254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
Size

1.8MB
MD5

fa6e34d4c0a211e3ac39692072d926f8
SHA1

f338a007849061861fb11fbec8f50e9ee024b5b4
SHA256

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab
SHA512

930c2afed1365585e1f778f08432ce98605a8d066ff7b161e98a2c76441b86c6b9448e22da48b6df104fc5f85a3740f7d473b9415a90bdbb78d116c19cb3de88
SSDEEP

49152:1KJ0WR7AFPyyiSruXKpk3WFDL9zxnS+pAHrVQ1/fSNvi:1KlBAFPydSS6W6X9lnNpAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5012	alg.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
1732	fxssvc.exe
3056	elevation_service.exe
4040	elevation_service.exe
3448	maintenanceservice.exe
2260	msdtc.exe
4220	OSE.EXE
1612	PerceptionSimulationService.exe
2900	perfhost.exe
1960	locator.exe
2588	SensorDataService.exe
1792	snmptrap.exe
948	spectrum.exe
3752	ssh-agent.exe
544	TieringEngineService.exe
216	AgentService.exe
1968	vds.exe
1304	vssvc.exe
4844	wbengine.exe
3248	WmiApSrv.exe
4616	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\wbengine.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5fac2c5f92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\locator.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\spectrum.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\System32\vds.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\vssvc.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_ta.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_uk.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\psmachine.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_cs.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_lv.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_fr.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_sr.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_ko.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_ms.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3393.tmp\goopdateres_de.dll	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038b0ebacb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019c493a9b3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d76e20aab3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f9cf7acb3abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba5e3aadb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cbe0faab3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d867cabb3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039f7eeabb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
5004	DiagnosticsHub.StandardCollector.Service.exe
3056	elevation_service.exe
3056	elevation_service.exe
3056	elevation_service.exe
3056	elevation_service.exe
3056	elevation_service.exe
3056	elevation_service.exe
3056	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3216	254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
Token: SeAuditPrivilege	1732	fxssvc.exe
Token: SeRestorePrivilege	544	TieringEngineService.exe
Token: SeManageVolumePrivilege	544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	216	AgentService.exe
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeBackupPrivilege	4844	wbengine.exe
Token: SeRestorePrivilege	4844	wbengine.exe
Token: SeSecurityPrivilege	4844	wbengine.exe
Token: 33	4616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeDebugPrivilege	5004	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3056	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4616 wrote to memory of 4208	4616	SearchIndexer.exe	SearchProtocolHost.exe
PID 4616 wrote to memory of 4208	4616	SearchIndexer.exe	SearchProtocolHost.exe
PID 4616 wrote to memory of 4836	4616	SearchIndexer.exe	SearchFilterHost.exe
PID 4616 wrote to memory of 4836	4616	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe
"C:\Users\Admin\AppData\Local\Temp\254bd56e07290cd1ef923103a2f9aa9e4da85e064a275801fc5b1d15bbc40bab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4208

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a765a0833af2963f513d8cb770fd1c5

SHA1
d7be707599088639ab9775918703d3980dc1dc16

SHA256
97ea96cca7fc48ac81d46a0949c5f63e846f3c996345403004bf905435d9ac9f

SHA512
2743c3b11ceb1b252b5362b97d5b5ac8dfa605bbc837e497339f553eb657b9e9240e97c89b090aaf758d55459e5fcaf9e3e3820c4e503beec8d6244da16f7004

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
97d530e09c1fce209343062a1b4fb086

SHA1
ce5bfd051893bad57ccb3a891371948c074e9a7f

SHA256
2229c2273c38cbbae51f04d98c0ea5211d530ac273f53c719ec755b948a8f460

SHA512
5554c577f26d8b67723006c3931b14c45badc2e16454d63de25fa92c89e91d29a6e415aa596d7c5332bd30a40a1684de8f0590af045c2e8318a84ead43b7a56b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
86144c5b8046f9f8ceb15a31f27d620a

SHA1
80cb4a1980a30a762ae1e18ad42d5a9af5945c5c

SHA256
3b93b8045d83a1a016f37c15eaad28e11f17cc2cb23338bb31403cfb60c91a85

SHA512
30b66c3f45ec6e77acf6243e6983eb9d33162bc97afb1e6136a25d186178a61374dfe087f0030ab81f44b6f1b6393f91393255dd00d73930f1f984f97e48c3b3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f03d0a3fd256074784876004a4848c47

SHA1
9a4cfd359aa3b24047e16ef8173f9792334e2218

SHA256
1aad4026693e4d6d21be39be9566222f6220f0243299949b7df32efa1cbdc1e5

SHA512
987cd03fd0eaa25e9d804fee22672ef307d02e5992c36da80a79018b525da09a27597db755a997089f71826cdf4ec2e1b0caf8a7d6872bc8335e304b91a5ee18

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e520ed3791eee77f8038909e5480a91b

SHA1
1e71106b898c7766e381d4d96226d11a03f3956a

SHA256
60bfb04bf46d1043ce5b902aac8b992c25c81c3c9e6118f1880d4e506f4bc447

SHA512
b341111a267a6629a3f42a3bba041df61e6044c854ee3ed6bdbc3d1db1c66f9c3ee18ca554071963ada21af577f3393ae203fabce06d30f30832c9cbfb251986

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
be73f959b3acdb9616b59bb5062a9776

SHA1
1f3c1e4c0d20b0c6eab6a06f5119af5e78d9c0e5

SHA256
d28a7aa45e73d5b6da1a6fb58271aabd62cffd13e8248fcef997aea94bfe258c

SHA512
d019489a3d01a77acdbe74b9a84d3eab29309d04fe6c74711e30dd0476eca76a9238afb01fd6014226bfaeae35403ebf37907cc69f1ea96645f52399173f4bba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2bb4c58ce9954b341c22dabda7e2a889

SHA1
95aa4a42b5cf259a01719ed346f72192e723b5c7

SHA256
6baeb89ce53d6c524bc36dd83c05a6c2bb8a892c56491689ee902e75a84f25af

SHA512
731edb15750599fb5d9003188cc2fbeaf3f54b2e5c4006991c6852fa4f03ec31993051f1a2538ac0253d541ce4b12d8eb6ab5d18f0e1ae879006e397536f8d8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82a41a396509b844c69106d7b6951026

SHA1
58921a49fe76d0c2b898e1b22c2ff372ef790ab5

SHA256
717f2c1e56d69ef7d9cd1251eded366c45f276d8de214609e08be8e2fb6a69ee

SHA512
134deff7a4eee344e92436c8f7031bf236121e0ad59fdb497d4788a09f787c8324a983b746f6ac2f299059d3ea4b62173e20e54253712962662fb162cfd6ffb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8160017388ceac81d22c2fe28c51a9be

SHA1
39d649fd85ca7e2c1104e4ac4fafd1af164244c6

SHA256
700073bd0f9d5d4a941e7d6f323f9d0c64bbe37072374801570b8e3ef029c491

SHA512
aa45888744f28e071670ae39e31d927e9106aa014a200b4382c3ce045785425e3c888c9a9ea69a671a9b53c0af1374d9433e371157c6b63ad3512412a4bb7331

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cba0907c4726415434604bcf5fc1ad5b

SHA1
2268904ae3290ed033bc27a8d4ba661d5061060f

SHA256
1da8e935768264a19f5500ea660475f8a1b8d9017bcf5c71e359ecdedeb5b0ff

SHA512
7db619ab8d82254df56a547574c2059dea9147efd9441907fb35506e5e86fdcdbe1c324c363d0a3210614977e491f7b43f14ad9810ca772f31bd8f8e458c65c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1263f539553117b41ad482c51e8c6350

SHA1
894e717458b366f0bde30074d25e8b87eefe869d

SHA256
ef767725ddecd821d9d0cfefca5420e4031915dd6076f39f7b561b09f752a27f

SHA512
a9f0be28a3ef706f6850e18dbe99012c06d6e3224345e054a4b535fbea403f48ec26c723e239fa6f6c44e484db8bb8f23b0a8f7438009b2d30606de024b6cb26

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5750bbf06669931f5a098b79efcd58d6

SHA1
8deb4675ad598b3e81e4bae41deeeb1c89b8cde5

SHA256
239a3b57399a8b8ea97887d2543a1579350d58e48e92968304ed624f4e59aa7f

SHA512
f597223cf26d40e7bfcb2bee5b1f6c9103f0fead0d9ce8da845ecdfd778eaea4c542ba2f32a65624314e3ec6561709b1085fd5fa07d4b941d764ce652dbd9396

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3aa43b8464f4a1e9dbf0c25a1939419b

SHA1
4a2eb04309b991a633bfce3a0de4780313873235

SHA256
a7572f7d17ff57d976297e42471c741a8d3896b77b9d350b8f82adb6780a9f85

SHA512
7b46600c9190ec6c658a6427f774f7145b9c879d549060410da1a749ff82e405830b69ce56432c1ac09fada2c7b8ebd70a4bf70a79ef61a2e5d0cbc93c7faf1e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bec70694f0cad3b15690e7e1c8dabf3b

SHA1
167e8046685a4d6ea583e98512b238eba493767b

SHA256
732331fd93e4fa378cdd3b1f069c5e9221953e207244217064e4f602d448d401

SHA512
d44272b0c76762ba9c31c4b284e8b26ad0fcdd4bca21ce123b18e9ef958125ba08d06630c5651fb0d74fedebdf339ad2f8c2069b9ebeef58bb89dbe4fd007807

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
11c0bdad0f3fff7743764aec9aca811a

SHA1
01d276fc1a15f7927b58f102c95425c68ff623c4

SHA256
003113817956603739697e6775227a61c0614887dadf85389cb13b1dbe82e01a

SHA512
6c7b2352a7ccf549cfb854bdccff69bb92d125154048dc0057b8dbf704711f450c5dbaa85e2a892ed4907f49b7e30576034f895dfbf051788ce51e1b6468bc56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f5afa2ab18ce43208d3c8e0a38d30acf

SHA1
c814c5507892400eebb9bb2e2c44911636bc0e23

SHA256
b5b807aa95a763fc8449228490b7b27e1d71e8ec11203565d129bd733221488b

SHA512
a41f18ee5373ed71ac8dfa3664d14e3086d8086328dec2f02e2748b6b6193553443538642a095f9dac5ef7ebdba8dc83da5f30634ccee6069b2f8b5f64aed2bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9230b7859f4d8fc6b9fc6dd2aa50259a

SHA1
c361550e5b2345b7d79df7083db9a908a08dac98

SHA256
12b4f420971ba78bd41dd80ce973f9b0599f87e0f6cd4ffc6558c4df2fb62731

SHA512
8f2f113d9c8d47d1955fa41e00322ca871e88a217e3d54b7b5281c3aad13eb8c148503cfc415c4464282495e1b8dd038688f6863479a81554077730756ee5eab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e93e27945430d35d7278e1c75db66e0c

SHA1
8e630bdd6d60ca342d0d0856face31c07c9413c0

SHA256
ab32365a237756e8031416886496619364ccc6f88fd43b5dabfd93227143be0d

SHA512
70ed39703a3cf02c986b22feea986a26d899ebcc74b25eba116dcf9d0a147e1132028fde93fd8739d51bbfad3aeb1d8cb168edfd57b8242f37d9f0fda16dd325

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6471a2bf92ec72b8350cd8de2b4956eb

SHA1
bfe8ab4d3e9fda8a2854eaf796bfcff42637a072

SHA256
8fec55d9632f1775d243407f818bd5cbcab7ec68bcabe5fcf7ea575d414f0fd9

SHA512
1e783991c677b4efe8600428318fd797b651fdfaadff9a847b6bf5a00bd7fb4aa8fac34384062ce83a76aefd4a3ce261baeb06b37b988c04d16310d18f622779

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c42db29003c6e1d90274757661b89bf7

SHA1
21d0912e9fd0a6548422b56462ade009e1f06529

SHA256
02afa750d7270d5e9283e1630a77e9eb913c962f59237e5ba8c60c6a6235097e

SHA512
9ed31602a23374b764cd305a1fbff34364a63b97e6df5ddfcb909be629ce012b19efb07c6724c574c926a1c3a7e64d0db2b2018c53079e840f9884af1d6ae4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
97fbd0f3d63c079b98c3533217f86bd3

SHA1
feb4382d296816dcd723816691a05c963c6d67ea

SHA256
93f3c81529e2a4e6d123551436a58884460566ed313421a059f7b58a2c4d23ad

SHA512
5b8e393ed31968c330fe233b459cb9980292cebd2281de532cc0b35f3e23c6e6fdebd4f49347281bafc18e6011f120ed002fabcb6b6486a85116c5fb70f2fdb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8c5234454ef6750c1fd61b20f2146242

SHA1
d84aa410e73efe298b27db7d9070f69c739433bd

SHA256
d2b8bb619592bdc26808f4df151f76e38385fdc955d5bdb8092f02fcabeceb91

SHA512
a20329f1386a1d1d4bdde07779caaaeeb31fc34a635031e99fa5686a4b3384a5300ab9e09f47bb7cb27dd2b15d76b86a975f7c9d36d4dd1d96df78cf085118f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0b8b728e0915b072cf8ce049efbaed3a

SHA1
4fddaa52b7e2a29dd933c3d09dde85dcec7794f7

SHA256
0e2b09fe5604c03264fda7c8fde09e34e42daeed96f4a5a60984391ab030b43c

SHA512
99be98fa3acc3de86bd57a4dc0f094f879dc4f6503943f08883d7dd7ba0b12364fb88ba601f50679b2e81d2a3851d87aa34456d0bf21bf3701b47d4adb03696b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b1e2dea42e19989bfc9d74295121830e

SHA1
1b0bef7bbb119d041585d948d71f18450bdb5931

SHA256
10420ea6aefc9ab768b594877c219e288d7dc41555bdf43828023021136f5594

SHA512
f723305e47514b85fdbd2516cff5871892aafb0fe33376af081c72c74f36e4e98307454c30ac4e0e29c14d3229dd949796b71dd51ee16389495c5b168dce14b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a7d72d511a7b836bcb1e73a8dbd85a98

SHA1
f76955504dd2423b05da71930924764d3f9a2dbd

SHA256
1dce0d3bdb2aced47c84ff7138d99d2afff3502f05555a6531e182bea83b7b3d

SHA512
c8860559c7526cff3457433431ee10f84f9887177f0fb1c5c09bb0959cf972c598ebbec5b910c156741c0a3e57555d9787edfc1f8989c121e9157f4b3bfff059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c00b089a71e0612a09426bf664e950a0

SHA1
a65af9399e7682084cd58b782f49feeb0b21a2d7

SHA256
8ef4af0afc911c9835d1ca1b810e20be874bab01f7a44bd58b89420a667fb947

SHA512
b9795d3df2f7d59fa21e2990a807007527a1dacb5e2f2dec075a695307021a92fe3dd50a3508372dc949bdaf3dffe30d76e7afd13f4bbbc66729f598a1b023e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6e3bdb4027e35ba554bb3458701d8c39

SHA1
5a4ea362ea5beca25d863d2100694cd32165a6b7

SHA256
cc46b67a1cc8bbfb85f4a8155eeb024a69904b332aac9cb513e40225e967aa77

SHA512
e0588bf70a1994365be3b2de0781d03f40d1b4fa4e9cf9b304dbc269668f8e305b575b7def61d076d4a368752d32d6ded93611ddcb0cb8f6b2d3520b179e8827

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
80950197719d65de376c41dbdba2f74b

SHA1
4bf4f957c419a7d42ae1b03006441b0991d6c3fd

SHA256
cde03d74de7c88374afcb9f9b1b82ed70966ba522067f7f9cd64ab11a7fbbb3b

SHA512
f5a9929995ec4de187e494e1100e4feab3e22cd753145f8345a131be44c3ef0b82c12427210db138da6ba5bbe258239323bb2a18ebe5e85c0167f121b3276221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e4eabdd2c698c9fe6a8f3e836584ae91

SHA1
64c1f8928c8e515ce14d514b167b606c12088441

SHA256
7d9f602a6b1829055423ffae9bd2121e80bd830b4d60ae77970df0e8ae0e4a1f

SHA512
673da51a13757807ae0e38fb4cb83aea16b559da6835e2e75e9823fecd09b7365428852f8966bc3d02776701319d33cc8ff030018c67e2b6c8ecd1d365200136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
165577cdd21f06bf857932ac47b9e32b

SHA1
92f20d47284264de4d037e83e5a1a4a4ffd376e8

SHA256
30983889ba96439a4a1b877504aafc16bc3cd400f30d44ef339323c0fd2f28ee

SHA512
bf01b51b9e29f2af33147d1a9026c0b1ee449437a20037636ddc31c2c09b9d9554693d54eaf8c20e4c31f40bb379d21196a9d77a5235754d595b12ac57cfe7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
91ffaea3b6dffc14debc0c82079985e5

SHA1
a8b4f3111c36b58476225dd6f7daeae451f690f1

SHA256
156ffacacd09ae1e6cb8d1d28316a17ff0bdd989bffe8d1d61e4ffbfb5e73f3d

SHA512
ff39e05c2b53058219ea5632cd00ea10e7cfe679f1717927159ddb1815815468e00eee720a7d665487353b6205c2df608b39cd5ef41bbbcc60a1bc1dc443f955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
24566300373769809aeee1e5b17c7e68

SHA1
5c1658720cbc736db65ed5c0271ed369047d4d00

SHA256
3998ea3052c399f20f28ebce533abc08e83d15ba267d04beb77a75c2730e2f9d

SHA512
2826f2e3e1bc66d470c2a9cbaea960d9140d1e5ef6cbe926ddfea7da8671f91cb483fc6e3e546903c65153c018dd3e2877633e807a8ee9319a849d1b207c952a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
79f8a16b9de3060733501f1eabb4a888

SHA1
240dee597085839f6af1088a3c4a606c5ff8f746

SHA256
aa8f28fee362b611d1998a4bd9a5806661cdbef343986f4a2d72363785df3b79

SHA512
fba5594506fdf7ae32a83f775c6abb378aae8eef1b567d5aee1fc75e08bc220304253f31bc98ebfa934a91f1ce95099eca995042e004cdbdf976644ac4d304fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
54a3d39b50e696fb96feb686d273205e

SHA1
733318f5cd9250eae0c180388b04297cabe2e026

SHA256
d4f128e513c3dd584dee153c38765da876aa74d1c56f643651bfa58747b60a2f

SHA512
2b6996e3c6973d464580310e8513224de71d28c32632f1e5ef6f89488da3c457b424f33678df199e73066f69edbd534e14487cf1067afb989cbdf281516b3e39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
15c9b28382540a1f8d3d6d6336b58ede

SHA1
bffbffcd2e4c158d8568f7f4c2163614b65a18a3

SHA256
465ef9670a8622789c473abbc3c468ef1669bf4d27d414cc7e4d670eef722bef

SHA512
fb80234c3c6535612974a5368f69e5c57f76374852517de8db36d32d83ee2df7f2465e95daebd51704abe4782497471c1539ac50a8af2a1dbca7569471780489

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2771545b2ed47804afc7036291389174

SHA1
74ffb6b624928beb70b4d6cbe6b8e2bd4b212089

SHA256
42c411fede4ab472e4c89e0af520e2b9bc6358fcdfd920114505f31ebf382024

SHA512
8aa9722dd1d1a0e774ff860fa360d70e35b102b91724c5c68d6f8767506425d8288bbfaedcedcdffd13b186cafd1efac6b8c5517fd169cccf0f31d4e7048bd36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
77c28ae9c97903342c39cff72710d557

SHA1
963179a7bb5f2a209c06bcf9868a204ec6c429e5

SHA256
2a8f63dae705ded76f03a1973e1e10618647a9600f976a56a6aacb400650a622

SHA512
39b2f27b435f78b4887b2c382cdfa4ceab9f5684834864c3005185b4218bf9650bf5a775e222bffeb717ac17395c3224834ca1359b68a5df8ee590bf346de272

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f2ed9de9bb2d2322da72fb860c3bda94

SHA1
cd2ecf5d6dfd3c50a259079a9d5b604aa1140811

SHA256
58e80ad966aa37b8ba1c7eba0748ffcf13bc7cf57dcb4f550c8fc88a94aa5ad8

SHA512
cfc2de7991244220fb7be7fb164ef18c2cc61adc985b5efa4769435681f8e19f7c09b64776bea8c630b149b51ce3c4aaacf36c7628b13058a3ae7abb40cbbcaa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f86046c586b9de281717d55f8162386e

SHA1
38f2eabbbaac1723d5c55ee65efcbaa41dbd4db3

SHA256
8d916f6ec84a8616a7347b7186f164b02300807eed46d3a2e90a4d9d31231592

SHA512
3644e1b181e91cfe3bd252f29cada3190f2ae865da0d2839c71f1aa7639b2905316a7fe4a39524e522009c8949c1357da1ad95727839337b4c11f229a4e7be78

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b9472714db94aba6d285b9df33f22f40

SHA1
d721c7806f27e96b3efb9b8d763df2f9cab00ce1

SHA256
4002fd9aa2e862e5d564c0d7e089b21c46c97452dbe778702383b89dfc1375e0

SHA512
f3baac19665b969444068324a20d580c1fff1ec704e82b380e2d86c23931f23cef18e0baa62b8e12a88774eb347782315250a1a4e33a7689265b47e9b2964891

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9b6c936448c5000f241c359515bc3187

SHA1
ed4c7925d0f7092de7b6735fdd641b97a9b57017

SHA256
39a33035326ee1af1d1d109f0362e963c2717e4ef0d769784863e4e583a29748

SHA512
92aea77cff5fe0e04df2d7edddd023139d05ba4e55cea33238e734f78382c2c16767131fec277c0a3a4a96b4f6e79ef38ce9e5d795a0c782b1448f662f00b122

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
dd31341d7a1737b1d29b0f1a0d3a36ef

SHA1
4e6d36fab64603dd1d4facb0cc624c10cda23eba

SHA256
db7a8b9fe4958c8ba5db57d53ab4d7945732c750f8065a4a2a0d939ec24ea900

SHA512
c40970af7cd994d005ff49be9ec1268f26627b0b2c738b428e612d39827a6f7f42c3358011ba27acb7f576c84a4e87a0f16998cc2708910175298dbf125b7655

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5843167e5c1100a3890914acffae968d

SHA1
d0e194ff1bd7094354e0948cac3cebfd5898dab8

SHA256
24c37a5559cddccb0d8b1c5bb30a978e757d74139ebddc700d0d4c0a710e860a

SHA512
c8a0ab3dba1d98dcf06b70728e2894ab11c361b85b09b2b552d1f894ba6f11d08e5e83092d99e324a7e0b19bfeab47af98c7408b72724f3036357263a6f493c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ef97c5cd7d159d6ef888d764ace47ce8

SHA1
3ed04fc45da26e3698e00c09d4065bb192a2236d

SHA256
c28d456d247b4a8137c9fc5fe7c5ec1580fa4241c630f3296f5acc403bc2d7fa

SHA512
63d6774d714e487ba15ee863080ab26d83ec39cc4746b519743d49f9dfa6e891254285bf2212fa475e287b45f109be7a862003113ca1ad44a44ff51d7c83f123

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a5900dc6e9e5694a7b4eb390dcbeacac

SHA1
c132d758c5a2fa4480ddd978b156f39c3521d81d

SHA256
ea536ce09cfec5b602e3a8ccbe1437f58afc725279f5e4689397610771290a8e

SHA512
b6f6fb476be3fa17af8cc53cc229b5d7ddc798103c645497664a958157c714ac4b967e207d45cd0e2d6161bf437b84e9657489636084532c6a4508ee83f5e3c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2551f67ec87c7f34e0cd169a2a1aa638

SHA1
b10d9022d12c9956b655a15835ce7475a8a07f4d

SHA256
ab5942af0613db89c5c8656265c30e0f23d87898e934a3b152c4ae4dfc96a846

SHA512
f62fc759c015aed68f4cca958a78db5353888b5dde479cf4295b65a83137c171b2af0a85b80c74dc41d8dadf65ff4c2ae48c6887362f0cb8fdf6f6f99c4a8334

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f7a45f9ba64a60a247f99e077bef94be

SHA1
f777d935fc4b3e1040268baca0b804b0baf183c2

SHA256
da8b41e37d79c3492ad604429d21facfe9c988bce623214608947d86b8b7d92f

SHA512
dc937a7a5787c9493625f7bd880cc2b5c96266ac45363dc0e11ccd34a33e81b2f6f7d8107c504c80411c0dd1c9af96527789aadfb2cccfbc9a44445676e5c72b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9f28d3a7094ca72dff7e2bbd5736c394

SHA1
52f141edf8f3340476b4807ec76aa448fe899f65

SHA256
46b56a9fcc440c9bdd96c45070e02aff7ef314deb6c965648300a7fd030cabc0

SHA512
6dbdb06ee2dee294b80139de13870df54f453ea27b4c0993fe81843a0db31f53403de49f8afd62ac79873056cef936ec70a1d040444150bc1ef3b2d175f09556

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
af80ee2d6caf93a535a153309d12a952

SHA1
2ae40255c72021a411cec31ea0f2ad086ed5ee93

SHA256
1ce0462c602c2d91e8e0107ba6497ec6a72dcc96fb73b5240f0e1176a50ac670

SHA512
f84f288359d2cf7fe9b15164d1184d668038af43c807964ad257e6950b81c61c9bf4da6af64f9906ccfa768324c06e92f5e992177c04709f59d0ce33c0282e3a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
431c0b6faf4f606a36b21450d8301bf6

SHA1
97e8f75177625def95c9117a1bd75e9f91910872

SHA256
cbfad27189d75c4870df221d576a9ed79a5781f0a202edfa88119d9e11079a99

SHA512
8d63dc5aa6f41a51066d8e52526bc7b04e23792206c2a0a0656fc7108d9057e103bf21864ba3aca5781c10fec8702efd27d21f5a35e7a2355a83f5fd7d7ccef4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fa33fee6f855f2e5062ddaf2da9782cd

SHA1
6d693cc3ca60a7bcdda67197d476b98d872cef7b

SHA256
a5219ab1e1b75d7d6eec829401dc5f74148367ce0505eb05fd395ce6c4e2b9b4

SHA512
2ebec149b7cc32b10c3a238d4da6a3ca1af7699ea9bbc737b3b6766825d5894649ec69ac2f33611d165134e304744816b431f010a6be2de3e8c24bba60a99cdb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
a1dbc2861faefe5a69c2fb23ce30d061

SHA1
8918ab128c3fe0404a9040986619d6342d13eab4

SHA256
0fb658b780f0699da62a8002918d84346bd114bff39925347d776c9c1460bcf0

SHA512
a4a81b95df2fb561c4b03570026617c70a465c3d5f6a38a8279ac52cf2913d31a7769ef085969162e3f40e5049a610cc7a9912037e6293e5f9cef189b35a0ffb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c99f297336faf3810f5e804b4aee8933

SHA1
0eb8ae1fe943467649b3a0c8e3465026614eaeaa

SHA256
3642078410aa01fb414cc934411ab7740f89568a38c0b3e6d6839991065611ef

SHA512
550049b15c8786ad491d70c39201e9bd75c2c0f8ba6918d75c5e3e2455692fb28d029e5081711264583eaab89a4f4482a21402cba02ef6b99f1717d76d007d6d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e1fda0c7745f68d72f117288be100e92

SHA1
31efa5a4564deeedcc3abcb7b0e5010ac93e0c84

SHA256
976d0a993791954472ee6238148276f3876464383530f9b2ed810da08addb37f

SHA512
d582d222b60299b6378839d2946b3fdf7b253e2e8519aad7ec056caa910cae58d185816d144415084c7f6a75e015f87979749503003b850aa8289dd1b44758ee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e6439084b7c00f0e387bdd20682ebc76

SHA1
94d1d38366f25cc06ab8ca4d74ab4cb4e1ed6590

SHA256
710254c7a128ededca093768d7d2e3578bdaa37902e5129d7022e0e04a9b83fd

SHA512
9d9590f4add05254e3b9b19ea4ea5ba3d2150b6d0f358666973119534ab5247849b0f57c55029d7127e7e4e295dac795d7756a3a5ca9e2861c2c7b19397dec8f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6a49ee62abf725e920ee787fb71bb433

SHA1
26e58b7ea2c43808b9c1019f57f80f77b0e73d96

SHA256
461c51ec0117fef7a5a9e2dc38df7c18725a516d14ce6649238af199807e8b71

SHA512
23e4ddae5da381c381b6586185facefca7bffa6d68d61f5e1b1503309c809c2230e4b879c2f9a4ab839b04e9518e17a52f91d9bed903774274f6efa000f2ce37

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc9fbb90b519b4c0b63da8f4eb1aa5ec

SHA1
2aa8b32f82ea7af10deeb9bf00e80ea8fd1bda39

SHA256
7d08c7309b0a0a45d929bc9f2cb86b4a77ea2404e89064915a9ffd6750a19073

SHA512
9f289e15407760df3e2e65f39dc7f335b21cdfe7e8e686768ed5aa0125d7af5f9b4adc98e216a3121be149d073c6e4bee9efa3e5fea0162c28e427faa4226c1b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e5d94b5514c326eee998534d1fd25851

SHA1
a60dd104f86ded3a8f0532732667935c9436fd84

SHA256
14206907b3ba1d4ba588eca5e9a9185c45e06188d07b2fce7e24e95369eb9930

SHA512
dd9f9ee8234478fbb3e6a57fde6ee46d07ea64084f41daeea69a273b86be6c1a63481fc9de38393c6513662760a2ff22ed7e452b579a0d0e834343a415e53e79

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4aeb9a80f5e96255886fe2a509834baf

SHA1
5945efc9f171a621b210a520a1e3b6b1b3578fbc

SHA256
a6303b11617b835a298418ceafaeca2bd2843146fb20320d85d290a0756d52f7

SHA512
61e7684c0d93b9a32eb948fa5457462942d33fa8d45d9d10559aec58b67d3582e10974952793e049115c9708db3cbee05036bc863d40be48e73e71d2a4082e67

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7a6baa4b72a7d3c63e9b43114aff8601

SHA1
06cdb5576b12836702377181d616f618ccfdb452

SHA256
aa527bc3c6f182528c52436f207474254257013fa52fe02dc7866bd6a39e4f77

SHA512
eb0eee977f486d224cc547cc52d28d34cb7892a29c836058a5f6b975d163e99b9f38ccf71498c17066c5b53020d9d520c5c836dc043395cf51b83ea0f364d7a5

Download Submit
memory/216-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/216-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/544-213-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/544-600-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/948-561-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/948-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1304-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1304-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1612-225-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1612-155-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1612-162-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1732-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1732-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1792-186-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1960-233-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1960-178-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1968-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1968-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2260-136-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2260-216-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2588-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2588-581-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2900-167-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2900-174-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2900-172-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/2900-229-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3056-105-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3056-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3056-99-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3056-188-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3216-6-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/3216-151-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3216-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3216-487-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3216-2-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/3248-235-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/3248-607-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/3448-127-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3448-121-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3448-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3448-132-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3448-134-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-598-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3752-210-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4040-209-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4040-116-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4040-118-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4040-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4220-152-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4220-144-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4220-148-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4220-221-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4616-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4616-238-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4844-230-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4844-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5004-90-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5004-84-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5004-177-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5004-83-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5012-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5012-166-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download