52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
Size

1.5MB
MD5

0ea25a7a4350da5801c283d765825f2b
SHA1

c0716d04af43cd08390e718338eeb97aba2be554
SHA256

6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a
SHA512

57701024086251b20f682fc60440ddd780bada4a4bf74d4ab0fde75165a5bee1ab43d977f5102644e77ffc77c781c6fd1c79e169fd2b8e0d7bcd9aa7b51f2ced
SSDEEP

49152:DAOCsqoYbErLkxejJT/+EGq4xWhivPdOOq:HYbEPjJbYEhK

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1796	alg.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
1056	fxssvc.exe
2512	elevation_service.exe
4664	elevation_service.exe
5040	maintenanceservice.exe
1512	msdtc.exe
5088	OSE.EXE
1912	PerceptionSimulationService.exe
4236	perfhost.exe
316	locator.exe
3064	SensorDataService.exe
1368	snmptrap.exe
1800	spectrum.exe
832	ssh-agent.exe
3300	TieringEngineService.exe
2688	AgentService.exe
3636	vds.exe
4636	vssvc.exe
4900	wbengine.exe
4308	WmiApSrv.exe
4468	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\System32\alg.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1e31ec1983eaefb.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\System32\vds.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca5365097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053b2c4097d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcd7ea097d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041cffe087d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044c899097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000820e9d087d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ffaa8087d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018e91c0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2088	DiagnosticsHub.StandardCollector.Service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe
2512	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4496	6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
Token: SeAuditPrivilege	1056	fxssvc.exe
Token: SeRestorePrivilege	3300	TieringEngineService.exe
Token: SeManageVolumePrivilege	3300	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2688	AgentService.exe
Token: SeBackupPrivilege	4636	vssvc.exe
Token: SeRestorePrivilege	4636	vssvc.exe
Token: SeAuditPrivilege	4636	vssvc.exe
Token: SeBackupPrivilege	4900	wbengine.exe
Token: SeRestorePrivilege	4900	wbengine.exe
Token: SeSecurityPrivilege	4900	wbengine.exe
Token: 33	4468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4468	SearchIndexer.exe
Token: SeDebugPrivilege	2088	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2512	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3592	4468	SearchIndexer.exe	108
PID 4468 wrote to memory of 3592	4468	SearchIndexer.exe	108
PID 4468 wrote to memory of 2024	4468	SearchIndexer.exe	109
PID 4468 wrote to memory of 2024	4468	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe
"C:\Users\Admin\AppData\Local\Temp\6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intel\Logs\IntelGFX.log

Filesize
1KB

MD5
5033d0c068d234a13de910017d1fb268

SHA1
56ebf69ab4f3d3d1eac5306526bd749437ca56de

SHA256
12eab01059ffe6a1a76b1bf6031b6787032ff9b60009e042f4c959351d6bfd3e

SHA512
53edc55c54acd152c6935ae2b60af681b01ef41e855442e2c689438083402c692b6a5f7668e24956421b244f50aee6ab471f36d9010e352c62a0ee2a56b7dc10

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e96cbd84309ba62ffc77c0259492181a

SHA1
fff239887209c2063063b0cadf29cad4027bd821

SHA256
a791357a351231d96530f3ee43e3a02762bf4ee39c6aeb9868d147373e877b13

SHA512
16478f0908041c74d5b40827937eab0648aabe9b1f57a323da63e00d4bbb0d900a2b12dfcb61c2f913857a359c939a305f3d9079300b93b30f504f9f3a0de4ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bc41fa60b3181ccabaa39859275fe647

SHA1
9ad6f25130a1283b67aa263cbb876107e72c691c

SHA256
ee1a46fdc024607c695283f26550948717ea947e630923415ab9fa1ece50915a

SHA512
fd280067522dc81ee91a272b2c772919062fd83883891be37e50a238bb41a1d391ff53981f56123de51741f8b9badf78215818f90b60961f17b602f636dcd8a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
6661d1635edba08996fe3695d160af55

SHA1
707687fd893e0836ca8aefef30f42718ca363a6a

SHA256
8bf886ecd1bdfd4e32dbd8a7fcf7df854b231d89d7861ce523515112a4d96d00

SHA512
3b725a295096f8fa49f854a9405c14a35813f1f821d49e504b96bcdd76e8991170d0d4c19a8fca377e76b77e5edd7234c2aff7536e74d2a0d340a974be5148d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7db0d93bcbffd8f05d73d1161cddd8ce

SHA1
51de4f39758710b4eb1ec4a86cb460b4e70526fd

SHA256
1c8a8c4cee4d4434c0aa557fa92630ca9cde9742c961ce9eddf61ae8798ddd5f

SHA512
821c4989b57a75e256dc39bc80870e1414c4e9388dc7c0bf006b8ce410787a6adefd3056c47e9da47d89b04a7c49fe414efe005229d2b3d88170d2e3a822fd7f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8f79677b59715046f7f264042c58c1c6

SHA1
26d18b1e06cb91a81460c967b1190a5bc1609fa0

SHA256
314f9cb1ca50ae642d3c51d06dff52b25dc86349e21ca9d15a321dd65c53630d

SHA512
2ca6cac3c78b94748305fce33bd1d9f177a35fbab8253a96faa7e5287e76f7d6d90ecaee811fc68eca9dee79bed2fd3e2cbc20a0e4dbedbffe81226acaba32b5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
477c0823ec2459b1495c330be2c1698a

SHA1
0d28245f6f7ad8d2e98806b6ff6d433d3ef4144a

SHA256
3c4fa8cd0e3e37db598b2900e8c8a8b03bc0ff7ebca64de4838111d4f19f7015

SHA512
50caee353c0efd17780a567d1d65587d7f9c9cc34d516d1991295d90bfbfe68cb59fe36948ac4dbf239b63d19c1e4f1674a5b1a280fcd938ab0e0264ac87806c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
bc94607b8a17e0bd09ad8e33eb168f89

SHA1
336dd2ebe4721df77fd5d329177d9cc5acce47a2

SHA256
7ddb4925da22c04da048e447325114e0e1f7b46b0f9b66ac021e41bb4fac9f38

SHA512
0183a4c1b312f4c39b53abc117982adb051261c175242d094c8523b807b3f71bc9a5775e138e008c9726ab43d2f2c09d9c9a071f4601ef6ed44973cc25e9290f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a507b2f0948a48301e1919c52255d8a1

SHA1
d282ad0866f0bfd6c05038ca762fe0a9d6dc82fc

SHA256
937925e1174dcd088abb348fa3afa32af5ff70419de86c3147c97267c5179810

SHA512
564c6d5f019a576b3258b5beac35d6664377331a5bbb3e7be961a8fb4c42e4f826e6b8e6c4181a7d2a8ec8f6a8351abcc99137d74208708e77a355261ced133d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
c928faa6ca66d8a577318478d2d554b7

SHA1
f7c93314966e0e553c61ccf4424a7cebf70b2bb6

SHA256
f37dec3c501bc1e5429aebfc6b2b3c5761d490a32cf5273599afbc7dacc0bebc

SHA512
c7bcebd27efed61d32cf8c56e2076c23abf80f761d1e02bf33a342e1eacbbd881f58683e6d3c6449830b868ca072fb6d9668a00f9d18eb54f5430ae5fa95a3d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2d2a969266db14c07b427f9cb76a467b

SHA1
fd7ae5f3d9a8c7efba28104b6a5afc7100804dfe

SHA256
545b42b51ad50f96ea675e56e2305779660fc7ebaea6e262c57bae033f587657

SHA512
4f8a5ad6522f0fd86d1dca202a2107b6c0d78cff6f1eafeac04e46b0f48a1c9e551445c8107aa0e65b1d3c5b16e194dc68447ff9447b3a8099d2a501abb1886c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a5c8a7ab25bdbaeeb89f5901726e9c23

SHA1
7eb0a5b6009ee7736ec821bae70dcbcb18bc9ff1

SHA256
1a76ea0073ac71f2fd08e42fde43375be7436604b679dfae9ab60027d562c0be

SHA512
8afad11900cf2b37e596652e5b375d34c3dce67cf3f5413ee444b09f782f8f9fa5ce3aa6633b63fe0096239ac2e911b47e11025e5b3a8a7a0bcdbb7c3a605560

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
27747bf26a1566006287c3491f122d5c

SHA1
72137160884a0d75ff10a592f668fa4682ce8297

SHA256
abbb6f970605f4433381044a263281da6c2472b5e90547a0f9db156ef6ccefb3

SHA512
207f7ebcc0a49000bbed1e7b7b28ba6461d1417cdb53a65dd32789d2330d525910df394c156f236bee1d1336ba19c75592bd6af0a1b94da182da7884bd8ce355

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2c9bca67feb98482e4df0f9301958be5

SHA1
2f1428fae72f458c31268014e7b39b1ff1a96c26

SHA256
a081201d8b96006f4dfc733c3574570b289dd6a34b58441a2c6e18cc90303cd3

SHA512
7089b530ce298a9fcc5474dcebcc77cbe16f59ec148612a9c86be92566a8cdf5ab9e646580bdb7e4b699bdf91d2e802f781df0c77a34e88dbde64d7b5f38d83a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
65563dd8941a1ac4572f237ea81345b6

SHA1
4524d9a79a69ef3f407fd9c4c6e4b1db7e00a685

SHA256
3be72bece9c0c6cfd3a4f4383d6153e020285b43acb8a535e59f3075692235bd

SHA512
e06faad2f6f14c0ba0b3dd130a96821966362bdad6e5c77e904ec4b9f3f2de740af7774d6c04c83d1591571ebf117e03e34a6fae7db56e389a15e9aff6dfb819

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fa49565cc903a4ff5d4eed570ffcbfbb

SHA1
056eda9a9ca544377061ae9c8ebb4ecca47307c7

SHA256
4c1d001ee15582f7a6826768e873fbcb40f7f3b268821d7d068080fa3f8b9ee0

SHA512
2f3454cbba48fd94fc084e56d874d321d2ec4014eca251da13a7bcae358375fa0bfb791c7a22a332c4eee4913a1a218e510cd27140e6d2f35f8def69f76964f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
aea02334f5a7f49965c974cc536c06e7

SHA1
59449f48f4c0129e5fe61ca94646ed289158b0fd

SHA256
f44dd0a05e7c462bd54e62928b8b824753eaf041fbab73d468cd715614dddffc

SHA512
0550358afec0b62b729d1ed74afef2fa09efbddeafde6f6b51974871708f60dbd48439e9ca13267a43eccbf9dc761018bce49e9e647b814ffed8661c08aad8ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0fcd70d0f6ad4acd6686f8334ff970fb

SHA1
69a3a7a85d3aeb0d196f86ebb09f3c4a4aa9c1f9

SHA256
24257daa1bf78387dd177bd3e231e16e85890a3451f221c82d3a86bdb5df6921

SHA512
a2ef38e3fdf96230a5266ec37d9f8a43553c669b3b67afcae9d705950c2069aa1e49ac4f69c52618173e9f2260832f1a348db0dbf664800603b8010bc3cf9950

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
336d76e55744efa9a5146ef39f77d83c

SHA1
d3f19e0cd565d3da2434ab749eea97facb2535e6

SHA256
b5afd3ab1bfefcebcf71b73d71a985d0b157e9d9540a0b13d043b1cd64e9b901

SHA512
f19bf135f2223306640584e67e7e40d835b289bd0f2336a9d5c284f81781b26dfa67fdc8a829faa9d06a3674c15d865d0344742167fff4ebb31d80a23e730fb1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
54b86b578c7af9677aae9336926a3adf

SHA1
1cb6b3cc3008fd1da678b8969d2d630185f90aac

SHA256
2b311720e65ea5924b4956e619825f8885ffd6d799c50b6348ff240d638385b7

SHA512
9de126612f360995ee3b08c21edbe211da79e2eac649e2d5b657ac225267f0d438eb57ac3e1b760f2930bef5cbd7c625a41717fddcc3bc061334beaf099bbe35

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
51dd24e6185c371b8114ec2421288d97

SHA1
9c54705b7be05e0327d46d2540a716beb037e4fd

SHA256
1f88d8d8db79b5462541cc6b5f725324c7d3ca8a1dd998658725bf718098070d

SHA512
23842db7e0c340acc18dc8b2ebb3f176250141155914e5acd6779b4ee125dfa89f39c40ffc4f17e4bb19c38093e927516f2424344a35206bffb327d0576fcc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6025dca5107cd6ce16389eda613e2ae1

SHA1
cbb3083e40d2f346bfe2d330f264eab4d6db1aca

SHA256
d42d1d6affe69e6b1eb63fd3a1250e66334370b1ec76e8d25af49f605934fb46

SHA512
b1213df83d88ca40d8cfb52c94163e66b8617b4e2ed3d19ce27be27eb702eeff60246832dbb62ba4ecd340e07adfc218d7533795ad7e4862000e6efdabf545da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2f8e8bcefdbd77768b22e6953637b9cb

SHA1
dfbaa92dffffec1734d39c0b629d58a2ec81a0c4

SHA256
1ee0e66eb08e18b1e9fb4fc05b8a3a5aa149c7155118a77b112cde5f403192a6

SHA512
1d3ac324695797f2f3539b92050023cb884794462214a4a6a52f3db9583fb75fa01dcb99a5f684a25846f53da682f9d4d1ac812748fcf3491edad252733720cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d3d768702a20d5f93179a9cb286da3bb

SHA1
71450e89a93d1614f3e97449f2a7a837300c16fe

SHA256
5bd7b01084112fdfda70892ce32aed6b6ec5a8b893b830a5040666b53c879e99

SHA512
2d65f9cafdeb98f770b378bc3fa0580a5e376dbde250f1dcf12d62a0309bc64e699dc2e1263bb8a65fdfbf103aae1d929e6998929310788fb50b275f60c10ae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
f653c88fd9f3093bbc778a4702488044

SHA1
6a0b930a9d17e142112a749a0e7319675250a92c

SHA256
de2dc26a26378fefc5d779251c86b093c0bae6cf23211c2077bcbc79d87f451b

SHA512
1e0bfbf3ebfc298bed738dd65eb2488db6123da49bf427744807b9ac4ccc43e34a6ce06626c764466bf04a098341a597f78c3dc78f9bd0501f8a48ae689a69cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e39ef01ba0cab1aafa0431494f2d9725

SHA1
48e5f759f52e618f0935d58368caded4b146c684

SHA256
f428cb53e8da16bce256e261c1a36d7053e07b0182f7ccc8ca0b77962066a4d3

SHA512
85a7e95daf3b442ef73b1fca318a63089b4f5d5ab7de6be3057c18cd9241068e275bd5d0b9e577aacf11dd73ef27048ff47a5074058b37a4fd1c5c14012e0c0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2659527b32c622f09af04ccbc3022cae

SHA1
73283e1a74c4efa2946ae2ce19ad0e5b5f3634e9

SHA256
10e35b3384c04722f618d7549804952eebc18a49094132fe6338ec924403703c

SHA512
62b4a5fc9761ddf40bfa1ef793df3fefe40541bde8778d00756515b606abeddbead345e8ef2f6287fac79ba2cf3702904135a101f96a25d101ed49713a4e4461

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d8fd347dffa6179de7bbc589967282f5

SHA1
c2c271f244a43dcb780cc2d4c95729624479e68e

SHA256
43954a404d7e52e009e595d5c970b7600f859e0400c643c466896c1f98fa6ce3

SHA512
0c86a7303d032e34a4d6dcbcca13753dbbc5f77b9253c6d05470b5f438232a47d45076f8966465145f545c91195ddd3ec754524b8fd33d4d13b2bbdc8df9395d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
457d6a1400713dbb3964ee7236c03497

SHA1
13a21d20f958934f78083679a16fb84267915e84

SHA256
8764745db725010d6de86fcf9bae4173392f19a47b293af328c9cdc0aa5ba4a1

SHA512
2f5a93fecd1d52f2c537bfd9b7de7adc2438e8d40a1414e299baa0d15f20fca4cafda04de89044d2882b944ad6643f17776a5ba863c3dcf7e229b873390e464c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d0a7fdc1a3203905e235c382919de2b0

SHA1
463979ada5a0c2913fb768e87d89bb8a8eb736df

SHA256
c80d389befaef31392f1a05ad497783c9e9ca4c980babbbd8cc5ef7756e72af4

SHA512
490a2a433dbe4d1b0102944446431e350c2d3eb6a687147e3fa57d76959ab6bcf9de1318dbf0003d5d9ef8c00c357cc201928dc555d8f35428a876b7dee3e23c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b576668f57920dfec28832eebe94702d

SHA1
d5b993a63841737a2a88e625964c603fed15857f

SHA256
649fafe211bbfad97b74bb1ed220f58ceecff0d36cd528cc2723b08b489de3a5

SHA512
d1b21fcf9479427478a0be3a608e177a717cda4d4423f36febf8c987e247acf32986823f337e957153cf934811310eb0b42e0671edeeff7dcf250bb2da9c4bf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
6c0be3ba6239714fb6144c708574f838

SHA1
1989b4420becbc89512224b52a48784463da9b67

SHA256
033e753d2fa913a455c80a73af8651c844c144535453912cfdb627c15d34e164

SHA512
da7cc856ad69b42db39a9ceac0b2242ade19aa9d093b46a0ccb9e8d74e9747d49a664ce5bfa38b0167e133631a97ad20b053802fa3f2bba25483a6f5f27d96f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c1d250bf14a34f1c90bcfec153eadf4d

SHA1
93e53af39ac59aa2a632b84e1fded2f5c30f39e3

SHA256
0fd42df8609883f7bab13aa9b5cb55b738eb62bae918446b4862d72523ea4f41

SHA512
9a726bf1330a6c7a6a34ff2e391242e2145dda39f1cd4478b8d5c4eb8bbab7859b68e0ba1e5fd96dcda8cc5127806541f18330e02c230f93122a0bcd41f81aa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d6fd21c21ce78822b88101f837423169

SHA1
2f4d06505b46f9d3460d16fcc755a92318dec4d5

SHA256
1aea6f3429e1a76f6ce854d41a8f7b93bef8bfb36596d84d3b32ca2e1f6f5614

SHA512
adeaa87fde034b3d39572f3bd2ccfb4c3b0b837019c25612a81b2f05da164694c30caee175bbbcb4c626a1dc24c6efb0bc29249113e90e92562fe45e3fc94689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e7c63fe869c163c5861e87a8745c2466

SHA1
e5ee5c0534b949a007382b6fa02d99a4d0015ca1

SHA256
ed11965114fca42e3e8fe987cd0c93b67bb5886f33f5fa2697d15a87d36b72ad

SHA512
0e8600e20e254191c6421e12cf046000bbbdcf98b6c1c2a71e88f55d15dc1b0b43f5f80a12b52e9993fc013262885ee2e8e883a63fd03668df1ed5718b48da7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
30213b2af1c5edb9e60fe3b0403bec0b

SHA1
f236b33fba46fcab0c0d5d9e580efc6085ab25ab

SHA256
95dae3165fbae030780d58316b43f711652ca210fd09f5552366fefe6b0d1c37

SHA512
9c9f0af5f991ba5a2a760e5c642b43acc5856a30148d42fa9ac4cbaf4c2c22f7746fd7fa6e54cb008cd87c0c2cc46d225b6bd6392992eaf4381a876590d19b60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
81d3767dbc8c0f735a6d605e3774358d

SHA1
5bb238e208165ef66725881e18074a8b365b5588

SHA256
db4275a2bc184ef6b21e68f6b6bcc05fad54dc671059c27bd1b49a7cf4b60b62

SHA512
5e19be01dfe156d322b99417155ca7e570fd269739c5a5e34abac49edf929ae1b8e8a8df95d23748be8ae217e757b32d3c57901097124f9d624d2ca009b3ab28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
90337e5ba158a303569a0680dd71bf66

SHA1
6192e8198bfb7e0f3fe9c76e0903283e3eb98038

SHA256
e0c8dd52a531191426c0fae7437a30cd66217922f2980a3a46309b15375fd1eb

SHA512
58fbc01a3676bc8a276723d8506c920c1ec0c03a7b4fb4662e9421f01d752ad31410f1bf1487c8118fdcf4cf59c09e3ef2ce4fa2cd8bfe7bfda059793a703184

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
55c2c1899dfcf811601f1b25e3d96087

SHA1
95ac98804a8b083dae4f00de788a5b01163fdf76

SHA256
1570e4684815b09adf2426a38b8488082ecdf7e437ce946d55b298d664bb48e6

SHA512
0abdc75a34a02100baf7d9992fb95b56f1168c68d14a1d9ef1d63924280b00fe4bcd315f33514baebef6ac2de7e287de7022796742c822532e8640e6979de09b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
c7bb2ff120e5714bdd03a3f69dddf1c9

SHA1
dfdb7f95b07be179b6dc8d9b541e81ef95bf7219

SHA256
ebf87d50edaecec888d9666ea420d50146368efd7a9eed7c1c34f8aeaf8b8a26

SHA512
147da1312186df4898ca6bb7e11726f19172d5e0561b0b2daf3ec9cb76e361c62a0b9f17477eaf96ed1b2e4553be76bd04306b1b1e536f2f7859936989d7b54a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3011172903f698db92b3e6fc5e54ca3c

SHA1
efc7a0d9f21fbc3579e3e6b2b5fb89ad2512dc8f

SHA256
cef45ab8cd78edf2d6d28c4491d2add7bd3aaba716b58694203f77db865f7701

SHA512
199d04ccadeb8cf4fc1794e63f558ab206dfafb0b988502b611fa12363c22852034c5c86fd6bcab0b8eff30186bc22306226eaf719e95be32e3476ef62179536

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8288499b5acc30c8db4fba477163f121

SHA1
135c66e54029be7a0e167f562b5d69bf5adf5fb4

SHA256
0cff51ebb07ada1833e3ba8cdaa144f40202b4328baab7b3ad8c4851278d4597

SHA512
313d70f4fbb70117baaa5042bc7e40763cfc5f7f919ae04d1d7e640f38bfb104f0398be9fa26d5ae767816b5abf6308561b3ad496f20dd55c965d9160630da35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a2e26ad3bdf727d9d851d4619d5e25f3

SHA1
a20552668672ffb3ae28fc0d40776569a1c0cc98

SHA256
0533c8378fcc09060f4845656c24abb88820ee572af89cb8934e4c32519c8704

SHA512
854dbe103c7737d070ef91bd67661e83932517b15b661d9c75b479d1f625c66773d19cbc469d37eb608e9c7541860741bd8e78c46629b94b303b98332e9001c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6bc089f1c38df745e500c5267eede9db

SHA1
d794a43d2b8fb8fc91adf6f5bb395529fa78fa82

SHA256
f33f27bdbc65e08865b77710dbdf00ce5d2bf53d260972c58491f85a6415e147

SHA512
4efd83e18f6c6c932b924498d31c8ed1a1b5e2eb05bc8c82119b07f35fbd59515b808d5bae6d368e641a258a17be290ef6c4464bf159de13837f2cec57381cd4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2d2ed1ae954ee6efeae174a32760daf4

SHA1
f1d85751dfafd8102397d1c2e4cce862ea8ef1ad

SHA256
bf396591e91ba0056b6a649abea23b77caaa99bdd9d7baac8926c8baaaa60f6e

SHA512
2ca16aa35bdfa68cafed6d7923769bf4a086e578dc3aec7f06a06358408721ba2de97e55fd612f4a53bfb5e389ac8f72158ab685545a19d0751e7e421e6129b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
b0a60d3805d7a2124fc9fd4e1420ceac

SHA1
d3a18dbd47d6e9637654f9f4ff16fa00b841dcc2

SHA256
bd2c6f75ad2815b288f38331c47b32c04958ccb60b4ab4aadde2475679715eed

SHA512
8ada369e2823e9ab3decc07ef339d98b5bcd2b794ec03cc7a1336741e1335f2ced440b203ebfbb9116cfd11a1c9e7aba6ac67e4b772912855a52687691798f33

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
46847c5c158284e65f3d75a7231e4e36

SHA1
77e8c9867b0f2f9969ddf30c4e51d4f8998019dd

SHA256
11f2a05e907f4bab6f1839d8bc1667ca374d6c4f4ef24f3fe6d521d73cc762e2

SHA512
b0bf7375f4f81aa295e3f3e9d0b6d59357eb71b05e559e5223fa5f8bb9e24934a7668588b687283c7a2e9e779cdc8881c75aba5b193e2fc4bc98be2d7d505f71

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bb6e2f1e35f51dc08356c0c3978fa5f3

SHA1
238674578dd015826ae839746f208913aad2cf81

SHA256
d04a955651e4cd06145cd48a92c197bf5d81553116709df8ed05a0ea7504069a

SHA512
14138cc3e79e6d76e19c3b51b5a1f4a0f14c369c0af67a485341baf4712a09b141afbc0564289021a968fbec29129c4dc29397f25dfa97f295806ca6bb435196

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3277a39974e2c44fd4d74ef478477890

SHA1
c3f036da754481981dce419127cbfea57903b2ed

SHA256
6b2d6886177cc08a81ca2cd6874cbfe970925106ecc46bb25c40a9333381b2f5

SHA512
eeb1aea1ccfd674a3394bf8e8c11e0c0284490546adc065170a6d25eb362342eb2819e03187ce33554c9a05fd70afe44cf6033f786ff5e6abd24dcb8c13b6eb5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
566a8994cf64992002c41447dccb2038

SHA1
579a2ff0e31fa25d8fafd2e1f97869be46522443

SHA256
0ee9a78f72ac5b61e9e7a65f76d4ff7df9d25bb14c97dcf638f9672fda1f22d4

SHA512
2e381acf1946e1f7b92b38b7984abac7246dea71ae61be9a53bad1ed475d2dcda6304879126de53a82b9813b9afe424c665c51fa6aea59615c56f134b37d9b4a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d6a8f63bb3c149a5ada4d2764a329009

SHA1
fd6541de3fac77a61c92d4cea8a1d8e29e7c092e

SHA256
431dd1b72f6aa40395dd0d9dc0d1b0947810bd07e4e791694ad680351dffb4ff

SHA512
f801ffbe417662890abfa84d1940a339d71e4420537e5df2e72b5a9c6583926f06a44d3265f06c5f234ac11953b29252947d5595394bfa9ff356609452bdaeba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9b3a5839321069e53ad3fdbf9ce41e21

SHA1
7c0a3d535d0f117c6b61fd3b8b4ec27f883ee295

SHA256
a2a4bea8e46f6685a9b34b36d2ad2476a58775d1dca7348d1e5a4555aa741736

SHA512
d939e47bdc428e25f8cbab6d1dbde3496d4be5e9447069c4e042cd119656f03ea8040d1707f5e9a419ae8b0f65d936233d5afed906316240b9bd89aec8266bbd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ef4fd9fa7d99346f5734a5b908ea2f9c

SHA1
72693e06004a11626eacb3a2bf54b9830a338c22

SHA256
14168b670617e60ac81ea79335c0d859fb1a8406634c2a815312d4fd4ed055e9

SHA512
743e2b2dffcf15175dc9b43424ede46f488aa7e09e0a70f78ad511b523e6c3e575fdaeb5d559721ef83b8aed894990a2d3aba2e032e1709308d808de67658faf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
20865104acbdddcc785625e6efece429

SHA1
b66e4304e03307fcaff63abc1d614e790a9ddc23

SHA256
57ddcd83d052b474581684ac456bcac18f5467f589b625e2012824fc4a737402

SHA512
e9161ad9a625c501f48b8c07b8d1201e1c2ad7243e62ce9e8a533090141bf8a668ad80085c4f150df73f1afe596bb17fd9587bf15b77c9dfd98a92a56cb4359f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
eec4ad8a66b3b2a7aa45152ab38a9155

SHA1
e955470fab7018718bcd906c50fbf2668c5bb0ed

SHA256
52dd821ef29d1c2390bbc496ed4c074ebc07c069792ba58fa74d3a02d895723a

SHA512
eb57a6174b4b9273f38ba5eb7956bfd84a7e7288df74857b96350e175a631b1fd0229baca75872389c69bacd997e6a3f3b76a2b293e41c3b67865d30bd9c43fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
137703ff0694fa53916988c57dfc1f97

SHA1
f4e708d5d079e223e1d228322701106bf733493a

SHA256
6c6d358941179548930bc2c4ae837bb0af0f4b7d95f81f9693a017943c4d72a5

SHA512
c1879d58d430054812fb5a2b25eadf0c3222901ce78ec48db4c595207a31fc1a1e921d26e45e00b33c4c3802eef71f33d719754fedd1f9e441e93c5d1e0c21a1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a7c33d6eb9bb125b7bb0ad77cfbb2b64

SHA1
d06663fd192f57453a65d199e6dd009940711963

SHA256
d49a16dd2319caa942053ed5eefbb251341eec14c599a515025cbae524c97c86

SHA512
46b5f2306dc5b6d64ac751dcab27fac2a186cdc7ba99d4da29f16e997e5fe7fded84dd135d661564c5c9815feead2ddd475391ba74912670a1044f31080be32e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
573845480f592369797a6522266e0faf

SHA1
b5ac9aa315b73546ad88a23c61ccd2e9eca5d123

SHA256
88bfe86b2f2fea3e59e7276d42d2126bd8f6f1954538f2171b4b7f214cb5bde7

SHA512
9b6d3da5d61be231dfd1a57236eb3f3ba2c9a9849f0fca54dd1345724d01864815a15267d058d749db6a8bf2ed1fb0ef28817a71e9a4b402fee7c2cd5c434091

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
612ae66def4b6104e4dc0e847d810194

SHA1
dab061ca2e38c8592a7ec9e9bbad87f7aa159529

SHA256
578659e685871844d2dc2dd538eaf0b3188c62c35b915dcfd948eeb542df51e0

SHA512
e1dd359a485999fcd78838f43e35aad5f60fcd3ad867fc96ea4851a5de692c500f227aae7d98851f3f0c8d25f7a53b31e05fad0f28318179210e58c66dfbe9cc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
031d606194c2cdb1a1df14475dfef195

SHA1
489667d70f1bcd6f9bd45d14bb957524162fd08d

SHA256
c873b188a105904b8a616f8628edfae3e8c3d656fa003beb7f4f6154e94fb334

SHA512
c5ccb33681fab39cfee0614777db630f651c86d036cbef24e6891bf97451b94d6deb26ec352e3d2dc1b17ac27c15143de741b1f2b2ef8cf754d338cfcd695ee4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
3e4e05615cc148b1e40bd7f6322abfa5

SHA1
87ac4d7a0f1067e5abcad24a19ba7d6556b4e1d3

SHA256
77fc37f1a911f959808dc3a9dadac6d9aec50df93bca54e51da3b662f0ceb0ec

SHA512
7fc40c3a5ec63945ab6f58955f502ab251f3f366e1055719dd563d51568d08e58aba618ab9a98f2ff491c3c1ecb3e98d30947b3fe5d86938c8ef3601ec3dba25

Download Submit
memory/316-141-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/316-459-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/832-168-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/832-570-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1056-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1056-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1368-169-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1512-96-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1512-348-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1796-40-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1796-126-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1800-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1800-569-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1912-121-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1912-436-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1912-115-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1912-123-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2088-51-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2088-43-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2088-127-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2088-49-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2512-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2512-66-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2512-60-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2512-172-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2688-175-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3064-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3064-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3300-190-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3636-200-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4236-458-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4236-133-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/4236-128-0x0000000000750000-0x00000000007B6000-memory.dmp

Filesize
408KB

Download
memory/4236-135-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4308-196-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4308-576-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4468-198-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4468-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4496-100-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4496-6-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download
memory/4496-1-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download
memory/4496-7-0x0000000002410000-0x0000000002476000-memory.dmp

Filesize
408KB

Download
memory/4496-0-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4496-464-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4636-192-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4636-575-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4664-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4664-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4664-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4664-199-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4900-193-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5040-92-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/5040-89-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5040-87-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/5040-81-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/5040-94-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5088-107-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5088-399-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5088-101-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5088-108-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download