d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
Size

1.8MB
MD5

77dc3017d77e1d1b5fda33929d568b12
SHA1

0145b932c1790d7885cf3c000bc23fe79db559aa
SHA256

d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd
SHA512

9d9504c4ffa6d85cdcd4636915344621c3857e7bf156417466f330771161770dfc6d62ab141647696362e23c133dc3057cc63dae634f5d54f5453e69afa25e7e
SSDEEP

49152:Tx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAvkQ/qoLEw:TvbjVkjjCAzJEqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4624	alg.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
2700	fxssvc.exe
4736	elevation_service.exe
840	elevation_service.exe
4324	maintenanceservice.exe
4936	msdtc.exe
2780	OSE.EXE
4968	PerceptionSimulationService.exe
4344	perfhost.exe
2032	locator.exe
3348	SensorDataService.exe
4912	snmptrap.exe
4432	spectrum.exe
2996	ssh-agent.exe
2764	TieringEngineService.exe
2864	AgentService.exe
4480	vds.exe
3248	vssvc.exe
2668	wbengine.exe
3728	WmiApSrv.exe
928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\System32\vds.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95b487ad8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\locator.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exealg.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\GoogleUpdateCore.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\goopdateres_pt-BR.dll	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\goopdateres_ar.dll	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\goopdateres_et.dll	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\GoogleCrashHandler64.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\GoogleUpdateBroker.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\goopdateres_uk.dll	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\GoogleUpdateComRegisterShell64.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM442D.tmp\goopdateres_ja.dll	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exed80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abb2b74e1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0e82e4f1a99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9983f4f1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000503ea24e1a99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e50b54e1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006439ff4e1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008645074e1a99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001ba1c4e1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e564a94e1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe
4808	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2596	d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
Token: SeAuditPrivilege	2700	fxssvc.exe
Token: SeRestorePrivilege	2764	TieringEngineService.exe
Token: SeManageVolumePrivilege	2764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2864	AgentService.exe
Token: SeBackupPrivilege	3248	vssvc.exe
Token: SeRestorePrivilege	3248	vssvc.exe
Token: SeAuditPrivilege	3248	vssvc.exe
Token: SeBackupPrivilege	2668	wbengine.exe
Token: SeRestorePrivilege	2668	wbengine.exe
Token: SeSecurityPrivilege	2668	wbengine.exe
Token: 33	928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	928	SearchIndexer.exe
Token: SeDebugPrivilege	4624	alg.exe
Token: SeDebugPrivilege	4624	alg.exe
Token: SeDebugPrivilege	4624	alg.exe
Token: SeDebugPrivilege	4808	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 928 wrote to memory of 4868	928	SearchIndexer.exe	SearchProtocolHost.exe
PID 928 wrote to memory of 4868	928	SearchIndexer.exe	SearchProtocolHost.exe
PID 928 wrote to memory of 2316	928	SearchIndexer.exe	SearchFilterHost.exe
PID 928 wrote to memory of 2316	928	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe
"C:\Users\Admin\AppData\Local\Temp\d80803feb12d62718d6d33e93f610ed876b5bb18ece6bf6fa45d6896926ea2fd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1472

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4324

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3348

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4868

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
1c8e59cf56e0c558ee1c4fa661f09d40

SHA1
99e106d1f104dbe95a54e6078fcb9bbb6b8937c3

SHA256
76e7c40bbc0c253a185bd4e87db1e33ed1be65ade667d7fa6da5706294e6b8ee

SHA512
234f7027d62d1ee8c3fe7f8211fe1f21c809122488cb16b3308d012f7e3e54343dd101b53fcca3a0571074a9b73bb58270bc1a9de4d8575da1dd98abe1b5ad3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
78b8bf6d85190a92a7d1f6f96deec586

SHA1
e1b4ae48292a9a3f4ecb39881006f8d729fd5886

SHA256
b7d7720d87caee69ea2dede6f0faab28b8f62f569943be93cce8fcda0cfbc260

SHA512
62cc6316ad8bf127c236ddd1868d04292e6b0bad2cd07846f935ed118f11f8d824bf31f447d524bc7e9e6a398b04ec3b705286b5f106eeeb39f13237ffa39334

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
04ab06226e3f9d4deaa5ef397e7357d9

SHA1
b066706abaee9b04a6f88e983db59f97093d2dd6

SHA256
37e24d733c3c421c8b5918254edaa31fa2b3a6e7e0624008424e78dbc932c6ee

SHA512
eb0183c82f3ad9fbea0653b8b73a005ab6dac56cd002a2c530aa59a71c9307390e16e8d1865b1ce2fe3240b8c47bfc6fb699093cb68df91777988b7768eeefff

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8a694da52c2891628c964befe82970da

SHA1
d2068a9231034cdb934147b981d2b77f9c65a578

SHA256
a13e283bdf0d30824653769d786e77c27b25544096260327fca4cc7fd194702a

SHA512
442c2fbcbb59dbaf6eaad7d31ea0ae5ac0993ad53a2f11d01ca1eb528ceb650cbcb1f4c1096e17518f1581f8b034628ed6b948a7adb880b544740a1ff9db6c95

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
55326385c613e980e6ca16f0dc44f430

SHA1
b850a1ed26622facfd1143691192fd743310899e

SHA256
4b55753a4a9a985353002840111d75f9dc49a4f54acee4628c8a52146d1c199c

SHA512
b5d200b0691091ee48056a0a65bbf879bab52a997f91af944dfdbfe3e3c2384fa5430ec08deacfda6d59568e5516a891a5c4829a2f87ef5c3916dad58a5dd40a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
e93828f1653282560dca0c360072bfe3

SHA1
40b43791184b830e205406781e9ec215f3d9dc04

SHA256
0c1ea9c719ab8e8678c88e07c1caab3844b763867c4d8dbff6bbfc663c7d7ff6

SHA512
a0464732862c3b3648e2fdede1c11d86f4eeb9c7ca3b64b61240ebd10804dbba37c04c35b1b4b95697ca9e7865b7fc257351e6d05914d9e09c8915eb5aee6918

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
d085a6f7020c1114b9247626d8629b21

SHA1
9fe5505d16738a5e63a2b3154bce5d812414b76b

SHA256
e73c257727c7fa1c6e9be498d17096bbb023360b18704136157a3ae6eca5b22e

SHA512
14a276993109528d500c536ce560c99bc952b60174eb8f2a009ef26775ad6a5257efa27b12fffed3d0f29984c357d308649a14579c7dbad27609fccab2b7d56d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0349526e19e68970bdf2f1587272b29d

SHA1
6dd0a6915f5a878ebaf085e9b6fc8348426080a8

SHA256
7c71a9ca9a1254821a94413d9d8cd79c978944a1abc51ce76ae075f6a7892adc

SHA512
8ed3aa32899d8c6e2e6db29d5661c7e7276a643d7aa6ec689c42b7717f2deb86a6562a669c4efe0af442a42dce7e8f7772df647fea41595f976ce216d8ff8c67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
f0875e9d4f2c3a531724945ee7115803

SHA1
01fa7629e5898091baa7587954a6381d5dd28f1f

SHA256
df76414cd6c8a138a6214e3a130e3962a83cde71dbd314bbcba480860b0c2655

SHA512
8afa9c59e96204d562bfe80f17eeedd5516a77e4543947a44f861f42ff42e27bc6ddc2a50cd5952c8baf4fd874c065fa72a83631dac0b7fb81687c70e7943f08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
12f64a29f175f94b71b2aba1886b4fc0

SHA1
564525b99e2774c784a4b9b40c0b36ecebb21256

SHA256
8b6fa83e81a7f9b9d84f95dab934b32c2325915a7348dee0a9642e0de6a0356f

SHA512
2f657667b596b8720b2b817abff7fd0bb117d35dde418c93d30a26823d018571775005a4debc0583be5536a782d143db0c607f8b802fd498163e1e46c4df1434

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ed0b336d4889ca4784e6c2684aed061f

SHA1
230f3d3932c635f31dbe20eccfbae417a9a8bc3e

SHA256
1b92b1bf4e02893cebba14e620e54f5a505f8fbbab934d925d3911a1ab2455b1

SHA512
6ae56785bfa2d43abf30283fb15aee9961cb94a7002ccf4e6a6cf0989dda31fc57b50b174948d18920e39edfd4c3f88a7c65387a204058c081b7ad97d4a8929e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
65f0b4a55657ac30c6daa3b0e93cffe9

SHA1
3e5ad1b61ccaa3c1617f6819480fbbe1a7918ab3

SHA256
53fab52f55437089a900a8d97b34aaaae45b1987db6fad7ab1c5709c512f15d3

SHA512
f35cf9b1c113393a6eb68acd6dad3e5ee5f39e449c025d2baef13c049911a9fc3b5e42a9ac377d14f29b8e83d180cbd294f244e0372d9cd2e385709610cb94bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
78a20fde26197e5523f9389035c9239b

SHA1
3fa4b63026619e497bc96701008f1c6a29c78288

SHA256
7be5a6829cdeb9704db1bd1a354d4bb317cf3cf0b17deecf624965e5b690e7ca

SHA512
230857146226710184cb1c750d9e4a944e68c3c685b80feea82c320601f7b43da20dcfb8a0d1dce5c4b602974a3ef3b0aa52fcec206f4b860249ae18ff94aef7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
8686ab9faf1fdf630d22109a898bb9bd

SHA1
f708f9d23ef565e69a2f1daecef25c5f2fa5e10a

SHA256
2ed3b3e382e9fab530be555556035ed5544b32982c9a646c9dd31e1ff52d758d

SHA512
d49bd973231ccff40151d0c931d3f5201ca1e246ca9a7873e01a8895295cfb6a15937a73c8c0f728235eb940a0e3d9d41af6c901a5a9e81bb7465f19083e1bcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
af738a8ca99e38ae0f305c3c8e3c2046

SHA1
4889ad4381bef817349af849df3cb584fe3f0487

SHA256
a4e5d85d97f54d6c15f1d24ce4c7fa0eba14c76631ae8ab93a540a1e7f3f7d6e

SHA512
0f5001a3f4d47cdeffcc8cfb0617f49d5bf6e9e14f01be49de0dccead9fa706f7c02572f3710d991043a5af60e1accba078e23c73a29e1a35615c398b0b126a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
f1bf57dcc36b70813d9dc67ebf32f6bb

SHA1
6008042c6542a745d893ddb7d78e47d140275175

SHA256
b8aa8f5b77434aa51a4978e0a2635b855a516e458bf37ce997d2c6cfbaa3ca0c

SHA512
dfb284bffd0025fd69e61f8fb403ad091a26ea701bb2a43ea520d973b012f1e540344ff9c944b0a7352bb20c8da2ba960ac52619d27167b8cfdef090ef71f065

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d3d2ddb1a3d231d657bfd6bf7465b9eb

SHA1
e6ff024b6d84ee85a1618afdd07c2fe539306322

SHA256
b2f58df58859dc00a2a91c7df38abcfb2edcf4f7982b21cbb5ef688593260853

SHA512
43a0804f9b39f8601c9c0bb336e8c01d11fb43c520da232fef631b438a559622622c2a7997bc6e3a30505cfcde4135a1d13f3d4dc9df2536db48ab0721fe0abc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c2df8a76df33f039d60b3ea036ff2115

SHA1
b760b0071c336cf537591f448d0a054196a9d892

SHA256
4618d4a36dfdf5fb87c61e035823b311e55c944173febf3acbadb4bcba3a76fc

SHA512
aebd6262edfdc387cb6df22c29210483ade693591648d6a479af32b945d1a2db93ff28b08b1594e405e9947f59b8324a02e8f51987af8fd96aa4d896bb0eac8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
9e1d92586ae1fef725980aeb0d357b65

SHA1
1228fd1ab5285db8b9c50122bbf3b442fc3537d7

SHA256
cab57b470b857d360ee3b477ff158dd66b999aa9e377ff998dad567c00de3134

SHA512
d4917eb9da6024654b7becd34052c3b98d88fd1f5596d56378409cb0d103ec5897a514ede8f106462b0bae9f392f12653f4e64daac375a3164637d84c08eef1f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f9479e5c3a2ce7e43d33b61f8ef4c2e8

SHA1
9f09e70b9fad7404680ab06e3ab5c6ee6dd843cd

SHA256
bcfb90bcdffd56737dfc321cc7efddb114a45a9d61721a21bcdc7df9ee57a940

SHA512
e16444ebb1953a4f4a4d21489b12c998dc93168a8574b190fcb6a826637056c201e1223eb48e874f34eb8380b43108ee62088ceddc899bc744a1b84fc3487045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
595c61ab2f011c47588aa21e6fb0d2e2

SHA1
ceb805127f135445d0b153b431b1447077307f41

SHA256
23c496da6763bf31fb7c83e6b2b9656d26643f6fd0f9b1038bbe3bf8dde8b52b

SHA512
c38dd3f7c9c88195b4c154c1514c8f195d7eb9e2ebe7b6a2e40430da6c4eb15dbcb202bba1fc90a2e63270069e24758f33710f82eecec2a88854ee08197c5ac9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
d81fbbe1387ab1e9adbbf87a39d92e6b

SHA1
6c14c9db8e1971cd80c399a8f49bc864335b49f1

SHA256
e316d1c03d13209774ef2c455a83541d5a0fb92750ed8f8bc1fb0316d75ed431

SHA512
dc8b7a7b9b0b27e5c1456febaf9a000f569d09f75d036c7550bbea012daeea23382128b3a30208f714c1a31fe1c3172d9e4d8de8b9f76e343efa7226da73fc60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
f995c4093a526c6eaa73c43590889d11

SHA1
e155f0863b937a770af611b66db540f80f7891d0

SHA256
08c5513f0ef282f2b1168d80ad33377cc8b0c9e691ceb02d045709dfb4bb3edc

SHA512
2f819ce465f0c702bc52ec47e85183d6203642c0d314af8cd183509924e771def091651ea49b61f4d406e8621513736e26cca3bcb2ed6912926130d839df354f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
d5157d2b41698f0aa3620aa7b42c1eef

SHA1
c547f6ea178593e3024bbf7c07c901c5203ef211

SHA256
ed268905bde5c671d7d4d30897e36bf1ff98ce189c5abc485e1b4779fcdc4e35

SHA512
cc1489964d8b884e4bcc1d90730800ae1346a3e0ba87a57a3c2cc33d08f6564e250564137f9c398dfb159fa4d80eddbe5a92dae8fde013b4c0ec5309542ee86f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
1f32b32d59a4aa4024ce63dd7385204a

SHA1
05cdc9c2851d1b7f04a76c3a69e5bd0b4ff0cb7d

SHA256
bfd6f7e77e88f7b19a630d74defc16dce3b271b7b72469293a8f17cd51d641e0

SHA512
4f572dab43b4cdea8a422144865241e4c9185a83629dcbdcfd997eaeb66c9a7e46394575ea21db38898962e85e2b2e4a19f06a99cae884c59feca077edfe0666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
f18d429cf453d71728c50b0deedfe7e6

SHA1
0067e7be8e2c1d59933330b16eb42ec8eeb5c0cc

SHA256
fd2ff5d434cf261bb76f33c06b7e8f7d38e481680e36350858e6d1757cba1295

SHA512
776764a501b81bbe9266ea244db19d53995305a176d131bde452cc5d830fc52d070c263823dca57bd97fa41fc2d525ee56490a991cedd003a6589399878c387a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
c247334712e46a513d884997fa6cf073

SHA1
21cb2de985916c92827730987c3b0b5bcee9e652

SHA256
af1cfe0dfac74bad0263eb3ab646cedc16d77695bee3ca99fd51ae24c88bb97f

SHA512
9724ea331656c941f954cf9686013c45b3d923c0cd3192d42ad74cdcd9a7bb050f66521c710e5c560ef814170424bfef271224ac07ff7ac32c1448a251e71a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
750bf29986ea65090bf701cc285e39e0

SHA1
fb73ca72eed06369101c9d91152af3f79dae66a5

SHA256
e17a1d68f4ec12114b15eae1febbd7f810941a6c5f7a023db27c00cceccb7d2b

SHA512
0623a5717d2bede7447b7130e9fcfd2f51f3faef77733c4428cbe52699f5dbe97ca6d093bb41225085aa23039431f1b7d4c010d32bf07f2868da2123bcd0a4bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
9aff9de4927a959917b5e0a0a68d18ea

SHA1
a83f24abc0bbd65b09eca3900f7ffb258f110abe

SHA256
663cd0102ae097aed7abd776ed80a9519f7c312a8bfb73f449531129d99af2fe

SHA512
b0284523cb1d70281cd9eadf0497b00d51a9b3109e8ae13b2b6080eaee37b8b57c406a4ab1cc9c3f7f490ca15ffd0a016280a6d95c819912a0026dd6741db600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
789972d1bb78a286af298e045463a301

SHA1
21cf64619ce01b2cc96cdeb7485224819462b9b3

SHA256
2b7407db636373724533186a302764a713d91f99d8101bc9284b9cd73906eb38

SHA512
23de6fc5a509c5283e5fb40be4a0587a3bd9a3d71e0dcbc1fa0672f82469d4200e2c3e1c306092662909b5df83d0bd4e2e99083dbf7a8cc0abf02673b46c1650

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
63d60e8e34c617a074a24355769ca317

SHA1
5383391e80162ba7065f996d67cbd655456654e9

SHA256
8a0ff1df08a981af3f677741a961ef71da3c0d4784a590c202e75b3fe0eef610

SHA512
9ff24886a95f1bdf04ec66606d0a662475f8b940abb52657cc51975f5db80ef323baad4699ca97cd93ba1c6866defe06b8cbb57721a3ea363c6cf9c14e8642b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
99cf3989857e7d5796f7d1a2f407c9dc

SHA1
c941a0db9f67814e35326ce6af8234cc8e62a525

SHA256
0dfd46006e16238d43459b37bb15e6162419ec920f964523e7218cf261092dcf

SHA512
4d5264cc62ffd689b7e8f13875bda02c2e8394a3438c40fd662dddf8f68128f5fa0f8612e370eca1412af8fd3dda4866f127d4d35d9a20cc5cd2daa2434cc68d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
410352988efe17bc62da5a20f322ff38

SHA1
fa550152009e954fd5ab433f9bad0e3fb6e4f5cd

SHA256
ac1722d48d55b9cb768d71b8fc260d24d6c187959f398f01aa10176fa6db3f58

SHA512
0f20e12dc9f139fb182004225c5b74daf2517c69cbba7b4e65b2d38193c3b36ffc8350ef651082494ab5469bf39e6619f53d0951114254270af699fa16df12ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
1ff926cbae9b193876506c57be2dcbae

SHA1
79269cb1f6044c0f7572a38e72c9354bc3c5e4c4

SHA256
f48fb51826d5f78f81ea358706151231ec3ab7e1d0818c75711907f50b29ad7c

SHA512
bb4e2858709eef0f548f0ff02353784b5903b12f199a11a7bb50dae5ca26d33a9b8b7f71ca88e9653d1f584527e7cf5f517ae19c054c426cd4cb568eed9f07b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
d90072a3259527a193df150f3eff04c3

SHA1
b0f829cb38e6af2bf1af61a6e7fc01771e6c9aa8

SHA256
2087129672c6d01ad8192045e2a811bec4f37c2069a231463c03473fe3485c4a

SHA512
df3ac262afd51660ca7a8910705d175775e83006aed1cf337d9ff166e6fd6f4a00d5da98f9c32fcd014ae13dee3685327ccb00ccea201103ae2dbaffd5e09802

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
26a50f9b97234afb28c1c6360dc08543

SHA1
69a7e1ad43be083c26aeb0b63dc20045fc682fd5

SHA256
44dc8b6727b6da70d21eedd18ddb290c650f58b1d71c64017b2f667babac69d9

SHA512
352ff581da29dc569d0e1e5020dff35491aab3910f32ff21d8cda79a7f78b9c8aee21d1739aadc4ff21fbc88ab622be560c73e4da92ecdaf373ce2c1d8e02e32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
78dfd21c32f2451f7835672d0e942f3f

SHA1
86224b1311b6c8741d1e69cf617db5ce184884b6

SHA256
129c9667b305ee855652fb2502c41868b1c8e8c83820612c24f3e3ffa5ae5ed1

SHA512
19d1bfd2916a96719094ddbe2eba9c129a44b18ee78ff0d0e5ccaf46c31ecfb5520bd04ecb5ec42e878ca17ecb2ca57df30795366e49c5bc8e0c09b30ff33234

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1d955d425b7055c45e863c26e0764e9a

SHA1
2db1de151d8700b4d4fb1022176ba13fb90e14ab

SHA256
5a5fc39ca615a2c30a586747586d6870e9352c60fc1586f08419df24e52ea2f4

SHA512
7cd3c1fe6a9807799af9aa29866ceb7b7b697512eaa2413b169a4baca299404769c9cf40f6cd884d7ce97e51250aa35225b131efa1ab8eeb1de0283e6d076ec1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
3bc5151f9e8b9627998c4f6c9b051878

SHA1
52d10cb1aa4a8005962344fbb3282ca97a5963ba

SHA256
947c42d8c1e27a515df3ebee49c84a75bd0386a0d70d23ff0cb5f383f4cd9185

SHA512
62c48553e09accab006fc58ca8fc1f1cdce5b4e15e5dea8b7abd1d39c63426ec864db5316b257efe0888eb9b19260dc744d5934ef8771575ba6513b30c6987b1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
ee496f0971dd6eb3dea08b852b6eb26c

SHA1
a48b12e0ae91030dd7c4805680007007e0ce6442

SHA256
9143e8984bef4f6eb7fb862dbdff953514f3afb07e542e56a35ff419929e9a85

SHA512
e8df0f6f9d089e4b41f91eaf6f455b62f283dab0cffe022d66745a22fdacf07bc5c99670d1410cb432459e0c8832467a1f31b5e480d056e4a5ca302580a3a486

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
88d326fd33add71b685ee4319c452813

SHA1
a77c883a7ff64ca99d8e2d2c955bdd15a688d5b9

SHA256
bbe4bb7be9ee6a9f7747557b34b88029806bd5b9ec34d060ca30e0a690ff30fb

SHA512
0ec1baa5d2609de50d93c7751496baa6f6276c5d0065353450fb91dc43dbd92a82ec19dccacbdd5937038443558e7bf2b295acd8fda3f72e06fbaad30d815f1d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
3957f8391bab8a5fe74576e00f1cba7f

SHA1
25eca88d63a4816690f8c7e09a106be44b195590

SHA256
da3eab51df7533748a8b6cb60d3a4d4c13b0692b228720c6637d92f0fda6d658

SHA512
b77d709c879940b819243dd9f4518d1423cf2767997297ed18314b0a34c77ebfe746983d2813083c93634b0af148897308bc150b4d1c9c4d2f590929d09213ca

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7b0455aaad0498fb9e19465c89d70b15

SHA1
a38f980c81e4be70f2e185c30779e8234f7715dd

SHA256
65af69052f8520342fdea8381ddffc283ad14bac995f6b178b67b069486f3575

SHA512
d4bbe8e35370c7b4fb0b60b9509c4dedf205f2a6edb290dd81906abc2f6981f987ae5229ef7b79cc5cf5a7cfa530500e94d9e641c66ac06425313b5194284140

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
6c662de7f3afa2b0c51d0382e1e023ce

SHA1
e2a310245274ecf8e2ba87209e3f79e43c7938d7

SHA256
37a9cda4c999230b8ffde06f379ce38c82ea1a373a4f0f8caa4873dba8d0bada

SHA512
81628cb4c79db83df530d00d956906357d10e74d4901203ff3b2ade8350d1ec8feb8c99d27541c5a047cb6f5577c0de7a68eabdc02253515cbe43c0c55c2d588

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
00ff231ba7555d7ad89b91c0e0e98207

SHA1
72dc3aebfb5e902375ad79df0af8d9b33f969f65

SHA256
77199489a2169f043783a0f1acef2ee73a4d768c16577a3fb979e78223a753f7

SHA512
f96a2cd434faa77078124faf2df464c5f4e947fc1e8fc3cfdd49ac8117a22c82d69c854011d37eed590133934b1f4b3257d306de1eb912d66c9f5693fb25574f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
06d16dac242d4a16c15efa0e57151926

SHA1
9e1449d06a63516f2c093d506e6fa195aac86a22

SHA256
f276edb967dac80fcdd0f603e6567d549859a06c5efc6787f44c5dd7992d2d4c

SHA512
ee8fd1c8cf568fc194ae49600889e2c47a4b3bddd87288aed95286bba418f4ff29c1a8a226fed1a04e72bf0c6c350da9bd3ec83b4fde5759518e137220d3e2c9

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
07a29c9f01e5da892a4107e9cce20e09

SHA1
0607f508a8c1b208a8a1f0b8cec7d0b4c476b9fc

SHA256
ebbe3e43123732e1299b5100678c731ef1cd2531a664ba2dcba5cf7203cc0619

SHA512
3aa1d522e9d6a04f76267771fe424ba204d86387bbc657de66efc956f2f6c567b4e736b9174d3c988d6b28cf6f9671094ec758900b3cf109ea52465b81085d6e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
94ea47080c27dc7222ed30f007b388db

SHA1
f29029f28d622715fb385dbf71ccd908ac398d7b

SHA256
402b5910ba2c2363d7953713b2b83680e8bcbf36c921b75bce30e7d0ab15a938

SHA512
3620327412a1a9d4dede0027f5c8bfd9ab02cd0d2280124a8b11f63f92bc300a96e293f471ce9be4593cdbfb6f516f6380b9daf5d03d248aafecaa5d380bba4e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
8943620047f4aa49d6d1f8af913e663a

SHA1
670addca89c1df8f22442540b7993209d6e852f7

SHA256
f084fdb4e0fc8fd0daa214c2f3054a95497e5c66c68e8aa2268f4ab977e0bcf4

SHA512
fbead933b78d7103ec57dec5dd096ac1c373e348511f54168ca8608f490d493563759347e93d9b85864df4a039cd83169f45e3f3f484fa1b57d1846ebf640121

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
68e052e95a2ddbbc5d005a3f0fc9cdc9

SHA1
2f8a3af94fbb49690962c8a4fc8b929bdede457d

SHA256
4f1f1d099fa292f6d5a48b82a6292c8b3fc2504cab8ab4dfb3777fd41641cad4

SHA512
e139e261d9cbe1b969444b14206d4fb1b66e29d2b7c1512326ebf2de9088b581ab6c8d92a860be00a97c0bc9cc5c7b745731844fba92f2af46b47724d2b7383f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6a42af7c08d7c34c9c168a5c010ef562

SHA1
379c2b1c06a00eb1c16e86fa3454e1c7dbe83704

SHA256
eda6766cfdcad808f143e4e7417df83febdc47a0871f657d0bda3e9ae363de43

SHA512
4abe6be801d7e7654e93a536760522b20b9d0927f69faf178175be4fb4ff8e39f714a21fc8898f85e87627d7a929d3e2398e04ff4be951aa3a29e0f58496e59b

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
a1ff40a810bb54966c1413130a9a02d6

SHA1
bfbe20e40644d7d4bdc45b6949ac8bf445543a08

SHA256
a964fcefcf6850e99bd2b923b73be4c2ccaecf07d01338af8761365d928d438e

SHA512
39db223e8b5425b45868b3ea35b3b831f1a69560ade7e15299517367e3ea12b53f9829064841eb96b55343317a95f369439256a3ef276e8170205342fa703e84

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
6b84320595ca6e976fa8c102cbeca81b

SHA1
04f12fe1bd4662f199a9b6a8a29da525ee0b94a7

SHA256
00a3d92b3a548f3f0180d9bf661cad74874b66e2970bb700cf4960f9a1560745

SHA512
0dc2fa2c48e04e3ce088cf381b984ad5ba67ea8cbe6b4673c54eabe171c557493a12c2c3e76f22309de978348a222136cacf82299ab577b6175f8a62272e1d58

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
6e718706ef9bd3332eeb36585ded327e

SHA1
ad079c5d7743b24f357cbbbfad50accd95adf249

SHA256
08e7f43cbf60303b08073b48ba5a9c3d626445feec9a483e9f2fec5a3aa04cdc

SHA512
d017ed72bb065ec0d4f9ff3f3902b107714ee70b2d095a55709b0363979ee7fe262258ccb7777c9fff6632f8229572d70ca4e7a8c24cb744033d01bc8c1ec976

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3e3deb6fe998bd06d8e7432c0dc69675

SHA1
ede13add510e3bbc1da9fcad3bfde6b3ebd30092

SHA256
9a734e56794c4cdd3736984f150d24ba677799f00f3ff0bca60b1a344ab2ee17

SHA512
6fa1e85c80ba6516f1bba367c6b557b153bac4b90e177ecef7ad9b9ff4cb2a7e35fb0155a2ffbeee8b10be9200c74e7b887deb41ecd2086ff77ca72c2c261c8f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
4c989f097883c72c06ef4ca5cdab7af9

SHA1
5a91f882e4ed7a476bc57003dac3983a9068fe97

SHA256
97a133df2cb36c7e8546a1fae35c72ba740a3937a9f57a3ceac5db22fffaab26

SHA512
e27c3a8710ff90783348aa5d4e9ce7b70dc14bafb2bd61a08eb3bbb927715d4879a19ed41f6d639f164c7e990d14133458095705ee81b64f63373fd840f2ecfa

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
164096407b6a3711c08d2d860130dd92

SHA1
eb8ddbb320fe21bf668971ea4675ca5f53926fde

SHA256
ee532043333b24e49859dd67688a1d88f6ab40463ededa106eb079c3c6260b1c

SHA512
6f5e00db8b5b8e0624b9ab40bc44e456ce6e8a4c5478c721cd1a78898fe213c6525dc26a61740aa9700ff3cea7204b4e65011de98a4393fbeb80df5e71a8e74e

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5925c7316f0550f796d198df2e90f293

SHA1
5feeafc50c792e154ed539bbeda094ff16b85ada

SHA256
2d501632f2e63e9f003d2e5cfa573ac2b34ef18c6e2c6120e13ad1ef0a0ec669

SHA512
41807b4a8a57c9124cd7e7feebe0f10e737f2060528b19b5844d570d8a138f257440f0e9a532e3727a8406f7b43d3eff21d6c31f93af407009f58ec8b42286cd

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
746aae35344cbbef985b75284086e6ca

SHA1
197ef1ea49f7d321f86a7cd920ed4960de94eadd

SHA256
a3f22cdc7789dd1489e7fb1325bd0c5350ccf4ea190b2dc21f773cb063aa55d4

SHA512
f4056cad7341178b5721e7c90ae04d88bce37d0730e50c35661c0bf06124f678bfaa52df9bebb54e7127c4246e9890d5f7e9aff8d66c2bf8ed7faa8e7547666b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
30cf05fda5e6f8088cc944b1d41daf11

SHA1
a3eb85dd54fbca6982c0800ac78d5e919d271f24

SHA256
c98a21de3dad11006210df36ec5dc32639a80c46cf36f0ad213ec9e80f1f6ed3

SHA512
ebdac5210f3dfda83319332c500b8addd89fb89e25f83d0610d1888e97d4f27bb4942adb38e7e94296bbb3a88b05576743df679e707eaaf6085bb3f3cc1fb367

Download Submit
memory/840-130-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/840-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/840-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/840-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/928-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/928-792-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2032-326-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2032-213-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2596-1-0x00000000022F0000-0x0000000002356000-memory.dmp

Filesize
408KB

Download
memory/2596-6-0x00000000022F0000-0x0000000002356000-memory.dmp

Filesize
408KB

Download
memory/2596-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2596-724-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2596-190-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2668-790-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2668-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2700-96-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2700-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-90-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2700-114-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2700-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2764-785-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2764-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2780-290-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2780-174-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2864-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2864-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-261-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2996-781-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3248-787-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3248-308-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3348-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3348-784-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3348-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-791-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3728-327-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4324-141-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4324-153-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4324-151-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4324-149-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4324-147-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4344-194-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4344-314-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4432-721-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4432-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4480-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4480-786-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-20-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4624-212-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4624-11-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4624-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4736-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4736-119-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4736-127-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4736-125-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4808-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4808-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4808-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4912-547-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4912-236-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4936-157-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4936-275-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4936-156-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4968-192-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4968-302-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download