c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
Size

1.8MB
MD5

c1d92acf2e0b47e8511e8de5edd2b3cc
SHA1

25726fa8455606064edaab6d7c1a3a878d95131c
SHA256

c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224
SHA512

3b76f463adf8ef0932d54a2a67b41cfa523de4cc5951f50840a6a4a63d180d2a0ed756c12488f61c8deed30fb327375ae6d3133bfab824fe186c3f6e2f6fda3c
SSDEEP

49152:8M9QPdxwfE7WlFwKAfzuTiDFUFkjgDUYmvFur31yAipQCtXxc0HC:81PdVQFwKZCFg5U7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4160	alg.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
2404	fxssvc.exe
4152	elevation_service.exe
5052	elevation_service.exe
2396	maintenanceservice.exe
4444	msdtc.exe
232	OSE.EXE
4632	PerceptionSimulationService.exe
4948	perfhost.exe
388	locator.exe
628	SensorDataService.exe
3856	snmptrap.exe
4620	spectrum.exe
2068	ssh-agent.exe
4324	TieringEngineService.exe
2032	AgentService.exe
1228	vds.exe
1912	vssvc.exe
1360	wbengine.exe
3644	WmiApSrv.exe
4312	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\System32\vds.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5dfdd58fc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\locator.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4565.tmp\goopdateres_ru.dll	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4565.tmp\goopdateres_ur.dll	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4565.tmp\goopdateres_sr.dll	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4565.tmp\goopdateres_bg.dll	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c051e7a06bb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059b2bc9d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002614bf9d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059b2bc9d6bb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000779dc89d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a509b9d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049ee989d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b658f9d6bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009101ac9d6bb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3b3e9a06bb1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe
3900	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	544	c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
Token: SeAuditPrivilege	2404	fxssvc.exe
Token: SeRestorePrivilege	4324	TieringEngineService.exe
Token: SeManageVolumePrivilege	4324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2032	AgentService.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	1360	wbengine.exe
Token: SeRestorePrivilege	1360	wbengine.exe
Token: SeSecurityPrivilege	1360	wbengine.exe
Token: 33	4312	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4312	SearchIndexer.exe
Token: SeDebugPrivilege	4160	alg.exe
Token: SeDebugPrivilege	4160	alg.exe
Token: SeDebugPrivilege	4160	alg.exe
Token: SeDebugPrivilege	3900	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2516	4312	SearchIndexer.exe	111
PID 4312 wrote to memory of 2516	4312	SearchIndexer.exe	111
PID 4312 wrote to memory of 4192	4312	SearchIndexer.exe	112
PID 4312 wrote to memory of 4192	4312	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe
"C:\Users\Admin\AppData\Local\Temp\c0315cdd9d8676d373381f8ada54bd4e15ddfa1692f8727ed2289aed4b07f224.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3216

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e16ad1a0ff46d610c43cf98cc5bebec8

SHA1
586e53b9917e281e41ced0f5e4f8a89af9507c8a

SHA256
6cf923c555f46e26856016837b48f02dd6406bbf319c253af28c31ca12b13cff

SHA512
e3bf383514ba181e2a66bf78ecdad1d33eb86ccfe034552dcc7d0aaae80341f712a5d68fe69f13a520691abfd346f6e9afa6dc3f56c2188e72fcf1c84b90daf8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2a7390a0e4bb48ef639fc5d7e162699f

SHA1
696fa3ed97481800ad52c6ce18acddb51ed8785b

SHA256
926576186bd64a25929073f1419c05add4bd8e1b510e5e582a321ed8a686683a

SHA512
9a3d106cd4a3c592868e05b84d76ca8d77941dfe0615b7605fab8110d8e798f3c06d8f9c90ccfd3d3d0c90aa19a4b3cf9a7b2998ed12666ef60dfb773f9d5a59

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0c39a620124e28d305c531aa371a5914

SHA1
2ddd0acc9e1b4437ebf19c5593502e65993cd10b

SHA256
00e08406cb6c80b62cdbfceec26f20994161cf8fddecdea29a8f2dc44bd75442

SHA512
56a80617f0abc77cd10a8b7a93e11df303fce4b441f2c36b495db57c994178ab0f8338cfecc9ae4186a2bdb817d7b50b68e456759ed1b0446d45348bd51d8699

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
018441da12595806e38eeae05ba511d0

SHA1
29268d93966407b021041e0abaac8d52f0855a04

SHA256
363f2fa9b9c04d1117b4781cdae9224c93bfd3498731b49f2a4b6be314f0d250

SHA512
9bb8af9dda516ae877b41c2375732e27faedc8c7a43e914851ee4987c7d15a7ce2543254763dd0eaac6ad8e33a5b2737764fd4c410c40d23dea567a6bdf27c9a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6b3b970f20b7d572d39e713ba0391bdb

SHA1
8a3a85c97c0a5f2aa5bab208d31cfa0bc7960ce8

SHA256
171545799c58a22b96d95f77265277649fc869d0c9200c1815cfb1d04673fca0

SHA512
29a08775926e85d48a713af1d9c1c970a3b0f7bdaafa9506347f213d3a9593c6046b8cb528a02fd2da5ab61f15fcaaa64b8cd7fa33c3ddb1c444d5bc8416b803

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
158908b299549156cad6a2f3f4aa69f9

SHA1
acacfd5f1e39148be9da42970a3464638aee55ec

SHA256
7e47ddf9d7ca0fc927eb3bfe997be7acf8f29d768b4725d060b4faee893c7b17

SHA512
07ba7536dfeb2cafc312cd1a8d292807fedf508ce894c46c1f3a484ea7858b5c899a0617bb69e15ba4ca1a5a26da817e36da32b0449ae732245afb265878adfd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1442b1d5e2a1287bf8e4ed97d8da63a9

SHA1
8ca15c1c4f3a15b1f851df32fbc6764b9b9f4d78

SHA256
5e7c8efb36b66abefb55254e3588ad25ec463087963eb09b1bc82f4445556e8e

SHA512
52922eef72c591bee8f057bf7726d60f7c0a7905cddd14677dc68686a14088e1b5e9f2bf74e9c49603a8a894ec7ed7b7ac5534e598c412435fda0b391e91b99d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
abcd4bb7db75a64c667e4d014340422d

SHA1
d5e185389ff9460a6e72afdf196a4e68632140fd

SHA256
12a7ee7b72e7503244376e3951cafb92d2ba764c079f3ab78f966da63d2c0197

SHA512
6a5614a3258a688a170d3718f098c162cca448e43336719c9f2ab6732dc5121043fa0712874384c43973783bffe210bf3285b9651d2ad71edfd42647ba672ce9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
688b7e8bd966ae144e3481424eda3212

SHA1
399bb59929d29566c420cb0d77612f9318908c5e

SHA256
3025196b44ab63e734325c08c8ffc6d30ae2361f3051a4b83a2a52c63d0b2b62

SHA512
a6bcc0c73e8061f40327627448da47a66d05542ceef39ffb7b156bdedbcecc491c930bb5121d05026249b8fb07d946e6a85c46ccc6fe0eff42863a6ff4122378

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f7f9e5e02f81932dddc9fd339331f307

SHA1
c574a410f24c0e598cf869f2d69fef20ee05e796

SHA256
3eed0f46b8dbc020b7b5f25e350d0c7cf010876b506ac36f363bcdce95872f79

SHA512
609c06ee11538368cc26c85615e8f2849fb83966366bbb63406de5ee849f762cf46ba6fa27d0c2a6ff73f5b27d88d5aa981902aa4be44523f02db0f4144b758c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3951c0704fac252a0565e437fb8490bd

SHA1
2c486dd43ffbfc07f7af830a7276f07a551d8e98

SHA256
d58a444aff44253232f3142a0ed0e8733753ad700de5b9b2d564022302157252

SHA512
ac8dd9c1814627a66e8d829de9c891dee34502c6e8e6f4bbfafc45862f9bd8543f731a281ab8dc096cd395df93e83a03761f7ba84075a752be9fa64ba3d4c7dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
64467d500dce54d02fbf1c047bf6fbab

SHA1
6900f8630cd63fa69a30ae94970479ac3e438a75

SHA256
9cc60c100eb0efef75589d07b9e77a6318110445926ab8ae13e81e0ee8c7f6c9

SHA512
f8acd816c47da96da118fa480cd4208e4682e0561523cec91a740f21d7e00482321053d5c81a4fe025fdd2a8377eecf588f39c9ba8f5846f29e354eee0ef9936

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0020579ce6ff6bdbba98044da3494081

SHA1
7b38a43e0d9e58821fd190d75a53769a015b02f8

SHA256
8d07b0adc4b14e34db5543e49ccf863923b93768a8fd91f5048f5c85155d312c

SHA512
64a709f4e097e1617f22836f2ed0335c9f7b1f710e2fdbc8a0eb7da544b9b3934b7f117f70daaacbd380fe2094ec5e8775794490600c48debfba4d3b9588359f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c0c6607940843f35002b45ef5b6f82b8

SHA1
db4b6df265dfeccabd280696fbcc4fb2922ceffe

SHA256
d7a67ca545e6efebec0b85896d843e5cc4b49f12734de3bbcf817e640162ff82

SHA512
f0f3621ea5206e84f072157c2b9bd9c94302ed4f3b0ad57bc23a3011a87ddb392babfa23494a13839f737685bc8c4556ebbc7be40d7b74251f8bd3b67973b4ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dee864fdd358a1c10f2aac89d500c0df

SHA1
d77fffce48dea13ced7469e8a4180b8e8c0a9b1a

SHA256
bdf1d9234cfbf400cd06638df86d8b50550a8891052d6878974170450f217681

SHA512
614c706817d6db032f0f676950d1ade9475359ac5641c77b1030b616c209ec3ff1ddd0b93212a2b03bb5f6efedcd904a5df32b5a17f4f7307e15e2f648cc613b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
375838871de56c6accae8d3d81a2772f

SHA1
c2f6907edc6a70d0b72c1342a958879469f1fe3c

SHA256
3617d69aae0a6f701fc9dbf3c8577692a062559a6cb4a410f0c69b577e6652e6

SHA512
7d8f4b3d513f90b4cc6c040db9b7ad6fe72b1c8ebaca8b3c70cd4f887a13630b52f09bc6038d0fe002f16ecdb9042ed4c33030afcb0c5236ae1f1b550aeb31ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
52cc9920a1adc384630bbf0388aa68b9

SHA1
d05000ca971c5327e56755add9ec5878567d38f9

SHA256
8e1282780f5af06fb919329fb056274b132a95b2562f20c824cb5833196612db

SHA512
b7761b2580ba558557d4a0e14e577c9bffbba1b85c146ba0dacfdcea66191eb0a325350c541283ede6672838e1ea7ad1ca3c80ea0a808b3e56511efd299bbc4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8004bee519912c17c06b7b34e300ecdd

SHA1
be83c1bfee4dfc1881755736d28356c902ef4a56

SHA256
a60411a2a5f01a31aa83d52dcf1fd3a320b2f127346aabdbc064824044022f37

SHA512
87518aa8d5bc307b0d2cdc93e593c173ea68516fd9a902222b320de510a8276e5cf778eece7eaedad3c0fb0621454022ef7122a818a371f41865a352d95dc394

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
63301e68aea9dfbd68ff98204a53b61e

SHA1
1c460d5650a3b122b3a7448d35e00db7e6d42018

SHA256
19196dfdb4d9d7d3bf7576857a0d5dad6ea6c4b0f713a62717accc1905f20aa4

SHA512
e56a2b2a03321cf257ed2751d1a33c664c74f4ea1aac3d6fae4b00641eb1b8d4c895ce1c722bbe079e0237f261f695fbfde009ce3aa161af54dfe2899e8dfb2a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a8855e190deebfa1169f5e8b84ea5f8c

SHA1
8bb1cd01b63ab1dd3a3acc557fe7155e10ec729e

SHA256
aacac8f03ce6c78b5bbd8406409de1acc9fe37852b9d8d39644085e426baeab8

SHA512
6ad7b616677c2a15e4bd459d35f989f12e5d6d3106c75723e08724e7f4a66726cd39b72b4cf81fd86b5af0e5fbe5e471fd012200b9022748f51ad01bd1423bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
35ccbc076cc97779bb9c92a1e0f13e15

SHA1
65be1889aa268fc8dd4828e1c010d2d1eb50b0c3

SHA256
51ff8a30437a738e5d3051ab0def71a77ecfb3aa6a35d3b794fcb2522609b109

SHA512
d85df36a152cd40e2a8d7cab651a77eea1aea7dfd4054c3010ddb8f8afaa606e98a484a7a0febf59862c623cff1703722d5e609a688b4770c9fe573a63f2b74b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3cecfecf4cd28c3ea0ae6671370ee54a

SHA1
19d0013e07cfa75f076bb406775109f80d77e25c

SHA256
1a7b8aa43e28f8acfc64c5a991991c040b84b7f88f80825a088a63f65fc1b2a3

SHA512
725a974813b5b80abab341352899c8cdc1b130918d6207a174ba997c35dea311acd5a13684ae68f1e754c322b19e72faa4575fec314d705cdefe3e41cb4efa93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
14a1334fa16b485db2e93ed145305752

SHA1
cb7c7238e18fdeae4c4bb409a3804a782eae65c3

SHA256
30a254d1049be279c1365cc2fe04a48eb64ac78576fb535f05817ef38d93ba0e

SHA512
ce7d638c1496fac1d62e22ca266011068d1fe0608ccc33e6e57b06bf527994355ac55959e8e98127361f632efbc715bea0ea7c1cf69c9b01c97c4c563c2806cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
27299556b5e78527c78567cfaf4e7fdb

SHA1
0e89bf2dee94c21bb6dfe1f6e671306d047bd544

SHA256
0503f09aa99ef608aff684dcc951b4db62d584ba991f8af09157619549261fbb

SHA512
f546af9db53376728541b878c4b6446a6613cbb4c10a5d888a16f48473a29a5b129f932bc4c3823484775faf9461c53a1d1f638530957e5e62c3ada879911d5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
25b78ec18f318823b639e5883ff55bf4

SHA1
7f490147fa0101c1db4c825aa968be6891ff26fa

SHA256
5de69fa9afa337538974d9ff934f8e60fb3422457eb27362dee0b2c091215c05

SHA512
e28df1337d40febe1a7f3b652c8fc3638e527bfe5d523342c7dac71093acdef0a812d50132c55caebd74b709353d638632cf3b5eedf08fdfba70f3420a2250b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
54ece42a301a579a2ece0f4004c29d2a

SHA1
567e02bca879c60fc020c25dd2751875da3a9f80

SHA256
59e861c85aa1dbe9f19b4f8fc1d61515ac062bb1cd6cae2341133ed17e0d44fb

SHA512
746c52f3749e18bf3add3727bba82f978a9873bb54615a4d7a5e68f5eb4355f1de48ee479970a2ca81a3fb92f9259494c5d45af823769f522a564de7428ffdc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
82e9c95d85bb8cf2ce900181b21de651

SHA1
f747d7250a7b89d25ee465970c60a39590dc4521

SHA256
f31b581ef579652370882971be1c79c08554ef617677be3a0f36351df7125482

SHA512
4807cfe2e581de8cb9b8213b5a65b868101b63b09f29136c913bc1a0b8d789a14531f7cd97fc7ed6d17a2c8cfc05caae1917c6a22a1558047a32860af6f8bdcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
19a38d278f530be01e2cf98ffbc4ec4a

SHA1
7d716d217afdeedb560bbb647eb643b1fefa7e9c

SHA256
d51d3404c7bde862793b968a4ae59448a8c6caf0c4f33add6e1988331f1ec0ab

SHA512
d3abfe42a9abcfef0c89b1df12fc1b0092a603f0e97a8b2151c05b904d08142cb8fc748de5d2fad9a13ba362e0cfc314936cfde4e944cc87b84486151eea43a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6a9fce9c694b0d464b027bd6359975da

SHA1
031780ef62342c20a4a02dd0d68ce084ffe411ae

SHA256
5470cbbe78111fa5062f23c997ebd9c0e5b5d053655fe590a98adb93d5f0f874

SHA512
f1b23269388b22f62952a4fe269adcf0ddba477785e6cab3426ab1c455e61db3b3278a11517ca3978f0f49fa04ba43e729bdd69dac8a1437168852fea4e556b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
50ad0870bb81b658d3a8431b7eb75ff0

SHA1
a3f705c3169dba2328177ecfcc16e5c5fdef9720

SHA256
ea3818c5fe514ed43234aee34c63ee938ba4edc5c43e44b42cf68cdec220d8bc

SHA512
542264095e28e75a4b76c513b41328b0fd86c7a1e4644bd02cea970eab2f6f7782cc2a9461c4ba06320b7c339f277ba81b3d46d0f33222f99f8571859de79f4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c064de422070e123dbcf96793ff134cd

SHA1
b9bccc4c313ac56b554be258ef636dc4bba62f6f

SHA256
f571386e40775b50791db230d2e01a7374d1aa7167cdf109e898b7df24207d56

SHA512
15457b3420228732fa4ef0c01b6c92e37d3d7d0e312a4cb1251075398e7bd71597908baf9a88aca5d118635407b8be0b8f99c085f15d072796f79050b0713d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8440c85819e49a606aea9f67c2a496f0

SHA1
9c60fa1cefdf6e8038118e41f0310a888aef4caf

SHA256
2e7ecb08cb7cd36b8a5c16d1c352e88ffa8abd166bff1004a035d8f11024b2a7

SHA512
b02a2503b246749d1095670cfbe871d90a7d0178eb1ecff8607c86f7d68ccc3ec376d52e85bfb61152485c52abc57af6ed69a7547c27ae38dd18264fbc7b847c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7e9d95cab76d38555c61429364e1ec86

SHA1
e210f021f9b75f7914e3e50e8338a4bc39fd00a9

SHA256
41fcea5eab5d7f19bc71543b11acc3537bcc749788390a04f48926c9466becf2

SHA512
1a24450466a1801ce1c0fbb516f53cbcca333bbbbabf7ae3a5fadbc10a72b21e4d416aa32b0ef4612e163eb1c10e84e1914c79f0af4092ed7d933509bced43db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fa191e864faab1c8883765cce295b760

SHA1
f1cc3b6d859a444d57fbcdea594c343d3232e202

SHA256
593b9e6d710628bc849282998aafed4f61de7341a6ece54f9eca29ded9003543

SHA512
b3d2c7157a419b49c7981fcc2395947d24685c19a1bc9d284ec08d0138ccfa90ef6b06547ccaab786e289dab3658467c314a3ab6e4d4836b0896d412fce57e95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b7c44db65ca680263e976d39f0ad4cf1

SHA1
a5b392093968b5c14c326600500b0775b61e8690

SHA256
15b618ebad325621860ecbd39ee2587764803ff2134b4c1996efd2edfd073f7c

SHA512
d294b1f512433ea9f253308e83846307ee181e76f362a31ab09016398256692e0497a9a2d9bea8ac828b94113f9c2019e1f21e121ab5cb6d19e90add3ec591fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
18b6fcd74f8a200153082af8fce6c903

SHA1
bbb81c6637f90fb713149bd9e95144764ba0762d

SHA256
9caff1841aa624dd8bf52b993e09b24f8a534f6ad61c39e310b55dad86ff1797

SHA512
ef75f712b505fc5c94c9ece012461f8cd0940119ee3299af76fe5856bdcb3538da71ced2d68280ca5994640d7a072fd12b072c0684c4ad51a8852c4dc6ff334f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fa57efde775906b6334f8f4386b6e2d5

SHA1
a9d3df9b65d6fdf63ff64891a2e12bfa5449920d

SHA256
1cedef0903a105b20793a3d4e5054ddca8c17c7cd624f13ad0e46ec46773990c

SHA512
83f54c924c3ec8e9d7e68cf1f9e934d953afce11b0a0f826329e20da79f1701123ecebeb14b40a49bd599e3e77e86aaca7cac07ca298be209507967de6c691c5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
631ccc9edabc934ad68bd9f7fb5f9fc2

SHA1
f51a13f3bb72352514d5528d1c1e4cd5b07aba1f

SHA256
b792dcfaccde312d295aa2616dd0f7a98b45925d865865f11c44d7011bbb7852

SHA512
979340b34445832e964c830ac31efbe1f8e4772a6f1673e023a3003eb261eac7c10ad501629fedae2aa2294157f024a49eb7a32b99bc22b05f0d910471d5d53f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
32b7ec50f60d7a0b66ae7f91d45b645b

SHA1
bd70c423375ba1c96df54299923e5fe77b65b001

SHA256
eed5bf6b71d4ecca1caacabaa910fd2367bfed92b5185e786afc582f1a82f1a6

SHA512
066c1a8d66244d01f5a2510898a499fd94e4b579e7f6a47a27cb9b429c23ccd0b8a74613957d424eccc8ab3964447933c821e4224d5df9e8acd697f341b154d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
747807bc34349117dae622058e77ebd0

SHA1
5e9d1f6d4afd17641104aaa08f22cafe505feb07

SHA256
cd35f0d5fdb4a2e89841e06c4ef30dee641d66c94d32a85434769012fbf01c98

SHA512
29117f92d513993bdba9e4d3d618c617fd47c69751ca13ca6cd7944d986e60da48626e356bd5a82d327e5f9c07776158fca7a127f812a68a6a739eadd954eb0b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0af3d5a0288603ba04eeabe0b89adf4d

SHA1
0227ee55b786613adf68d3edf75c885b43ec57b8

SHA256
73342cb0701e71018946035a4f23a24e54898d87d7f1707989ed98c6f257cfeb

SHA512
0e7cfd8824b876871fa9f712a262c18cec94c4dc00aaa19278e6ccd9aa9cd507c3ac0c4b1c5dab0eff195a6c07bb1d4e4a8a2f831d05bd07268a594e8da4e9ed

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b9d8170f57336a138b0e1498e39a6706

SHA1
7571e77c45fc0b4f2b7b88cf7bab40417d502699

SHA256
deea55a404f87df678c7aa84d55d850e43ff178ab0973d48b239ee587ed4a4cb

SHA512
dbf00a11fd9b6fb400b9953c56bf26f2ceb424728ef4824dae73a8ceb95fc2bf7410990b9c955200619b24a7705b2683c48fdb85169b0807827e6f560bf19849

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
85e4fa23080ad4ffd5615edc4ae0f95d

SHA1
5609bdbac65ea9583307c85fca485cf36f65b68d

SHA256
c02a2f36d43fbc542f0fe1bf8bf9f8d3caa2f1e86505d9d6bd13078467407d2c

SHA512
b68bcb9fbcd27f6987abaf6fe190f2ec47c9faa1353a1c4def37fd0570b5a67b697742b576c735146a0062cc062b04dddcc04cee9f325911313e6448a552e1a4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
edade972fe65345ebbeb0be511e01ee6

SHA1
1e49f7b264a14544f9e37b45f0edfb0cea54e56c

SHA256
3f03b27610501ef50be6f22fad007d3388fe2355c76b5df84346ce319ed1c9ad

SHA512
792d86947adf0ea4de2a5b44f6f72d324e564d9668ff41b9af662ed5e867dc1d7c29308625591fb35ccae6a7a00235ac67230ab276960daada0ce0141274518b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7e49eb2e4b39cf4ed57a2134036665df

SHA1
e48fc6bf689b17ec1160de5a2b14d043f2101480

SHA256
4f641791055ec4eb9e2c92165c60412a0e129f94e9c5b7264e68c1d63d7aeca4

SHA512
efebc8c63d10532da771ea9c6e8694b67ce874e86f96897da81ff52aaab14381b0752b40856d245181df618a3100ad06f70d7c349176a932db93e8d87b9f9ed8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7e74f8de97f30a637f7f36cba2ddf2a3

SHA1
7e6f440c6ec45f6a323f56dc531149c770223bf9

SHA256
ef4fd2da7290eb044082f18534fbc859c1c531114b1702a3a06d1a07cbb207fa

SHA512
b8dd4d5e9eef571e1d53ac34b93a415f603b1584087b66b21946d0defdcc4df45771f3fae666a696c90e41e176393e423e6204d363a3f5316c54d991ed18a5d6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6df5def40af44b1589f4ac59d06c3592

SHA1
16fafd8d1ae495c903d3a8101692b93691541bfe

SHA256
5aee8dcc4dd0e5b33f3335c127aeea554e9cf592c5858652b1adc92be44b8815

SHA512
049f0e183033bee56155bba5fde95cab8963d85fa409ae20639d0ce7804fc26c3425b7b85dd3e4df133f717873425a90c44d499b7de7e4d539d3d41a948897dc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cfc9dd1069a3cba384016d987daf0f59

SHA1
f5aaa3b268755430e6c470fcc8a43f171faa0e53

SHA256
45ef364c085375801bfb76b9805787bb31735e7d912b9312d51244835e752f28

SHA512
8fcc52d602998a5c243da59d268a946379c3fa91278770ffcf4577ea4159337fb293aa730706ac94c8ad5a597d981e6405fcfd7f89b65f9bfc106d75b58ea2b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a651346ebbb80895bb8559c922124890

SHA1
959bf0e2269872a659b024d903c5c82af66bcbfc

SHA256
fe92b273c327074acb16cd03e7be7e3042d1d194ab0bf09a0e71c3030fbe5ab5

SHA512
77a1a512ddc48dc672560097e23e91f867fe07eb30ec7d8edd28e00c3e4ad4af750776290a98690d9c8df391d63c4e0f09607ec386dae5993fc1b1b12d0cd229

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
856a719428c23d4582c712332ac714e3

SHA1
eb39d6ce9a7f2b62683e7242204f68e7d908f132

SHA256
0fde86b9cd52cea72078250b0ab9f7904bf92753af3dd7d82d7b483c1abcb2a8

SHA512
d836be81eca11c607e8b0e472a550088929736e255b11b7b32270b6b32b7cc2f2e894c6866da217c1f3c510ef53e194336b6337f3605ca8ee90f4feddd6235c7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
93547618338bc453c60f4ae3f3663f8e

SHA1
aedfe51edc91d98b586061c434bffda6b89b8e9d

SHA256
c2aa80b5675463089e71e6556da68f2ff8f3893a320db98b66f5d6c5f74c15c4

SHA512
c8360aaa9521b132a77055e5fb2057c64365d27c7fcfe6813fc5f452e9bf59c772c5db2135d70388687fdd475a38c322c5cd3025d637366eb986ebef87e3c2af

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f981a6d1b01be1101ab83bed7790b5c7

SHA1
0b78fbaaa5099531e2d7d47fa543a772178cd92a

SHA256
79cb1da3f158fc07d4d0d8c54fb1b5fec30782a18b4f31887b8f29d3632c9811

SHA512
3c66199c249568f2ec52ccece71c1f09c900da6797ea38520f1206b0ebb329d4165b96df801458d01e5015dcfea947c331c3020d9e68294b1fecf057d97bb6ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f399968b88b04636cea85deced03cd00

SHA1
ae7c4269a8063d08dc538539d2fcc452d4ccb369

SHA256
ce777892d43c13d93618c56aac386f2cc4ebb75a6c1a11ed547bcedeb341c08b

SHA512
e1f50e5ce434a71894a06751ed645fd9da4fc9c8f6ce30600adc885ad3a257419b72947b97deb1208ea7b99aa8a98653b9ad0580dc6efceed46490c72ac0d82b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
baa33341d1e86a102a45fd0043b3eb8e

SHA1
dfbd0848244154e1bbd018717e6f267193524baa

SHA256
73fb659c955e4212b54b6b6f550552623d7ace660e94e7feeef8e86dd55c55e0

SHA512
f964170401ec1f98261ea6d67642d558f5b4276e3b7a27eb29a6e42e339c66bb8a84a33633542c9425b87736af0dc58eed2473c201c434f5694c123d450ca5a8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f0fe6a212e678b67c2450eecc65f3bef

SHA1
13864bf259bf6101910cb7470681cd4cb835cceb

SHA256
a5d2a1b60ed6da9c0aff6048db5e36df95ef3e4a6985266a6c783b358f542c9b

SHA512
7d3611ee89c95a8b8eca299d4835c7257fe61dcf88f773ab96728373b2121aad12106ad870725926ad10c1005e2c6f326f9c47dc40c563dfab1e4b146cc7c5be

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0f24d1c2601895aabe8ee22ddcaacb12

SHA1
1dd33d1780774babc7aae3d28be7e724a166a46f

SHA256
3bd56066692aeea6cd3b506b9ba656bd3943e5abcee119365b369d9356e78e10

SHA512
04f9a6695100fda59aee4759fc2751fde29eb50d5e2cab8a2ba5babe533ed26a5c4c76345f1869597c9638973dcf17583598e2e09577efadde8c0f6c58c1e528

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9620615fc46b5bd47e1d8d0b7621cbaa

SHA1
abc7d0fc425277249e254cedfc26a67828055a84

SHA256
0439881042e67552010f6737e478804baf8474e5e892ebb28e2eb7f8c2ba023c

SHA512
beb6098a4b125e920fafe16998a33f7e52f5b74c99315d5d3a5104e356c1694de704b303aeb4850b6aba3b8536b17bcf155e9f4dd0d6370d7b3462690d6481e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c816428002f858f063a37aa9f4aa1f7c

SHA1
6f1b3e411c02fed722ab30c5d1edb1a7693e5182

SHA256
abde9bf8a653151b32fd355bde41adf4e9f00465c0c4c63c36ca4b1fe54eb5ab

SHA512
98353050657a5e4d35210937930444994eb8ae98a94877f5d6699e5795c5513164ef2ad2165db8761a5b5591953cf855da68496bc3cc902667ea6fe5fb56877b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
366119f0eae592c1cb7c586d17e5488d

SHA1
84d19cb6417ad6a9c34e6456d9033f7f65aee28e

SHA256
fb2bd768ef4fa9570b6eb9581db1ce80c184643029a7f75893ada2209ca98b96

SHA512
81b906ea35136fa73f032d4f585fe2e36f2b48ff2e0554be9a287be6265078c7c49e745f68aba63bc9e3b7088f297f3fca3d508f67795988655f66fc86262ac0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
682bbec49289c50ac6607d4d0315845c

SHA1
d7bbc1925209b89fb705ee0fc8f5a24442878a25

SHA256
6489c6c09a9afe151d54520a8e5c2ed4b886ee4d5a52ca63502c9e913cbe931e

SHA512
948a4905dbe1f61d71e9abb36843e7df54d72bf63a827c201340ec5e2af7616448c4ab3a8ac624effe32d2050d08677f58a63e950639a4cf25cc23b26a74788b

Download Submit
memory/232-290-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/232-180-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/388-215-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/544-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/544-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/544-165-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/544-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/544-583-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/628-704-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/628-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/628-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1228-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1228-809-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1360-314-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1360-813-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1912-810-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2032-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2032-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-807-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2068-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2396-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2396-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2396-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2396-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2396-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2404-106-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2404-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2404-112-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2404-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2404-128-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3644-814-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3644-325-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3856-673-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3856-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3900-93-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3900-102-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3900-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4152-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4152-116-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4152-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4152-122-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4160-73-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4160-179-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4160-71-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4160-46-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4160-72-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4312-815-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4312-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4324-808-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4324-273-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4444-166-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4444-157-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4620-724-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4620-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4632-191-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4948-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4948-313-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5052-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download