a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
Size

1.8MB
MD5

5e4edf37975d84fa6a153bf447f5557a
SHA1

66db1ca4a3ad1affeb30b650ed2862ccd406fa62
SHA256

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7
SHA512

45f5eb7ab0d1dfe4dbf95819a63955cc28d36622b467c32eaba749ac8f3aa2a79d60296a25b6ccba596d010d3b1ce26e249b5aa2afbb973a81b8d3513b405c3e
SSDEEP

49152:mKJ0WR7AFPyyiSruXKpk3WFDL9zxnSjhG/1OfMUgAkp8:mKlBAFPydSS6W6X9lnIhG/2o3p8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2228	alg.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
5072	fxssvc.exe
1484	elevation_service.exe
4092	elevation_service.exe
2548	maintenanceservice.exe
3800	msdtc.exe
3880	OSE.EXE
4044	PerceptionSimulationService.exe
2328	perfhost.exe
1944	locator.exe
1588	SensorDataService.exe
3116	snmptrap.exe
4284	spectrum.exe
2652	ssh-agent.exe
2280	TieringEngineService.exe
4832	AgentService.exe
2716	vds.exe
4156	vssvc.exe
3592	wbengine.exe
680	WmiApSrv.exe
3424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\System32\vds.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13f27b07293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdate.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_ro.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_no.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_bg.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\psuser.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_et.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_en.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_is.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_de.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT512E.tmp	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_iw.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM512D.tmp\goopdateres_zh-CN.dll	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe

Drops file in Windows directory 4 IoCs

Processes:

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002632f2bfa6acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008563c6c0a6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b6288b8a6acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd4cb3b8a6acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ae5c4bfa6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3ec72b8a6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002632f2bfa6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d2c6ec0a6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e5942b9a6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000041abb9a6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe
1988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4552	a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
Token: SeAuditPrivilege	5072	fxssvc.exe
Token: SeRestorePrivilege	2280	TieringEngineService.exe
Token: SeManageVolumePrivilege	2280	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4832	AgentService.exe
Token: SeBackupPrivilege	4156	vssvc.exe
Token: SeRestorePrivilege	4156	vssvc.exe
Token: SeAuditPrivilege	4156	vssvc.exe
Token: SeBackupPrivilege	3592	wbengine.exe
Token: SeRestorePrivilege	3592	wbengine.exe
Token: SeSecurityPrivilege	3592	wbengine.exe
Token: 33	3424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3424	SearchIndexer.exe
Token: SeDebugPrivilege	2228	alg.exe
Token: SeDebugPrivilege	2228	alg.exe
Token: SeDebugPrivilege	2228	alg.exe
Token: SeDebugPrivilege	1988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3424 wrote to memory of 2812	3424	SearchIndexer.exe	SearchProtocolHost.exe
PID 3424 wrote to memory of 2812	3424	SearchIndexer.exe	SearchProtocolHost.exe
PID 3424 wrote to memory of 1784	3424	SearchIndexer.exe	SearchFilterHost.exe
PID 3424 wrote to memory of 1784	3424	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe
"C:\Users\Admin\AppData\Local\Temp\a4f3caca71b6c57c09c77ca7cbe4cfe2b9866fabaf1f07539d2f2d74c5f623c7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3800

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2812

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5cfc8b6097c5f20151e91b194fb84bed

SHA1
86d88f38783cdc789b86a86df4b5f4f6248869d0

SHA256
7152981d54d9677192ab643a956f09644f6d5ad94f36c9e8a417fdf9d132d479

SHA512
c96aa723e7d28b609498029a9a3a9aeaac864d18d16bbcd04398c09aabdb292b95fdcf49048f9122c9d2a4e21118902d3ce72569ebce3a7474c6818001c73399

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
b6f59c3ebabaf92b622b00486fb7f65c

SHA1
1fce5c712229a419ca760e81d68f12ab116bacf1

SHA256
f5d4f3af10dfa090c75f25471c2782b18fb795cd21d2a93cbcf4de333d82a9e1

SHA512
55a5c38da78e7d1de28ade9306e81f4e09d1f52d16e99a8f4ab14885e7c650b66665da234917a7960c0c456ed58d30b8419b60b84e50e95e35fe52ee92eb1cfa

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
253453dce94f838474652fb3b30ca5c2

SHA1
0da8f27ac07cd362e77fee89c6cad3b3eb3c2d99

SHA256
775d75d01e0594ebcfa2ee38e6b41f7ce40de9ef5a8e6f533e45c8c9dd6fbaf5

SHA512
565055e805b43b3bfbe56a30b0600e3238fed5f73856f13877d915884a4e48abad234ea4571fb6591d75e23ed5374915e4b6313cf01e31f657d190c68931a2f0

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b1c188288dfdae4c70fb078484f1f4d5

SHA1
e0a5a6515021667fd87a4263bf5375a8826c8311

SHA256
1778b9b19627340b5b9112db650b7f53bb57d855a5833799e107e7252da4ed37

SHA512
559a938b945b36701ba9b4fd357651c17586c393a6d79619054f21b487e32b210a246a98dd8736bb4c3955a66327a11763f72a1fa5244269b26f8f8f2c7ff2cd

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
bff62621c82aa0192969461ed1d27c06

SHA1
e4f80a0c0f61f269193dd6ef4742a07768fb9887

SHA256
d74085346ce8008ee790a29e1ab03a3b6d4001af56a0e1f5b2849400808c2302

SHA512
a77d2cc9ff777fdba0a8343238194b91109335a3c774b8209479410fdbf7a9300a4ac1bad721d67031b0431ed7f1003f021d3ff739656022befe514437ee6f2b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
47f35fc23832578a5c40ce2fd16774f9

SHA1
5d4b0afa4937a52fd89b38708d5cb9b614829524

SHA256
cd81b18fac45b8a4e739fd122e4490218b737d6e3cdd5119276e595ff7d47bde

SHA512
443e3b8e23c5c52a862a22efa2148286e545f8f886e6de23079f4eeb43721c30da4b9a5c3fa97c2a45caca04faab5db5492b1770ca823bfc54cd672397fa0b84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
3073687a7d92106ecc2711ba5c0e9d6d

SHA1
f42161e2aa9ce2017ce37c94061ebabe2753b957

SHA256
91d698f713b0c276dfd4462fecb5dd2d258ea7cf0a77de7f7a92fa19920ecbb9

SHA512
9d02c4e82e5baeabf04c861b33cbac949b8754cd3601654c7396f13c218f0d20593c65f7a9d7245a745dd3145655eef8372a86ee6ca04c6b07ad13da595d6dbf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a8691817b1270191b7c867edcbe8c0ec

SHA1
dc00ad0ebece3c936d057f9bdb8b4530081caaad

SHA256
cb610936123a01846c27cc61fc5790cdd9b5b5f1a48911e730a5f78709c76f70

SHA512
67b173cb445c4e65dddf6cd616a01285e40731292c2e1a2b36ea024c8d91f95bbdd80dc89bbfd290415ef29e5d345f66c8faa5e7a6665282ed5fffa3eec1e080

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
37f44132c4f6ca8e16fe7964c3d267de

SHA1
6b2358adf4c098649c6ac693de9df14555f81469

SHA256
556cc0577b79ccdb1dd5511095e04e73d03a9a2e48288242b112f10ba5a7d634

SHA512
998a421195eb2bcbd8b7dc208e89d6df37b8aaa0b157219225e9ee59b28147091d8be75cbd947d7e6b02dd14eb16fb12baf39052dab962dc00613675ae4f65ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e11e10bbbc689e0eb8b6ec56285fa14e

SHA1
edb5f8b64fd91b48f3c8c8794389d84dfc648601

SHA256
0896ed7cdcc23f35bee3aeb7393e6794fcdf0a061046d528c0954d2cc598f0b7

SHA512
1dba6470bb58ef26348c9609c74a77806078a2de78b9574f9c93b6308058bdc2f5895d7bfb942b51fc38c846501ddebb200ade36c03f35bb8ce2f83981aae862

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
447716696706123c72eedc022b3db6c9

SHA1
a8da5b3699fce80e4bc8f986ca3dd1921148b321

SHA256
e4435b5b5e895d1c85ef4f337bf34a04ab328b58d605ae6ed6dbb231c3b2c9f5

SHA512
3401422926bcdeefb04055b12fd70dad585599a0d98d20c196bf2cbe367d20c12c86e6dcb391333137be6bab2d2d16cc7f90026cbcb0fc7c2b5645aef9bab8df

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7efa23e0fe1c2d318831e1d636cda0df

SHA1
c4ba234a2fd7f6acdc14f12b09e5f772614c9183

SHA256
1a3adf5bce0d6b954017c4e6d474e8a54a3328d9495b458e858d81d0c5954dfd

SHA512
10bae1ac95cc2f3f0b2a9a91989a9174a0650353e369f7f1ac91238484d9be4d781b797c89f9b84f4977e9800680f70616cc4d56ae0cf63dfe4d4b6f4a310a3f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
8069b978016ba119058e4cf838b339eb

SHA1
ac52b9c5e987fb687d2d2affc088e0f33842f642

SHA256
d84038b3bab144ba5cab70a414b5be46184daee6aeb1da87c9430886a67154a2

SHA512
b85da9af6561f64018e9900d042b64991529fcb90c490892a9a2d3f8599af17397f280c0944b8c55fc8e3915552873ff89140ac1583c8509c4730eafbe8622a7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
b6c5996bd4dfaec96e9aed714ead0f2f

SHA1
582da0b84f063267d5a6ff7cf25b0336701584f3

SHA256
c16457f16ade7036d9237e13e4cce0d006884ffa5bba36f661dba2eadc9e859f

SHA512
e56cb6909b4e296db172486b3ed9adb147738229fd9dbbed3a7b9037ca28afed009b80173a340535fd7e8bcc9bf2bb056c602563110ecb473bb75c5d4807d580

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
dff3901a1daeb007c6b7458c0155376f

SHA1
3858db8f64c811832bbd044c97e81dbf6a57cedb

SHA256
cd02582e2748cb441fda96933a2ef52e3365a85decdebe32b79e1b5cfe93a1cb

SHA512
4d872037352f02dc6bbf70779e623e910d1d5a3593c9dcb471c9a265612106b3d18e90378e0601abb5589696945b27e890cbffd93d14dc02d47a3654bc57d167

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
de014bb59edae36caf9351a558053d08

SHA1
a1be2057069de21573e4c30a0aefd865bc1a27fe

SHA256
ccaa4c645fe242995d6b24bcae2f0645d54e201d1dc537a6e538217c2219b4e2

SHA512
176f45cb6e2acb3f68e52496368eaf01dfee312db12273a5df4262ffad9ec8cda8793237fe05277ca50dfb6c8d444503f55024b54f1a96a90c3f3f7c307b7c7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d94a98329dd9f7388742b333b51fdc96

SHA1
4bf9f0fbd21482910b0256bf5eb7de6cd49fbd10

SHA256
d4095e6470bf73117af8d62961a4c76f949a496c61ef6b54b54fe8e993a635d6

SHA512
1245fdc2877c26dc6b8305b8a504f8d06acbf6f790090267b5b062b37cb6a95445c711ca0e1df5770425fd916f3f1ac7674d7114478bd256ad04280549aa7355

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c31f458f0a5cf97793a1f2e49a887141

SHA1
d2d992f54742348dcd987cbffe98bfdf0fdef5bc

SHA256
18874ed1d21832efa9032d086ee8cd52cbb2c3e0cd5809a5b4b2e1469c1529ce

SHA512
92bbb119f37da6d25ba591460055eb76673833744948466ee75089588558161295824941a842f5e5ebf52fcb4b0390c0e2de9f4b88bd071b36e21e2930f92226

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
258bbf8c1f04112da5e8f737d585d586

SHA1
22b6c865282e2bda20394d5c7066f73cc4667ded

SHA256
500f5130a9cc83da23ecf8032b8b769c29b026ed9d2eb712ffc262ed134d3902

SHA512
43e1084721794922271c22159987d4146056b2595a46c9953e9a8d8c2755c37ca88fc992fcc61bfed4f4ebe185cbf7c743e8d99eac8752ad43088b21932c3391

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
a79c1d7f4a9db6a89d790bc96b5f5ac7

SHA1
f6c243e072b7a35a9ea3668709c374dbb08bf6f0

SHA256
aa82c7743afab0512fff5af28e51d5bcd0ff7a82797cc66ecef49f01839d5c44

SHA512
a7cf300b2597e55e6a064b171f96a224954ad8d043165f7634c76d2095184786e9470262454406ea27f918076612d10821c7c8c674057687325af2e0a76022f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
3a1f8dd393139f24a05903a30911e237

SHA1
c160d169da46b0d03530f2f0482d392797f13108

SHA256
f2ce9a135f4a1bd428bd8fea73b1ff193821199ba2e4e2ad3bccdb7739032636

SHA512
574763c03b1bfe131f4428ef1133014f298245b376af2933a5e812407118892f4d9d334712115b0256ca3693d48574684e85cbd1110743a612799b72a0c52eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
c74c4f1e918627fc661d76db611e6df5

SHA1
3a585072c2e7e0045f52135239b5653125aa44b1

SHA256
77cf33cfc84bda7003f2b8879f870243b5ed3a02bd34b604249ba32a6a19669f

SHA512
d2b41eec6dcdba68837694f57f9d46c5a6dbfcda1f3c2c33c5657c30cb4d6044f9d7786078958681f25261fbfc5adb5950697305bdc2ed82be2d0136d452f302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
945c5ca7d0449be2f66d8a1d1c9d1e91

SHA1
2784269b96c8f2ec1ec4a68dfff52f0781d790b3

SHA256
02efd7aea396a769621883a77e6b0eed125417aa5c34e33239e823a65c9e9475

SHA512
4724c21d28abf17d311ae65ac33c3e2151a3ce779a584ac49f612f5dfb2481126d0c61d8c67f6a53db521c76db19ff72236681c7087791828781ab50a90137e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
38b1662325c54977d3e55d6b511dded3

SHA1
2add3ea453f49ae3af4cc30b9f6390f7af929486

SHA256
b78eb085d90ccf13f02dd279e583fab0062bc75b5709747028b9d31c49d4ffbe

SHA512
ddcf6a65cd9b3e510229b2763fa76d8c669406e97c11cfd19c7781058e2c57ad5e93e5fb5284fda6c79880eb428291e7bbc7690786ffa90e446e250214b470fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
66ac3955cd3033729dbd2a0790ae213d

SHA1
d3666e6ca7d9d8c4b4e4ee2a5df32cbe8f65cf4d

SHA256
4c9684ab7fb526e3a328d8bd6d112679254ea9d29e377ebbf2c2d5b7a34e6ec2

SHA512
eb9e36068a836492342ae5b6acd7eddcc496b67ab7b7442822eeff7989a6435a3a8aecca9b77ddd51da0940ca08ad78b842272eea6237d5da5fa9cb935f00235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
75c1c6494d6f68b22e11d91d783d2e48

SHA1
82e779a5d6315de7ef37e53d793b7f1aafb63ccc

SHA256
635f341ed8fce0bfcbd44dc7965d06aa47f23f4ad76657dcca0055537e7648cb

SHA512
9ed40b99413f96f14d3462e2c15e9de1d4ed63878f5bace8c60a5e9c252dbba0a8b7c6a9e21191565503926a4977ba7b52ef3cc9f08f983490a378bd3fde4136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
e96b7a158e7458853bc484f581f2b4de

SHA1
424da17473ca4039d859ca756ce766588e150749

SHA256
320a62aefbf351f539af3d030b954d39f46eb1db6d0328a51b80a9cf35447ad3

SHA512
1ba03ecee8eedc3bda8e914b18bc997c32694094ecec47d618dc36bc574d4c757e282954bd10d7309e173c98300a92a50def34b120414f534d45681582c3c5cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.6MB

MD5
7bbe92f5c3fe8552fc0a0e10e5319e89

SHA1
5cf38f222aa796738e60a432cf386a658747ec68

SHA256
51b82ade71f9641103dd8ed5d782b42ebfe4d54d8b4419b7feccd064364457b7

SHA512
57ebbf9bf4891d6d44e38566e955515c40c2e122f32724849caaa5579e43c32d285d2ff0bca272de3a3b609cdc3c64e3e3ca128570180ccaf3897b8db276ad4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
d82e3b747c4f96100af8d44a6622bda9

SHA1
27f6a06d70e598d1b3a022ab94c703a84351a61f

SHA256
b7971efb7ced0c19c6292f91b0374d0902316ee81fd34713a2b951ae45eab6c2

SHA512
fa2663c1a48b7d4cd89d19f8584e22d42c74ca0356aea4d440acd375d9809f25acf2a4aa08321e4a64f2c80ae4f8b78974c4ea1d89ad70a7a83cbe845a9a7932

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
39f9efbd7c818b13771bf5de9de60bbc

SHA1
d2ebf23daaeac154c537baa490cce2678eb3451c

SHA256
69d03cd170e926d18f05bdb06cce8318bec4fb5810e45569bb647203880d1f80

SHA512
5c24fc0eed831d5a589c00e0c4cc8bcd1d6c30c8cf4aed94bbe9ff7c5b94c6df48c984bf818bb9d8b9a8051ba6c278954cf5e79f6c40f9531d380ad10187536b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.5MB

MD5
f79ad5e55bde1c013cb83b334e0c8986

SHA1
bc9031b7f8a4cbf7dab8f6e38fe447acf5dba8a9

SHA256
a67742fabd662879dd0845f39d17b4d71da5eec0db3fe41ec73b73a829eb8bf8

SHA512
cd580309e1ee02a44f7631b0fd07675a6319f4a6a35bd4ddbec6b05d10a45118dcd10246dd15151e60709fa51790bf34228fce97da067082c3585114ecc420a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
e26c273f42ba443b0e7a81acdd0e4684

SHA1
62e5d8c0e062ef060c325c3e54bbf2e6abec0c9d

SHA256
3e7c86613c0ac9b68497f84a838d6930e79b8789920658029ccbcda99b8829af

SHA512
a8d7985ed10fc334ab8102c3ae559a0c388f9d37f90020971b4e9bfa0870ed232605823c84f3baa05729b8e2ed6d89f1e798ff44dbb4179dc64a4950a73d0dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
7d9c92ecb2b3a86c49054c2259a3116d

SHA1
cb7b27bf4ad7f5faed82291149eca760a31738ff

SHA256
fa59db2a4c136ff10f196944e2ff6dae874a83b7802aefe296aa9d91a50ba960

SHA512
107df932dc57a998b3a15d0afa10c18ec73ae555b0dc45e4cb081e7a388a5f6a6a5cf4d7e8b95cd7eaed239829250800f257cbe2c6474a7ebc4d3688dfefd146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.5MB

MD5
a52940d7c029ca71b25dcf862040871d

SHA1
9e7574143d3c589bf63bc48de15ae14ab93a6e7d

SHA256
dda963b104bba332563ea880c3d44840a94a49dd38e12adbae9b6edb86d94f5e

SHA512
88a15a5957457d72ce172892358b8ec1df809745c861155675a5b56c9b7682457e49ee7227779f3a5b4a9f7d5f4bcda715489f433b27c131e6a42bae29a718c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.6MB

MD5
62b12d3cd28c0abb16b07dfee0b4106c

SHA1
fb4df639cbdc31dbd585215ce81b3816e28ebd9d

SHA256
ffac40ae433210343553ad3486df25ef3426059dc3835cc4272c242f6157435b

SHA512
747771227189f24e8250c2e62db402955bb9e0b5698826a859fd7dcc4eb0e6a1ad6231ca5ee66b580e4535fb2bda70b8d75d1113066c75ecb1b59338b18f1a75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.8MB

MD5
97c1d8c3f898c76143dff528f5ebca8c

SHA1
e7c569dc989fe1ac2bb7532a0386aafb4b817611

SHA256
a47085131af7ae3462c61c61db03022713177d429d2394b0ee6c1e4b787da47c

SHA512
4e820995d7cf2e9f0345ba5ea3ff88b34bf513cb71d9a42203a1a4eeac5890d5a335394205d26c2981fe061350cfb097e02b36d360d334bbc3f55ba946871db4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
1bf873c45621511ae4ab47b2b19d7348

SHA1
603acfe9af9c1b32a62306c7fec7e717a30ea853

SHA256
2f89663147e05cd4de2ca27030e3dfefe30dc309249b1426227874e74d16edfd

SHA512
3997b197bdf040097a3c917dda93532834cbef57418f5e1ec54fdfc4b036a5caa189df6ce66108f1be9f69b35fcd56b7bb20333f057ad1e423aa46c88600d08c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f59e752ad0db5f414922b7f601474ab2

SHA1
5a9f459396d9ce25a0ded7020db95526b85845df

SHA256
c91b9b805e5ba8c7064082da9dbc957b8389313bfacbeba57bc906e408b7b0cc

SHA512
9b3231b6405771b2d7594d5554090f39665bd060dc28cb19f7f3261f831b667b65135f4a4c0ef77eae1eadd3a0cffc3e9a9778e02a4c767300b80a70fd142519

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
7e10f7b8e24dd6f6afa59509b112e546

SHA1
c548363ef6be78e31d6b4af9578219937766f624

SHA256
a732da1f78e99df2ab79c6b05e9daff81b3ecff9ce6f4d7a5fd2b2c37d83f35c

SHA512
cb98a6a573d8ce8e4c19e92736d579685b95695fad8c7a3de2e01b7e649280523767853432a838c352679f31bba90963fe21dd64e4edd81e939f981260fae6bf

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
a755398f1019bb31b91c8525e1ae7215

SHA1
dc3fc579a1937e50d880954a2061b2f0a3c38f2d

SHA256
d68584a44e6379c70d1be3f50befdde2911ee430c4aaaded801d4ea95b2f5e4a

SHA512
70d9ebda14e1983d54a9ad8780e6f654962d38138281c66d4ed44af27c083f88ab780345438aeb1ab62508a6a503f71dc277feac213d0c145fe0af6fe06140e7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
21d6f3028e94a27856231ade1c09e8f2

SHA1
eb062ab48cb01ea94c2bdd1b79f73ffab2710a0f

SHA256
e1aade9be61be7feab412fd0aba1d1ac9bdffeaf29d6b27d8d7582c68aa10459

SHA512
0b8dadc6b0e21fd84addb17d3672492ebbc560bd8cc1e320b632725c749757cc3dc5ac2f294767b21b620dd5b838aa0ae713f82179209ccd36a3ccbeb2d486e7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
bfa267243e96cf38c46d52fa1983af58

SHA1
4fd7e7b5f4e41578ee1d3a67cf59238bbaf24da6

SHA256
264b3c7859d6aec3a6a0135dec7ce63b5cd74aaca3340c201c4eb6a3378ca538

SHA512
75e2ffb019bc52d6962fa992cc3fac2d31441e271818aa83ebd33d352f0c498d5e789d47b8a2cf3fbd75c5eb009e698b457cf563b156e93fa7d15efe9a608956

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
af9ddd9c4be2a082edc6f7bd5cc9dd69

SHA1
bd0e32af5b7e9b67f3ece74ff5a7f68ba0e25c25

SHA256
6e78211c3d70780e5b57740107e81d1b076964ed4bc79ef0c3cfee8427a47694

SHA512
dff06e67e12006558f7144b76176fcc759f0eee84e4d77297c90c70a451f98d87e3cfbb5c4b68a713b4da1492c7c7af98cd3a4ff4404df015cdec3326eeac939

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
ed0c4445b1f120028f0c6f5df631d60b

SHA1
125867a264321682fea3eef9d0261ad1e81a3abd

SHA256
e7b1a374e3de5b6b5dd56af9dda290831ed8bcf5fd8d0df97137040f51e70655

SHA512
62a2d4e638a38a28770206cd8fbb81ff81cb8c87d9e955e57c5f926d64ca22fcb80d410f63bea6cd272af4383e35a8b2a4cbc876fb2255f6fbefaad084e2e353

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
13cfa61000b341f3c9a4442b06e1add5

SHA1
38e4401b6c9ef4d9f14890d9971971a96f065605

SHA256
17ed7e100c8f6bec0cc9cac384077bc1ac96e868b883cc8cfcada9ca66a6fe22

SHA512
5f62cabd02fa3096c771e8a664ebd6c98ffa7385101528fc19b71f7f50a7f4569edcf1bd4a84498e9acf56c4e5f5b57b02282a0583fbb4f7d8d249d253c9d56f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
2271b59ad4fac03021f4411caedcbe88

SHA1
1e1e325a217413ac46a35f943eb91b2a99ec5521

SHA256
41a2895065abac9109d4df2eeab77f5f92316977ec49bb7c793b1e964cbd0a1c

SHA512
e4d5d89fd0ee33646f14491874d979cd182466536b411c39a218f03e20dfce41334ce07af77b7c7ba2beb9c935d8ab6376cacb1d8c238460b5b127c9e36c6965

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
db3a35c14507572346e49b9e18114726

SHA1
61b459937820ee58d5ec5e00c58467c9bc2ebe67

SHA256
c5a6a1a2ee4da840959681a4479fc1598140d1e90573b1581c140d655ecb7521

SHA512
47c55083a973becf8a17cb1721cb5a6053294caaa587a7c9abd8254e2c03f03fff63808197de456617a3d5b986ea7001d41e29c882ca2384af1d006d849496db

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2bb34db4abdfe8469adb23f64dd8f7ea

SHA1
43ef6b0dcd7a1256179f7be64b730dd1a5dc8af3

SHA256
49da589af17a563e299c1d25494bb19b68330c8176c318954ff18a71fb0ddd24

SHA512
9fb68c1df8e94293ec654f8148f8dfdede8220395886b25fcd5eefcecb61be31e9a0fed74467ad891929dc843224f747995e147c1dc2352de1cddb868d77fef2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e960cb4cfb223079c5a0e75597436ade

SHA1
f56c1a8fd6269cb0fad4b85eede088763e57fde2

SHA256
72b673583c42f2c1fbef57dfa3548084e862235ad92bea66c364f96536520483

SHA512
58cfc8696ce2cfcf1343c41b25ecc11c60d4fa379733a85b94769ab3b0f197a072f53ea6a18570974ba9d129209fef05d208f35cd7570a04b8177279c8eb5d76

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
0b14e742cdba306041a5fecbb9c34713

SHA1
73ac20435827faa2be0fb31364915e7d0025fef4

SHA256
3a4ce075ccba78df9ca4094577574853e59582a4e9866e2d314cfd596f669b3e

SHA512
b6caa503aeaba960d05857a7d9ca5165e8d7e05abaf8b81d960f46cec57fd8c7134299d1e4444cde86addb4388e470e764a5340b9b7855756a71d10841aa4560

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c9b656a88692384d46575d3176bfcf60

SHA1
6fe5dd6d2388a8d6c05c04dfc55cdf7b1abc7c50

SHA256
4825a189d6bc984e1394bc26e6563548224ad5fcfc51a5ca7cbb8552070db8fe

SHA512
0c4bc96398ba5198e79cb85f54960e0a88874544d458b8aba533b5af8f734b6f268127e8dd4bab08a35fa42f25c80489392b87126bbec86cd85db8cf3b52d8d1

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
b126455cf30282d749413e868fa319fb

SHA1
0648961f85bf6074c0bb2151588a4b8c697083a1

SHA256
70ef852873161ed66561c4c517b51740b9cd5d58d1340c204975d9cf4b4c1186

SHA512
7ffdf7421aef9dcca7c9ba3430391a4b91de8811e82287db02a896aa8d712b302348a106bcaae0b2182d7f40c055ed1de215c0879fb02c544ddd4482868ba5f7

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
8d61da5a82e20bfa373b2ce6daa42aef

SHA1
8ac5c952b65b8acb40feb6234ee5f4b88bbb4293

SHA256
1d041a40cd10a51f51995b7053e384b78cf041c25b3169f1059e7897c968b839

SHA512
dece6f4790dae7e023e8a0276fe48399b472b19cd1455cc9a776a47dae55fb5a6c1825d7da3e70d65c2459d285801457a2b326e6dcf6f26c4ba674d69a7fa936

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
402aec244c1c2dc60bcd16dd59d4499f

SHA1
fdc08f09e389f17e1eccc8cde407f2cf17927a45

SHA256
3da73e37146ffdcd73730a3641b02c1b63cdd126b3641dc7e62816d2ea04dc8a

SHA512
a87de9b0e078ca9c66c6bc9883266238aad1f93558c35f5ed1a805c16d24743002b3bad5d4841bde31826accbd53990b5692fa2a07bb3b7f008be146d4aca85d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0089aa80255f3886013dca10c93758b2

SHA1
5944ea8eceec2f49ce8aa6191021fa245b3da745

SHA256
e32aaf75827adb0772412e518b322c2737db3a0ea8162cfb82d1d771323d3878

SHA512
13c2381dd68fcf7e85c01a65c6bfb4dd43835eb51b741ebf8a8ad6b9b5349bd0b956c41a55db22ac5f83279b81f4db6e4197e0850ffda2eec2771bfa3d25d685

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
7a19c52eec4873110f438a034b4e4631

SHA1
4adf263cb38e76809f25b93ad5e65dfd7d4c9da7

SHA256
7c2687313f4793c43eb081883a77031f9f4ce81be68561d2a62eedfeb5857121

SHA512
ea5f7238fc7037c8c9cdc056a2ae428bf30692a2f9ee61f23f3dc896d91375d5d4a8d99fa307622d3f643030ea1249e50b3e679e08d3857c6b350c7c9a775e9a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a185ec7e61273c7cfbab4af6e9faa10d

SHA1
4ba479dc7e50972a9dfcaa4a0cc6df5c1c933ba9

SHA256
5013d623bc53f5698b2d6d13e4049529f489cd9de09bb58735e587add82e32fa

SHA512
573218a64d0764a4ad40686c8d00840c7264d28dace2389346cab7498a85736ee89bc8198189221564ccf2a926ebe9bebd2b5b6f2ab19cf1568ddb9c06f7cde0

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
42ae12f3094cc4f8a488aa36d1438fe3

SHA1
1aa19e1b60fa0707f33f0aa365cb84b34719eaf9

SHA256
8c847c56ac5fb4ede0e58f6c9e89a604b5d6149aa59311f883285c6a8e1ac9b3

SHA512
2df62adc1cb1051a20f2e244ca3fb0366af822fa89c48dad7511bee347566a5fcbb8f41c86007c3a16d5426a7d35ef25213b0970a5385746a753111a8979be70

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
b40f2703197f40c970069a52e0ae05f5

SHA1
8824647fde854e385a3052178ff60af0ee5489ce

SHA256
da8d6c72a244571718436e8a0756511591659d5f0120b6c572dfbadc815adc16

SHA512
71ca213f04b7c9b2a3ddcd4ab84e3ad2962ad8a2fcb09bdc9d6f476a9c899d1a8ee79528409d87f19d4e91701867cd859e03acac2d384c71750a8a9dd572711c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.4MB

MD5
03299710996a66cf78dd8dd9de12d6eb

SHA1
6260ec0fa461eaddbf168316235bff5cb6d1ade3

SHA256
99832f27153d27296c3e906635a6062b6f78de91465ffdd8cfbf49af7605a01a

SHA512
8c201b3f779c1dce415bc3776cabfc1781fadca19917f90f9cdf3c76b24d27933c4ef5449785c67b9ccb63cf4182a4ce2d259171925f1ec2bcd52e9f40963c11

Download Submit
memory/680-347-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/680-799-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/1484-117-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1484-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1484-250-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1484-124-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1588-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-351-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-208-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1944-337-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1988-102-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1988-103-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1988-205-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1988-94-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2228-204-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2228-80-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2228-90-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2228-89-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2280-679-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2280-273-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/2328-206-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2328-325-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2548-143-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2548-154-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2548-156-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2548-149-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2548-152-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2652-678-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2652-256-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2716-302-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3116-593-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3116-239-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3424-352-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3424-800-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3592-798-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3592-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3800-158-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3800-167-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3880-301-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3880-182-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4044-193-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/4092-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4092-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4092-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4156-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4156-776-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4284-675-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-251-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4552-173-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4552-8-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4552-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4552-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4552-521-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4832-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4832-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-106-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/5072-112-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/5072-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5072-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5072-130-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download