7109c789ce6499613b1d5

SHA512
d86b64ea6a5ba033c217759764b32de5799be4633bbbec726114e95bd8406fc9781fb11dd21817979836e25b7b2754ad42b0ec205280d49ff45e8ced0078ea80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
fc678e47970c192a5721d014009edff7

SHA1
e471056054996907aa9f270bc65721e0eff87e24

SHA256
c724f4e0397cce2de90b745aa427a6bf639cbd037a6824515b2dd03f990046a4

SHA512
81db337af3e4cb0c25610137aa03ec46739ba0ae23a9119d6c2a0c19f43d846000d82484dcd036fd5f50bc9d85e6d530c0b9778659ba22dbab5676d6fd6dc98a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
f359ca620f655e1e751f7e82400b1274

SHA1
8c144983f953a7faee295540c9e3902d80f53946

SHA256
29d57ac477cdef9e2b4a5f35425b10d8b6872166a13ef9e199a16e31a96a601c

SHA512
f8797453b881961cc71e243e08b794ef158dbb22f13916a8f88598a21aa85bbfc2151c2050e19ef7c1d7b729fedb438aef3d726975526298c0baeceafe558d6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
35378b9bd5d607475e561f14fb644580

SHA1
0713bced25e6bf35afb1ab9692ec2b9d3f0e451b

SHA256
3563549f068b6250f9d6dda216f7ff85d7b74efce7e47d00f3a49ff1f4131df5

SHA512
a10e52245d69de7fa8f11cc1d29aa56886e0379c0ffe8e3564f6f76991b7abe432f3061b2582ffebf0e598334b780c4d80c2db388ff5a9453d3ecdfe3dc5554a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
72b193050fdb8f24c117e4a7bacf24d6

SHA1
e7b08da8e1ea88633ad70af5c26e6d46e3a8cb45

SHA256
22d2facab33a8333f59775eb91e55c297f9c7f2cc1d3d5d4d902a68a42aeb042

SHA512
5d37c752242519da3ca07be949e34aac0ab75b859390c4623ca658e3e477d498a322642acdf9ffe48e193c1e6855414066e91ec1e1d2693dc13313b3c44bbfb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
3eed0b950e95568b0d7a515eb8a82f7c

SHA1
a0a484610621aa5d6234e69c52757d999fc21a09

SHA256
51902fb2f6c0c01ee8159a2f9d2f33d4970f46550069e033487106ddead2c249

SHA512
0840e064c365d05755cffc1500c3c0b35f0d05f337c79db4892201c736371d6e1b3a5c8355f6b17f65eab08b185999a891e9e3eaafe6551ca0dee232f65ac27d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
43b5a71e0ff70c3e778319e2b8b85c5d

SHA1
7936d5cc28c423133f66f773bd90c679c8cc06d7

SHA256
4c580dbbb934064c090539eb2df49b8e2fb6cfb63f02931835ed92bd6e5836f3

SHA512
00b622b1dcaf096a6e2e9530cbfdc8653f476afba968ffea6a057f32533926588795fdfd735a81029c719254b3b76f9d4521dbd23f3728aec3261cde05806f8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
28a58f74617ee0c5e754cccdb88d1b24

SHA1
5fa58443a4cef1e49643642360eb02add5ed6e16

SHA256
c7f28ce5501a08126fbc242119288303eeaf0af08b4554bb488041a259cddc98

SHA512
47a80210aabe48b711db89ce062ab8569d9bf42539b9040af156604e3098c16530824fe1f99399eeee276fae9d625754333def4e5d556eeaebf1337431d765ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
c7775aebe11c5dc48a5fe9ba2d5fcfbf

SHA1
b7911438ca7b16f6e3e257e4c66e70236453cd06

SHA256
21ec1bff8a48e7097717c2ca74dfdf5e72638b7d33a70a4e0a143c228c80c746

SHA512
236dc0cb65865f5c96933859457e98f58173f28b01e02b3eea3c8ec5e22019e15e1b18605af6167a3194076db61aea5d568ffdfda7cb69ee70897926fdb01697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
02bb7f07ff7fcad379398c563064c22e

SHA1
133d17a8f2cdbb2d7fb7347ca6b96afc83d2b2bc

SHA256
1e28617ad26702cc5fe09240a8fa811baf4d52487cf63b9ef5b834e8ac279bdb

SHA512
68f00bfceac0418659f3f159d9745cb9360ddd987e04d753755580e5379e3c0c728cf15e94b1b1b747bea16ed3eb01c3ba8a24c607d2fb47f568b122edf9de5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
eea121d432e6a194a67f360cbf03ee4b

SHA1
4f6170cf18e2c6d9eb753288bea63908db3b3a98

SHA256
ce91224a11004e93fcab105359387549d3ccf16c89589bd4d7ca5f65f623f73c

SHA512
1ab6cca2db4244f15f06379e736e54358a4bb8ea856f37c1276ef8a551cba42ce2ee0a0ae2f6657658c8a772dc53ce63b814dc43e1fd900145003810eca1bd76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
aa07c50362a35211d9a337ebdce95f1c

SHA1
3b7a3f794694c4578f466cad54b2e9c721282df4

SHA256
b09f5abb259f456c09b0ffabb7d7da0aefdb9175f1e6288638ef94a364391d62

SHA512
072a6a79a4317bd44ac3211d6a3cdc445efaaeab5562db8fb26a024230388885a8a365c94b6ea22670ff6b1cec772ab8fed357d4fcaf79ec7bb797e8759e1c67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
dac18fda4a20580e8caef5e28a8792fa

SHA1
402a72b3b744159615c65724618d190385a84eae

SHA256
ef7ad0f19003272a2fa7173282d3fe811b2e24d45d4f67c2515da9c7c0a9d320

SHA512
7380f0b00fa07bfbcd96ebe5db775e82f5befc8ff77163fc4acdcc09e652906ce3c22ac0a2580b4ece3de2ce1d8355a9cae00687d5b14713c41141b7c04cf015

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
cccb5d01e45a377fd5ff4f86dfd3d2fb

SHA1
22b8e8e7b3de9c4a8cb821ea92712bb7cb95a6d9

SHA256
978e2c7bca8eba880deb6323b26ad920be51a7ebe1ff2c1a415d048917ff9a7e

SHA512
f249ace1e0ebf7cf1a7096f5831372084204d5c747e154afbb5d225ee4f29c27add7157f7bec0dd824fbb6ec9cea6fdcd756d2c41aa3e58256ae23063db2f04e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
e5f9aa63128b438db9baa989e6dcd8dc

SHA1
b817f85c16a930dd12bd4b61e61f89563c99775a

SHA256
6ee3bcf44c9e8620629f73d1d40dc6bf51eb872e37f0f139d7e497c723973e75

SHA512
c621e6837bd73470b3781b1a0b37d91f6b56918688dd24e4349a8d38bbdaefe883396dbfda456ef8595e322d0e36f084e750eff27396d70d93e449482476a1ae

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0ae2a8c11fcea334bf59ce49a3e8da61

SHA1
a2231f196f186e54d642f4b1d9a77b0f0a79e8ce

SHA256
2388f847f5fabf98554793ff4ab126bec47c9ac927f058f1930c5921d62a073a

SHA512
ac49dcac8b4464c86abfc21db930765897559a59cdaa3a9d2f39b27bc2ac257332cf505def15c717f3d697d26011aa1a1dea32e9bba3969896f025abb1cbe12e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
4af4c9517ada6c6c807cd7e1aea72ca1

SHA1
3d60a35b8cc0bee584e9b5dc0965f872d0abd1ad

SHA256
fc1f7792c79a08c1b5c1691c795668ea6f0d845be851eb03254337c2aa62ddf2

SHA512
b6a4242f4a7a74d9b574d4c30a989182db3c62534058909a68d696b9c3515447e4565a363c64d7d7b68739a8b610acdd6b049a6b9dde6ae633ad5b904a122d74

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
cfad14ef248d4205496dfd27d38be99b

SHA1
0c19bb0ea7e9c63980b4b26ba59081551c719012

SHA256
d7c172b9510354789e7c910e1416ffde992f124f0ca4766cc99bd9739844329e

SHA512
5a1baa95e3ba4814f5b9cde31d02b295a7cf7e89aa1b16317a5d38a644dcbae74e2f0ef751f95873dc9e7e0ebda5908a4915d0dc836f429b13ca33c99a52b93d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
58c152bacfbf4200f67a36b9adaeb965

SHA1
b70d1724f5d02afa24f18e1caf044eb1888fb2fa

SHA256
8537fcf335ff1305aa9bbc1b8b49d1bb960aadf9b461c4609c5ec52180040463

SHA512
99cd079b4a3099b05a7341762c13dd2be629ce2cac2eb6bdb6c59a1a69d68bc590933105c321d55e473c1d5088840872a95eb13eee46a27fe372094537a499aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
0f110fc768b676eae4df212f64d9bc63

SHA1
06e92de81c23c055482371df912ff7f1beea3dc0

SHA256
562e0ce83f9cab9ea8496d2ab083225b61d2bbf5ab978095c13e75871f1816e7

SHA512
cc021c9f392bad757945eb4a9a5f8073756f311d42768ecb8bd77abfc7307940f08c2c037337efac1e0266365e5ba239dcc7612b39b6e06b90f7838c2373d682

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
db1d761ccba0ac3b4966ddb1bf668281

SHA1
751e7d38e5528fbf1c3fde2ef18d339b3083d551

SHA256
7a9c035989237f9189b4b939293d87fc1ec05bd2186f64cc0d5520f682c585b6

SHA512
a6f11c140755d9f00984efb78fe22b6a8a5e75b0328012ba2598b8eb3c4caf9cad1e4a3b668312d3c706c79d24cf435f82bf92d22b3e9f546b9baf878bd2abee

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
06b0cf10c03ff7abcc9b07af94e9c6a9

SHA1
e2cdad1411bb92691932037ecb2436523b93f96e

SHA256
0b91e2b77395dade97202fa371bb8f2e664915adbf7bc5bf717c251cd221639c

SHA512
5200e6d6cd49326de987a83c0e18b47804e8012796c2d24457be937ddeb2d7c34863296608de04ad897c29694c19e4404e0e9e23a42b1ed45ec98889f4c540cc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
13816ee6281060a0385b82c132ca6b9d

SHA1
2c3da8ff6c998725332348e64163edf01585af01

SHA256
03a11326a176f9201c5e5f226236608a02016c4bec0dc864e99a01deac62e526

SHA512
1e5ea8155eb397d71a264d33baf89197a5a4ef489791f46e4678d8bd34d2ae4402f3568523d3dd4dac55ff144ea761c1d810c12dc8aa63e5105445ed706e5cdb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
1306d105a591db241a2c3150a3215c65

SHA1
26f8f1a2dcf8f0d7f534844eaf9490beb06467f3

SHA256
a359ab0954547c11d18bb507ef230f54f4721983ff61c4461e45c7f5e526fc4f

SHA512
f02fd1c1b84829239c8c26a2b55ee2e078672dd6d52296c3dedfc1ed7e7917f81e7b34bf79522da40b0ffe2b47d31fadb981ea9bbe6bef7ae9e0356f2d11e865

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
279082d2f01175b8422f71a7475737cf

SHA1
dea63931fd36206447946860534aaaa0623f273c

SHA256
699facf5de1a5781dd5d2f412df8eb981e524aa2270e5293d0228f11ee1f65d1

SHA512
88a3067d132e1b27ff7a7c18dc6f99d54ebf8fd83fd667a10acda7371c451d364aa548a45aaf3a82236926cdf35b356b660214cb95b16bfb69bda7825d86cbf7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
30e0133264482877a119912c3b584646

SHA1
dd32236c697a777c652bf244e4907857b24129f4

SHA256
34932bcb57fe8feba215b0b51edb9bb3e319f8c967d3e06bbf591b46387ed290

SHA512
68d74a16ebbec29d2b392509d0af4eb585f6781640c4376b7768ea6b0d62ac02579545243beca012978cb6e80cf308b8a3723a4ae3d988927051f4cf4d9cb639

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
148a0353d93ae464e871cd52a229f54d

SHA1
afb050eb406de64bd6f875b19b00185ce8e3bd45

SHA256
38dcd8bd580503179b1e2aea69b88bc4cc02a72c2cc2cd1331a188e1dd274a1c

SHA512
79a2caf867cec06985d4029029ab1775b3b7b780a31f6e9a9cf696aa13cdb038b461ad2c3d8fbe7165a50db2320a87da0d207b96b78691b90246843a175b28d6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
b9f4815f5a5dee188fd3fcf7142e0818

SHA1
9edf2660c4f172162b336ef5333451a66138b526

SHA256
1c67bf7ab161da8f8f02545f875a1b8920bee2b3e72a5bdb3581e54be0dd105e

SHA512
07757737818e5593f14ba5c60c7c2b482b8d79a97053699c0e369c7b0f7c55cfb2d5ca372581e6007836f2349afaab2fc161190d3ce3701921803dadde1ceb7b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
070cd9fea506a7dca7f3d848fbb1e49e

SHA1
85310ec9af529bd414bf9f6e9861845a622d5b93

SHA256
90a3250aba98de761933fecdaf7cbd9201eb8c783d217c518132fd5b3e6e410b

SHA512
b721cc19bff46c1a7a37132d1734798729b52d83b562057b92ef1256625ac94250e99bcb9e73a41c54694500d0850cb7d8ba2a58aa6d5f2e66e45b0e241e2dd7

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
de6b7f04f830739ed3895f1bd29cdd55

SHA1
fdd950486387a3861493f0032d219ffecb80611e

SHA256
c70e19893a938af43f51fd2db7ae5f019d68c35423122531af7140d853aa3ae1

SHA512
cfa1de2d4dac787cf92bea26999d3df0bd69ffd063c93b98cc301fab9d81f737a91e499d9747df9be4fab94bff8872c493e834afd251bc26847f27f532287bc6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
d346ed4f2d2534e2d8163d35073f6625

SHA1
74299f2e34c754aa93ab8721983c180714c12936

SHA256
ab91ad6ea588ec191cd580f0f450b0ada2ef363d8dd87aba7d7915c866fb3f84

SHA512
280c74a23d40c0d57ebb4775b519afa15c1fa4f93677012d9fc438980f50903430e74aaba3ea435dba1b725458a361c698a7fc6387a90bf2b6a7b5ae5b24aced

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
6a3f5a6e15085c45e0ac446a57269b3f

SHA1
f22ade881f1a8c637ab052d47d4456e65ab426f1

SHA256
15048a0c933aa5c24331f77e3700d8772f8bf2272251bb585bcb67c3d4a887b5

SHA512
45bd77ec70d1b1a5b6a534f1170fbbeb45fa665a05bc7c41c29ea9b4e9a191716d4ebba3ca1bb46ffd06fb9b94915ffce7f2778ac9dbc65998266f01f2fb4836

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3b3af5de3232810999af6a3b30496856

SHA1
03a50ef1fb169422225d57134116cda505031d4e

SHA256
202f7d469930779d6627e3ffaf30f01fb771879c2505156ed5ca055a448d837e

SHA512
e25eb84505f42b3f740df271dfd86e0f006e863ecbf9fe826fd3bf4d0671a0b33b2529d90c991a1df2f91407642dec4168395194679239e0a0b5a474cbe1a962

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
d6a859481ddacf4ab28ef779cdd79801

SHA1
2a273fbd097a75345745446b92bb839d53dd9a8c

SHA256
2548c43bcc380b5f793639b7073f40824300ffd3cc3b01e2f4c2c6614cdff8ec

SHA512
ca42e656387e80d93a7352ae093c15b5fe5e99eee564872afda3579d3e6bb06c7650da152ff0beb2c64842b993b87d78fdf45426778c9a3847067ecfdf7567ec

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e98c22ac1ce267eef2d4aa16ae6db51c

SHA1
c70697aa34f600ca95dc012d4500774f27ecf81b

SHA256
4ad018517aab0cd1a7699c99b9d6b9d71c191ff7c6f50634ff32fa4a3d0fb0f9

SHA512
82e7a628d32a4479562b5eb0d8e65982afbf18f8b1a5c087d7b18469b0c083cff8814e5728e45b50aab274aa94ae437b67f96d2fcace197b5c7f2d086af34eb4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
dff578711c021d7ab3ac4886c983cd7e

SHA1
376bceedcbb1fae81b45ecead1f44586d7fada65

SHA256
dc9299c810e58b1563994cfc8613a59a17fb73aa98331858b708545b561fdeb2

SHA512
02db17e233ce8dd44a4d714809797fce69dbd05fac940548acf3cd076111ba7788e0b84ec31419d1335759909dd8be21414241b0371b4432d637bf54cfe8fb5f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
79eb833114509d19ac67d8d8220593be

SHA1
c5b0e8178476c439edd98d70c204e0322b7b3439

SHA256
66d2f7cdaca1015f487df297f707c94d27f3e0b3ce5cd5ccc7a7d715177c2598

SHA512
68b02f1d379a520e6d4877ec4f424d887000495824045a307fff2358cbeb9f37006879675901397a4751ee902d937d285896ed20b4926824abdf6f2e4200dda5

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
b656560823701717c218aeba163cf2a0

SHA1
bb9c0a7a5acd99b141eaab3c08fe91b80ff98349

SHA256
618eabcebb6d46b899289a805ce38ee6902c704695cd10beef11c6df6f252f9e

SHA512
13544f27f7118e1f89a8be2974ce0dc45f5e69ba144cc1771761674deedcba2d678bb7ee19ebf0654868e741ce33b60ace32169b6c6fd6e314df34d26f842725

Download Submit
memory/628-725-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/628-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/712-150-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/712-141-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/712-176-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/712-148-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1312-164-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1312-159-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1312-153-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1572-666-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1572-117-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1572-123-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1572-116-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1660-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-259-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2132-130-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-717-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2172-724-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2172-345-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2416-718-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2416-177-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2540-261-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2572-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3052-125-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3052-105-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3052-110-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3052-112-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3052-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3148-1-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/3148-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3148-147-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3148-6-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/3148-587-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3184-257-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3344-723-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3344-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3480-344-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3648-194-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4204-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4204-663-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-719-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4300-195-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4496-722-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4496-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4876-341-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5056-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5056-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5056-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5056-193-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5104-65-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5104-94-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5104-61-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5104-256-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download