3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
Size

1.8MB
MD5

355160c6e8c4e33398f2b036e993da14
SHA1

878df12dc2e1b78fd60233bc18906664f325d88c
SHA256

3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0
SHA512

96696cabab70c6e9e80d34d2e80c9b954b083a2b5dbf3ef8096cded5b3b3abc11395c38057090db1a2a66bac3fbcda73df9f0740221d1e6d1747781a3a628c7f
SSDEEP

49152:wM9QPdxwfE7WlFwKAfzuTiDFUFkvxlMPdlR8v4UC0Eg6ET7M/I:w1PdVQFwKZCFgul2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2820	alg.exe
528	DiagnosticsHub.StandardCollector.Service.exe
3312	fxssvc.exe
3348	elevation_service.exe
3840	elevation_service.exe
3596	maintenanceservice.exe
4556	msdtc.exe
3604	OSE.EXE
972	PerceptionSimulationService.exe
100	perfhost.exe
4072	locator.exe
3144	SensorDataService.exe
1808	snmptrap.exe
3496	spectrum.exe
3208	ssh-agent.exe
4100	TieringEngineService.exe
4264	AgentService.exe
4592	vds.exe
4996	vssvc.exe
684	wbengine.exe
2140	WmiApSrv.exe
3788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8e6a79ac8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\System32\vds.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe

Drops file in Program Files directory 64 IoCs

Processes:

3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\psuser.dll	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_en.dll	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\GoogleUpdateSetup.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\GoogleUpdateComRegisterShell64.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\GoogleUpdateOnDemand.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_cs.dll	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_sk.dll	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\GoogleUpdateBroker.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_es-419.dll	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e7da7a6ddadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075041da6ddadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e201c39fddadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf16b79fddadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009166879fddadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c12862a6ddadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057b1f29fddadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019e801a7ddadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1292	3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
Token: SeAuditPrivilege	3312	fxssvc.exe
Token: SeRestorePrivilege	4100	TieringEngineService.exe
Token: SeManageVolumePrivilege	4100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4264	AgentService.exe
Token: SeBackupPrivilege	4996	vssvc.exe
Token: SeRestorePrivilege	4996	vssvc.exe
Token: SeAuditPrivilege	4996	vssvc.exe
Token: SeBackupPrivilege	684	wbengine.exe
Token: SeRestorePrivilege	684	wbengine.exe
Token: SeSecurityPrivilege	684	wbengine.exe
Token: 33	3788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeDebugPrivilege	2820	alg.exe
Token: SeDebugPrivilege	2820	alg.exe
Token: SeDebugPrivilege	2820	alg.exe
Token: SeDebugPrivilege	528	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3788 wrote to memory of 2232	3788	SearchIndexer.exe	SearchProtocolHost.exe
PID 3788 wrote to memory of 2232	3788	SearchIndexer.exe	SearchProtocolHost.exe
PID 3788 wrote to memory of 4976	3788	SearchIndexer.exe	SearchFilterHost.exe
PID 3788 wrote to memory of 4976	3788	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe
"C:\Users\Admin\AppData\Local\Temp\3a4fcf7d3f586b50d7efd407c360927bc5f09711ba7385a93bb1b494dde7d9e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2232

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
671bb6e89ec9f059e227984aeb19179c

SHA1
6b121e47d54809816f027cd325a98f6710a38d51

SHA256
c3d275b7301be985c63993f2fe167f97ec9995d5195855e9cb67fc3046651122

SHA512
d52bdd48d0e9a7b4018d3281dd17f97630e6cae687d4c3d5ee3702adec550b79179c2f14736b7dad0b8cb099a48e1ec668e8d1442d4d58eddb3331d7c83d06c8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
deb1c2c1a5d1b33742c68eb3007e176f

SHA1
f0cf2149bccf65339122b80c01671646c9acac5e

SHA256
48f5f1e0053e93b31cd7f1f3892197448f5946b5c292ff3fe1836662ea83a841

SHA512
22685f1b0dc4aa478d76fc1ee76fc6869113dee454897d3342f0fa7c98aa19bd79f339991a7031a6f7db470c827469d0bc0bcc21cf7bb3768f85d26b198f5415

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
c64fe7b0200af5c2d94ef857664d78d4

SHA1
ade8797e82d04f35d73b220160fbe10fcc20286d

SHA256
9aa52681dd674b12e1199ff558b9eaca8959a7ac98afafe89bccc3a3d9529b02

SHA512
8f7912b60291b16ef15df342676d87905a23cc7df02ddc8073884ad721aa60602d04b83a87c510d74c7921f1bd1e66b6035fa8ce811766aa972e52ddf60f9705

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e46031930f6364828adb824fec76049d

SHA1
ac5859ed2c7bfbce8c388f2448d8cba2bcc7cf7c

SHA256
7bd737d279345df83b79822ae23659d8decfc1774d71402ede11c781fd000765

SHA512
a0f37d46efb10fbff7a2774fa9314eb5cb45122f554b5a0cc47f5e2c10c08704ba1215b27333bcae13aac65774ede8caca7e2b4d63551a50de0e13ba0772cb21

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
05fe1065e19a722e771623ad363802c7

SHA1
fc79b5350eec7471ccf4c44414e0891cf43241b9

SHA256
b6c11a8bf6909933f01ddc3ed750e3922c3868c9498485372187c358c65c9203

SHA512
2276836181632dfa9dcce29767da9f0e0304e3cc012fba1e0b482dede4b7bea64b298b6c200bc7cd11170d78fd9de1836025553484ac24ea697578631f49814b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
7a547d27b3906b8eea7fcc44275cae07

SHA1
1189f12e8211aeec0ae7e77b8fce86c4ce451294

SHA256
dba87b624fdf994ee4a752d808899d6b5f193954e4e3c4eec36d43b4105320cf

SHA512
80b023b78be724594c16ba4bf9a9556d3427da12f7a6a4aec322433b030e4b46fc4697f5bd6d05c5ac23e7c82efbe0faecc8d3467e0905a792fe930e0b0f6ab9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
02a6e86da79a81867c120af187f3e716

SHA1
376dfd200ff408d428db05de8232ce4795e1f058

SHA256
6a74b424754d82bb8cc24c9f091b9249ffa80e7ace47829c623b2d77bf6d3235

SHA512
f1d0d7ed9046d42161f37ecbe06bf370e25af7202b673ae9c834d1dfb2d1a6fcec8af240f2dad2742b81360511c299edce05946d0f705f52d9ef421ac40f25c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
169b162c0e4c5ce9e99a7f41cab8a6fa

SHA1
465c78b8980e4feba5d345fd897cd2b7ea6a4766

SHA256
f74483bc2ceb4bc7ffb5705c2790c6b32a3b3166419c22115b2c2b843446a933

SHA512
91662d471ed92d2a639f302d19cce011f965a796a29363ac284d4b7821f6190b3be1f81c3057802b84083f391fc13ca9c7dc527c79921a052b681e6f97f39c57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
ac562b5772d76f65a71a7b5759dbb85e

SHA1
4efbd231323faa34ea940b9f6932b343dc1b34ac

SHA256
bbcc9063beea984d18de821ba5b370d6e16d51dbb66dcda25682ea0fdb51c107

SHA512
ffe4cdc46954f3f3e75aec76a2d7490059ba1a7d9f6ebdf56d4d89d3deb37a42f8123df17bc51bab44910f62b9583384ffe612537578ffd0001216a33cfbd5cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8b6dd91d71ea69d7ee4d6e9904b8b97e

SHA1
956f4fddb55d05b86999eeb32a4dafb55912f87b

SHA256
2fd2a49de4629c4410b00b7a1f0005ec0170db98defe8b8d4bc459788fcc2c6d

SHA512
e9a7a54a9d04bc0dab5a0f7f89fb857b4e0f3ebf701e71c215140a2b3d233a817e20445831685c7a41da8eb1dc7afc2b5ed8a9baec78974df506d85a53a1be0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
511d7557c698eeada7e4206abfbd7469

SHA1
54aeffd44bfb8ab66fa054192bcd1ff3d4fae227

SHA256
198febaccd36d801dd78e8ef76b2b8eaaa858286401235f1cd704f9023f57fab

SHA512
49df244c99c0e9317692f0b647037d579d752183303a617ffe5dd45a5b3634ebda27c076c8f237692abcfe11709bd0482d07aad3f0bcb07ce16311dde7946adb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
ad27c6d2365f5a489400e088256724a1

SHA1
f581b6311862dd2dc759296e60f03788991aa0ae

SHA256
3e8e4033ce1e40c9a0775cb3332f6072cc3e44d8b77bb41489740d596b155545

SHA512
c7f98c21f7bae517dd90038516efa82fe5d4af1f27a42e4d403d491ea952c2a65e6a363dbba073ca147f785c3464de8e30384596d2f4257ff141cbcb92949369

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
065b5447f8cc571ff8dc933c8e9fab50

SHA1
893ed99531c194a2d45cbf217829e6acd753678f

SHA256
04b57312b398fa7d13729af6ca7498ce402bf5852e58e6cdf385a4a4d79d82b4

SHA512
94fa4865825dd02cc7a4d8a781a9a8dbc9438caceb35ddd1bdba11806c80da7abccdb6b5f9da7553a3479cb1a5ea4876b2b6d146a1a9f0fc1d1c6954ad59d301

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f4fee24d72d71688e511dcb5e33ac127

SHA1
6fa4bfdb5f7d77c778cdc872a6808025c0f7ea01

SHA256
f3ea01e27a82fb2faffad1eb080dc8d6834497ad146e8881a5ef3d474bef8474

SHA512
fdcbffb4354de3355e153d3de11e18fe095d816df16e550a7181c011cd4b932436db1701fc90e5ad5199662d406d63bbc41ccc9f327a8c16ea9564780d13ba43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4758688e03f02d03db078850f72dfa75

SHA1
05351ab765f341313e69d9b289e07e6689f9739c

SHA256
ade889d7772db2f6ad58c1dd8e864fd1731bd0fffdb0f61d11c845ad4bf91920

SHA512
0ca9cc4a7f57b90c0c4a0af82cde1925c7a32155f8bb33708d86f415202b9ee40b2ce1afec220731c0abec6763f9dd55ebb840e3aaab1c53399dd9001d2ba988

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
4b61f9ee5601e0721a4ddda5565eb21e

SHA1
11e812b830b2d261759c8af3420a4a5b8605136d

SHA256
164971bd55696e5b8c7cc3ae52d0f102320d67be4f0d32fec1af25696493e3e3

SHA512
e02a3d4d0e4ed038a8a5e13d18890666714c1e3f4d81e968164089a42ace5d06e138b5ec6c2b8a991fbf5435a3f9b23d9c0641a92c763ba462dbcdf5bf84c093

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
73f7b2d6a35c5605eb8088b843ac7640

SHA1
4213bae82fb9e177f30d1921abf34cbeba986b36

SHA256
0407564fbbd59d0775ab72280d91a2671c4310892f1cec7fe9615669db4f2ba4

SHA512
214a6a3a5e3b2d2a1b8f973222aa20d2b33a9df65f5aa2c1c9a61a6243e29e562d06c5b7742a57d66e5a634ea5398c59ea7e1fc5ec620a2d86c8cbb228ed0b0e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
15a224818c0b09a83761cf4cf76ea693

SHA1
b4d2edd465ecd525507df9d42b4139c74f3ca4b4

SHA256
2991e096f8d7798a0ee0183db0ae48187107833eb9363d84a00ae89d4bc4a8f7

SHA512
2470a554bdd872e91fd8582ae4d478b51c585e4b9440e399efae5e321bff7ec14032969b0fcd480814c3646c6bde1c670e04a5af406cde26f8f96cd862968ce6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a85e51a82658d1b2fcb40787a36f2349

SHA1
d8e812e9b863414eef41e09ad7582f139ecd3ac9

SHA256
a4a1648031b3116e10f04ed86ce07b7d768a3ac9e89431ad37a1ff909c7725f1

SHA512
f48e4c85d9f7f4c7b8d7eab1640763185bad9e31d6c2357a713b65131452a4abe4cccf1f5d56ce01a4e5d2e74b42f967526958a3936685080110ee36bc9a6521

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
0e653237b375df7c3ee2a43043a7b4d5

SHA1
b9feca82210ba778fb32ceb74223fa206f85b621

SHA256
522917a2f9f4807b350f6f8130e054ae0a8fb84db5194774ff4682808d8b916b

SHA512
d60f5725cd392a527e0926b76269b96c4ec1c34d2700817f4699f98e81120d65ff689bdf55a515f6184d333e7dcfde4cd6a962572383fcee50288e6def065134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
188297a1d41fadc3a193248d4d378e11

SHA1
0a65384a880103f363e2bb6a133dda1fce1ba33d

SHA256
dbb484b0f5f308dc872bd1229073a9df49dffbd9b41fe077d991cf56f2af353d

SHA512
b18adb926f7263e33b1b7bbd93f50f7f8547adfe9161315821b1e5c9357c0c79f891829418de678f2c0ceb8c6d193f581970915da4caa1f2440c69e937c5ec33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
5616546d39ce37a96c261c9e890f01aa

SHA1
df7146e213caf24a9febc57f88f02fe70a494cb9

SHA256
4360a0fa1fd7f2291355c588d4da56550e400c5d2175c4a29e2bab61a4a7dec0

SHA512
a704f94ee03ffeada7386c21818c01dba14762d5955cdee29ba115fdb5421fc6156ffa279210a6b26f34d6f3f13ffca42fbfa398b17a6a0fb42eb25a42a9bee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
ebd6d6a4271cf4faf5c9e830bda36a30

SHA1
295831789933a05d5032446f05e4011ce0ab98fe

SHA256
e369c352d7e9790810fe39bc6c24805e06805b16075358bbfefcbeca7937cf27

SHA512
34aa192773f3c04d4305fa2c5c33fe034fc082ed9c97cf6bcde26a7340b8612cda1edd1e67db661e5ba8db39cba8aab9e1263c9d65c157a4e3d0e7d666ff9e86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
ce0ad034186270da083def832842087f

SHA1
ac8efe65c69be54215051180bbe46abfa03fd7d0

SHA256
459acaaaa587a82a11ab182eb193e28ecbebdd5034f9afba14c53c898f43bdb9

SHA512
baa9353a51dde9dac6043d533ec347dcf559f95677f8bc478b25e2a48ce291dd46b7bdfb6096ba0909fde361e28b3abf5ce5cb0304cf8e28d0cef9ad5fd38b0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
1135175a4968027c15327a8b9f269488

SHA1
59bfc0c2df619bf5c02861424f70050271e3b820

SHA256
7006d8cbeae1e9bd7fa57d21dfb86642022235d5e24e1af384332ebe9c63ab60

SHA512
b0afd8c31d8e226695aaccf53409b85da9c11bbf95af670db6a062afe1406b192fcbb89199f4c6d621a7c542e38bee02b1039f030745cd0463cd557a381c3d62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
28a9087cb87953c503a1e6cb37bac46e

SHA1
3d2ef02d45eb20caac01522802c03d8f4c256276

SHA256
27201cf5c60901b42225dabdf9e04a021d5a382e3b1524668439d6eecd64558f

SHA512
4f3d24c44d6fb820c255870ea3b6e11a7fd9d4a3fb7c16a704c40fedcf6720825cf567bb6fe30420c0a6dd3e5d4ec2463387205db5d4eaa486ace9348baeb9bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3a2f6df98454a22af3f5aad2a544afda

SHA1
6a933ef2637360cbf1717672050c49abeeda1b19

SHA256
5a8fcda3d5dafe85d6f1d2b342fc03356d914d9c6123a24d45cc4683c2b68a44

SHA512
ddc74b7e18bdf69b8ff07159c873528e842b0a8d8372d957fcb9e2b5a6e66bec6c9118192cb526074ccd25b2c1d8d4dbe885e0ac5bfa5ab602e09892f8e28b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
5b1010163fb0edda5348d1fb2786a0b5

SHA1
8a8d5e213aec6906caed1ac24977612d3807a117

SHA256
24b612307baab0c4ddf8247db83f809d12f7761ea0f4b22f20ae8df169976c9b

SHA512
7bf32f9cf7911821ca5b87d58113a796d005af9bb723a11ca6ef53dbfbbc75333d6e379c98f96e44e70ea56483d281903b2eaa8a2848a872dedd342f4af5ade5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
b98f0bc354b7416ed21593a10e57db2d

SHA1
258a68ea18f2964014e3f20025ac0c2c1699a6af

SHA256
ab64ee7a2a0d9cdc967c685755bcb698f0db3d8edaad9e7e193b4dbb99df0a70

SHA512
ef98577b52505cb9f92725ca34ab92032ee8e48e5d63174dbfd49b2aeb5832dac98be8c52790ca882f67b9cfed2da64d826f26403242676e42b6f0fa4cbbd742

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
7d8a443892403ab38eaf9cc84e1a05ed

SHA1
aac01163c35115164be81e3e1977b54596bb4328

SHA256
658d1248a6f83eed98a16a768b73dc1b0acad7c71d3f0811543d0cad2a2e85cb

SHA512
bd2cfd17ddfb43378b9ed78a7d7a0a439f05976c765d37c030d89434d6d792ac0039f1a353109e76980d8ed6de52c614d9b458278338bd492d28b08ca1b0028e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
bec2f2e4abe7476f1d08e9f22da88aad

SHA1
b1d2126dfb2e45fecb7d52cd1a4f7b8187ea2447

SHA256
2cde31bea2747f2d3a0fd99d00f520f6714c1b0ca584e0b441754368b26faa54

SHA512
5617397dad89816982f38596b95e8b0cae3eab3b1b6a4a8afaf42a63bb2f71015c3aa364626ef4df7db96f3ce8968dafa160a760d004d349f1397da073a02dde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b81f90b79c974a22528f6197d4708782

SHA1
c3e7d97585bf85b5edb4d35f0f04b010ef5fabe4

SHA256
f6b75dc8a90e6409b2f2ac8d339f2ac05a2f94d4d2fb9cb3e13d27774a7caf7b

SHA512
3709c18e6f411973277ce3227e28073a490db748931cdec93a68b6ad4eeaf6efbc591d61165d1888fe08dc52e66a2900026ebaf6abedffcd3d23e8d4c75ce7c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
d2908785800aba051cd930ac699a7259

SHA1
eb73119283a1e1652cdfcb3cfce6070de4b273a5

SHA256
bf22c4c9912bc1d7052206d69649b12d1f59c7057a795f6a0d03b8cfe08dd598

SHA512
ec1fff974cff9a81316b0bdf3a133353ca2ad2f8951137b902f22de472d8124f056d55d8cc038ccf50eb155ad88b8ff8c96172798ca22a09d9efe39278741dda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
62fdc32097fcdb35337813d33991901a

SHA1
709c36ce49c738835239a676a528d49c8ca78d9d

SHA256
0c0e72a2a11a9ae01477b43659aa7b5cecc1ccd792496d0b742b4d0bbfcd9756

SHA512
2e21a9ca25b564d54498f67075363a558c3f89159b4cb87d5d58b3e861ac4aa27a9cb99c2c47301dc733f2d79cd96ab891f8abd74e5e9a85ad189214a7bd01d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
15ecff4d89598645a808c93f6835a031

SHA1
994de4ea42672fdb6f2e722a3bd2401d19ca17fd

SHA256
880b8b5efc95560c643d4bb34902d202b24dbd5e47fdffb9803ec490d8b3e8cd

SHA512
3fcaa67a05bcc265f053e82de3066c8370bc57cf28867a94f9cf14288ada53034b136d0862085a07a643b539207b22f38a1c602532c4bad8d2f121388227053a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
93d0dd2d73ab584120690563e57bbdf3

SHA1
8c9368e2821ca2cf8f0aa44c24325ef5f9aace59

SHA256
f3c0589fd6ffcd3fd1beb23035f5be0ecb0ff0b9a91ec5e808ecd73352400868

SHA512
9370c223d5367bba0bbf30fc003fb1ec9ace92476901258d95fb03234c02b00ac236cdc070e7fd6d45efeb37ff869e77b72f572c827c237c3617b1b53da53b5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
191b99ab96d4557f5543d6cf88871fef

SHA1
60e6e953316fa6bc9fc3ddd13de25be4db5cac38

SHA256
a2072078b5454697e98c046ef20b19a84938a1d1704d93d8644bdc6b8f6b891b

SHA512
02569300a9f44f3fbeafc3b357c146a191ab3a6faa7b925fec708a8017d38b0a9fcf697546f06e907ac62e51d6cbb1a8eb46d8e5631c694443d3f0c21318780f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a18d499575619428a2b56cdb09f79c9a

SHA1
4436d482a1b446e1be68e5308a5f700831ae102a

SHA256
e767a2542d312a9db9f9215145c2199f82a376f4a5b19b3c2f2b683598f742a7

SHA512
236a89c7f57069a594fbe73e4baadcf77563a6f82aeed596dadc2b471d060ab00c057dfa3f8751c30fef60cfac230c9cc89e270f497d0d20cadbc97a9cf7edc5

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
be24cffdd1b53a9605a12c04fa1f1dbe

SHA1
d37669fbe234b6b437c651d2c0e5ce035c8b6683

SHA256
a177a7187a536cf4ca39edff384723291913dced4efeea4e023ae3225bb73214

SHA512
84ffe54a4e789600021091301644e88bd3db41bc907c7deb2145bc1d4ef562ec3aa6db9d99ec4cb772a41a7ab28a57cb2ebcc111d49acba67a6e29527d74b4b9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
c08598f04fe3d991e8b8416dcf80645b

SHA1
bd74763d267936138003d011d2c2782e80229a66

SHA256
b14bcaf6fa6af2f0f28e9800c9c18610ba5988aa8fa44097a047a80ba321609a

SHA512
9a00eba316cade1fb748ee2ab5de001544979fd00b02da517e368181dfa99c814dad59f40dd5678e31aae2e00e84c1fef4374ed606b7b2aa51a5114210eba019

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2f04101d0f07b969aa78a3217bbb9359

SHA1
7e1b398a064917903f3a8ae7d755e70f2c519798

SHA256
c2b3818159157ae7b6322e3444b6afb5f73e675f98fec3ac8243ae1a85c9ba4f

SHA512
7df5751d9b450c98aef36ad74becfade49f35f35189fcba2ff8a9deb5e184326cc8ee5a7f655c0568726af9df50d602e379e983b8b3b1cb8d990c42acf8e2f84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
31454c66a9a35968d584929778d4aa51

SHA1
ed082fa396390b9e939d6031bd14bd02aadd26fc

SHA256
614b4d5a1c0a40461cb03135abb32d3f499fe836dfbccccf5c65ca7d79ae1bd0

SHA512
5b89106a96172b45ceaeca0374f2da595a357fcf43acc10a9c107ecefca496dad5f1d3f8074bda670103366675eb2f05ed18c4020e52d80343896e529b0a9490

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c1bd4adff32a6df5d7304f1b7e57abe0

SHA1
b02b7c71b7dff7f58628804926edace5346d8d29

SHA256
01a08d116799310351a5d0594fd0dab275409cffdfcf4a28b65949670544d25b

SHA512
0265b485e7c5cd376532b85e207dc62a6ba222f4363ef9848664d75a7779755e9bce98fdaf00df638879afb0aec75b0c71f2724925142f1c2a434563ac62b396

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
42d1e57d8b8b9cd85716e3391826127b

SHA1
c6e699ac132a84de222518f5ff3d81addbe4bad1

SHA256
e758c0d4ac79d490bf309fffab685c9dc79883f176c7a4b2c3a95a051d3e7346

SHA512
c1a5593db78779cc81c18ce015d5e4d7b18a47065bdd199b3b913b0e8494e9fc037122f6fb26821600aff88d62f4e2b1fc2ad4b8b703ccef044ffd819874a171

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
d62032f0ed75ff59b9ef4cc9938334a6

SHA1
e3ee99e371ba5e391adffebe575871628838788d

SHA256
83fddcafd2647ac3ee267679da188be1225a2c70b207b70627105fbf85947f43

SHA512
88f58102c578a7e86fd1d80a52b8206ed6d2e712047ff0df7a79d36a71b6ce09909798e940c78493fcac5a09863edd46e85b2e59d8f9104c169d91bb0cc7faad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d45aa887c9b0da05f5c271b021f7b9b6

SHA1
1cc61bcb247b1cf2cce05cc3f7f6629514855b09

SHA256
590a5e59180f3fa5295861625e9b4e2cccc9d797833e2e8506b8fe18df25b41c

SHA512
271d14d0e72e4c9bc48c4d6055b8d2ba329ae16342be14e6a761ec03b5dac03fc4d2dd446ca149a5415f1568368a0228466f1117a1595bcf960f1158d3d43179

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d550897fb94d46274c65129a34ccbe61

SHA1
ddb40f7ff42c6e83d131c00c74f43fa9aeebdf41

SHA256
659b621e0c823bafa24ad1e94dcc4310e09bf7b31665dc45308438e2639dd02e

SHA512
67f99b8ed3aaa1307ededf4adb0ba0ccd4a9c62b662cac00d035a6ec0135c48e15ebaa4ff6c9a760b18f6e5ddab90839a3b0ae5a9b40c1d57b31a8408dd5e8e4

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b3d3505ce8f548b20193abe9f40f416d

SHA1
62d8c0cd138975403ff6dae5471e7f2464b2cfd7

SHA256
9fc077381e17e5b58755bb3f59383fb5c1505f8c3edfcb5a7c52f84c3ddbc33f

SHA512
6997c599b1816a619a28071a4f405fa0d2e2efb1f222dce99f3db07aa726518404193c285812c6f45ad6f8160134361f5dd972d666a5052dbffdaa5121b5fc43

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7377e5dfbd29c1070f050b09f6a50f9c

SHA1
d00e92ddf180a8d3d1f8b69774a8269fe148faad

SHA256
dadd2aeb1d676fe47451cab818e71faef7fec0ccfe92975ba6d7167c8b9bfbd1

SHA512
a42dffb3a81372b2062d8314a4f932740970d1d3e923e99b6ee816d1787fd2f9db44ba184d11e53d15742bd46e11b8d72b4de008f453b60c9ba55c621b5b10d1

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
b8d77bb605ff016bd68f7de9a4ef151c

SHA1
8e8c9bb96520209102be437887a9ffa2e63d518e

SHA256
5db2c7c4af5fba8f4ba7dbb6db774bc35cc5493e4206261e6cd90dbb8f46adf2

SHA512
edd615ea5f938f248b2b05303f2d6cd09bcb25ebbffacd4ec299738ab978c13566809bb5c5a33eb885cabc71ff00697d9cc32f1dde861ba6335b65d1d4b2d3d8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0f2077a515ced1e99e10cbd5bdd7857c

SHA1
b7584220b1fedbe2c39cb183314a1cd280a64aa3

SHA256
ca5e20bbca65cce61806090878ced57452b6d7226cb99b1f6061a1b3907aa626

SHA512
b767e8ced925303ef8fe79464ee15aec9b6db57eda1200a3557ecee83e51e2652b0ef61155d34ad98540f84ec39693a124878655d2a1a8bba41084543f57cdbe

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
6ee16170de15f186d797868e9440867b

SHA1
02545425f791c8386d677ddab004bfaebd0c22bd

SHA256
736abba57755e5aa4ab50d0b1de1030578cc222b07f0e67370687da7703c2bd8

SHA512
b696f507ab0f89b476d43f7a6ea14e5b94b485a245ae4d0ee0d12aea0235a97b959099f3e1b0a048f4eea101b8c7376b41097deec3d2cd05237003665d0ddac7

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
8d2655e6a1acf9510d1fb6036292de22

SHA1
fe3acf5240b2b9b3c94c4794d87a3f60f7a46cc8

SHA256
05ac899408d4f1cee8ffce104cba189d4f592c113218732fa0fcc97f1c7f9440

SHA512
40ef22bdb3f53f45cb06fc4082b438b5dae3e580b1171f6c20e807bc47db82749d653d06618888b5ee917f6136f084189ea38b17ade739f6099cf451d2e92a21

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
5c1e7445827c83b446343532a16603e7

SHA1
8e7284a17c92a165862b701ac9f9c2db649494ed

SHA256
292e8f297e3a5435e41680eb853abe301ffbf761a906101b1bf416288d534db0

SHA512
18a0a015443a0f53b45f9c9e3d5cb5b674368ca7524ceb941be84dd623cd808a0eb85c5051312cd8dd33fb325ae987f3a14db51c208b5cb0320dfe7b73ab1997

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
98586564a885986d975fe14ee4097be3

SHA1
eda8ad7f48dd530ac96102ec151f9d8f4b0a588c

SHA256
05b9c2997da51846449df1ff56b63280705581eb0e0a7ac7b4379e2116d2ab70

SHA512
251ef8d4da11166c344dd9499d0df02ef3bacf7b4dc242153bc66e2fe9d8240a0213a3b88629cb45ce1140bd142d131026599b4f579853aa45900715a0075a3d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
83bb9331133362a49506cdc090ed4c80

SHA1
27bd9f5af24b29ca46059a673cdfbde9dc26f2b2

SHA256
e3028cbf210f0e50ed7d60cd30f6c17375f5d0a56d46c19f9cfc91a051ba7b8b

SHA512
c717f05a76df03954c99c27965ff828707f36a8bcd23db49cbad03a20ffc618659b9522556681f21f8fa8ebd8edb53965cf14f872a52553e481ea48e0a53037b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
37d0500e5d56ab1147fd23872d9f1ad3

SHA1
17a714f3130feb12b00220ed54d768bd567a1a8f

SHA256
7297139c02a4463f2decfd60611caa2f047120cc7f82d481ee5d9cb38c8f2376

SHA512
a107da168b27dcae690f2954c6e92cb416cfc89b4a7b0ade84bce3c55a4758dadbc9805dfe99eed44981102c440a8adb13ec6dd8525003aa50e7682622993faf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
14c8e2aa14d6e3f91b77ad259d10aa6c

SHA1
c24375d91ffaa1b8d801973a6a311d8edcb0fa14

SHA256
4640830dea64d9d3d6a2a701990beae127897e2104b8c3ff4b1565558e5aae62

SHA512
e87a50dca10d75a6feadc3c1fe45e7e89aa1526a2a7aa7532e1b6fcafbed76414e614c3e4ac126e30f025c27008ceee036d3971772ede62c96f6727e59131b03

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
26af28ef884961f8ad98b1d2f92e9fa5

SHA1
59ccd2f4aabbd4a8538742e1cdc215ffb823cea5

SHA256
5ca451f371cae4d4557edd17ebe9e53c812e65d317c8c9603c46de4dba12b6cb

SHA512
30e894dc418dae058356791e418f67838ce031c278a004677af19e92ee93a8d9b29d0104aa3885f392ffbb1b1a9e93cb287e20c706b8c4776723dd180f265208

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
5db150ed325060cfe345028317e84c02

SHA1
f1916235a26b9fcfb290af6b9538b090ac6fb55c

SHA256
9b2de90d41cf37b13bf1ca405c4c8f4bf6a62e4787f26b3db4d13c3621c0f070

SHA512
348dc30efd8b97da063bee2ca4f73a61d2002501a8c396c1c05df72e24a2003b30bf4ab8bf078b26b727945dbf735eb59f275fea59a1492d03d6c66ed63a2259

Download Submit
memory/100-306-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/100-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/528-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/528-103-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/528-94-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/684-805-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/684-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/972-182-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/972-294-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1292-8-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1292-1-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/1292-167-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1292-600-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1292-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1808-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1808-648-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2140-806-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2140-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2820-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2820-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2820-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2820-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2820-181-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3144-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3144-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3144-718-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3208-719-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3312-113-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3312-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3312-107-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3312-116-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3312-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3348-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3348-120-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3348-126-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3348-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3496-715-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3496-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3596-152-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3596-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3596-142-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3596-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3596-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3604-179-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3788-807-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3788-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3840-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3840-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3840-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3840-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4072-318-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4100-720-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4100-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4264-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4264-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4556-157-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4556-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4592-769-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4592-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4996-804-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4996-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download