818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
Size

628KB
MD5

22cde640af7f79e94ca4b8c55179494b
SHA1

1fc3dc07729e2cec36a293330d75ab35e928c49c
SHA256

818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7
SHA512

9874210aa5892a66b2d4cf6be400b3332dc2fbd21917ad71250a65fe34d6301cd0563ad280d3a85fa64038f008c624bb206bdb305e5681b33de609cd3f3413a0
SSDEEP

12288:ttmqTLMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:xTYSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1008	alg.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
2464	fxssvc.exe
828	elevation_service.exe
1632	elevation_service.exe
4612	maintenanceservice.exe
3688	msdtc.exe
1972	OSE.EXE
3448	PerceptionSimulationService.exe
4196	perfhost.exe
1488	locator.exe
4320	SensorDataService.exe
688	snmptrap.exe
3204	spectrum.exe
3104	ssh-agent.exe
3788	TieringEngineService.exe
3488	AgentService.exe
2924	vds.exe
1016	vssvc.exe
2764	wbengine.exe
772	WmiApSrv.exe
3376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exealg.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ab6bda92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\System32\vds.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\System32\alg.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\locator.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\WatchSelect.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d510d9cecabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb02ff9becabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005daf6c9cecabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044c7039cecabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005608839becabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a0fc9becabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf9d3a9cecabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1792	818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
Token: SeAuditPrivilege	2464	fxssvc.exe
Token: SeRestorePrivilege	3788	TieringEngineService.exe
Token: SeManageVolumePrivilege	3788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3488	AgentService.exe
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeBackupPrivilege	2764	wbengine.exe
Token: SeRestorePrivilege	2764	wbengine.exe
Token: SeSecurityPrivilege	2764	wbengine.exe
Token: 33	3376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3376	SearchIndexer.exe
Token: SeDebugPrivilege	1008	alg.exe
Token: SeDebugPrivilege	1008	alg.exe
Token: SeDebugPrivilege	1008	alg.exe
Token: SeDebugPrivilege	3664	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3376 wrote to memory of 4000	3376	SearchIndexer.exe	SearchProtocolHost.exe
PID 3376 wrote to memory of 4000	3376	SearchIndexer.exe	SearchProtocolHost.exe
PID 3376 wrote to memory of 2864	3376	SearchIndexer.exe	SearchFilterHost.exe
PID 3376 wrote to memory of 2864	3376	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe
"C:\Users\Admin\AppData\Local\Temp\818b6acce6c908e96b5cdab90edd2f7b66186393f32c7c58c43958fa8e43d5a7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4200

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4000

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
31ddff4c13a608e6dc25f51bca42a640

SHA1
2f71137976fc01e813330949660c9d0aca064b5f

SHA256
347c62d1ad311483bbba6708ced987d9cac3a41e7a47728431fea521abe2324e

SHA512
e2297e005d5153b9b029b815d65b58faec983e1f0ea6dfe49de136d7b7cea41460a9b5fe45e9183acda56ac7d5e318a6d9ca8c5c0b4f3eee3e5cfa02745dcfd3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
861daeefabc561269297f0d7d86fc172

SHA1
8d79dcba9668786e945823c9b2d034c3b8f2ea39

SHA256
09b32cbe0f780aa3486024195f9ae48bcdfeb19c1cfcdccd4751733ec4626f5d

SHA512
d9376f93e60aebd24bbe2233b106d4f9506faa75d5b5137f78a4e70e4aafe4dc66233c84cb66170280aadb46ac77334fb09b6315c9ec962e220ed7a9d9c5befb

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
9ab8a850f322132ea7c6f76ae799812a

SHA1
2a62dd60797f920d120cfd032fc2eaa054242653

SHA256
6cb84add96a548e4b41a603b4090e61eb505615edaf4ef07129731ffd29c7a98

SHA512
d12b5a95bfbe7085746bdf55b569bc73456370196dcd4099cdedc78f039dd49b688d8d353fc4e22cda06a15365d760206665b0fb3da61890a6c99aa0fcb8ce03

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
752139f13b90ac6e5876d5165bcc8504

SHA1
3ad61496f93e90968b19c0d12f44f58df2ecb11e

SHA256
89e81f53a246ec7b803d2ff2f6924627b84c6a55ee961cfd6bc6d880213da359

SHA512
9ab1541c799d9661325262ad932d2df659a275fb6487a2a400ad7faecc926777e6b301f906c5ec39ba13192816f45bd9a88cb7af2b593659c0132e5f03a69dc0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5628709e12befe097d86795435befe39

SHA1
6b91caa7c7876d18a2e5ed7e53bf24967648222f

SHA256
0eba760cefccf31010271a0cda7b6c6126107130a8f4c2b01c2b11bec2d0eb68

SHA512
99ea1ab3f7014eb294dca44a9ac21242f1f25c349cf2f2573e455e6bfe5a7c40abbe6fbd391b55025c2015b32ee3871523eb0015ddafa64acad7580b52d6b986

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8f509a8853fb8849cce39436415691bb

SHA1
e8e48263664404f47aeeb96efd9cb789d224b813

SHA256
7b26bf7a18a7484fdc020273be9415b3314af09cf14afcaeede39be32b27e1ed

SHA512
3114871dee54d94ee3eb29f0d770e77abb8e5b930b3fa8f47cc593ce0b5793e3da607057cea4421132caf03f34029c709907defa45a040828daee2e9783a7ab3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8f34d2e5fcb4210e68ba5178cf5ee6a1

SHA1
0bd3b12b3b82823dee9257466bf88b399528a73e

SHA256
d6b17b651be18ca753bb83794f967076d350d1ce5adb207b6a9014bb3c74e4bf

SHA512
a24593075a232a837247f9a2adcb936c94711fe27557d9ac2b3b622f7c72203504d7e65b5ab1b8dd4fc661a1a18553ccefc9db55b8d8d2189912c30dd76665dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8bbebb4296e5890e4d1e36456cd9c0a8

SHA1
abd7af4209ff94b9885929dab7090f0f2d336f0b

SHA256
27e24ebf9319fdf504e1c8012457a04e461a0534de9efe15b7931c50a784e448

SHA512
f1c323f5ded4ec8a4c3c02cc072760f5dc3dc0aff7465624802828d05d141d4fed4eaf20da84ebadec91b3358ddfe60e673921383f32f8ba2a47e5be33f86ff6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d45eeb7181dc2680747bc3597c768ae4

SHA1
ea9f5a9441817035b7650ed199d516387d2a8f49

SHA256
a644fc7495b444291a676f1a7f30307643e8fd8507dfc93446e46ccdcb05ff05

SHA512
0e2ed5415ee2372b9e650d3967b3402a92804799d039c4e6c7f0a3745801259480643a6141ed795e01ea6d56528e8e0650fa94fa53e20c4e7762bf5e753ac1ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
bde0d1fe0349433aa9d39dccd6356242

SHA1
408060f00929d487e30d54b9ffc13d15f7c6c84c

SHA256
292329a590a1b3778b2b5d653028e44f8a311fdd78370a5c04fc3da5412d8245

SHA512
5625cc2cf43037c35d263121029ce8e92bbc361dbe803b1df4603ad08b1a2621476b1488a0d5c186c6d3b258754828f7c782080226504f74b0c088ee0f50141b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ece44d842d0c4edb426a6247c441fc76

SHA1
ad8a6b2c523350c6bfa5550bcafe260cad29297a

SHA256
4f14d1b1bd6ccd62b173448454afba94d8e8b2292d769a99acc8858cd56bb108

SHA512
fa9784bc2bc98b4540ff6161e56ef9609eb56bbef49c6e25e96a7fe499559fc4a77703aedef684dc23844ce4ef0678737764237feb04d613e7bb4351c9e47390

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f498717280bad25061f69034b6e787db

SHA1
abd6b4a5b7293f56c54738c7927bfcc97d3bcf8e

SHA256
bd5a80b0ab3d01022d80547f801501a519a955d9686e169657c88e3a993447bc

SHA512
9a011bedf14c3ea8c72f2ffa2af789cff02df707ed5cc2ab45b2d79df663d7c8e55e142ecb7d5a24216c5208a1607fef313cf6f235a3354ab9f25b5db0fc695e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
8af4dcd8da2d4ceec1c13598075441ac

SHA1
65b62d9d8817b2da6250e5d05c44b0b2d80cec1d

SHA256
688366c521991c30c0a06254774cfadc3f66405bf28c5dea7dea05f37a351831

SHA512
1a511bc9b8731f74a61c831acba3045aa69da702928332081b11c4d6325b22b9bf72adf342ea98fff9085ea27a438c1c4cc11e80bd99f8d70e77b8e9b58ec977

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
a2feba0489e7a2c4374c082f2489a5f1

SHA1
48438233f55bf4c7839443b3d2cf0ca67eda7cb2

SHA256
5d45de3146d11f2fd3d0da54c50280cefbbb29d7e19d63eb1098a9c2db3dae0d

SHA512
166ea4f88c4c50ee7146c4748ec73c9c558169940c2343ed825c9ec0ba846f200a56900fd5043fedf8f6370069879bf3c43ef0d22329f3093e7f1daac7714447

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b74c28f4503198a4a8abb2c901fc401c

SHA1
30ed0b7988b4d07429f3d9736ab660eac2ac8832

SHA256
903f191116d26bfb5b4e07cd0814b7b70ebbf6e3f62705c80345a897a0aabd2d

SHA512
9a9ea16a7395274af555a47fa149ad03862afae05ba0ba689bff536243036e3668ab5e5bdc85457b195a17534a5ce227faa6c7cc0544c104d87ea58c912e7878

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
de97d2e942a6081f2fe71bcd43fd5c1d

SHA1
f0cbc465a09bb8dddba19fc7ec8e95b7eceb8a25

SHA256
cd9ba8508142173e4079fc0fc1c4384ac32af9e3b43e198e0c4d8ebbe2418bd0

SHA512
4695bc7cc37058a0a6f77c3e567cf655c4738f03a0fa937af618bd22933fbc163dcda38bf6df5af397f0eb15c43db5d05720587883fa40f3a5fc9103be87fe16

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3357355fb63e85603b96a714adf957d3

SHA1
c92a5039e6bb79a7cc00d25b6300163c9afa9ce7

SHA256
e88cbe6b61a945844f09646d2ca35252b9d5c28ba57cd7fc4d822a6d033e2be0

SHA512
1cb6960743668128c4ae9f14e431f7c20bdbbea1f34effc17c7ee4b7a280cd7e033000ada263777beb6da2a9ba6e29ccca21c22c562aff86785bae6976504dfa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
906074fdcdbf20fb777273762b2efc69

SHA1
4b96548285f302658d9407fdb71e770b3626d7fa

SHA256
d50fe56339d239dea96f279da96b6a8cc568f0e67f257a31640d8f25fd1a49e0

SHA512
69ef4868d0d8dbd90f3079c1943c5085e9f5ec76ec6d905e7573206fa72204050efa27d84f962c5dc2e1c6d8a455d4115191d276bce256fe6a46579a95f531d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
abb626b91d3427d255f3320f7b69f176

SHA1
85a11ab0e9058a6525024d83f339e44eb63ca237

SHA256
2f8a0bd852bcc60492c799aff27a32e3a3571c3ff27e699f41d415b413ecbdeb

SHA512
9618deb6b2a172d975ca2f36b571b345d72a6e52471737f02257006161f337495daff12964b64fec228df31d402bd6ccad8f53badc25442391ad9081895c1a8a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
30a0b78415d658cd64d6b80bd9bd920d

SHA1
41a494564a46d8547ebdbf4b62dba3a7b8944fcd

SHA256
dde0cdce69562d28d0156e61e444e4cd88b9ba3a66f5b0954b65c669d3fa3474

SHA512
fa1024e26e01e0f6ff932bdda402b2f3c934636da1e76002a7cdba701056db2f526945db71085cc75375ec1d1f2c51881df2be8f625367e534018d3017c21a17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
313c28fc4a192fe1f91ab668724b1125

SHA1
ba121fae63aae6d0f91a31f4d706f031bc99003b

SHA256
5af43c68147c9926bd69aecc3c282b51233e3fcd721ab64a061a3cae3634bc56

SHA512
0012c330c2c8de42c1dc3bcd229aa76ad1a019b13bcb6b5d843b44c51ace4be1844e026c327e5126cea5cc2406675c20a9230bd5669781d2ef6f288fa1a2f948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
24270061d25ffa5b820f607fe01bfe76

SHA1
fcb1f6c8d2ecc1ea5bbf14b5366b99f82d2ed753

SHA256
6adb48406ee5b5bc67a82be227c43eb51057e1b8a4c9f69bf86d27c730ff569c

SHA512
f2c83e534d27d88404260d2f07b68bb57ab16f56da4423f069123283678e07b4a54d87bb43217c25d191dcafe489dbd5164b407380412e5f9f39418dc613a422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e6244f81777800ddbf072239f7acf5d4

SHA1
17d5112c8e63d278c7c47f085fc5996cb9a88786

SHA256
d83a1c112b645a50cb1e960ce9e2da8c6210e0523b7207b58da0b6dd00c1c152

SHA512
a423bf0caa6b9aaa75bdc818f9c254aae2306e6ec84fe5d4e5b17a4ac72a992e9589d68643c92c265cbe81919b4076d8bf01a6ad668d44f58e3db03b58c47e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
00dc3e69238686509061f885da47aa69

SHA1
06daf47fd86921a19e4d0d9ae3a5a5bbaf3c9f36

SHA256
f04203481c81e3be4a0599a6bcc3c12c46521a168da05536618d21b1020c0549

SHA512
6b3b6ba8e6c570ff41fbef25ae08009f0f9a354a8e3a2050e2bab589ca405bbff98512194406ff089c8943432789218eb6415fbfc12e8b9f05f9a8992b06f697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
520470cc3055c330257a29950db7a085

SHA1
2e0011391857822934fa4efb93707ecd4c6fedeb

SHA256
44645cae9f0b02501ce7d8825268a110e6223478b0edab2519f30ba7837b2df3

SHA512
a501d8d9b3893ab59745cfbc9dc19f0c043ce3069704d21d5e975ce913376e2df0998ec7ed0ea16260b6c88eb72a9959de2dc401c32197783703b38a9aebd791

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
f4416aa8f2c4c9c6d971cdef0ff4eb3a

SHA1
968b193243583488448f34364fcd1fbf7979134d

SHA256
ac36a1bfff7771418923b835b103c1741026d9b5d818d421a305038336e57d2b

SHA512
59be035e9ba91bf9fbbe0b36f4e343d345ff0150b4c45b9cb756eade3eabf18bb2fd77180ac316a80619eebf5b90bbfb7d4181fd565e37c7cfce0d58ddcbc5d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
429d35197937eee256c8b262ebd4d890

SHA1
7ac0624111801b07268b834b03411dec04604401

SHA256
6d151c43ac2f00206258e958f64b903b8b20515585d26625bcc3318d81588c99

SHA512
4bdf363e6fe8e42626ccda201997a20ed2fde520dc1d27a1ae2823b75a644cc45d7be3f885e1398817ae20d77a50bb41c01d82ea2d5824631244e3e566cf7154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
ec685295de4b8b4ad5ae2c52c89d50e3

SHA1
851bc038404e0d5e7f440340c14051f7041e9821

SHA256
aa527224f7ef45b289ff3d113e38b6a92f2b9f853bffe21894f9a9d921bc17a7

SHA512
29b0c50a5591bc03a00ccae321a1cfec1d1c68310fad7859febf407a9279d1b1f8cb2fb068a6ae39217728165b443a49e79b1040b8d4299e7686b2922ee8e506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
a95530d28d876b39b8c203a41d78d84f

SHA1
241233cb376795be0105db65426a18c57159ee63

SHA256
106aacdf5a4b523010ad369ed7c8c7e2cc67db18dfe62167ec4d2ba89bb98a51

SHA512
6f2699aa1fa809e7d5bbfa501394eb83643433fb8f9b67729916d7d5fba3eff81bd9dbd7883be5d1cdf44629117f5ae76c5f8a8d5868859cf0ed38bd5b87a0fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
573d24ecb74d7964ba0390209d09069a

SHA1
74380bdbb76e9e7c557e8aad387e303a6c91d928

SHA256
b379da8beabd5b0ebdc8e99036e237e041c611ecce994af7a62d4c28a3b19f96

SHA512
4d905c04822196515312369a321a5b14f7935d8a3d984f54d59084dc587f4aa1c90c5f3e08b6124dc7988bd9c96308e0e84ed08ecbcb3f85e63187a8b5c103ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
27b5fa883c75578e0a3e367dd416183b

SHA1
8d0dd5eecf3b3767e196b87dfd31e2fccd7db2a8

SHA256
f551730ee475e441bfe848ea662fd09d25290e61b8809c227b9508b51d23eb82

SHA512
8059c739a65743a48c82229e724f7fd50dd5b27ead552bda78fb53ad017e04b00002583bae0eb763cc7876ec28b94343beaadbcf1cb5f089bf5c92fb95b4763b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
254430f7c9c25f58da5d692cc7e795d5

SHA1
65a7ab0147f451ae2d2a1c6bf874c32cdbdff2a1

SHA256
cab64f6b29d5693c26fc3ce67e8a573a628be17fea863ca9755105f2c18aa916

SHA512
d27a2291aad8d0f3e0307223281a99c56e965af150dec67180b231d0735e7534dfcc6644979f2d0d4fbba608a00509d91992d396af6f371d77194e35f646c764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
30796d7b45e8367be8a13e9a8c7395b5

SHA1
5fd894b35da1c712eb773bb0e39481cb59e03a7a

SHA256
7048fc369d92be0bd66c19b0279e48fc349be72bbac7e4840c7a9e6bad0628ec

SHA512
d2f096825657ccae6beb130a512a7029a496bdb731c4d48689784152d328eca7e85f627e580fde0cd4e697ace08fdc5eda7615fb3adb5a6d561d223ebd3149f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e581b37c47cc4eccde3519d44bc35615

SHA1
10f8128208859f63fe8d92e4ecc63752814a1208

SHA256
1744a1d133823db08cc8729e7633de3fcec1976f053c92e5a2648b9f3eef28b5

SHA512
9f5cf9adc86695774b64b88f1096f6eda51c61dab722968199a191570afe05911f80633284c57967ee247668311bc0078a8e8dc8548b32f457cc1c2a0b747a16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ae94230a34c7b7b9ab59e720ef5182ce

SHA1
45886f08a400b7b1a3247e659b1fda411929225c

SHA256
d1e68c88d039cc5553a29d25441bb57e90e9b83f216529609f7052db073028b8

SHA512
a2650bbe53f49192d7e8eb896015efd5e79f7827a5efc4c100e561ac58bb5ed1c6e7eb253e95f17bff7f9c9754a2ebbee495a301ab52434e057de31ac1c33445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
b8dbc41f51a9dc116097ceef7fb9a93e

SHA1
4258ae8a803bb12b5e794481324795c7c2c36c1e

SHA256
4d04ba969166399ec37253b3282b102fa68e7f1dbf5a635194a2625f8e27229a

SHA512
45f0a0109d3fd1209540c2749b1b0a831a3d3ae691122c077176d011931120970bc39a18a87399f799b34a8feed96af6cd69a772b3624d4bd9722275e9791c2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
731b8e570bf439bd9985683cd4cdeefd

SHA1
2583de05946b8a78292d79174c672a626fcc89b0

SHA256
d2970ed5265b1eb5703db75e3cc599b1d22c4826b2f70de15f662d0d2cd3d784

SHA512
faee6649ba6f1b48516231afe3b8c9f0f2998635fe249ab549de8ce569dd73f2ad73095c4b3686039d451f2ccd10a10284290090cdbd4b8e3e9b08a4493f9501

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c592273d23c0db2d8b9f597546a78855

SHA1
080773153b8ad38cbcf6f77fc4511b027672d064

SHA256
87f8a6b938dba61312d45841b553a1f6aa2ade7cc55f496884e1faa1b5884f1c

SHA512
fd64270e63eca3c58d6348293bb0551b0471763b7be8caa1bbf3cc481c472836c3934ea617c59df70dbc05dfd62094e07921e712f16cfd92aa893506050c9c7f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
30cea532279ffc17ffe6cf1bfb2255f3

SHA1
7614f0aa9cdde3de3301eceadc4e77af9b749eb4

SHA256
b68f2d47fe4a6c86249234114bb727c87039aac107ec11e7ce4c1d5030f6f98e

SHA512
910f44603870214a2c2792590c49c465f87c5ffb253d81876c72ff9c85241d3a017b0fc5d2319dc2bc6f7fb08f2de644fe3c2aad5bf6dc28dd64e869b0473acd

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
6d1289fb92e20bffb0354c91da1f8a91

SHA1
4d175bdcf3a1e8ccf1c8826fbc86764ecf86f459

SHA256
540138c3219261983d60105af7d05481dfc3f8b0f483a334002275f8590371ff

SHA512
aad8b7a0c9541033c297db66b3a481ef7b98bd533a8acf62efff310b99ae56d7f9c747d7424fb7d028b0cb3c2b09e0293fbf41c646037e50fae8e558f5cf4a50

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c5ccc17e073e57c95956a8e5c14e7215

SHA1
ba9011053d72d4a4824e0f521043b60f92312483

SHA256
fad89045369418b918175c04135a94ae573606846145e8ec602aa87177696530

SHA512
17611e40b20d3e7963d8504f0b947aa8b2c5c4aaa2742bb046cb187d37ef52454c64ba92d51d21e496c1beec31d90e8ad26555081fe5694d7abf24ce028a8323

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
ec21355400a5802cfcc1ad0adc5de0dc

SHA1
38222782544298fbf62580d27d17edf794d9aa45

SHA256
2adc6dc58e3044a24b0238a27018be30e4857ad502b3de4e8e11fa1b3c23e131

SHA512
be836f610e79077414198d89b410f8e79d8a9d6afde0dd894d9956a78cadb33466610f6a2f9196dcde0e98f2d26782635df63687b755ed6f0e360fffe2295a36

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2a326784ee596676210a6e883c686f13

SHA1
ff7082acc478c1e27417ee0cc76444e58cd4b330

SHA256
321e81a3502658046b2568bf84ec2cb584e5b12b57fc3d8e8df8974332d2913d

SHA512
fe3f8c2b1496c98439e9a5d6ce27a19115b6f8ece90a6485907bb2e9bae552c28e765ae8d888805268acf0c5a209d519c6f80fbb33490e5b335feb25bfa563a1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d4fafe985965833872e814c186ca3a50

SHA1
64cc457a70dbc51e70764963b714e190a3321b0a

SHA256
779f00bd5e5e981bd4dd0bcbb392860c55f6ffde27b44efa715a5c0d1e94ee37

SHA512
bc1943424b4e7d58603de590624c5ca0ac91219ff9c688a6ab55ab61af2481b82fddd0d7f7dea2819143ea42d4f40701e84d3fee184b88607b774ecaa99c3429

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2c72a6ff48a11dabd5fc94493ffb1485

SHA1
0de28a6b37c4f264128d66d2cdd655c906342d1d

SHA256
8fea33b5cfa2b7c45da6d3f59a24b21135b68649bcca14a7b0709c011a7179a7

SHA512
49439684c226bbdfc86e630b57e68d7d8d2a8958b8e15be002bafc431c3e487a254a0185b314e2905963447768d2bb9e5aad433857de309bd402d4c103e343b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
fdc3061c761364981c1bb96a6e7084be

SHA1
2022764d761d0e05ad68d1584c2a68c43b3ed451

SHA256
9e26e739e8265e4f22729a837e672f75fb2051e7f2468b79e613f0d736903d23

SHA512
c6c90c38f38d3e6dcf40dc0021f3739c769d62690b5498a06c4c64eee8a97740caccf7c72b1b2f23b0b48c03a4b2c381dcff739cbcd9193f3f1c8196f10fd834

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ac097c7f969253872cddd3ab21dd4daf

SHA1
76e962412030ba39d476ca6231056e7d0fac755f

SHA256
0b95d4dad7bbc65eba4216b56e05d7cfc0a83f1dc73290ddf0db3b4b6bd7303d

SHA512
d518d67ad22ef0b9c78dc66db8a39a4f7062b391471818a04aa456644a7547f3d4d8eba225e1f7d296433ae2474b25b1e77b89f730ddbcd996af6afd7b492bcc

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fabbce152e941d316b9f121548629077

SHA1
25dde7a847258b213d3dc9225425ce5c6f089c54

SHA256
9628bc62e13dd950a6b38c9bd96064b97488c8ff02beef8d50a50d7045be5cc9

SHA512
490a59ebee84ff76fcc17222a272dfb967aa9d58ab8c4f97dc0ac4307d902b51f5c0b0f08ebf92580547649904b83b93962ff1a6396a960dabfcb055493421fc

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8e10bfb998ddadc1e251ea686cce402c

SHA1
3ba79024b49adfcd919654a69ad0914acd418c93

SHA256
d334a55760ef8021c9d39355f2fa156f4f72b5f6b7ac2a9ad89d59218d188aad

SHA512
0c1301a5c50e353366fbf11c2210d437a09e6b4867aa659957a042a287b9a8bda1728cad698f4d3da8927a45c7842e41a46d645c0428d23897ae4f413b3bad17

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5599639813a58952ec9b8be2e53039d8

SHA1
0198aa625f6cd449b4e9f9c16bd29bbef0d67802

SHA256
fabde679afe6907b2852169b7e48d25fd62161b51935444409e3627d993455a5

SHA512
c30af2950598d26a4819fa8ec5546c6a9395e45c578e8e9d771c7893a03da98a79634e213d3c07a8cb48aba304b455a0fa8395645bed9120b3dadd42a4cfe830

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
41889efa73636ae6ae2ecfea81b66738

SHA1
448271b010b051ef2e20b5d1829a50aa4f39fa6a

SHA256
6ddf1578fc70454d5743812009162e0580edc2d30fa5d0056e445bcb862b458a

SHA512
db6812b1d4fb95963cb7de61bec7420b388448bde6598b407995e72016a8001456666f547b3d8d56febdd15906ab2ebd38a660c983b8f0e60edb24a597e82147

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
1a2d3852b94f9559e5168588e34b5681

SHA1
8385c1d67be1b06a966646dc20c651ef987e3c98

SHA256
518d40ebccad3d6c0cc25388014e8ce6d79c0cab7fb4390ca30d9f34fb2e7e88

SHA512
5b30bb173608436e2459efe632c541bde0e0f8dac0d5d6f7d0e92f9558a49381642e11a8a7dec1b210656ea7be84f65c28c47b3d33fa6c249185ca6a2944e320

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
eb4ff464f430472bcccdb4f7a8a0e853

SHA1
5eb812ac941ffb547e39583a5d1833803e0cbdbe

SHA256
7fe238c222827298e6c834558b9f679aa2fa31a780cb3903d02c6971f3b1a600

SHA512
a49e6b8757d3c8b284bb49748b8e86083730ca85b95ebf97a877b932d23a471b6539978ccc36913f08abbfaf8328d86275dc89d4a562081064a41756754205d5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
a8e7963b8550cffcdefbd0b8c86c6268

SHA1
bfd817728c46790507be023692abf7a2827fd813

SHA256
3fb3f774463c2af0929134772000ebba8201764bffe8bd19269dfcc6524d6250

SHA512
c500f70930b11d2613ad566b2c0acefc065e64d60eba503e2444ef2cc04fc8477342bd927dfd04eb2cbd709c127a6e43ebf5ab08ffb90b6e10a5a4482e68182e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ccafdc3f330068018e3b486e7ca2cd0e

SHA1
b552942ff4c03f8229444d832f07793ac2e05bbb

SHA256
cfaea3c6ac2c38df164438a2f567073604097430ca29917138e38e074d81e941

SHA512
09fc65c52cf5b9c413228b0d598a34d8ddae41b5aa7066e653971bdbdf469d32d553e949a5159714e4212d9dd3d36d81104db6233fb279a8ab93f1c496693a75

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b02274abdc3ff82ab087002459737692

SHA1
633bddde72dfd889424ba368b253f0aab361e60d

SHA256
2c053dccd63efb26d7aeee7e88514ebad51f380e75c0fe234693cd0b3f7f8810

SHA512
b0c81810fcf2b18e1459dfd8510c4937f426c8d20c7dc01fdd41ae9ab4a168d8406813068a0601fcb52424ad432cbd44dfd5afa78d6975500bcd3aedad210d2c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
1.2MB

MD5
1e66134b7c61e6ae014de950bd8e5ab0

SHA1
4f0d015e3ae078fddfa6f8ff4dd7f840f60018f9

SHA256
99526b821babde2c0feccd0368e09a5ec56fa1ec22a5a7dbbcdc161c66939657

SHA512
d188216cc698e816e3308df27a7bf0bdbbec6049cc00c3ebf63ebc9df3f96f3096f177441dad231f59c07c28d19c27fce90610d3473410a8bbba06b6f566ea1d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
25b0ed977d2600ba22d301180dce23f1

SHA1
41966a1151df4c978d025dedb0d154293223fd3e

SHA256
c1c78f977ecc4cc4ed6bb2389557563e45f9d34ec89076a4aa8c029c1fef707d

SHA512
ea3e33a5a1ed54eccce890175bf21171232cb8c70180e26308454e0389795a6abd977b7bf6af1f746a534e4030f214be9c91eae53d0e82b5a56599c4a863c2b2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
03ecc65bfa5abce9852242f02511f6e8

SHA1
e357472a23e7e904df7e45ab22b73d74ff922b56

SHA256
13776504e6b5d958b3142f6988756fa73b792c692567b3c218b90435e9a88e82

SHA512
b3584aed3f9603ae578786dac656c0811a720ccb4e2da6648309d50601f86306218f75a123f2cea2d7d566ad7b0c9fb82ace65a95a7441c646f49a76fbba555a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
6fe0b1d88bfeb818e4a062ee871cc470

SHA1
08e2df598574cc0f44bdd93aebd5fc7f112779a9

SHA256
a709485dd2e2201834c13b3c5b2ad1937c40e615c5df8170fead25140943fcd1

SHA512
d4ea20e5985a6350f01dfe1d277e6ef0c1be4fab72fae88e3c7e75b042bbece4b17c42196930c2ab7f6959f9366da9b2d581d12bb0de59e2271a860a60206aaf

Download Submit
memory/688-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/688-469-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/772-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/772-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/828-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/828-53-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/828-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/828-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1008-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1008-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1008-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1008-91-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1008-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1016-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1016-636-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1488-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1488-142-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1632-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1632-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1632-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1632-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1792-0-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-75-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-2-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/1792-8-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/1972-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1972-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2464-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2464-46-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2464-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2464-49-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2464-45-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2464-39-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2764-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2764-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2924-635-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2924-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3104-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3104-629-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3204-586-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3204-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3376-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3376-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3448-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3488-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3488-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3664-35-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3664-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-124-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3688-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3688-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3688-211-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3788-192-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3788-633-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4196-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4196-131-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4320-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4320-632-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4612-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4612-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4612-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4612-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download