0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
Size

1.8MB
MD5

8f5cc8bdfe0c2379aa6e309c49825e2a
SHA1

6ea82dca6c018c21572cb20709f3e5769711267d
SHA256

0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446
SHA512

06abe05e701c35a22c93397f711fff8884778f95e4330523c76a48177836515f1670e273ccea48e5280d8084d956cfcbbc9f1f30917138030917d31f6de365db
SSDEEP

49152:3KJ0WR7AFPyyiSruXKpk3WFDL9zxnS2MdFrIe78vH/:3KlBAFPydSS6W6X9ln+TjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3212	alg.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
2388	fxssvc.exe
400	elevation_service.exe
4352	elevation_service.exe
3232	maintenanceservice.exe
4636	msdtc.exe
1620	OSE.EXE
1800	PerceptionSimulationService.exe
4244	perfhost.exe
1916	locator.exe
2896	SensorDataService.exe
2348	snmptrap.exe
2240	spectrum.exe
2912	ssh-agent.exe
684	TieringEngineService.exe
1628	AgentService.exe
4660	vds.exe
2980	vssvc.exe
452	wbengine.exe
5164	WmiApSrv.exe
5392	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df8eb574c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\System32\vds.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe

Drops file in Program Files directory 64 IoCs

Processes:

0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_hr.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_mr.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_zh-TW.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_fi.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdate.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_pl.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_uk.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_am.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_fil.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File created	C:\Program Files (x86)\Google\Temp\GUME0BB.tmp\goopdateres_hi.dll	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a574e000baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003c41d010baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084b86f000baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b32f66000baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065a47b000baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f13a14010baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd9c35010baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd51ca000baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
3516	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4796	0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
Token: SeAuditPrivilege	2388	fxssvc.exe
Token: SeRestorePrivilege	684	TieringEngineService.exe
Token: SeManageVolumePrivilege	684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1628	AgentService.exe
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe
Token: SeBackupPrivilege	452	wbengine.exe
Token: SeRestorePrivilege	452	wbengine.exe
Token: SeSecurityPrivilege	452	wbengine.exe
Token: 33	5392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeDebugPrivilege	3212	alg.exe
Token: SeDebugPrivilege	3212	alg.exe
Token: SeDebugPrivilege	3212	alg.exe
Token: SeDebugPrivilege	3516	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5392 wrote to memory of 5872	5392	SearchIndexer.exe	SearchProtocolHost.exe
PID 5392 wrote to memory of 5872	5392	SearchIndexer.exe	SearchProtocolHost.exe
PID 5392 wrote to memory of 5916	5392	SearchIndexer.exe	SearchFilterHost.exe
PID 5392 wrote to memory of 5916	5392	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe
"C:\Users\Admin\AppData\Local\Temp\0f8adaa5db2f5fe428995479a9333a206fe6f56373c7da4d31245b8cac606446.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
1⤵
PID:5332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
00ebff769a365404501ec2d4e657c5fa

SHA1
cb310b8b8d006f54ad919885fb033b362949a3e1

SHA256
c1e83fa37a3ff16d6ef23be0b4e80d7c1663dcf1fc9b89d0cada0e7d7e80bdbb

SHA512
f640626d51dec94c7120a512642bcddea87941deb515aa4eec5663a2ac293492f644f2a7a99ba197cb7fb0a0957ccfbcdd603b602db91e5713c872ae298bf82a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6fb0505c33b0b7debbdaec358b7b41de

SHA1
edf0a12240312bb069f8cd7c2db22af02f378418

SHA256
5143945254ef0c559bdd636974ea958cd5adf5a9b559339253514003e531ae43

SHA512
bd58d67e8e451ab81e6c67e3237b17b9054830618259333d2136165a8749c270b4db9fc778668dd6e2e2a8ca12d30f19d4d3b50a7949ebd2b78cea712d9b6745

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
97b18179021446d05949e217b526fdc3

SHA1
174195233707b9eb237c7d322a4fafcabf1681d4

SHA256
0ae5038f524fb5b23be906b0fb95a41da7a84d435ef5afc40d3c926840dafabb

SHA512
b1de11513a930417ddc444e0f0638633d588efa47c3e7db04608ae9451ce2c53c4612eb6d6b2b189d676fdabe33a7e6d671f23a72fd85265a190493f4c0222d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
66f6261faf09bea2c97cca218d4236cd

SHA1
793962b88b4d9579d6c4d89e5e7b98b86c252efa

SHA256
5b7c9c659156c76ad2b03eee3fd973a6f50aee7b63f46ce50fae7e20f8cfde13

SHA512
1bd502b4909d27eccb2d4ecdf498901f76ed160dc4ab951152b688754f001127e817072ae4d7cafdba63655ada0528239f7305e73af91bf9389cae717d4b4894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e752ac375b2157a52a20399d5061717c

SHA1
a11f5d0bb983b24ef16933b7025df719620c9e24

SHA256
b8eed00baa0cfb4f58c17b1cece12cb061b578a64c8ee38c939989c7aa91f2cb

SHA512
511717c2d980b11b5aceb2c6f3b08582602a245ad5d5bb70fb5937c4563f4a49a1aa64f4bcbebbe7ac3bfcadbc265e640ddb8d145038eeb874a280c6524e8b7e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f43431c416a2a059caf1ac0c7363ccf4

SHA1
6d372cbcd41a1f78fd18cb29f564e5b4952660b8

SHA256
3832509971334ed26e5f23d5a30f0c7dd44643bcdc98de412c3ae912ba99d4b2

SHA512
7a3835648875b962c738c83c88cbf5586f958352c9291a66fd65be6009c3145293178f64ee6950baa91ef8b40ed2a1013c69e5e4a15e6d3afdf1559a6560af83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9f3912a84f6d1fe3a3b0e752bc3ef25d

SHA1
df04fadd5174d4219743d9b5ca5a982c99b7b576

SHA256
d98a05ce34ea7cdef54c734f78e21269a035877c6eb2c55227da9da55f8bc1a9

SHA512
f935171c95489b101e7b806bfe4645bc33b1b60d3aa1292ef6e25732d3ad79bf355d65f0a0273f995bb93ebc41b0ac40545836e62da9b9ca711f3dd5d999a5f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c809f88c8d6eafbc20c59b737c0a7d88

SHA1
b02a0fad91bcabb15ec5176b087d609e0a38e6aa

SHA256
62be2a340f66e15bf0c911564480c16dba4989a01381daf29962b1446123e03f

SHA512
8d146d175572206f983e261ebb72f2db1b31881160c60435c61b2bedb5a8c2e4061da4b94da867e2fe4445583b415a9bf79a4c4fad9e988156eb2ceda98f936b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4e10ad3f22394cab48b78d06f4b0d28e

SHA1
d2ecd03ef0180e7d7783720d631ae7e3bd685bd2

SHA256
c998dffe1a71cd48ac50276c6aa005f9c26f8cc66c3639dfc909bd758d367d94

SHA512
8cae3d4c9a67fe52bf922237a0ed316a2199536d7aed60d5b2c787b96afdd534f8bb3f615826dde610a2ee4942275a8b4704242b277a5159cd29302d1c3ec2f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
163b0e34d03a2adbb06f604f3444dd39

SHA1
fddee35f8fb3255590f23dd7df2cfad9ce2b1278

SHA256
ea005fd48bd755d5bac7f472e912f5ad1d508da017a3a951cf6f3c830fa27920

SHA512
39afec39b21f1d0f0fd7d5b43ef7548fd9ae0dd28559214b79964db68c04239753322210643ad3596d1ef9d9ca8903a22e8758033663cc1b2f6f857e39acf3c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fb83e707c6437cff7b50d0712bcd6fd4

SHA1
0100b2ef00b66ef35a71d981a865f14d38af155a

SHA256
193fab477a87eec5317858e9cab01620280a8e8c95381046e4b605ea1e20316c

SHA512
d0c1e04eb2de1d18f3fa620418022ef4a28aed3a0c6fb5d47e38c54018b4a3a5bd937e583521598232e3be5db2ceef4512cefa3b6e281587acfc83941d5922c6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8bf48b6bf2e345bdfb8e303cafa1851f

SHA1
464641ea5321a118ed20a40d349b5bea1a145cdc

SHA256
301936136194d77b3015f0366fa8a93d85568fd0a446f5c1c5e36d77541c310e

SHA512
f9abb5b5b803db3b6d195402b9002db4553815565b4f549b77afec9e0d5574b2d9c500bbb5ed73234914efaf12ad4a7fac61a65312bda698ae195e63bdeec105

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
fb38daee1d2fdab575d280a3ef6b5607

SHA1
843e6b409cb59d66262cbc1323e66e37bd5ef8e3

SHA256
b795b3120794aff214fe47e64a433b0830f9b6b64f574f7d14758862046019e7

SHA512
5903ca3a78f309465987c210f017884bb8beaa95e176dfc39cc153dbd1162afbceaf479467a31da10c6401b9c2c9c1a7dcf631e2ae9d7b16b75ff4f50ba40284

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fa9a50c32f22df545aaa29329d2eef09

SHA1
6a61dff07014bd9c37acc20ff3323da4d3a467f1

SHA256
a2b4f93ed25ed5fc36af94eb8885989b5cd54fdedcb2589a9d2dd32c5251a9d8

SHA512
9afb0ef6016bcf8cc142e1434335f1036537a55837fe814cede508aa4089c40510d4f57934edea9dc85f3f0c5c96175d69dd8c915bb4dce813db1a66ec6376f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cb3bb8c0dda60a024bd3bf6611128bbb

SHA1
7bb57c4b154baae29c993835ce26988583b347f0

SHA256
ea6473899982411dd7a83d52e3ccfd86890766f32c7abe05e5779fa4c603ff44

SHA512
6f33d2f312b0dd735ca1a8c65dc0004cf3bd981eaffe9a7864833b5ec5fc77091ef768ae2b093aa415f587f40edddf6530ecb980019a6dec57174267714f9a10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3f23c929ebecb20af3a27c296445ed45

SHA1
17f02455ddf6f5192a8fb89a4b82d89b25219b2a

SHA256
ed919e5ec06b7d62e262f932234f86a8014db44325173f96c57ce2cd501b44b5

SHA512
e68f5613cd0c32fc5a1359325657b460c362758c0e09b08817ef7e7e35cab9bdb154fcc0253257baf8e3e5ffb5ea158dcb52b9a8833932defc5b98c7fd5f44e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b5191309cfc7834e6078a69faafa54d0

SHA1
efcdfd6d1858ae81c64e5eb99d48503ceaff72a9

SHA256
7a9f63de54377499e8e230d04e12253415f3885c87e9960c3166d18165336de7

SHA512
73b7c09b0fc735dbdc29fc369e1d74f53182bc3ab8e06f027b21bf8725c79422a7234988a0ad732dd4a4b1653e5cfe9d7d9a0b91714185edd45ebb147c4cad1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
da6530b295c56706d62be848091e2ba0

SHA1
9ae857d97fd24fa503883b6ca12a518f32b144f2

SHA256
5ca0d736969eb69bcea71901e82ed16d8c89f0b3e88392c6b1f354edefd55205

SHA512
2ddd44f852076a0010ae3f193917d6d9cb4f848f38bf8044dffdbd8f0231fae6ef57463c4f33fbc373450bb1f5928e0be67df04a894f9d9b6f3abaf217234303

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
385cefb4da60472928727d68c2b7b281

SHA1
4c03eb27aa0e0b9d111217cb0736703763afed33

SHA256
56405bcb2c7dfa35ec1853e44cc391480350a106149c1af347d2519496f0a3da

SHA512
9d9589eb235d1506db34b377fedcce40750cbea9235d8b235ce1b344cd41f4b3657c3ed301885ccf041458141d0e6fd7816b34d17caf1e61844cb206a3822e26

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3700c833124b1619b0913990eb00401f

SHA1
ccb442c3f2f296ed41a430c0c94dbc23d8886d57

SHA256
f7f3ac9beddcf864650c601f68572d825b5b8ef007e1995d3713205374ef988d

SHA512
f3016f4d3c577fb29cd92947de9c76c48525422f1c91dcd686542cfa72e5ff145eda095f06cbefb25a32c210a09e08da2a6374244bfb2f52fc8531941f13df3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e11960704fcefd1624ec71b905b85673

SHA1
e4040b72cef8277d22ef4ad47372c4d4f93383b1

SHA256
b1214483848cfbfcaf35bd3e71900f57b00e27f975824e4d0cc91248ff3b10bc

SHA512
a36aecc47dfe692f1eff4e99aa8da2bf812681437a9741d230cd429f90b36e8920aaf490d4a5cd18dc222b60a38091701ef27ab0e83a8473fc07909742ae645d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7105eb6003b16f36eeb74d7bcc8340ca

SHA1
fd80b7262b9153f8b8f171a7fe86e227bd6db9b1

SHA256
1631d3e30bfedcc04b204057357d79fe7381984c249fde0c435d3ea6ee2e2321

SHA512
bdca9eff21eab8e11361c0ebfe90848969f324e6ed387e5a41023e59183ef2ce62d779d44b746b7b5da591c1c0694fdff37a45cc26cfa76ba149bb5aefcbb3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b82c8bab5437e3bcd38134af759bdad7

SHA1
902b6d293c5c71aa288d15a4c119c11c0f876d8c

SHA256
20c70a331f2265e91ab90623c2b46689bdd678d09283dda1ab2c17351c713822

SHA512
235e36986c20543a023b3f87876257b4dc5af2eafac93e6f5420ee35d16df65b6efd2cee0be8558098a9f6c6f6fed5421da5fead041ba9e365f4df07a839ec79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
fdc0067455a4dddc1f550305f0bdc51e

SHA1
5cbd5ed6f59aa55bb137e99d2872035db363e633

SHA256
8a40b28eb90e993d4b7bec5fa9145383558f288f456e59f460f9984a4c694208

SHA512
b49128f743ae78b1eb5d29f3ff5c20dfe9789189fdfa44ee8db02c911a862c3e670a3cc5c57e7c6e93779933b19a5d9a7e67f7617b5d4f59f43e4a07529c62da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
80ac9828d7b98dcfe7fbad41b5500f41

SHA1
0c3a4a3d67df0009beef86efe7d3b189d7c5f2d2

SHA256
10cf3b0f399a95dc6cf744476ac23d39ecf67b32720a49be4647f47de70686cb

SHA512
0c3d7102d381304ddf0f725aa28e98f3da26cd855562b397fd60fcebbe217cf592b2f885a033012a258ce84bd30a79ecb997eb0ae49670213125667b3ce9b24b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e91b25d87265b3598cdcf550fd9803f5

SHA1
232e45a2c25ca3f92c2a153f090dd98384344099

SHA256
c9cc077e6a8cf34f8baf13e0bc76fb97bcee6303b6c396cf714ee6a6e78faa4a

SHA512
12a76a32df2571d5fcc39cceade21fc1e1503d94dd5dc4d56f68f350a27198cdb2023ae0459877275c5effedda5d262a6808361bcd2a0e0a7cde4fe6d993c15a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
97aba30c00475d7d0065e6cf9e398f6a

SHA1
b7eadeeb9b7100b55df4ede95aba289ac294ec05

SHA256
2191d7b1590257f70d2aaca82f6c4b9b33a2b173cbfe76e7d6522713dc95ffdc

SHA512
029b205fd8758b82d704ffe09932c5330a13b17e7c8051152f0837a5ebac9746e72a9b31645ebde7206246c6f921ca72749ff8eadc450ade70a1dbebbd99e942

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e51f7ae135739d167638e048ef44d520

SHA1
ddfd42e32854213ac0024dea88bcc3d7b5e9fd47

SHA256
bedacd0ef20cac21c62a170052ed4447a8846b16984f9c5c823a31e8be924ba8

SHA512
52b2dfc6ff6d15ce10cf97b282a78b4f10e65b044779f4f192e20c97c09dc31ef06bbedfa61e61999479c3a663ea6242f2c6b12a49ba85cee9e4e5534f129d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7dec31d98dabbc0404aade78fa81d01c

SHA1
57126248f506abb4400d7687980d2cbf88ff3c09

SHA256
1bd8583bcd36c05108f01187703dcc9f39286b1abaf48c86f36ca683d14dc3d2

SHA512
6044d27c11a10eb8f907fb7798ef269f87a9684ea7a28f622f87d23ebf298277c9f3401908e783fbe0c0fbaf2139cfc9e46b9936711ff0f17caa1a98d4318ea7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ddd1c77d745a234a5a64fe3947de5b5d

SHA1
3897ec46e5019bdfc62a632d87b40ef71da2f31b

SHA256
ce95a41456c725de693e910dc23b564f51ceb39618701e06afd499b0939a4f91

SHA512
dc983d73672bd6160bb7aeadb20ee18347f79e02e669414d1dcb7fae030d3c990431ed9b3ab8414cbf9d11f1fdca3d45f0fb4d26352d81034ddc102071c00bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6649e42b920457332e8a73d06d8efbec

SHA1
c5989e84e56ca5d762c0804157bcb6c7ab3aecbc

SHA256
29d323cec1062e3e082bed580f355330325599339fb55214d8a4df16d418a77d

SHA512
a3f6c6701892d89dc2febacf246f6a30186025cb10204d29401448cbe6b8c10a3491dbfa5288f90de44c185c375a020922d61e38a4d194d45051086baacf8aeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1b3e81bb0146871596105802526edcb6

SHA1
f894e20c418a56f6916bfa509b9d37acb4893d45

SHA256
85670f6966637db136dde5aab5b8ee086cf7c3547b32beb892b745a0b5862d13

SHA512
528cde67dd72a865ff853b975740f924b4646f994da03d0bb2d1192c4c971262aa16a6b1ac48ce0139140e87b7f0399f6d8a265ca52cdc5b358b5babefae06dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
85ca54afee20747a50b7a733d618ab3f

SHA1
dbe482a030aac06ceabe824598095755a1347112

SHA256
628bcf170efb16989b61cb08c9b4bdcbbb1ffaa87bc60e87ba0e63029eea51e3

SHA512
c90f09c811b2fb72ca389796a2f26298d8586560e83cc3c93958b13b7d783c11e95cb4fa2f658ed143d7c813754cf787a777f88bb6ffa1e73a855894224b1f5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
afb038550ec02ad78ff9fd91be7bb774

SHA1
ffac73591d85e38b60dd0bc1434ae7dd0032fd51

SHA256
ca66288e92238759d8f5de0f9793dfe2b2055a7fc4cf55652f4b9bf0710480b5

SHA512
9ce1be3c74ff0b2b1ced81dc3307df1d6f9c1ce10c37d882e8da03afd6e2fb972116784b619ab34229ede9fbb9f2c78c0d6f891029a4a7dd9431b6ea8f5d7e93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2ee3649124e1f1e38221778cf984a65c

SHA1
9a906a10c61a242093fb0a5a4d85bf05d932c6a3

SHA256
be6d8debe764a484f7f48ce0a73d5b2807770489d3ded7eb669643778ed6f560

SHA512
961315af7fee16bfc49647616fbeb10d56e32040d75320d238b328b94e33a5b7c8759b0c8ef83f550b6cd2b9422a02ca79d46d850db1da0a016ad8845795b088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8aa618d5a32cd5fe80343b4a6cd9dcce

SHA1
d064a87f0d88d8503cf98e0784cc25f38d720c43

SHA256
23eb524219dc26431bebe30e444c18c1cc7f4ffc17295c3349b87bcb2ba4df30

SHA512
41ad398e70694f24ed65165f028a6977811055a17e77e1579ffbbda8e78b41774eba35194a6e2eae3bd5f6d40bf326f131afe27521ceb7ab48e16c622d5ec21c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
6f79392e1804a398a14a029ca37d17a0

SHA1
e455dceee14d34fb38bf93264b15f955425951b5

SHA256
884b4d5e70237f3b56802936992f872c34db266fe0840013083e210929b2161b

SHA512
b152df1eac120e02f445064e031f074efbc64d465acca6fb6003a010d835231e4a22cd74b332ca9195f3c43b4cd210b4f0e0ba300d45a20e53dfa09f20497edf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bd3c7db1db69bde8cc0079ac6a51cb44

SHA1
c0932a8d6ac79f7d07bb072c6f13c0c313bc4bbc

SHA256
bedc2387bf82f76a1af4583bec254a21f6c478a14e5df301c56b822bef0bef27

SHA512
2f51a9c17503c0bcaa2908e4f578e07115b2405c4c2a21ae49b89b62b3e249fbc0b3222fff187f9dd0a811c43d72d95d7e162cfbdd65e2ed4b7e44f2557a154d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c563262205d9c41d95be77f63cbb47c1

SHA1
3f0b767ad58d8938eb9a8d9766b5d3280433b7bd

SHA256
7d0b89eed2affd2981addd3eae41a42e47309c0f6d1a86e797844c2035e89051

SHA512
07c953c3c9d717769744df658065bd5440d28cd0dfaa16cef2c54bad6382eafae9a6b49e037e6fdea9a323e6f494a3b62e8f02d6715035f6bad7ca09fa271f0a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6b8cde0df6278b8cc3af3ca6b701aea0

SHA1
17a0b45b2ae7c2b1335d66a613c01be7d15819a2

SHA256
bb0cde6702c5f190fa708b3f893142eb874a5a406e7937f65798212a4224a5a2

SHA512
4e65dc2dbfddfbb942c38a884d30082f9f7117a4515c35bb5de72f5ed40026a568f673e6cd3948be5a590472b5016c9f88805a2f2a3546993209b52fb9e03fdf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e5c891af7819582d3c5f534e6fe37110

SHA1
3117439beb7c4c54b171e5292916cc1d4d5f1fe7

SHA256
0a27b5f7fafb8375ad80d5dfc621ecb013bdf4239f6bad396edacf6447f82367

SHA512
11ebab9d1a5e019e0cd902ddac7c6bdbe75de4cd6bd3db57bab0674e828dfb1db3a5c6fa801166cbd17652aee585a1e1b9a8b8f7d35c2c36db6dea9b45b45c96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f2e3de04b54052e5e565445372ecaee2

SHA1
10f81a905a13b5daac8ecc03914ef48b1b310eac

SHA256
ea9cefa557e878658b20646ea817b6ded10648a583082088f38ae86041080eec

SHA512
6c813ba3fa3e6e692b193696412b03ee6b95b12cfc23c7723f8bbe9815bc3f26b2c698409342fc0f0302a206b391ee5be6679706d0f676299cb33d130d89b890

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
720b136b56ccc513070e1ef6e99fbbf8

SHA1
e8f72fa7c7e0022a38806155dbd744684b18fb5f

SHA256
a6967d4ba5057b3bb27b34c47c48a0bf2b98dbc4b655c6984e172cf39d3fdae6

SHA512
6235bd821bcfd03e64de519a047bb843e4da61cc003b6e6c0a557343f8c7390abff3da05ecf43512a93aa7988bf2406e43a7d6b7b81eb1da431a298508705755

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cccd6c47595b32e8c1a8ccd3b31dd718

SHA1
4660741136db39b3928ccb2e9de34fc1459753d1

SHA256
32a5b4bbfa59755caecdfbf8e8ff4b87014cd1ecbfb384b7ec7568572a7ad012

SHA512
ea777bf638f6d8410a4c8d57c163ea4818391b8e145ddd993a0f9a6ec437e677bb6b062a14c867a29beab7feffc3bc405a1ae4cab8b6cc6c43c38a61d7cce7bf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ef36f4b1b4b255b13f760cbb5977dfd3

SHA1
46a0db3ce9000e80940e1927d33bd9775ba57cbb

SHA256
3bdb531f5ef118165814e5e046c7424b077170ce8f0e4892aff9754e19a04df3

SHA512
aa0dcb5517429778d1c38ce35fc2d830bd71c51b4ee04f2675766b5f02e6194f156b9ee19029d96f28759183e21f2fcd414051ba879de9193573d161237f31fd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e091281d93e1cdc326a0b80810417ef7

SHA1
c19ab0922728aa094a3afdbe1c5b0bd797fe6acb

SHA256
7e32786e7a2a2dd0659376e5f7dd3171469a1f14a540670f7c7e80e3bc238394

SHA512
77d7478d3d178a12ed352a4ca4554cf9827e4737a4b5a693c4d270c3a9c84c54b5fa936eefcf24100b06cb4d097d830eb69f637e88de6c6de14b1c5004ecfc4b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6fb851c4c060cf0bfed7b617b0907cfc

SHA1
25d420b5067b50e37bc3beaef04969fd78b88d66

SHA256
af6aecd9512c039fef6e41635445ad06803e926c03b261384e4332d3d9a87ff6

SHA512
bc9eeedc614cffacf537a4416845a852b56a4413ee7da738e88a91a43df7159cb4345a5b2ac51b8ca4f23fd3c88328f8e6637ee3859170b574294f54838d5dad

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6a4263e8eaaa6c4ee04878ef62111df2

SHA1
13059c5127cecc0a4e501738dfc1b676b9082e6e

SHA256
4b377778b0298306a780a60d2a5d5eefbdb02fd8d0b15f8a1dab2c49b5d90402

SHA512
1f7ff6cd97ba3da759a6cf7585e61473a1deaf2fd1139df14110fc9c84c667f4629c0d4b0ed940af989e3aaedc516c473f2c8b8cbfbf37b74b9338199238ff5f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
336b35113e8d14f8c84da2864c60d537

SHA1
37d0e9f2ead053424a2b1ac8223805734e25c498

SHA256
8e7412b5a9a393c66613df079d674b05dcac0bd69399b774edb9460385ba5697

SHA512
dc13b3601457b55ef90939f4726561dd7886a029d4aff3c54133f6ec234fdbc8041707059bbef069db3b2bc86694065d6d5217204286375b57c66357fce9b85f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d581ef69f4f930255724ccc3e6b6c995

SHA1
ef85ddf244887b2d9171b7429862df7ddf1fcfd6

SHA256
a90eaea855c9d90a299ff20c7db40243a1c73efc221476815ea820af2d048557

SHA512
78e14daed590ef4893911462e91465174b46b466b4b1349bc54bac9f54b862085787a2f2570d82b5dcc18f8439c6f6e52fec51530293c294e28815f7f71be3bf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0144beabb39aba02f747b7a8fa09275b

SHA1
3df81d6118ed9c6f519191d34eb908bbf1f497bd

SHA256
52361b9cdff910ea4191f59ab26e5d0acc3b3bf29271928bdfa8c60f4e996aea

SHA512
93fab4a786b4cb54e1c38608f4076cd747bd7eea6529077c37102d1f620c807cf3c2d83937370cda22b5c1713b15e00112af8d22d81e344ea6889b53ef776d49

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4e043c676ae76d2f49edb6ceca930f8b

SHA1
30dca1b28c7d39f77d6dc09e8aaf783db030edcf

SHA256
b8b4f79b59deea1146d85c1d8e385e0f32a35b83524b29ff8d58f00be30abf3f

SHA512
90c8cf1cb64a49e681d5ea0ff4a045a8fdcab133d637cf11acadbe35a3a795abe8ae358186adfde4d9f12c8c22f54867449508c955cc90691c9b1c666c0932f4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7182afcc5b7d0b25a44906ed545c1bc6

SHA1
1b1f3d7d74214a24d7b501cbb5c343759792e3f9

SHA256
dd856d4588c5c6f54aa744b1abb82d152a633e0177f58d3574a6757080761dc2

SHA512
e6ed67554f108a05c7f86fdb420d73508444f1215776721152e370b7dfd2394c911dcdd55934e212e27f71713b179a8542b3e97cbc786c66e0e3e40a848584eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7d66e3c963670d8907e3d080c73b1317

SHA1
b3c471519aadc30b972a1251cf199478fa07507c

SHA256
f2cd7590ff1ac7776609ea0f62b2d8a78c566d3712883f8fb6da372ee7fae244

SHA512
21aa398dd37a1035f6654c75ff77cd15abbabef8e717d07c56fd851a4ce73c1b8d44d911678ffdf29ed491195b053f0108acca5324980982b442cbba4ebd2706

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5f5cc950e94096ee7b416c0305659b38

SHA1
f11cb0fdab38f2ee2215bc0e7c5632801967afca

SHA256
94e072c6a8a81d663a6a7f54d6047075bbee31e53d9762f1ae385cc7cd8cb919

SHA512
8f65dbf078c5633807392fc94be8c5e9ad00fcd3e55a42c77bb21e73aa3d57c1fab6514899d9b0c106fcb2b22504527156b23fda65895253638cc8d2ac1cb90b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
609348d6e12d53f2e3ee9ffc307a0fec

SHA1
1748c4b2ed882cad4f5d9cca81cfda289429200b

SHA256
c73a26ef1632712f88f794b8ee5a9ea447851e755fd744dad0e27a84284cc0f4

SHA512
e46ae6e71d3c528f06741a3a6b5c5bde832ef8682964826cdbf66b8f008ad6342010ddf61247049c9cdd32e82c0095902c6d72591a6f4bef9ad2ff6fd4f7d761

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7364923d5ef568ca67dc6c77a2752660

SHA1
1b4992971cd15ecb3fc2b88477dcb18858e1d40c

SHA256
3e12070204e4f275fe971d2f5fba2f4e39671288eb3d97ceb9737ac8fa09abf9

SHA512
164cce93baaf39010abcb3042ece596bb960ced2d80c3ddbbd19d2074155bef940cdb9e2c888bfa08c15cbec1f24b9510ac63148ca983b47002b5efe185f1563

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
22691496195d0aeed30ad43dbeb3acbb

SHA1
71ee2516b0cd539263b089648103deb11e862b55

SHA256
197e1ff17a5cec6d10df8998ad73e31f0a0ca916e6d80340623ea8e69b5dcec9

SHA512
8ec5d585ab70455e41a2ea6f884c072010096d65265c7cb5be4a7bb8999b3749712e01d1fcc679362c94f04d2e6e0a3985b3a61d7caf609a173da8b77226caa2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3e1db7ffcf0568acb5fd5636d6d30cda

SHA1
3f977dd8d75338d5583bf4378f08e8522dd12ae1

SHA256
3ca37645de57f5110f44721c145cc3ebd472e2bdd1433fbcf45b99109d81eaee

SHA512
1dd36fa4090c9ae937ebee1e29ffa0cc73a8a1f2f8b04ea0c6955e901191c85b4566e9f4eab0ca0e8c01dd2f870c370d8352721ad7af1f3089969c26191c5a3e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
9b33d61fb358cf913f0741da5f938401

SHA1
a8eec0c1abbbdb0f4426a849033ae0d41727908e

SHA256
ff524966ae86a1f1a38ddc233cf4eeedede9a5e24a25f230ae3434732a9e1f92

SHA512
4372b12aae5fc5817f216e5f06b9411e044ea51afb998cd9d47c6be0690dcf273384ee84979118ba182601f129ada3376d9d2d37170f6a8955fb13631fb8d156

Download Submit
memory/400-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/400-119-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/400-127-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/400-125-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/452-741-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/452-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/684-736-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/684-257-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1620-290-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1620-177-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1628-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1800-183-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1800-302-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1916-206-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1916-318-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2240-718-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2240-233-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2348-221-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2348-647-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2388-105-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2388-118-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2388-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2388-111-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2388-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2896-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2896-215-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2896-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2912-735-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2912-246-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2980-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2980-740-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3212-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3212-194-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3212-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3212-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3232-149-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3232-141-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3232-147-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3232-152-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3232-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3516-92-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3516-102-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3516-101-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4244-195-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4244-306-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4352-138-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4352-245-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4352-136-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4352-130-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4636-156-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4636-157-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4636-268-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4660-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4660-737-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4796-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4796-502-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4796-6-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/4796-168-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4796-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/5164-319-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5164-742-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5392-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5392-743-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download