22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
Size

1.8MB
MD5

68edd0924b02ff41141586303a03bb82
SHA1

78a5170de3dc0c0026e982b0c6d59b63de579273
SHA256

22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1
SHA512

27537fae6d2b7655348eda12a7f1072fa99689e463f9cb91030b797b636003c4b561d91b8989735d32e737eff2f74698f0375038bbca98abdef0bbef1abcb9be
SSDEEP

49152:rM9QPdxwfE7WlFwKAfzuTiDFUFkXrz9kaq/:r1PdVQFwKZCFgIq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4440	alg.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
220	fxssvc.exe
5092	elevation_service.exe
2924	elevation_service.exe
2364	maintenanceservice.exe
2084	msdtc.exe
4940	OSE.EXE
1660	PerceptionSimulationService.exe
3380	perfhost.exe
3936	locator.exe
3912	SensorDataService.exe
564	snmptrap.exe
4840	spectrum.exe
4944	ssh-agent.exe
2460	TieringEngineService.exe
1180	AgentService.exe
4208	vds.exe
3644	vssvc.exe
1928	wbengine.exe
1876	WmiApSrv.exe
4924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\locator.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\System32\vds.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\21e13e0dbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_am.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_cs.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_mr.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_gu.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_sk.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_ta.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_et.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_sr.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2654.tmp\goopdateres_pt-BR.dll	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c488719202b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057d4bd9202b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e08fa9402b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039c38b9202b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cce2d39402b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010e4b49402b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a45d69402b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004233fe9202b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3a2359502b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe
1316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1952	22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
Token: SeAuditPrivilege	220	fxssvc.exe
Token: SeRestorePrivilege	2460	TieringEngineService.exe
Token: SeManageVolumePrivilege	2460	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1180	AgentService.exe
Token: SeBackupPrivilege	3644	vssvc.exe
Token: SeRestorePrivilege	3644	vssvc.exe
Token: SeAuditPrivilege	3644	vssvc.exe
Token: SeBackupPrivilege	1928	wbengine.exe
Token: SeRestorePrivilege	1928	wbengine.exe
Token: SeSecurityPrivilege	1928	wbengine.exe
Token: 33	4924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeDebugPrivilege	4440	alg.exe
Token: SeDebugPrivilege	4440	alg.exe
Token: SeDebugPrivilege	4440	alg.exe
Token: SeDebugPrivilege	1316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4924 wrote to memory of 1864	4924	SearchIndexer.exe	SearchProtocolHost.exe
PID 4924 wrote to memory of 1864	4924	SearchIndexer.exe	SearchProtocolHost.exe
PID 4924 wrote to memory of 3744	4924	SearchIndexer.exe	SearchFilterHost.exe
PID 4924 wrote to memory of 3744	4924	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe
"C:\Users\Admin\AppData\Local\Temp\22b21d2fd223a6bd469a76bd31caa681a6d5ae1ef443bdaf23c228c6520043d1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4840

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c43cd29d9338e0b3f889f7af0067394b

SHA1
b99a240d1960fef385a83d76e38bb2715f1d3730

SHA256
1456ce6aee23c911b91c16ff8d9653c20c73ab72759b12865e8b311818b56054

SHA512
bbfcaa9b0655c0f98e6fce48fd043a545970e1fd6755791227c0f2e2b32c7c88bb5390ad3c990fdac6cc35c4d59e4f84415d0a9cbc4eddccde0937aee2e5c037

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
96e32f6a7eb62cf328c1c8bdc2da30d6

SHA1
22b3b7e182f973651d7a4c4dba3c0f19d9bc0152

SHA256
5694f43088802423032f3a395c04f1c6b78b65b67ea361962f93b8044160d7c9

SHA512
20bbe8d2d6ab27bf56f2989ba9bfeaa1c8fda48e9c3bf6744d6c425def7a0a7aee81beadd2e150f61ca1f158e7260b57cd64e2b0986d2432ee4a2145e7cca604

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3e6b426e6a4c41670daec378466430ad

SHA1
c6db669f0694cc51808f4a3cfe7060d375a21d13

SHA256
9c29c3c321a3cf88685763084722dbb4bd3c5c05ed871648bffc8e03884dbe8c

SHA512
ed41849f1b4922aad4e969d52721d910458abe551ce25790f32ee1829dc176d2388816e1911eff5b9a07baed77ab7bcc943c9ed800d755d69043f63f421b3982

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
98267bf1b04e5914780c0cb9ce71840a

SHA1
41caf7afaf66e0add680484e30c9dba3ef917e91

SHA256
40c488f2b5336fbbe2e72af9d500bf39856fc6e2bde5bfa801cdce48e42f3681

SHA512
9d92a15a57a76808647b1eb76b90a4e372f06f4a0e367b1a98a508bc1594ed002c2bf21cd0131fcb12f628dfc38f40464a8a9691e0e6db1ce727d803e113e4df

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a05431fb93ff2f99f7d8d644655bf8e2

SHA1
9f9c7b74d62c2d1b105eb6f14561cbc161f62619

SHA256
77c5c254dfeda15749b72a00b908eb4b6fdbf7c51c86bd0e510aa26fa99dae88

SHA512
eb3176ae42bb0ca1ff586314c474271c96d3670fb089d5d6649e71ae1df6117663f0a4dc16d9c7201bbd0a96dff2a35876c4c80642945970e5a424d19a1b2521

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
371b5eaed38db5f9d6bb1d2b93b90dc6

SHA1
d3badb93fd09edc33b52df0afa676599a62db771

SHA256
aa604bd6bd18e470c1e851e8767015308c47d5e4da118ab5a5386f91429c4b72

SHA512
82f3bc2436b2f61fd361d0d3aeecdd1323bc611555c0e6ae5a32963ba2a0494b03d4045ea8219c328807483326d708cce58ca9f17293c4640e58e25055fd079f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
47b61e1ad19cc9142080816e91f4348a

SHA1
0e175321a035a7db75d486606d62fc7d432a1e68

SHA256
329d8689ed6925982841a047fba55be101914bbbc7175dad62a37473593e2fcf

SHA512
c22f0cb681be037e88fa0d4d3c30a0ecd5669c390f0e79f6f852bb02164ca18c3b933d88ffda08cbff080f874ce0f33bef926c7e00a83132ace414d52b79b511

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8c4959861e843b4935eb758613d0a226

SHA1
4f521b0b79b332a5dad394236c78e2448d6e4095

SHA256
d22028df139aa2934cc4213e9da32e695603fe13b8d575ef0c8e5d2337b6cd4f

SHA512
654bff5ad2a7435cb093f025e1f82fbc5b29a0d929d58d0b1251e2a4885eb3b95d600e6d44188a307db8cb77b44e17ae4c2cd3be952076651c0626d4750a123c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
26a2f5223162bd33039305703379c376

SHA1
b1b3602db45923d8935f0803b0b0e098479dfe1d

SHA256
5518be1999250bfd9cb01a282cad5b6988ca4b914bc7eab0c9b8e85a21b55244

SHA512
22badfefd9e8b8633d49dfd4fe8829eec7d8f0c92e6c39f85a3d756034e42e7280ca6e1e53d2ddaa775f0e2c99e15c6130e6ae0f12fcb239f9107efab053c34b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7142429add8a15556c8376e321e14188

SHA1
bbcb38caedc4118bc28bc20082023cf8d4cb097a

SHA256
be6494d23eb6c6620797a4dd8e2bd5e7ff4a3864ddf918cb952fb2c1f4f594a9

SHA512
52d2a949afe5fbd97c1d5eddedb52f0a94a4dcf8740db43169884a8a17507550ebdeb034807f3915824521ee93e1ed8759d4ab2f5cdadddfc35ff6a66e86a2c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
819aab83c2a0833c9f7a5c92b4cf491c

SHA1
5b1c939647ba5dc9dbd15f20dbf287d1dddcc853

SHA256
d45d811d41c05149a24bdd910d018dbec38ecab891735d0f1819a0bdff572b65

SHA512
62c1ccb741c38a3758b4f1af54f40487f1a2968c534762620402c2a9a663993f4e132b79106b103c7473ff29f8a4303e49dcc7be534ee6d02b1129018a225859

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c277d28e1e3c54a332a9ad22cb199f36

SHA1
0db20b7c5e82c438c928fb25434681845add8859

SHA256
4856ce8a893d4e211d954db92743e97d30425e3710b7d42e4cc93aa6736fdf5d

SHA512
b5834c1ec13bbcc446684f2719839940f30473a8afd3f15eaadd78345c528598b966bf9fe1df47a6377940210892dd2bb306ce9297c34c51a495e5d74e3dfadf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b29be5a6cfe574c76e64ca55c1405ed7

SHA1
56ba88b387791ceb812db90718e3f6f1206a9e7c

SHA256
e628c9390f7374a2f377eece740b5554cc50a05d25aa98842a264db516b31831

SHA512
5aaf6f0872ff698af8ed66a785002bd0dfeded440ba053aa1ca1cf055fbf937e9541d02ecae4a302811fe269226fbee37e0c07a0e6a4de7f04fd173158b2b23e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0018de1f03a29ea26bc606b6d442b267

SHA1
024de4e023b9ab79a46e5baaf1814013d38ad7db

SHA256
40a3fb2b2eed9b13b1e841830bf53451d41ba27836aa7d93d0d5dbfb26ea9b71

SHA512
18eff5d4cc1a8b52807f7f067bbff15e60af7e7dc58985a2a28fa4669418fc83260e2d5ee160801b72ab569041a23001c35cf724c6dce23d1a6e847e31e548a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
497c1cc0567c0b7424ce724956aa4152

SHA1
b78f630a088c57de7c0dfff191020b681907f314

SHA256
eb7632985bafda44c95f60c887d54eb67f93588250f466c9a1b34147eb4106b2

SHA512
01ee8491388507cb648ef76b63f6dfd88e52e943bbb46294f82610076988efb5f2ce8b5a64303a41a6fcf6b17c481a8895141d4d8a75641cf25ad7e648fc3484

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a36cbfd15ba19ddc69cd19009940e6e1

SHA1
ab4ca83b9a860f81962757a065e5fe87279afa2f

SHA256
bbe0ab7f959db08185edb9b05388b9bf2759e70fbee1852948738a55bdb5455c

SHA512
5fffdfa9d20d63fbcf76ecc582a2a4c49ae6c95f0b8c0c7ae01a75a5374f87005a3c25e68daa3c3dd9baa3a371135e33f9c881e94e8d8ed58b0fd786b50cb107

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
921284e9905f027549ac71bfc3fa8952

SHA1
6c940c73b48614f1b97b12cdf8630beed68c51c6

SHA256
f118357369ce7b4e2d449ed98c6162a870bf105c52246930946df0c966e0b15c

SHA512
12e5b9a56f7f8b234de6e6c5d47199f7c0a15a3673b50b5ea0f3086ef369a3942f7c80b3304e390691cf81ff4b4f8e6fe15f2bfb011fba6db50e550f0d6a0819

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c8be9de30870e360969b2f47170e8fd8

SHA1
aa7ff73ac784069add8b2dde58a96aecb0f090ff

SHA256
7ad69844b63ea5acc7266bf0e7f0dd595fb0fce53cf1d6a6b81742c69bf91312

SHA512
bcb798134278dd19c56d4ba5d5083ddb6426b4f411effd1c8ba1bf9f46aa618e37ffab9b67dac9d2af03f941c62c9ffb4aa8ab5a59b014894652527240fae8d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
998850426b4f56726911b6d458a1c683

SHA1
90f38a19b5ec9a5c5436c3e18a8c424a06ad0b74

SHA256
6ac8dd98aa9a60875858151b3360ca747d377182314332648cd6034649814166

SHA512
fe62decaa906d9fd38ed5f02692714175b34013705dcfd7f51ecec29b86761c703796df045c632b37900b8368fdf620275e2d3e8e94374d394c091c7ecad94e0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d9cfc49bb5a7dce66d8e0f3a2c9c0b36

SHA1
743c2bac079e7cf73069f1dfec9d4b1edd71d949

SHA256
0228b33a5c3859b4f2e45926862128c4345f66dbb84cbe6891db206e0bfaca11

SHA512
5a75b2b1cc9d3708fb4263b733271b7988f8d0614710a06d9a6767456cc9464594db64c093d724875def539a74040e9fca7c70cebdc4c6384cad69ff20366322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
316f92015b96e60935ff147d495d4bd1

SHA1
846f9d493ada0d153feea602fceeec064f439bd9

SHA256
dbae1adbf4c7c1fa1ba6034de91ad2e33686f8a12fe0457d6e7f3e4d90ed8ff9

SHA512
f7ba74cc66c556f7821d136dad690a75a08b145c452db21ed379e941985d95b91648fe536a024b94110438a485361216a43ce1bc86b88098298010e9e8f3f858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d233e147d9706fb6f3ac4bd7835cbd28

SHA1
0b3d0d9b409f3979e6a3b0eacca3cf7401f0cfec

SHA256
43439ae52ee7c823c0ffe18f83288bb9153525746fb230dfed0b25fc2865fd75

SHA512
63a632d6a0f6651855d72978b36f758c38d9a6c00eddc65b02461c123338963196bc860bd57b4451f67f02186c10c381c45356d49fcc450d543289b6b56d60d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c8faa1f5f3f5ba5170f9827bbdd44ed1

SHA1
be091077fd3c2c18e4011a3d89faa4b6867dd705

SHA256
54efb89002cfc788c9a69fd221cd28fea25a4f306e7c6e243a418157b96e6a7b

SHA512
5affa08a97e9e43a5eceb519a788c7c49fa9a712199e181415f5897aec7258fc6a2d1188a88bc78ed15fa7b55099ce06b520c7f0ad880c17820b7f19a41083fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c139a59e35cf90e7d6dc722597aa971e

SHA1
23e9707b4f0d10b672e84b6263a4be3e6f263426

SHA256
dbc6e1d7eb17c69e21c9c960283b08b87fe2213419bb89a84f0ff4e461c903aa

SHA512
f7d2e48a974542682101a0c2df7db068c0d9e6f8e2ad55ad3d850f657e46c8a1c4933db078df29a5b34307ad1a0eb3414cd532135d156d462723e3ce13825ee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d8b59a0395b85db83701fe0ca5545f91

SHA1
3424819227b20537d16ad2f1dda5a9b46d3f8886

SHA256
9508bd8e6060c0ccfaf92b26bb4a5cc9d2a236f51b7ab6b79dce8a6ad21629ae

SHA512
eb28fce9eeb07da7314b485eca1fe3d4344c7781adf157b4211f70b31e3d32213f6c19e41be520dcacc4e8802bf0c6f959badc202af6fb45cf9fe9c58ed498a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cc2d739a474c11fade07cef775093a0b

SHA1
fd23b2587995252752c7d6af4c7ffe25f63d3af1

SHA256
b68c42bd35194506369a10a769bc051c73cbafc1fdc5be894d7849e7b9b34eae

SHA512
70fe3eab0f967afa8a17432fb69f853b6019783e696660e082a678b032f79931d0fa81242521999235ab1a0195060ee99a4563de8ca21d7a0e6f4f48b12f602f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bb15699ed4eb354c453d444590f703ec

SHA1
4b5cfb13f7844d323272b39cd68f2180aa6700d1

SHA256
aa085e192199fb4917b439829de4e9e5dfea74ce0540b3d5a161c7a0a260da33

SHA512
38b8340a19dce3776cfd1ab5a992632a832bda215f6c3fd6b10a65217ae0d4de0fcb6b60519adf98852b35a4c07e9cbe2e21f827d7fa7a273502f7fcb11119fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
3cd986de6ab308fa6ab7746650f92ca8

SHA1
c832de9cc3bf78522a4fc3d4f6eaefac476cb4f1

SHA256
c9cc379e75b71fdcab1e5f9802b104f30b26d6cdbbe9face7493f090c25107e1

SHA512
cb7814a049367fbb702dca923587b0dece572df95a4061ab7c9e308e1fd6741863cb4fe42af35f9f869cc927db99860aa7e1b646b34392326d1c42ae76804fcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ab14d04745c3e47323e1fa68aeb60a70

SHA1
68590f79b20c4dd985813e38009456599a853109

SHA256
7ab6ad07eea32b52d94478a2f18c10b0f574690d90de51bf7b95719cd805fedc

SHA512
b46d9fc8117b0a55a22e43c847d848952e826c38aa50454fcb8614ebdb871fabdfa2b3cfa4258fa4b118b4a429a40423e2fb33d7e02173ea9af2a1b616575591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e76054ec43f4849901cd9b204b95fd48

SHA1
066dfc473c188e0c41b639e6eebdfea2fdbdb418

SHA256
ca43a8ab75c7c824c67019acef037d3a0aeffb9b3ec71821ba50806d058e8181

SHA512
a56d67f52ad720e55dd64f45cce9ed8115317b8be3ee312e01b252ca4a612650d10fea967e7fc09218b4327f90d1ce1cb86a9aba353c234bd8a4fde0ac9b145b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2975869782dedd8f786691a6ccc571c8

SHA1
28c5adeeb7ff8a431c6fade4668b32a83c77b3c5

SHA256
f850b561f0989f8ea8734e8f31cd5a01d8c18ec25201f6f8e2d933c1f36db5f0

SHA512
575c785c71c4775900eccae34b3cd1795a794920490239e9ee878ddd223db4626039d08ec1de2fcb57fb3cd645cf3b690b3068e6e5bbfa8eec814e5f940e89e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c8d436e7b740601334ccc4cc589fe07d

SHA1
7ded494261138e3bef15edafedcf36f4fe6510ae

SHA256
bd2fe47b7051bcfe35dddafe3afb18a38fb7404604065252b2d175a3bf35de0a

SHA512
5e5ca226899127d8057ccda9064896fb95ed37449c49c41e15e64ed09a61973e5775f003e0c924dd8888e6c225820f62525abe903ab5c7655fb8ab11fca5009a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5085dfad9b64b8406fbdb40089409621

SHA1
2566f470224aa04166d74a19fcb7a091a1001aec

SHA256
59a4fa7be422e9e01e0b1db58081e63ef95457847910729653ae7931198463a1

SHA512
33763805fd5a3a425b8514cb518d8f599de16b490f30e7e4766f8e49918d1448b802ab6b55448afd66620279e123df773d97e1de1179f02a5049bbcf78b19df6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f3c89c4215be417bc9f94eaaf2679294

SHA1
f50a518bc6a10cb04174f1965ccd1fd32dba4d07

SHA256
6a8addba71b349bb61629cf10bb4755b1ece1c5b1d69464b0cb9eb176dfa55a7

SHA512
18ba32f36a69b7a9897b3638bbaa5972340764652b2ff95dff02a897eca28b3de41edc4acf2cd8d955a0d6fdfdd528de86d88f458d80a4c8f6c372edbdfd0840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9f199c0e242173e835d210204b652729

SHA1
03aab24e8032552f6c13b12d591f635122a77ae6

SHA256
d3aff8601dac68c2119946e6862f04073575eb5af195e2e19b58194af3c32329

SHA512
1a88c54a39887e88db1cb991d3580c3b9941c6694223f4d49fb899b325215088a632087ecc56694da39128b0203dd3441b311b4cd1b004d752d33627dd846415

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
705bb6ca786c30cecae178d3047646f0

SHA1
b393d8b7ed85f6dae61ff6a0e6d280617e5a1a44

SHA256
9648f8ca5deae8475f9bf35e6c80ab8909d03e38c087a286984ed1611bed7e2c

SHA512
67e1fd1744ea23824eee2903bf848fc4545756ca48ec3ec8e31070e07da37f749c25f29f677d02194715a7a56ba96370bf09158dc306edf3fce2f1881c15940f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
503dc8f9cfeb26035a1653175b471f04

SHA1
9949b0f780c2d26e96382bfc259458de3cbb4a7f

SHA256
cf9a21c373541777b82625cbb0c04eeaae57ba5e51b82922ada27b6e8962d457

SHA512
4c7b1d3a8908a8132f37357efc4d6d44d71706493e27cf02e3a67a4cdc87407fff205b5c4ba7d2161a03e4a370abdcc37853a4d27270e593e0417813b8889584

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e2544f0a087441574b3830cd54c971dd

SHA1
4aa6567b8390c42e0ba0547be877449e1a6c737c

SHA256
38ad51bbcc88aa2c906ae862b31fe5069a32582f87d1946bc96a412419e50f2e

SHA512
e71f83e03f4b2cd58e39682582bbdcd5c0cb699f983e62a3e00b18707607907cfd81d4d4a32b7832ea79e2cf7daa114a4d6988cb92e20b90edff4381e6742712

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9f619bad0b6020f4138706c3a8874e25

SHA1
4a3c5281435d5349c2751435d1e053fdf75157b4

SHA256
b6d0060f4c9671b76bbb80d8dfa7cbaa25b64c6a3710fda4c4f042c595346984

SHA512
29072eab4a097ce6b01a41f63c9e92e19cab1077389c88074c5f219037ae655ff2adfd45126fee3a17e2198ccc55f43dee73ae680bb61026086f108a1ec70e12

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
03dd75c2e21acfc0785a5c2df20a00fa

SHA1
4c03cf5df01f783ac9149ea20b9d5f460c950990

SHA256
cb7c4fe454589babcc519a3eec93041b6753d2ad82404c186f4d70b270ee5bdc

SHA512
9626a4e4aa8acec480ceaa19aab534222d0c67f12bcd9ddab5b49af5c05749d2f61b57bb0905cb1958f2d2707febb20c416da898bb9060eab333a03405c3e0f9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b226281aa5a09a382f99b95b14854791

SHA1
969e6f160ce78b764001e98e44cf1f9bc9f7a824

SHA256
9add0eeadc82e54fb63f1c6f0fe312ad89f84b92178537100ef25e74d02149e7

SHA512
63a85fd7e2593d833a4f53daa3e9d3a0af3190f5dd05c2abd84b681e601ba85e354f81cb88f5779b1d62a7e2e9d1591d709310c995306800f0645df3a133ab1d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
70b8cbedd61286e2807d680d8c98e943

SHA1
336a99390decf98c53b3b39e67fa9fac167bdc02

SHA256
feeea3af384c5d5a4096c227d64365b2936e61bef7ae239a642eb075c2fbf25b

SHA512
af8bb31abc37b9eeeb95b28c9b688475881b89498e4d5779691636ceeef947af6966f7ed68f37f1e0ae8040aae0a30c04e1a6a7b883ba18c4ba2c65a80bdd298

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
37be3f3712ed20a5f9ca35e1d714fbad

SHA1
75aaa17a472fa234bb132e9073d78e085857cc01

SHA256
3de21b56e06195c81c23ee76c3ceb27fcf3ef8ef1b975f1d0eba102513eac19e

SHA512
cac6286c3576ca99d30e1b4b04d8c6e1b89eeba6c353cc04ef8e1ea0d693c6f10ee3c81365dd0c4a2572bf3a58ba59670c043e3d8a609d306b98e42c35f71c82

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f7dcf05451eb134c197606695da086ec

SHA1
35d074b0c5a33dc3f2d2791b23e36765744aa6d5

SHA256
5ae806e089f6f0fea92f914d7208746de527a6a988b8bf80eacd2f6fa80054e5

SHA512
8b1fae66073cdca2b33280d1dd8fa152eaed4fd3f8c94982e80cf6f04df6af0dea08d0a57aeab04382d942997c1c4d0f95bed543d533ccd4ccefcab0e3830c4c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f0440f6d3f874c66d409df3a3c732305

SHA1
d598fd75289a73b38ab6682302e3c3b396a52a2d

SHA256
cfdfd7b4ab07dadb9f22065e50b7e0307ab51e3a0cf9d2ec72a596dea1fd7308

SHA512
48cdf6aed9d510e931b97bc99f6f485f74464a4d487ac6964e1db91c7e7e9bfb61c28098f7af84b0be15b567c4ea8dc8a0bcf4cd4290c2bef2d1434637920c66

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b106e620195475a012a9d8c0b62fa421

SHA1
3f771d75d77c6c9504085161b2af90f02ee91da7

SHA256
ef6e82d0fb5331b2c032537b39035a4beff2481a6652facc4c609d502663b893

SHA512
d24db58c202727d1538edc42e2f8fe4f6bff17d20d34d1c1c17a143af758fbae86233302fa3037a86cdb84669511f750a65e552352c82e99a1665a4f635d1838

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66a61e1cc56d846e195160f9f20d504c

SHA1
e566c82586c97bcef7111593342866cf6c7740c7

SHA256
cce3ff065db8764821b364433904919f6f409f7658e3fb58d6e5ea31ee7d72f7

SHA512
c43eed4a853e7f0090b13b34d2c9f182f27d79ea94eed433f98f7b959488a66b4732260cb19d28a4ffb6e9292a43b8bde34bdb1b3e16364311ac441ed0c7e8eb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4f4bebc75d5e13ccca5de67513f83c81

SHA1
020e6435c145801149ad3bbb9c1097876e1b9a41

SHA256
ceb7c9f4d2a4b855d5ce5550ee2da5e4af8a1a62b2c5a2c7274f4eff71489fa8

SHA512
a2b0fb939ec1b0faac88368274196d5d8d370ec2a6a3db1600e5c4855980ac54c7ada62e2f743b599c9d05cbe8e6a69fbc648d51b7fe8eac2aac1e5fef73474f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f7fa6ab68ac7c0eb3692de26072b28e1

SHA1
0d0946b249ad768314bb8eed9dea56049c48b6e2

SHA256
3d9e42e5a64ec820b00e6efb6c7aa39618a0beede5927f6b48701901ab7e5a47

SHA512
60bff8ebb7b6442161d7b64b71265040a8add6332f06278494191c458dcf35660837ed1b4051b3a0b459093487da8b1c4cfd4363bede8167cb4bc37816339bbc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ae8e1cbe5b61a77f74d39fd674d2d850

SHA1
c523027d3cec5c49234bc0e02ee0269f2e2ee385

SHA256
4cccd9b9201c77fe492c5f33894b6ee1d93b52dbeba1acbee9b77702945396b6

SHA512
4e29c10e9e5a6f019ed2059ed956610cdf7886699d4c0333a8d75ea8e0e5e51ee8d1f5b74523df1b2f60a069aee85fe30d8cc139bbbb07e8554ee4974ec61bd2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e758c462e86353fddc8160ac2adcd3d8

SHA1
183299913d115770764fdca7748d42be5603542e

SHA256
c26914fbeeb03b6137a6dc435769384d44fd403a0306d25220d1530e9895de65

SHA512
e32b9f1eb61b188e3a7ac3bb01268e876c1da02257b4e1f00bd7218b619c0e81054bbee9d1b652bc34c1e3f846c54c2aef55e8b93495ec1fbb85198cebe136af

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7bf74479f9cb73f18896d70b0a448b4c

SHA1
aa3e55d17e4cad67d1ad95c22bf62a7b34b1124d

SHA256
6af0c23e765066425e1b3ce5f5c190fd13f90b85c5ed57b7b5f0706025938f76

SHA512
28260208d15b50cdedcce97c2595300e70d5dd46379a36251ba7fabc6f785c8cb211d13a2f1c1c8f159fb4e7aeea56d15654a20c36d25ad6b3fb92e566762446

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
65ba535c0944a7310a9a3c6e2fc170a8

SHA1
1d1ce0ecc0dcf3f132317ebd8aca66afe0d2729f

SHA256
26d062efd7b62c55c15bdfaa6bebe5fd0b8212ae6e555fb2acfabafe8110ba78

SHA512
cece94d6748bb56425b8e4cdecdc7d11b4d95373776076ab23f6b7f461b09695af47ff05abe7c550f9143e665f496db6b13720781d23405b82409505695da055

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
41deaed8d9890819152a65e2659370a1

SHA1
9e3a8ae65d1724f64e66a71b9b45fd64b84b004d

SHA256
44613c078aa223bfd4dd33ef7d140a4bdcaf6fd56e1c4a1787551a936b8e9dd7

SHA512
94a4c28fd906ec5c85a2e5403cef1f2ff66ac1012d74b5a9952b6664e049822f89a635a8e8dbf32d00f4396d9fba55456c3593cd59787f1751f01725f7cdeea8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8f4232a3bf56eed6e92670d406292d3e

SHA1
ba5d2da4794be7bdd1312d02930737dcb6bfc7e7

SHA256
4f73421aa349f73077d8b1dcebaf1459409e4021dd46dec11c0f98558932068d

SHA512
659361475e103ab09a2bf97e96e6124c583cc4bbaf58d575d38bb1d251301e2bf1285e69f177e2fff4d0f702b4bfef03499a16431cb3e843f64b4c9e6e509ec9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9500e148c0eb4babe5d3b1e8ae3ca13b

SHA1
9b7692de35e56897336e651296a2fafe8d10d10b

SHA256
1f96756921d261833dbd6667be858e86279bf22e6f5b36faff949c570d615401

SHA512
60218b97476c8b09d97ddc47fbe255dd17ef3744eac4eab133a7e2063b89d10764ff08cf4ae1a8d17ed7098e432c13368f0c1eeebc9558ee0d76a26e7280e754

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
90a0106560237b21ba8c644f12902b08

SHA1
df721de504b24deb7d6e8f2801dd078e45fa4b60

SHA256
ee139ac29ebfc14758b8f7063dadb231d0aca8a75f53ba5b11cbb83aa89bbc3d

SHA512
6a70365df4f0e431cbe55ef14903c7709c220d4fb74cdaea3de511c8f1fd4375d272844926ad828bb68e787736336bf895ead971e107e8151641debf016a6ef7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
30fb412f212e3ac50ecd7c97cafdefa3

SHA1
4c7b0ead31b042d22e6b4dac008190764a778cad

SHA256
032024ca426ca544b3b3b52e8e66da10a82d7a754e88d7af9c35311233f61ee6

SHA512
775b46f87ba900ad625aafd117f0b20471d81558db4c182b9ef8be07c252df7634366735ca4160e4a2cef589baa5bb5450297e99609d043a5fc9ec3aecd5349e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c363a0510c2ee20ce2a17dd9cfbfa600

SHA1
1dd95a946d9d6f15e93bfa1847d0cc2e956f194a

SHA256
f65bb49e15c71c562398139520c6022cf1399434b2376a86f2ae93a05d8a3ec8

SHA512
ecc4e90a01e3c1a3d3f720ca864c5fdce236e54caf64bc27c1996e49c73cfc1c64f4f3b3b799b6023c42abec375ab082f5150f80fb59734c776bd6ccad5e79a2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3f310640ef63a97c53559fb62f152ddb

SHA1
3691297936486ccea2d27966c72514d1fce82f4e

SHA256
cc2029d865e2defbef090c12c7294b501286770d3cad73c7137d0c2326f8210e

SHA512
9d458bd074a2db24486a907ea3cce21595b188d6fac7c9d73e3062fa1cde1e56cb73922a6c997f58198b3c3eef821b8bed88b950919994affcbe5e283f346c51

Download Submit
memory/220-112-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/220-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/220-126-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/220-106-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/220-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/564-262-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1180-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1180-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1316-264-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1316-37-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1316-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1316-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1660-252-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1876-324-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1876-741-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1928-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1928-740-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1952-166-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1952-1-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/1952-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1952-6-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/1952-554-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2084-167-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2364-147-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2364-154-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2364-152-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2364-150-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2364-141-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2460-734-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2460-265-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2924-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2924-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2924-321-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3380-214-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3644-736-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3644-292-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3912-457-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3912-697-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3912-248-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-216-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4208-735-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4208-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4440-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4440-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4440-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4440-251-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4840-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4840-690-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4924-742-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4924-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4940-213-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4944-250-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4944-691-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/5092-303-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5092-123-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5092-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download