9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
Size

1.8MB
MD5

23e52bf04b85cd8922e88434cefd61bb
SHA1

ac99de9eee0228523b59c0cdcbdf39b34af07ea4
SHA256

9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7
SHA512

4dc4253dd40de54ae96baf06dd276417e6cc8a6f2a50212ba29cd7c4f02a75824d880d2d2b815790ca9809565ac4f89db97eb36666ae8f34dee374f82fa9df30
SSDEEP

49152:bKJ0WR7AFPyyiSruXKpk3WFDL9zxnSvXvYMLprznyDSga9:bKlBAFPydSS6W6X9ln2XvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
428	alg.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
872	fxssvc.exe
3936	elevation_service.exe
2156	elevation_service.exe
4680	maintenanceservice.exe
4260	msdtc.exe
2780	OSE.EXE
4884	PerceptionSimulationService.exe
1648	perfhost.exe
5084	locator.exe
4284	SensorDataService.exe
1652	snmptrap.exe
3532	spectrum.exe
1952	ssh-agent.exe
896	TieringEngineService.exe
4600	AgentService.exe
2084	vds.exe
1792	vssvc.exe
2816	wbengine.exe
3260	WmiApSrv.exe
3956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\System32\vds.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\locator.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1b85adbbb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_zh-CN.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_nl.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_sk.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_et.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_fi.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM78E9.tmp\goopdateres_am.dll	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT78EA.tmp	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000314d812803b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006384d92803b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062f0a82903b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050095f2903b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3f8ee2803b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b97ec2803b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006402352803b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d16e042903b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	996	9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
Token: SeAuditPrivilege	872	fxssvc.exe
Token: SeRestorePrivilege	896	TieringEngineService.exe
Token: SeManageVolumePrivilege	896	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4600	AgentService.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeBackupPrivilege	2816	wbengine.exe
Token: SeRestorePrivilege	2816	wbengine.exe
Token: SeSecurityPrivilege	2816	wbengine.exe
Token: 33	3956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3956	SearchIndexer.exe
Token: SeDebugPrivilege	4296	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3936	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3956 wrote to memory of 4764	3956	SearchIndexer.exe	SearchProtocolHost.exe
PID 3956 wrote to memory of 4764	3956	SearchIndexer.exe	SearchProtocolHost.exe
PID 3956 wrote to memory of 4244	3956	SearchIndexer.exe	SearchFilterHost.exe
PID 3956 wrote to memory of 4244	3956	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe
"C:\Users\Admin\AppData\Local\Temp\9572f850156f12d65ce03200ad1a6b9ca8319c6f1906969c6567d844c9f144a7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4764

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3bb19ea7a7a4da751c4c8d0113f0f392

SHA1
2c2a3fafdc3ca4a4b3a7117900c9c7abf7eade2c

SHA256
4c82d1672f4054a1314bb1dcfebcce74ffd61c9b72249f9a84ca6a1a297f85fc

SHA512
99746cce62efda6344a5212caebe3f83a92b39556c91e1a96fc3d01ea7e3135ef90bf30aaa74db95bdfebf9926c357ac4e7e29c943d2c58e4e566b613b82e268

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
1a777a0c7d952fae669567629d42ccfb

SHA1
2ac21a8ce13f3ebb00ae511a414a1d9ccb4df883

SHA256
34084e80bbc4717677cf867ca4370ffc17c5731c79492e4295efbc1642286c17

SHA512
73da78c805dde3bafa08903a514391f5f6a8624ce6092261d5244cce114642338a9513a7c56e6ddd5c5782ab098891f6b268ec43b411694145be34362369bbf6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
21f01754cb565f786c30aecae4cde363

SHA1
d3ac975f3b2e6020d98d70d2e45739642a193b49

SHA256
f1f7d7e613a0701f393f4b52087e329cda060f2b52fffd22df69946735bd6487

SHA512
e5a3ff5590cb5e890ef1dabd1fbba96f5666940ddc614ddee401c743ab061c8a006afdcd4ee94e53b9218befe79e76d0eb2bfc08814e687d3aad277f25da67ee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9e7de168c6fa3ab00ffa87fd1b9c066e

SHA1
bed0d1929acffa7f501c6fa45ed42abdea11068d

SHA256
fc5578079bee1139a80b2a3a7b11bd84d81d3ff38cde63d306629be9b412acab

SHA512
0e3d058b4675e067165f7f62a7ffb25f1582fcad0b1f5ceaf17e2d230b42039776bc6ce978d2a36273384bfd32db36a4212ee82f9d231327124850e75b395d8d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
daecd61a8ee825f878dcc26fdd77521f

SHA1
7e91d5d0806eea3cd7da618142aa076363344977

SHA256
9518955fccb32ef94d947750852ca5ba6eb350cad19ca93b6ea2c37c0b681db4

SHA512
a5e6ed80c1c039504723becb2cee3978df08ad85b41a7c5bc6a4a77607b79dfc8a3242115310fd20ff8e25024e59a6cc5c9572a5f18d9266b0b08ff74738c980

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a80a83408e18c0cb6d9be56910d991ba

SHA1
cd00192a7065323413bc369375b01d4c24921f84

SHA256
bb637117e71cab49a820b543b0ca83f5195a3c9ffb12e6ca0a452000f37ef262

SHA512
d390a8232003b9751037bb20737f823ffcbb171eac4ab675d9ab840defb9347a95961fcfd1369b7af9325e49419fdb77b251242279995334d91b62af93e4fb15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
299e76a3e323942086d66893db0b12b2

SHA1
3281c134c10166d999565a1f3dab6ff848faa542

SHA256
7df4752e0d0c525bdd85f19f8624cda9e27cea2c966f35ec1dc92da420098794

SHA512
fe9cddb4c8a7cf95cbea151cd9d3c373c2fa02e9612c02711ce6bb6f58e81dc91d8895f12567d5553f6ea746003c91490599380fd4121cecf7c133dd19ee99c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
81ca9bdc86adced910e4b7053a1bd0de

SHA1
44b13049bc4cfa0df1cf8cf6fe66322a26d818f8

SHA256
f39855251722881daf1716000ca4ed071fffbc212d493938ca571ce09e695827

SHA512
454384ac30733c416b7b8c6b21f443fc5a123fb1b4606b42d38193fb3b0846d0398a983d5715d0a410747f4e829d3e11863d84849c8667a9fbf1eb88a50729bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c1b7b406489a7e72b3fdbf5a0eb938ab

SHA1
c8cdebffb9540e37d7640d8d1c07efb6621bac10

SHA256
37f203cef5acdfe8c0b4c36180e6f8d8593e3b7a7bd3f8ec7256230dbc5d9db4

SHA512
af41a4df9b69a8fcdda6dfa10280c5e12ba018d220f6b14340f298ecf3c6ad42334549ac7ce2131be1c8ecd50744791126c0f26a949835256adbd900b570a2ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a12e8549dc738b3a0b3e17206ba1d54a

SHA1
6b3f81c2cd73a01499275bcdb361ff2f3e001554

SHA256
beaba0796169df0d6d81fb34d39fe0db1ba3ac57a3f5ba1c434cb0d9e97ae50b

SHA512
b7d0b777b704092bcc70aabba07c8e4c61dc311a0ff82f15ea870b476ea26d0e82cbc3af6f4ffd79a0b23bde8f3456dbdc9d7ea6a26514ce92436a43f21b0eb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
db21b42a15be8e3e7305f9d5e4a7b4db

SHA1
90950b53494bcf7f63b3f0de6c9bcb2d5916c071

SHA256
594dd42f257194f858b1725076f6ab91aea14cd6ee7a59a23678b0064256e2ce

SHA512
9591a06f975c696c44258c78e0482f4d2363ebb75105e8cbe6b2e6bb0849d47418607539344104d2a4897452d84ca6d6334d074e0ab92e39bdf867c9665870e2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4d624b487e4a69ff9fd24946237869ff

SHA1
4fe625c1775268315c1437a6662cdc944132ad9a

SHA256
8423ef41a7899c8ce4a3df1044bb280e728ffdcfcbac94f388efc271430471e9

SHA512
66a2fb513ead1276961d28634c1376c0b749f0db046d0922455f1308dd9cb65653354a8600b243be12d8930e55a63914ff4e2802b8d0994574ceec6be986e2f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9d9db78adf3c07c8ed69fa95fd85023b

SHA1
2033c5bad24f9976bf84523e3ac4cee684270c93

SHA256
a5cfc51b3ea47bd66543ebb92d6b8eca9f1e6c59511c23301fcc584accaab759

SHA512
1ad652bf8d8cf156a9bf1d35ea8fa9c543136a20e4ba8138de73d7e068e28ea3caf209e6705c5f2be6202273be07962f8d76f84052ad401d5e4873cd45ad8a25

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
336a628cb751cefa8392b5b07ebd0f4c

SHA1
df37ed58bf3a05f668aa694ab2d0d3d5d21a664a

SHA256
c2197811f9e8ce8602d8a93c72ce776dac3c324f21e678d0be1bfe5d745de666

SHA512
1e95f3115bf55c65f54da456405d428112e5d12efbb7fe17c5ce7f7335fcb4b723769749813463fe7d0c9b8088982885b80a6ffa13d0ee916ea97c3104def7c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3772ff00a1bb937a022b2e03ab242ebe

SHA1
a82326202a4ec477d427f1a4d91874b32425cd94

SHA256
62e9f3c5ba084e8476177bc36a7974df05a8aa1f290dabd636c484672ffd196e

SHA512
3228e6c1fb602b898e6e0ecae066db26d48f09b5379c04399ac44901309a746c6713eae605c27105a7b5300c5b0740aaae67de525aa935ae8677b76242436a02

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1c45997e06dd5791124b562b23d64716

SHA1
ef2476c5ca3f800f5d9edf33c57554182ad6ad70

SHA256
49c0d952b2ced179fa5d0a718e8c5953daa1722062bf00b245da6b29fcb7727a

SHA512
a696349ca27eca792ff9eafdcf1813ec6ec5a18c03ef1e0d56daaa0c5e69872ed56d23e4f1cd7268255f5b37fb9a4926bd9d25041a24c35a261d6386b2de5672

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5461ce2c7de387b4111f360117b702b6

SHA1
ba17cdbdaca9d6ff3b6b93ec4d269ce699e25712

SHA256
16ff022b4b9b9bc10149f305f42b8396a9b699ae634bf8b4891e0464d3d31b52

SHA512
166af14bc42371dc5c7774d519e5db6dea68ac4f45b444044b5fb929273e613f8e23a543c7bc8b799f02b7407be907445ad630476695961771ecb51f88e19002

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7d7bc78cdb9c7ef0d1811ce173add8a5

SHA1
d11ed6a863b17f9dec0f12bb9ded994cc3a03408

SHA256
ca444f73551ffd6c1c78b3675965c16c18bf344d3df5d7d806d981cfdda987f7

SHA512
14e5a13ab17001346498df8a5d317bb17456cab8c6d8b696bc0ac1e720a367e82eaa01bebaa2d2288420a277618850de41f3ec32a654fd00fe47773d21743f48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
41c344284d8a7e7b61c1d401dd5fe1cf

SHA1
9fca5b42228ddb58c09037908ab95ed300d8c182

SHA256
53ac4b60aa606a758d1a25cd3d15f8c0b4b2b823a9dfa57c1b7294506c0e814b

SHA512
ca8c3ba044afe4e4ded67a9248b558fd4fecd61715e50189d21499f4d094e502b2a0d0153d27d2764029f0b15e24c40e6c21c68c601d74c5414a69c6c8da8f98

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
13e8f89433720919e394d6927ddbb44c

SHA1
577d94d39ca1b510c1be42b3d2949d791c5e7f50

SHA256
1dbb7c89cffaa7bd3a1bc3dde1ff3878855ac1e2a85351aa1fece27dd92722f8

SHA512
496225551faee41af210aa8278c400e946c1e65519ff7ab0d75baa2f25a79f9949b5f7b2a74632836164014af70b8799fa6381029fccde5f384e2628de85732f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
2a790b982fae01bb6394c7cb3bdd7777

SHA1
e08ab1429616d583e0bb127bc70cca1bc59e715f

SHA256
ea550d27001c6e471926b13a24c6be1d8b69093b70040f0574876c907d9d3759

SHA512
0d3249c977f53af367eec772a4178071916e1bc62dce9c358951a3c7d841260702fb22a77b990b7f3b52aafe387f0bdd4b39ae93d9e2b5dbe483ebdbc87dbea1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
e189e0aa9f231df71f468a6e64f8aa92

SHA1
aeb3f22f5ebec6ee8cebd96621ba4ef91b703f76

SHA256
ddcbb709afced833358f39dab27acaa3139f442f3fc5cc9f9ea323c1e45a7866

SHA512
5561cd2c1865586a0c11d11069e4ac8abaafbbe33bd4f2c5ea71754dff1979cb2333988ffc10311cdd7e7704fae85ac7bed150e689d866c9e2b2d2f98a5b22e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
be508c8bf79e6546bad0635357129fac

SHA1
6e34539509d1091073f3023eff72ea8715daf1b1

SHA256
bacc60a5686457d6af68148c967c496f3a95ff80d7a7978ade24e15e0c0529ee

SHA512
8de745375e00f54efd7431cc9bae6c077ae656d8016efabcf00e21aa659f98d76e304b177bd2743c81e5d65091cf1f3926d235135722feeaa9e937dd5d1e2d09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
6ebfd753909dfd5ed4580acfba72db59

SHA1
95289e9c22d3dfa990d1ba08b16bbc3c1f78c112

SHA256
ffd8d29256b658a3304fd353df0b721b81c55640d7a1513cadd443538e0e7e78

SHA512
1d64f32159f31180f8015e72e0ab1c468c521b065963277ed2ed218e972679fc6020059ad4d13465b40138c2e224d1b00f388bf7ff0fd3c056643ab1f1222ae3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
eb3fd4c84dd850f5680f741984878ca5

SHA1
be808c967e466b95afd29635d92f704245f90b16

SHA256
2349810dfde82286afac816b7e6d77412928afe8f3db43fb7ff36563ce7c63c4

SHA512
62bbee79780f7611b5ec4e4954728334d0a0cf0f456d87c9bca66b6cac6595c6dd28629d26b50360572be2417c02210179c8bd2b995a51f90ea8d90c278f9df4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
115736cbc801b5eb94789e76ba2c6fd6

SHA1
c878d825b5e969086c0259d96a7a2f81507039a2

SHA256
009308ad4245f0c2ae9d97ff310ec8e0b23568bf4e5fe27427e6882781d8bffa

SHA512
e027b6496493db2003cc9ffebb3cfaa07dc2449031bafcab3431f7847718d83403518b0f2d03b32c3c9a30d98f922dd7d64dc7a1ce2d5408d4112224cbd98ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
1dcd571410be42446a78c905b55a02c5

SHA1
3e3ec5fea106c1db43ece9c5d81b1700cc2914ad

SHA256
609a69e4ea1c9d14a4fa00d4be38739d2ba82ec83300bcd20824b37b1157d97c

SHA512
fd50c6220545254541c3ef989c629f17def18a8bd0443af09ebb646ffaaab0141d80849b925a63b69d2d20db4f64538da94138a6d0fc62cdebccf79dd4fdf9e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
4ceb82ea96087823e58ed70b6ac6ce50

SHA1
c1b506b40484441046a6f599dbd8aeec29d75358

SHA256
bc5825ed6291add8623de5e1f8c7e643f830ffa78f52b139e0fb33d22946874d

SHA512
438c2821b0b8b4de8902d66c21fde237f21c8916cf55716e1abfa5b6f4226b6ddb33ca1d35fe322eafe33f817795ec18e193defaddc03211f5d9a06a753f62a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b2e6afde8e36142131bbba0ebec1f969

SHA1
04426d9f87e918160daba49c97fe93a04b618600

SHA256
d8b09d06378018047700a2576709d9b34c7310c52e50893c8403ae4dd59f67da

SHA512
c69ab75090350786703bbe5648e973a20158760f838eb369a96b3af66f276ecefdbdedf71b6c154b4a407ead56bb633ae82785e1591ce5a14f2744b7a367d39a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d1d86e269514c4fbe4dd3a58ef607b03

SHA1
2350615dc2273848eb70570e20ec79d7f591ad05

SHA256
05276dcb900147e61b79f9a6acd1f98386f661bc96dd4e0e5eddcde296c3ef30

SHA512
43870e86949c88024b263ef29f74a7861e6885a0e7e0ed7e4e2cdb87437a4db9aefa94ea5962a6bb005df0ec7fdd12b548012876842d5d19b169958d57cbe24b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
afb1cc2ce71165c681bd66d4b85d9c92

SHA1
1987c7dfc9b44e675727e88f1212b5785077838c

SHA256
d629956d5d51ce6895bf1c275062867520639951652261a57f488dc4de0325be

SHA512
f4618115158637423c54a70946ba3be41dce98f6e67c5cef6e8e577e78a27a5ed92e472279bc4d103227e4d19a53a9213216ab542b942b51059b90591fd204a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
96124de3391efb64ce8be92e6979de67

SHA1
49582b98cc4e164792df7129f330848101126a1b

SHA256
04afec455d54b8dbd9c783bb205e3487481f6e17969bc66297ab224bd4c6cdb7

SHA512
2f2e41b1c212a4ab07ffc31290d227f8b137f114bce7ea51890dfa85c542adc465c2e71aaba63743212306bb0de864c48236397d565d380f269a6870b3d0f422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
139e78fcb3251df3de031572918a368a

SHA1
96c5e2e804d10923b28bfecdd47f357e08a8b4ad

SHA256
6d4cd3a75b5b8a7985a255258527ad0b493ded6b1566b829dd8aa1b3e0579b8b

SHA512
e0a760dcc5b54a1b444272d6a99f21713e4dfb93d55ebe92049280399d6b4f9297ff2297352f6a35c1def4da16ccbeba2753673e5663183dcf254352337a946d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
7af1bbbb855d5d79cccdaef4172ec8cd

SHA1
7c45ee1b90d4afcea718c8d1ad440541971c3f6b

SHA256
4f109cf52d27b4e0a969ba69a56e6f66f5a5243b3718ec3dd0dafc2638122e15

SHA512
687fb39695cb0ff17c4fd2bbcbfec4f1714acfe989bb751f544541c6edde20f4d9ed19782be7df6ce030f10d7f5a65cccaf17f40542f6920e64f2ea567cd5695

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1cff993a0bf61ec54454ae154aaf1f7f

SHA1
f66917391c441443c14ea9a5497302b1146ee8e6

SHA256
f836c824fd3df5b8d669643084e04db3f4db9518fba5ffd5d044284e744371fa

SHA512
e161f127213cd6112827f7d52d31f714a851774a5e59bb7f34f102f0c949998b5a23e489da7ced28931e5a58abadf1f183991ef2e2755b5fe2c01fa9e52db971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
57c1663a02720c451afa5eca1496ecd8

SHA1
16b35cd6d9908e9ead032049c0a249add4a46d45

SHA256
6dfef48cea9bad1f63192d8a5d5c08871c859ae1539596bf8beb27cd229c0dc4

SHA512
007dc0adebb73bb4e4573585b3ce578a9574fd5419d53962f8d51ddc4e03fcf0f2e964b30b27a0a81fd1093865e5a153a77df6ac5210e0ce429c3fe78c4a8c88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
51140d85046209fdf8cacdfe99557bcf

SHA1
c1e473cca0de344e023711f89aba14d86b8357bb

SHA256
9a13b2d197ca1e1499423c9dfeceaf67238919a91a1e89fe08d1297ec587a018

SHA512
370b0b68781705e10fbef4784bdf907c33932609207e870f2721c9568577182d8147cc2e9c12cef66b0a9bf7fc3fb614ac75e3d500fa95453aacfa25f5a7e975

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
84d51802ef19685d83ad1c85b66730e3

SHA1
cb14f339971882473961dad9ec7c25af7c762faf

SHA256
87a1c5b3be345d63a5c02d00320b4cf6a6b1a36bd77921489d1c7538aab99728

SHA512
f68be46ba13879f876b9f8be3a376fa057de2fff3478ef5b8eda349c1f24e4173a8c59d5d6f282e1bcd34c71f4468cb7da0e126d0a0dfa865888ba02757ae07f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
fd705999f4023030ca3676e61e20c381

SHA1
16fb5994b50a5206613383a5aab03f06566cbdca

SHA256
2d6ed5a482df77e4e6fe7448980429bd2901bb794ad8c3c228c6c54610b5f958

SHA512
c531c12d9a5abb458e284cb16da4e0a745269181dae0caabc3c026f0d38c8fc081ef941101fe60b678ad609d219bc32d76715d25e7091f7eb5630cf9245cf33e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fc002f15196b91770643b71b91f4c93d

SHA1
6eb740d2e8b4a949244b88e7c047c3316cdba9da

SHA256
1d511d0ea79d94a1a563602ad02df2a1f96fb1bc9f91371add743659b86758c7

SHA512
be9def47eed8b956c9239042a9a0ed34b205df65d2aedb817150e1cf2ff74cc857e481e56b0a058f62c1c48f79983b87e98b09ec20f62ff1aa799478fa1cd373

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5fe4d75f85d4a18999f47b10f696fdd1

SHA1
cf3e3785c81f81b8bac0950e75bc25aefa359383

SHA256
cd0c33e4bc4683526d4098e91ef0ef8b12f6bb4b1a53b1b31aa0ea60eb46f9c8

SHA512
ae4cd60953f8291957e1b55e8fc10c43a1272bf7445cf8bb085c9066bdb88c8efceb363b1ffa9935df62981c2af1ffd21ef86b01cc040588d1daf8ca8ffeba4c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
932d85e8575354f91d1cb75ae0064d0b

SHA1
8134bd84924cd3cf196aa0c4466f9d77dd79a90c

SHA256
c468098c1dd6a1b247864e32fe8606a78e6d1f6acfedf09085312317bbab4bb7

SHA512
1eb3f94d1624cf3ce2c8ab0a62486a635043037ff4c96c15e0544b527063fdb3c6685c22a1849989180e6b2c92213daeee6fc08fcd00339952f18da8b83d023b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b82082d5c5bfeeb11f9d48044ea4c9f0

SHA1
a21dead075a8e73fdb820f1a47ab24c5c16f6137

SHA256
7a0716877e1385bc2c2fa04430c71031be5659c3b8484f7085746f804e27b19a

SHA512
3789accd570e2e76252483f7d6702f4eae06f5b0e56cfa8d53982b7082b8fba4b6c6eb15b4f26fd0436a9048701bf504a57f5e8fb2ceccefdf65a93e75a50452

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0d161a4cf89cb1eacb2c839d24f71ede

SHA1
41a86b7ac6d46fa6d4c721cb88dbc8e88f0ff759

SHA256
c42d248285fbe7cb0a760585d0d9b5d71f5ba9a354adb298b186618f9856b1e0

SHA512
75c78fda739b38244bc42e6da1c995c61dcbc04008ceecf60744ec0b22da197a3368b3926c797139c5b10f8ecbf143dd57964cfcd70e0947c3dee2fe92f4689f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
be2263717121cbf4dc7d2ed201325e1d

SHA1
d24f5d7509ccad1c381120327d658805cdd041ce

SHA256
2fa8698172d9fff4406c0bdb27fff191d1aa165ecf5898d42c4e8bb25bb22e3e

SHA512
38ab6752dbf130f4b710f103ece40ccc0f34af9dd661c39c6b7d71f473b3c2a1365748573610fdca9ea4d9465e813f74324720c2772e01ce4b1b3f6c9e123105

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
98c8b7bb0dd43201c0d690c286544964

SHA1
dc0c68e047ced960831243aa8f06924b4000bc15

SHA256
cbb1cc5909a8d76d49e5660cb58017fbb1dd117ac4cc3edb7c2de140bbe5ad9a

SHA512
f7b9bf5d4bad077fbe236ae7999fa67e927339d14e8413f2f38f0ae1ba67f6cfee46666f9d106a7df5864b6e65813db423841444ee5c7ce5ed5d06460a1581fd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aff8a8aac02ad82027bf2d092ef92898

SHA1
803061685a24c01639a33d962ec328d58828de6b

SHA256
72fc92c7a2bc5627e6cb6fb39baf3fa670704b30d26073546cfcd44214438508

SHA512
f95e92057a4cfa552cbc505d591e10392d8ae2efeb9ecd52ab059914571591112da22ca3673d7710955cd1a807271421e7d0dc18c3eb7864b76a847eb7b7b52d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0beccb6e9c7d39ea13724465994c3b7c

SHA1
90f2dd4738cf6d6028d9cb8d9c3f381a884673b7

SHA256
ed40425db500bc294112806e8e8f98a1189c812e2d9f8062e064e8f25073868e

SHA512
f8749b106777d5453e67386f404e8f534a41a837ab63232dc12888a25040773ecdf4a932d8f440c28372427767872642db1a55f28affc814bbc53af27d566278

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
adfd92050549077ae87553a611c39867

SHA1
523131d86725edf9b56c73b556491dae0cb96885

SHA256
6d41d11007d00c9ab37ddfe1486bf5482e4790f56b6d59b963670bcbd98dafda

SHA512
021763673dfe56e989f9c18f3c9a69204678ca82733348a88c86b4df469f1254c0011ec72da5ca24874fa84811cc0e38e83f159f92d82d206ed8938f9569055e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
bb5c3fb8448a9efd639921b35c80ba17

SHA1
e4c4e9e6f9725378dca7d5c2ade975e0aadba6df

SHA256
40de6492a739e2d1dace1023892b4e448ce11ea493af1dff7a1be8bc3bef8a20

SHA512
6bf16fd5adf8ae5d3a9bdeca824cc61860774f9d4f661eb133a411b530e3cc9fd43f96a1a9a941bcb6334b3efc12623f99d091cb2d001149e006eda438894c1f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
220fa69fd38685d90a09da770c23b97d

SHA1
4d429d58cc453ca3982407e1f2025c6c197d57aa

SHA256
823ca2ec21ba225f133b2fec7d549a5d4621d124eb8a5847781b455c66940c18

SHA512
fdb83b965b6c839040bfbac5a2b612624b2a0011e1ec0ccf6d7bdcc85f6bd1223235ba9a6138767d3b252f827511ba668734bdfb8796ad7889dda3c80483fa5a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
281a2900e2bdb1a30c4e25f1d87dc594

SHA1
cc1d7592a67e736744db6706efa4023ed866fe5b

SHA256
655fb3d12235ef2dc67acc279e9097de9d4a3cec5270faee823433e0fbd5d814

SHA512
0e90650da210aea5eefdaeada74aa547e38282f87cc3399e9499961759b5f7a07cbf8aca139dcb73834e967754d8cfaef50ce63ca15263e90633a0a6ba780719

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
83c4cedec33d508e645acd3f422dc628

SHA1
cd48de92bf7fff32a0d1946681d4335ae6de4b26

SHA256
90e97a4337d767627a43366b5fc60eba8f7d6e63017f46f999afee11c78593eb

SHA512
9a38b493246f871650151dd5e22906d00c0215026c33b5481a36ddecebe50cd2164f06934430a04b8e02273dfb6cb9e7d6bbe3995a613c92b69df3317e6685f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3653ad72c1e87333a252c8fd071c149f

SHA1
626b9da3063ad0477fc8b3723edb59f041fef149

SHA256
a28f24b97e2a4e18bdeef936cbc29232cea0d52c18a40703c897dec48c2f933b

SHA512
5beb6c89a29b2720bad57ee877f210dd54257183ea78b4482e4fc2706306fd48b5e44f54ee9a46d13b04a01f9b17d46186c161ec20db81cad579d4fdce2b30b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a5e5c84aae8400b22a37619f83b92698

SHA1
e50d52b3b0d88efa174ce8170af7bba25314794f

SHA256
fb2525ae66c80b86f8441c1495da05f04cd1c7ad02775125f2e2994b1ef3fc96

SHA512
e3e042d84b5863ace8d451b4ea3edd8bdaf794094c6933604e5c9ca5b8d426cdd2527824ae075592ac55b3818b014489818a0bef49791e816634e750706cbd52

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
11977c041b1572504ed90f2e63893643

SHA1
567dde05f4f3abb51b4fe5db789f416b7d4ae523

SHA256
dc7ae625bf2eb1200774e20e96611ae27a74976355e209e61be99204c9b4b4c9

SHA512
940d486fb54ad3d2c650671ebf13213a2ba6cd3889e41edd7d00b3d0c1a77d0c6c4e728f5299b7617c993049b859ef27ce7bb641b701875b5c510b4acae9e935

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a1a525e30287b6efbe8c1636288331c2

SHA1
16fda4b777d745d32e14f2ea68aacb4bbbec84c3

SHA256
6ac0cef04c78d2945521c35095b1c5c0ef59b56f6832bdf39d3d9c0a12bcc915

SHA512
67def8594d49bd60ecabc13ae4c862a6bc474f3fe8e8e8470603c476689347387e982dad6d419243dc79811ad253c40ac2a3b6d7bb7649be6baafd10daa46a03

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd40f456f22d5cd14ba2bae95f94ead7

SHA1
24371f3f0782f2993956586984977a20446fc123

SHA256
584e1a187fdfa8476185f4ac0fdebd5fc808cf85b5577f6d3c79a06f7df342d4

SHA512
f19abcf247a89c02881f4e0135f5361ef67536acd92e916996b28abd3eb6160d8c94690808d312b6d08941bc4a28fb96f788bbfc4106dd6b80f1c05fc41c719a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6ce4c13d0806a5108a581fcffcfdf900

SHA1
5a491f500180d630d7e0d0a7ba23430b4262474c

SHA256
865e556c62cdacb083945d76a047e025952a16f88a70fab6118d51616c51cae9

SHA512
6fa188a421b2ad376194bbf2bd9450011305239d8b6bf2070a2b79e2ab0d3177ec6073d1fadee06b568fe56cf2ff8c0056c1139ecc07bbbd35b348df64eabb5c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ab391f96e39afa5d3520e6e71e37e4d5

SHA1
87f4f1a9d1c49767b1d50c8a5b7e81f2121d2892

SHA256
faefc24c58c9cc022f70aa9e79ec02192937b2d2f2037bfffe2ddf0163cf638b

SHA512
14cc51b4ef6e7986e4324422eb3af04b0cb0856e726341818f51d7cb50224a35f7ee7bb91208d96a84ffab059b372fbb8458582c0b545d10f96eeb1c3b169e4f

Download Submit
memory/428-179-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/428-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/872-100-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/872-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/896-217-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/996-145-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/996-496-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/996-8-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/996-0-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/996-6-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/996-5-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1648-168-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1648-236-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1648-174-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/1648-169-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/1652-187-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1652-716-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1792-719-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1792-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-212-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1952-718-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2084-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2156-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2156-210-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2156-120-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2156-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2780-147-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2780-153-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2780-229-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2780-146-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2816-722-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2816-230-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3260-723-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3260-233-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3532-198-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-717-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3936-101-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3936-108-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3936-102-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3936-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3956-724-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3956-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4260-224-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4260-138-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4284-710-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4284-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4284-706-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-92-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4296-84-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4296-93-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4600-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4600-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4680-131-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4680-129-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4680-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4680-134-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4680-136-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4884-157-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4884-166-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4884-163-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5084-180-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download