02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Size

1.2MB
MD5

1196f52a402aac30fd71be720ba58b20
SHA1

2d1dbb1bf895701b7ae5480af69b50d6579697b8
SHA256

02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a
SHA512

23dd8fd40e858d3efc3ae7bfd324691dba305aea4bf18ef6385222390ebb031a6c4b77da4bbb78d4700ca943e1cd253fe1f466857967d8d08239674af180bdd1
SSDEEP

12288:DQRUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8W:DQRatr0zAiX90z/F0jsFB3SQkT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1992	alg.exe
1400	DiagnosticsHub.StandardCollector.Service.exe
4620	fxssvc.exe
1624	elevation_service.exe
4260	elevation_service.exe
1448	maintenanceservice.exe
4452	msdtc.exe
1772	OSE.EXE
4412	PerceptionSimulationService.exe
1980	perfhost.exe
4352	locator.exe
4472	SensorDataService.exe
4916	snmptrap.exe
4632	spectrum.exe
1832	ssh-agent.exe
2156	TieringEngineService.exe
4708	AgentService.exe
2724	vds.exe
4960	vssvc.exe
4048	wbengine.exe
3948	WmiApSrv.exe
1304	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\61dffc8f7dd2f4b9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\locator.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001baaaaee18c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074d95fe718c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e0cadee18c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014e5a5ee18c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000813a62e718c0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be878fe718c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b019dfe618c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c098ee618c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeAuditPrivilege	4620	fxssvc.exe
Token: SeRestorePrivilege	2156	TieringEngineService.exe
Token: SeManageVolumePrivilege	2156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4708	AgentService.exe
Token: SeBackupPrivilege	4960	vssvc.exe
Token: SeRestorePrivilege	4960	vssvc.exe
Token: SeAuditPrivilege	4960	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	1304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1304	SearchIndexer.exe
Token: SeDebugPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeDebugPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeDebugPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeDebugPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeDebugPrivilege	4628	02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
Token: SeDebugPrivilege	1992	alg.exe
Token: SeDebugPrivilege	1992	alg.exe
Token: SeDebugPrivilege	1992	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3580	1304	SearchIndexer.exe	111
PID 1304 wrote to memory of 3580	1304	SearchIndexer.exe	111
PID 1304 wrote to memory of 3888	1304	SearchIndexer.exe	112
PID 1304 wrote to memory of 3888	1304	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe
"C:\Users\Admin\AppData\Local\Temp\02ed26103c6e22f6b48f7a9989e5aac4147c4b9470210ea596955f13576ea22a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3700

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
57f075e40ece0704d49994d7f5701d5f

SHA1
3195ea056bdfc9583787bb8e586759b006263aa8

SHA256
d9e1f2cb8adc086008cafcdee02acd52947f13b45a102ece20bd0540af10af19

SHA512
0e3775ef531eddc62a9ab3be1caae07ced05b7fcd642f285a5ee3fd2dd9d8e6b0441804e6fb65be2da22246e51c6e22b85c546d71827c5b56d33c7a3150cde0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1efc7893fdf8c8536c68633a8e81514a

SHA1
77905eb9021cf2c246824b52174cf82d7d493b43

SHA256
94f0d59f7dc50234a9d5b26c01ab791c22f272c5c794bd35a208663ba79da532

SHA512
54145514db1546357e75324fbf6e81518d1daa79a64e7053c97b8c0a1807ae2ddcea17ca78a8cf366b1bb653996705c6ac057eb515ad701f7042aedd9f983823

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b62867c7869c6671ef2ccd55a87beb19

SHA1
c234b2c9c072d27edadf17b28dfca57f0aac611f

SHA256
0d7b09e43c47aeed4934d592a0d1838809da13c1d54245c2627f4c0aba8d940f

SHA512
1cf23883de3df480b8d04dd4e61e26038994b2045370c2ba0681fe02e06e66d39a6957877a2048a5ab75dcf6872fde31ad46689acf9479206001294b3e7e9c0d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c31f6512091253d8d6f805e4c2a7b879

SHA1
4ecad39c4e479569902881cfddfe39733b3f7c9e

SHA256
4f740b72da804a0378c0f6210b7c7e66a48200bee78038d6057b8f84ba88d84a

SHA512
db73a675345ae730ac55457185aa5ecd7628f8920fc8b2325d19018fcbba3cddd3dc774b65ee97bcb6daae1147c6aed1273164e6c8e7ff657efd8d6324c76708

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ac388631a4e1d66b87ba1f1ed9cfaf3d

SHA1
ecfa1a1ba3cdb02e04b3cba0c219fa47a3c8f4f0

SHA256
bcefed266f975a84a77b662a4f3fbb70c02b95bf7a9fbe76a5ae883b34a6d94d

SHA512
65a5e1786a5ca4775c572790f1fabf11779284d97bbbf65f66fd94c97bdec159ac96cb7fa1b99e2a576967df118afc6f0c18905e03b6d8ea26eb18b9a88b95b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
97ca683b9e44c90f7c3bccb7d975e855

SHA1
116b74b399a7ed844c7f5d0ec02bbc8141011df0

SHA256
f9d70fa5f7dd90b87647f9d1a76484d078a246c0d1bac816b29b813fa6a40308

SHA512
c2c8ac2c469595ef24748dab2db9d20666cd33475b992683a3ae1e92353abbb5c9a2b6932b926728169fd557d34212e120f9529105982210c98dc0394cf92c06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b3146869bcec3826b5aeab1808d91f22

SHA1
8d6628d608f662e39171e94d819159e807af6eb2

SHA256
878db58ecfbb673e80e5aeaeb5fdba9fa571a92af8316b69414728532a2886c6

SHA512
1f46d5469a790b02f5ac9ce2bbc5cd6712a246ca6a2119c5adaa8750fd4ced8dd84b16047a283fa01b3cc85fcdddcff1657f3c4629df0aaf42bea429dc8e680f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d98c3b24086d6f7b43f231f05b5b2fdb

SHA1
b59549e236e3d980c24554fd15363f29416850fb

SHA256
ac8eff599c856e50e2dbaea6b300526e186d322eef3dfd7067776b670a65d22a

SHA512
be5d9e4d928e7bc42b93f1db310c2e2297df418cbfe0929b44549ce81d5eae665807484bd807c8b5e3cd38db6cee8ff38e7f9ee40e743138007ac624970d1e56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8869f667704f8aa32167c55786a8cdef

SHA1
014591376df0555764a619fee96e42f548b1c462

SHA256
b6fd22d09b4c1ad11b3dcad134e70daa811b25902d678e81e77837e85a912ef1

SHA512
db006242227e311f09cc16ec588fda490a9714a78a0d04837c3f46c6f64018e0cab0743154f012fcc63a45186d2dfa678d7a24b65692e3a9ab77431137aa186a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6d7f0ea4673593a25b754b47e76abbcb

SHA1
018d2736a08051fc51d025f570931e739bb79cec

SHA256
2fcc9e173dd1a89dd853bb4b47259fa960feaac98af02c954ec3ceaff9ef7740

SHA512
be76c093aea5a8cc677661dc9ad3509aee711f22e19ea17eec87f95993963a0fabce0862e6db7a3c0b2f3ee8c73f4546000362606369c5ed41d47253c563170e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2db8db72f3db0e2e7e5adb7ed105df64

SHA1
1905f09c0ef6e83db99c09d20ed72e79569a268b

SHA256
8b79c6b8728e32c38466b969ce7a67192211194a3947e18e7993a305fba6d886

SHA512
b7a458c05e365d079ca6a2acdeff6cb802114eae4f0b8b09e091cb3335d20ee097a0c94685c76a5be3fcd79c6d4947486334dd645c4e191ecce8e52780f7442a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0652f46d4633968e0a545b1916e6acd1

SHA1
b355a1506df2d0a825b07f1dd3b71c4cf4b03b41

SHA256
6005fc992309d74bed71bf27d849041d2e40db90c91f583308f1d3dd4e2f9745

SHA512
027360a752a23332ea7a417f2819fffd221a1f9c47d637e87c9ec566a2234b8105c12cebe7069121af74d603e7c77507b7a0dc9861fade1e106103bd81bf5144

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
13262423eba097ea1173dfc61e9bfa48

SHA1
a7f0f3bd940c4e4f3a2f7b20e07b6573cd7ad47c

SHA256
8543ef8186f76b5b304a440a91946ed705ab01c0822ad5df826495ed5da3bb8d

SHA512
63017db3f2e9259379859c58e20f6c0ce4503df42652fe8a12fa9488f9b51c0d63b3c7507866d4495f66b99b4818886b2a2a990eb6b89408b3135e426faaa9a5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fef0feb06d5708514205998a449cd73e

SHA1
64b1acfd12529425e2cc7b592ae5c852e691fd7c

SHA256
f21454d089de332ecfe5334d7ba451c4b455611b93dcea90269fd63e85875f55

SHA512
f5285083f76523da5de277572b7682f317b6298f226cff6189f51a578dcefc19d6893439fc529b5b342916d360c05bfaf0dd4830df313bd6fa5301200a5c5870

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c203456719bb267f2d312fc190d0bc47

SHA1
c26546c798728a611a4e2a5468f92aef72b1fbe0

SHA256
3073bb3a0ae8b13f04bc6726e932dc98a115de062fc0c2b829cc73281bae94a1

SHA512
0104f95393f18a5ba1aaeb5878f53038d2856dd52c113e040b82f0b89d76c07c386683b8d9af06513ef191f6e55eb0bfd26db6ad8eaf09110509201df0a0d426

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7b0118d0c4de60d6b04685c22aa4300a

SHA1
bb2e36a2902c4eeef8c077f78574293643634779

SHA256
eb7bb4dfc31c89108c49000124f4428c29c2394a0b924669960abed61a611feb

SHA512
cd1f3b68256e99b1158c96c223e4ae1beb957abe568bf7e5c0cab047572e02e21f645f613bbb20271f8c381e53bbbdea418878cd3fa2f25e02f473ae8555a4b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
127467f025dff01330c255eecec8eda3

SHA1
20373eb72cd0cabf0a4283677cde9c0727e1b396

SHA256
200bc61e264d5730d96e9dcf29873a2050083d832d6c0b66a029f8661a19a3f2

SHA512
64b8323b6727566a54f3b41a3745da6df8762cd223bd3179fb879892a0f85a21936f018826b7ea63e30229a0e6558155ff309565c412fd8f923d6e496a5635c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
83b50ae4799d34694d0ec93473c95d86

SHA1
edce98421a15f69a64a563bc6a39a794fdfafd48

SHA256
024defe3a3bddb982c9572db2bc0084296caf181c39f0c45bd73eb3d4a93e8f1

SHA512
91170829550e708d929d92d778c0194d7958f98c82e83539398e9a636addfad19a0b63fffe33fed4008f3cd4e07fbf69771cc8817d688fb1e6462c6ba326905d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
da1265e50b8e15e276b8042252c3c489

SHA1
e1a7dd0cdc53ee6016eed91137ea81bb13b3d858

SHA256
a061a28f9c71e45480f28640b0ee32fde957bdc2c2ce1cd9ae605521631f53af

SHA512
2453351e486c27d861700adf021bb6facc42e157dcd835da4f53f1fc04719d527bae4db0760f21e2976719bb199e443c33d153455176b9136e9e5934697813f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5a5d29d5ce7748e19618e79836a631f2

SHA1
74df75e5c67310b858a33e40753cd6defbaf18f7

SHA256
0e4c51585e1d4e03ce4e4aafcfba87920cacb9be04ac9f66059db24be97e5b57

SHA512
75b3e09d517f3046f12a5c746a3e13dfc997c1789ded54e43b8d55c8adbd787a3260ad775ef79caf61ce1d67f03036dbe67ce23fd16698a3a08712b341ab5de8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fe732067b3688208ae752b869f912c99

SHA1
1c8f0368f3bc53297de203bca8f12d8a0c60d21e

SHA256
1ac3ad6c624871bffa9c0f927a4ce976b37c1589e57f4048af79f1375a499368

SHA512
8cef4ab3c421edad7ad3fe889671876da7059862997eba862e0c537645cac493c7a96f09eddc79059151ef78c74384ef717dca8d94e396ebb72dbfa4412e86f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e6f6d08c091d8cac69cffdd39b1d0621

SHA1
1faee6a5e4e53e9e3e25836212b022e9d508c7d5

SHA256
050a31a03a904fceb65e7d5d42afed6dfe7054738605fef064b468dce0f1ef78

SHA512
3b0011faf866f3ad100a501db15ab9274cbe5424d38b6ba906b7fa3ff37f2bf1718311208744f6f1e7ac9bac59a88250b5a0c78ecb6e7bee8f4d5ef452e2b722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6ecf5e4daf6b41cb519316a9ed951920

SHA1
855b5d2ea16e1f62fa43f13fa0c9e092d2a81b3f

SHA256
9dd9364edca1e82351e452bd3f06c3713730ec05d96b950a873b273024284daf

SHA512
6a5bfa551f9d7e68a1c122b3e6340741149da663fe41faf33b5b34a2f98fddded92d107e1b72fff80e3dc6af36590f22044ba00d5e0697baa2ef3acadf095e90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
487354d1880eb95dd406213b5bac2b26

SHA1
280e440dd7bd0a291ef846952f287982ae841710

SHA256
f8ebde45bf98545e50fc3a80dc72302ee3a9e803acf5fefe74b15d9625be8993

SHA512
de61e921ae0db31cfc7f1b8b7f49a808f0857d4859067769d2e76824679551891934a5e0cfe7a3ee4b47d945fcba5313dcc7470a16caa687ce35315f298c16e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1946fecd31c2f3905cb2a5fbaa361193

SHA1
b01a1fd242e47455e23348bea37eb86f9dee9284

SHA256
b1c8f3cea0eecf0b4ee130beb01b24cb20574cf49264c7e9ecd444d37afc7351

SHA512
e9b989dee66d9e98a382bbd4187ab3565b5cdc09be4190529e3b21b0dbcbeaba4899a2a97123195ee6e6e3d8cd25735bb36dc017f1a51acd14450c96641b8c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5493cd719e44ec7470946927de41f445

SHA1
fdad0f2181a1bd5a3a36c412424432e81638db92

SHA256
3e6508eec37bfcc556ec7b8e8609ac0c721df28378af849e3dcabcdbee28aa85

SHA512
722de6cd36127f008374cd41080a2ff952679143025139b24c41b9c4f414c7fce2d729b40d239f3862a75dded0d8617e83c4cc22c61d58e33e01feb70a980fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d2711ef905c205398700632e17299720

SHA1
9c7ae331099d79c4ff6266e875c161cbde7fc090

SHA256
bea6dab6b4fe1c01309c9b1161563a8b7b377ea844519507c53be031c5c5518d

SHA512
8d05a266e7417763f9bcf90cc639b47a88e6b62f1345691454da014fc111c97147678b4d34c5e115aa31b25c0829760b4addd327ae960a364b067de3ef3fa061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
5f4938a829582d7230f22493dedf4fd7

SHA1
d7cc6a4f5e635d05282e6205b73ecbc7d443c3a9

SHA256
ecadce231f18758a8bfb69aa82fd066f71489d116e87097233d437f5d6b64e87

SHA512
d0176d9b6a143c7ee157939a75fb062c423aea9f905f40ad6cd4c243f196d1e7054c02712fb23179383d957b00985618d77b78784819ea864f86efb5a195d6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6171e4df2811c0faf9ebdc2e7dc440c5

SHA1
f001537654f5f8a407706410a412aae380bf4c91

SHA256
570f352b652bed27eed0faf7c5eb2f57197440f337dde6e8ac159823b3f8e436

SHA512
60ff74f7d4abf5e65576aaa7e6f775d04a8beb22265ca0aeb7036d1eda5401a8a4cabf73c80d94f639c6da69583109442fb8dd27d40d68327989900c82c16137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f8f2bff4289ea1fb89dd797f7ff4731b

SHA1
3ea224c4efa91e4cc91e74bdd8ddde6c4bda1576

SHA256
dd71c990b220a8b0a8a2bade7ddf11edb70224392ca105dcce527a6d667f2c7b

SHA512
e02edaa9282d21c2033d3edaf87023bed1d10d0f04528a5760654a632b0e1ecefe19d5357e51e9ffa6d2e67865147104bc47073af744c5afc4db86d30314a2ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5d71b8aafd525c49b6a12790c29196be

SHA1
665534b774f980df0b400777eb4b85d249640008

SHA256
e2ef580290aa6a1ab753fe56ffd994fbb8944b52b52b5cfb760d5b1084087682

SHA512
b5ef7d200f68670da4920528c7d29c1a94d9a5f031f500fae2625526a2c839ed7aa1f1a2d2f559393bd3c170d9d6730deb2dc99a3275c661f028f8bf604e6f1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
66790d04c65ac6880d554e51599b77c3

SHA1
173c055f74d688d3d2d587ab8b332218aecf95ac

SHA256
619bdf2bc92fa2a2ab563f261600d2c790ddfd31df51068b56c509ce6ef1bd8b

SHA512
bcd9d677d5c7acbf32cc0b3736293bbe1fb7dc31fe5764b6a0a1860420259c0b5e976992f7aa5f3548aaf1b2b9802c5ea96ae6a2f5bccac940b2fb4effa69521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
bb1829b9c8a0c7586965222d7ddfe048

SHA1
c14655684f8fded190e2cbda0fb29c74126c6054

SHA256
3b86a4be6a193244d8a0595a5cd410128d2f03b5822605602ee0d5ec27828444

SHA512
05f0d5ffc027b3a01d9d178b521c7c2e20968bd1420130fb457786982a216ea7e5a01d1c156893e99c75eed8139a1bf4c0f4586b095c8fd124c6ed4ce4ce9bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7e2028e06dc7f6bbbc8a2b1f9fa1dc31

SHA1
ba3a2bf6b0c7f99d19c3a8b0b45c203003fa710f

SHA256
9d10008d59084fb4c95c04ee75a74becb3a806fd471e6389c3cf61a7638f25da

SHA512
ca00141fae497ae59f1a33a2de053a7b4f0d8958d57552d6fb014ea9772b631c6a563b278e979f3a458eba922c9190a7104d2723ac44836d33fabaea0c6bdf29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
f9d0c3e42ac21f10da4805e135c1fd12

SHA1
76e7e2c12c755b2a2f4a0354b531fdef0acdcf0c

SHA256
daf060c82cc3795cbd6ec13cdffce80380868ec052013c17306b9a54c2ebbc9d

SHA512
b78acd0c29fb45424069440b8865e065a4bd242eaf6f3b484a8ec54e4948ecf1e390cd146aa78a7939162e417b19a799ce6ffeb017063495e78e2512fd3e37ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d1676b3278b0b2857ac36a59fc6fd9db

SHA1
60273e6ceaaa61f5254431fb8cbeea6ef541e121

SHA256
07197ddb662b88de913debd63baae2acbd039e234fcfe04137e4d0d9ddd388c1

SHA512
c3fd732598e6926fbe4d757a16364f5538991dd67ddeff18c9fad09220bc8d56545770bd0e34f4bd8b00a1a91fd494e3ae40cfb28a3ac174034e2b230e4f9fd9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6c637c69df062e32700cf6d9ea9d1ba6

SHA1
a0043fdb05e2acb04afd1310274a1190dd7397d9

SHA256
e746e3bdf77ccd2b1cb82089a5a599b0308524dd985607cfb24ba63e7cb11c0e

SHA512
e23500e5d9086fd65b71f1cdaf375a5753dcdf3db06b495188531107d29d669b010e233bf6ef45e73e02e8ac578524e58cc078219a1df4cce46d06128037bda5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1c5e825ca962b54e32a584f177fa2d61

SHA1
fc0f9c62d0ae0793ab401d79bb211374a034f89f

SHA256
142f693bc1b75ee3896a44863be9528cc9038b54394c3cb7cfd24481fa7d1b9a

SHA512
ff8ad54652bee76e6c8747937a3be171fced7c0fc12b6c81441be6246e6d2659040e1e85d1b0dac1837a1515e7aff2fcf3757746f649aca618e650bb56b02d7b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7ea63249f4c5a395ed83976d096106ad

SHA1
7a92a396da62869045ac5df941a554ad1247cf88

SHA256
6797cd4165a4ad43d81d98fdf475f0048becf9f1d36d129de3146590f804f0a8

SHA512
bbb007d901b2beb64a5fee146784e75e6626ce32845fc41ae3e76f98399b75f652a669fd0a453c07959a04125d492c0234fd4619245287dbc1f7c1d20fcd23d9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2db11bb47d6f2fbf1585a38c1837a3dc

SHA1
fd094688e7f3e96b23472ec70d914e19f74fd9fa

SHA256
925a6931a6963ab703e070fa82358b03b718ee645b6e6376b80af64a58dbc811

SHA512
9970737e9689cc6d1dcbd6462c9a0e0425cad251befd1959cf2dd3f4781729c4805e43c20d1484ea80601fa544d63da058f016a56e6c438ad42436024443a595

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f4bbc8f6d3e3e3aa4ad9db143c698836

SHA1
bfee1b658173f0146e562e45a061ce9b04d43fd3

SHA256
6cd61db0d28103ec8b0139d413cef28e21456fc57a836b466ad0874c5cd655cd

SHA512
35e01e7e2ae3d123faafd2cfd89e6120479a5ac732a6d77b27e8310df640b8b311b05ee113ea9fa9342037f7a84aed58c2333afdd678ef1645944b1d6b7ffe7e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
228a91b35a27be9002eb2fbb6097fa61

SHA1
4e2cc8ed11698f1981a640d9d09f698e9599fd36

SHA256
15588e293f3149f3f0487a02a803fa1d04b97b0421f4566130a1a1426073c220

SHA512
ea0c854224277a115932262f938014060be8773535f4cb01e9753d184c86ef45fb604ac2c17c4ff3988691382582f4049c7a929ef77d71a2c6edab56cf2226b7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
59a579a68bb4fde009ba1d9fe76d5055

SHA1
a21ab1494e976b2dfe7900778b1517b1760d899f

SHA256
8e050d9678ee7e4b45467f438f01032fa29eb37f898ac4abdeb76e0646cb0964

SHA512
fd4c5fc4fc0e73e7570aa79d8a78508ef5333c9f716ec9df5fe79abf7e476239253ccee61398d03729ea17d679a81a27862e46b86c045dd6d192645bd4576569

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d5fdd0486145b9f71ea707f214c96811

SHA1
5f85dc8eb9e7a1c041dcc271daf9e5a8d8f99028

SHA256
5c197ccae98add29b0aa5a3b9b195e975b9cc3702eb6a7531c88967bfe2327bf

SHA512
6e5f166a06c8d28036547718d291afc844ccdf3c8bfc6d50fc84cf1fadbc041dcc706511610a02c903a151c5c3ba809b548dfad8ad556cb8a97297c5fdaba4d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3e3387f510de4ebe7a147d3478d37e66

SHA1
7fd56797bc4957c0375042bd573c78c9663500ca

SHA256
b374b9e17adcf6f66005aeca565487d0a93bb7f0294eb484dd3f118b1591535b

SHA512
67f974bd784ca0a7dd3111935f1f549aa9e6f12daf25f61b0b19e0a75db6d765b3e5d4ef43cad9ee1e30326a7af62f51fbc4ed1f4f9773ffcba5a7a99e3aa3fe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
efa706e5a9030cd68812566f9365beca

SHA1
3cddc09c2748ec91db8401a1c573553a22d3d6c5

SHA256
cf2156677ada9ae343a740592f46bec1d67db9806d7469ab02cf7d71e210691f

SHA512
77b99f8a44aa9d603f99f5a825b90b6a02daf9e4fb79ed2c470446b7d75091c191419aa7081b449286a89d72e9b806d7454b6b9894143bf9ab71f99f8ab16d12

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d16fc2dbf332257427228db683ae0fec

SHA1
2abcdf8ba282a8ffb0c9565349faaa8fe0c2779f

SHA256
c843ff22295ba2954ec360ef09d212655d1e384c6ed33e13e5454f768324ea8b

SHA512
bfc165db9b53243e480b6581180f53c6a6fe90751097505838638a5316133d558e6916eae7abb60ebffbc713e024638a242d1eb78befcad45e150a8e4684a3fd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c5f4ddec3bcb7735c0f0579201ce091a

SHA1
cb47079ac4bb9aae348c02da20e41b24fa8bf2e9

SHA256
a7c63e8e98f58800481d4a80dc5275824593ab289b8ac63a17c152705008cab5

SHA512
244da67018a0c36cce005331439fd95d9dcd020813897c7a7ffb3bdd356b7f55160f5e20ed0b554b0a635671e555df30d1324bce80d5c2a45607a51d41383875

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d5178eac0156e3c9f35205bfd4a49204

SHA1
868f9c0c89519fa14fcb69933a89835498242a0e

SHA256
1ae596b4144176bc50d8018ef1db7d1e64825638538e4e44949e0a4f29b2c49c

SHA512
170545b04743d6f7eedf840fe7d4f16e70c285224fb6949ecf4d2f4bd5e9db466cc8fde896ecef2bda6c05fd934d95d3cd0feced2a1acb7bde1f045e76649976

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f235e75c30c84b09e0e7b20b5ef347ea

SHA1
12a02cfd16d15871f030e8206787cf475e6536a5

SHA256
39ea19b1ef55492a90c5edb3b92dd9c7c0888aa63e1634077dfe48245c5ac645

SHA512
88d35e2da4d5cd85981f27f766bb1b552e12d78283418919bf6ead997e74491b3fd22c6ba1304694461821f303ed398de5e2de08411bc5eb52bd9734de3e8a84

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d341ae69e77480e50b5eba88decae22a

SHA1
3aa7218de7069e8e2fbf4d794aab10a785676932

SHA256
c52b193fa7da752e5e485cae078424b3fd672cb544cc3f9c375255063b590e13

SHA512
90ecf6bd84853fb59d43529dfe98b4d38d6f2be458c94b83299a365e47620cddde41606d2395d9b566491b658354fa2ecdcc5792957c91e0457d653ebe8c5bb4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f55acfa389725101293135788667d9fb

SHA1
2fac1ddf2029e19ce67f92f8346c9b7ebecfc49d

SHA256
a2ec45a9273dfe2c49969d3b168d4e2d43a5100afaa039f7688ff8d504f4d314

SHA512
004f1874a7b0e87ea6e90eb3b8b78fdeba00f24e415ef3719a934f2eb7efbc538126b839de566482b75539411bf5a19437fc5b67cb1d45be285b466ac82c0551

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dc225017a582946cf5653ef507886da6

SHA1
996c9e4b0086435b4921cd6a10a9058259d5b3c7

SHA256
1ffbdb7433c00a5e416c7dccfec93abe29446527d1bea985be0bd7195e08e2a0

SHA512
26eb6a4e1bf72fe5166c5d6b37d32983a6ee6a72e60687554dbaceddef649c065d6b3101237c3fb4ecebc0e2418d5a89b93a999711b15814e49fa9332c89aeec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3a30a67dc2253bd0c4e5b6007ad9fb21

SHA1
97768829f0886342fed2c91a6d590d999e48631d

SHA256
5f57a5acfddd3736296e5b933d9cc17ad86740d8c1f72f3a0c2fd3492569af3b

SHA512
bd6f238a078697f80ddff5dac65f66753de6d52ddc2afa1bbb124c2775fbc0233fdbc53abe27aff19b085f46f34d40e947bd202da013fddf21f35b850b90b8aa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b8b0a4ca02a8eac09c07397c87aea0e4

SHA1
806e4a514c1989d233bc46c9126f885c5e6387dd

SHA256
87e9e9e9be9dfd15e5a2d4b08e19a4c8f51fd00f3e764e35f28f834a199c4251

SHA512
50c9e94a24493e0f4ff6a9db85408ec4a8a7e56dbe63d2999e91ad6d84d7d57cc450cf8858647365c8ef8c7433d6e164a670fd8082c9514d906c7539f537ae7a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9df0087c846bc770b5fad15bfeab3e96

SHA1
6e6923c7dce19c7f4dbefb3202bab458b2d87687

SHA256
a78ff1a5d6f7793006e860d32d7a0f06624a4089aa6ccd739ade6c2156476be9

SHA512
1f83eae63d22b3d8c971c0448f38435267c301ea4528a5ab8cbdbb9bdeca9a1980e1a73273ee409cb5e25ee68018cd10baae3c3a465c062a43659b70ec06e089

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
266ac0e72353aa307de0d2422900520b

SHA1
0d2447efbe4a2c02490aec8d5131133deea36d25

SHA256
ef466d06b67fed0d2e17c25de9baa960c80170e3dc4ebee3193924c2c93b20bb

SHA512
e4dcfb7d0641e71b911ed63c900d758c2701fdb559fd971a1d36d4162017ab6ada1ba814bce68198eb3ae1fa46d3227363f5b7a086caa81f860137b30e55435e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7bce9ddd2dbf26d0ae8057307bfcc0bf

SHA1
3414a2f148047d96f200aa948d91c8fc920e3d64

SHA256
b51419d8823b784938579946555b624463a9a54bceb54d671b55c80fdf8ba052

SHA512
04f28299b402aa18934502ecab91f0ac149f1e50a013e16975c915fd53bb0afd623c300bfa15cb52766e7d6d1c5cd41e787d251e32f937cd6aab707f687ba2e8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
718dd201b1de387554025b4806d54e7a

SHA1
60abcd1045abbc16a6f52096ffe286f81faf549d

SHA256
32efeb475856f4390c0b75e600a78a3c4b444baa01573a2294726a10eb65e4b8

SHA512
1845821f2d0465994bdb29fc1cae38e91235a0ee90902a33dca91926954968b3e4efc9603804ec333f2914a119504f01bfe59ff4034e866baa6b0e6498fab43b

Download Submit
memory/1304-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1304-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1400-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1400-31-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1400-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1400-124-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1448-83-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1448-74-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1448-80-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1448-85-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1448-73-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1624-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1624-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1624-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1624-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1772-104-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1772-222-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1832-186-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1832-520-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1980-128-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1980-246-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1992-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1992-19-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1992-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1992-115-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2156-528-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2156-197-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2724-529-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2724-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-584-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3948-258-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4048-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4260-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4260-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4260-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4260-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4352-146-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4412-125-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4412-234-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4452-97-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4452-88-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4472-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4620-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4620-46-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4628-0-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4628-96-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4628-6-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/4628-1-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/4632-498-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4632-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4708-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4916-402-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4916-167-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4960-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4960-580-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download