eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
Size

1.8MB
MD5

4818e9a8af14db61566850e4ad4104ff
SHA1

c946d43b4acb3a1eeb2c89e1e55a984a5b40ad45
SHA256

eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86
SHA512

c72cd7208e9e74903b755f42e0a6523bb00b205fec7e7c52dc783cc5db3a342ee3a2360ccb7ef3375cce6932c8dededd42488c3f364509beb079427078dd1caa
SSDEEP

49152:Ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAEssv/CpmpMgjtrrhDyQ:AvbjVkjjCAzJ9CpmpMQ5rFyQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4856	alg.exe
920	DiagnosticsHub.StandardCollector.Service.exe
1652	fxssvc.exe
8	elevation_service.exe
3636	elevation_service.exe
2820	maintenanceservice.exe
4276	msdtc.exe
3628	OSE.EXE
2528	PerceptionSimulationService.exe
3204	perfhost.exe
3612	locator.exe
4892	SensorDataService.exe
4968	snmptrap.exe
3640	spectrum.exe
404	ssh-agent.exe
4312	TieringEngineService.exe
808	AgentService.exe
2364	vds.exe
1392	vssvc.exe
3340	wbengine.exe
5116	WmiApSrv.exe
4396	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\AgentService.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2138b15b8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\spectrum.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\System32\vds.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeeabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\goopdateres_sr.dll	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\goopdateres_fi.dll	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\goopdateres_es.dll	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\goopdateres_te.dll	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\goopdateres_ca.dll	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM2599.tmp\GoogleUpdate.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exeeabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029664839a199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066438a3aa199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c69b03aa199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005adb5d39a199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b464c3aa199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f351a3aa199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe
920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2180	eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
Token: SeAuditPrivilege	1652	fxssvc.exe
Token: SeRestorePrivilege	4312	TieringEngineService.exe
Token: SeManageVolumePrivilege	4312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	808	AgentService.exe
Token: SeBackupPrivilege	1392	vssvc.exe
Token: SeRestorePrivilege	1392	vssvc.exe
Token: SeAuditPrivilege	1392	vssvc.exe
Token: SeBackupPrivilege	3340	wbengine.exe
Token: SeRestorePrivilege	3340	wbengine.exe
Token: SeSecurityPrivilege	3340	wbengine.exe
Token: 33	4396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	4856	alg.exe
Token: SeDebugPrivilege	920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4396 wrote to memory of 1712	4396	SearchIndexer.exe	SearchProtocolHost.exe
PID 4396 wrote to memory of 1712	4396	SearchIndexer.exe	SearchProtocolHost.exe
PID 4396 wrote to memory of 2024	4396	SearchIndexer.exe	SearchFilterHost.exe
PID 4396 wrote to memory of 2024	4396	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe
"C:\Users\Admin\AppData\Local\Temp\eabd8af5d969200ea95500af2f8be323a4317ef32ffcaa505076f00cd7052c86.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4892

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1712
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7229a3a4e83eba3ab96604d1ea75eb74

SHA1
19d6072b14c19aeca8e24d06fc5aac02ce369fc4

SHA256
ae39d2ccc8b4a6f4bfe34587ee9c0ee0caa47e0c3234b1b695ae5fd47274aed5

SHA512
249609a92f06645389f93c7b60e5582329c87d72176e51f0ef5a5d5bad2b6877e6e776855926b7df4d9363a26c60bc113a69a065362c727a1d3016d29ce04307

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
2b0ad348bfa380b8f0c82e04514578fd

SHA1
c736328330a6df6c1e8b9c3149138ddf62be2b4c

SHA256
aee84d9b057356031bbac499665dc4466f3d87c7e34149143779707ebc8fd1f8

SHA512
22a76f5430f11d6c45ad4c2cd7b925266c7c8120060ef35189eb808eadbdf350fe743a20650f460d7a01d877d0e58b6a47a29eede9b74010b1f697762fae74cb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
7ef6e09cb22e1cd5251224cb7a2a6595

SHA1
d6f16d3f02fd1c6f7db233767581af9c9349d610

SHA256
f520080558066496e61db62ae754ec2cdc594e697f40554e0e5b4e0e6f221b65

SHA512
4ff3dce2d33c96b844e765bc378d98409649739d66852f2263164d6754fd27b173ec20ce51f773249627c1f817db71c4f523c96dd9446bf1a8bf467546b7c68c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c39ca464151194d634a7f0732d15d215

SHA1
bd58abe0a39259cd2941c00d77e29db04c712e37

SHA256
8d0040ec2c463fb29a3e6aaae8f2d2fc284cc4d5c2f92ae16c44c467e0fe9b05

SHA512
7a66aef7eda1fe3958dbf8601f7259ac057d9e1dc7671d6d8f32d10cf16261b30b4fde20afe544bbf80420ff6410dc9bf3203ff1a5e0e15dfacac327c8f28736

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d58978ff9bfdd20a38621a01780c2b2e

SHA1
d16c3ef3f9f8c76b937532dffa3f3f76d5a39fb4

SHA256
b6b67eafe8cfb92bf3fc3469bd8c7a752ce9ae12bd17ec427911a9ab5d20e3d7

SHA512
41b57b6951abf4e216cc182a35331bdd702e42ca8f8ba940c1bfc22941ac848260d16696c62b8e7ba4c10d5734c1dbf8b06480bef9ee05339888d1092987d96a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6b0564f73a5b169ab6c8ad8884d1ff73

SHA1
79637329b09390fd31364329cedec87c74ea0894

SHA256
07a65070d4885904031fce5c400a9739757bd89cfb2972c4212db729e0ba7464

SHA512
eb037ef6039350b5bbfcf5fd5112aa085cd23ad386a8b321a1ef677c461d4e38d76adc02dbdef61c77f499691da149baf2ea244d37d6f0ecde0823a6c57f3317

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
1e3660c5561b668b703b6c2cb1f6d969

SHA1
dea948315d44a418ad9f4b9736b3393f7f5b25c9

SHA256
ae21776f7bcd32d428402efd81768c0375509c3aa14a862fd98c4a88fba76d0c

SHA512
404ec6b7063fe531f7c4e0c776ff29eaa2171bea0beb5ebe30d04b363351c7f40d5bbb35a0cb10ba0416b610c4a9b132ee45651b16d72172986a5a84671ad128

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
16d4bcc67929fb895612b667d3498e64

SHA1
658b152a420014805052014e1b75e6ebb464caa0

SHA256
665ed5e8a791c4fa487d9b343f9fd5c763dc5150337fbf7536603f907a9fec10

SHA512
88a6f68a61d1ab2d02f6f0574eff07ab7135f2f6845568dc70c5c6cade761c5095714b0f8a757a3dc8266476fa171be121e4216f1a3f5cc239d5a4129e7b4bc1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
3677238aecf1a779929c6f79b88c207c

SHA1
43d6d7f719088b5db5925941ab0a5e042ee08f0a

SHA256
efb2b0c6a525cb0b65f12d7cfdae9de6fb23baeda525706c9160c02995d07b87

SHA512
d13c991e1af5af2180502dced0957edf8706c4c108950a5daf77d64d9f67fe2a485e019b2cb3a8eb5cb8bd76740ee2dc135346d119c5754113d62b441650300c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8b20072d2aa4c58bfe9f4aa43f7dc90a

SHA1
17c4e90ec6c6e84a5bff80b7bfef6e99abfbd957

SHA256
30ca48c880a6dbd898e19067ce10445559cd45d8b85999d3ffead7095a7367f5

SHA512
6736ca01bd20060b35f83d6c267ff72d0859f60f8e67e91c6c09e424836ef53c613b230fba5b0b2fbe68be4df2fa9268348285a5f4565423e98b4cb0b24e0d5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
792e6b0f368ebef3e855f7cb32cf44f0

SHA1
8421e55d21af0e924c0627889e0657a41645725c

SHA256
09d893ee26536673c5116a4b00939f6dea511dc9f4d013661c3a6616a72febdc

SHA512
318a696f728b9e61fc85eb54103265b4556ad4bcbf5e0d17e57ad5ad269df29cd9dd709ab336f5da09da55f95999e2ede2de5486fcfe3f6fbf931ad0e76f2fcf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2cdd9019a4ce0f1b96959afb106a6129

SHA1
2e2b3754aa51b416888a87acc745424c930f4978

SHA256
78c69a7831a6299eef7d5726b49cf56128aa8e91f0c8dd4d4b424b6376e1c754

SHA512
2e7cb3ae57db26b05300b32bda49d2ae6c7ad5ae916e8214f2267fd03ea081553ecb1d69ecfc5810a21bf56667b3a8b4d312ff64c993da04db14d2eebc99da1a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0f18bc8448edaffa764773bb15ffe411

SHA1
4cf0e814629e5eb29e6746ef5770b410e1abf82c

SHA256
e0a1c923a118f8330bdb8fa11201cc2df8bd60c11ac64fe017a5b9b0fc20efc0

SHA512
31c7622477cd17ba1db3f1a3a1d9448c0cf4c26e2a537c42858dcaf5658450773f328fcc1b7de0a9ef39620320067f8fd15616600420908569b36397a8fb6634

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2f40b75415905bf87084b5d3344722ab

SHA1
6fc78e048b3db9a8902d1c008150487b57070a0a

SHA256
18c8aebca18c8610b57c95fbb20bf1c0af151f5d3771832cb5e7842715397241

SHA512
ef43021fead4b6a7d29d63e557a1c441f07208f7e7a6552b836ca853721056ab9c955e7feb84c62b56cc64ee63b8d18bae56ece7a1356a03db5c350be0f36b0e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bc7bae68013ee65892924968afe87cdb

SHA1
09a69e0bf8aab1e766f490b6eff98a7db7077d01

SHA256
aea7dab4fa925f3fffd169499d640eba939e3438038d91d88c528f6789e56eea

SHA512
d53670b0aae18bdfa4e61afc2cfaf71a9348fa3a5fb76bcac6283c09e9c64c2d27dbf5e38c934ff6087b4216124a3a993e89b60c1a20e4bda89290b96de5b444

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
83f4c90489139de1caf18f8516d012ae

SHA1
1b2299b65c8082bc862f2e3bb7714b60c35cf47c

SHA256
6ae1d24d11b7201c08b5de899036a81477390ff2e7f5482d3dbd2caf9b8b9853

SHA512
d8a39c2cf742a30c4594e86f4e6652a13686ce29106700d3d4ca543e0cd149bca6122e5e1010f0c15fee2d948bcec8766751b1080be89a305024b044fdf513d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4482745111cf5ae40d242a449a4c2b02

SHA1
db577d2747710aca9de6135063fd2d65223b0dd5

SHA256
16c790e7b97041d0654ca3bff3a3a916ed04dc05559e5a3e101e32dba13f4f8d

SHA512
ace5e8e2fff60cc8bb82622e335fc107cacffb078525ce7c4171e44c1d58ee484eb6c817266e5fc7c7797e3da878556e96322c3a90dd30d7cc354fd6693c2835

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6a1873c02737154394e7aa69287b937f

SHA1
1e57720573844cebedf503d4bb481d9cd6576309

SHA256
a18bf1209ac44ca82a575a38aa135629440166d0b68c6ed1234d1917a090ddd8

SHA512
59f6b090c87e3676d392a3321cd8d0520c6bcc407b8612bb7fa255457e758cc3e05098daec8514f6e75dab659e278cf2ebba12f95b620a85f94e4c4e585653af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1086655e51b3450d034f74ecc3e0831d

SHA1
2b1d6d5b8c27bee692e83db34c0b384a4810fc7f

SHA256
9c123a1013a8fe92ba27f55beacc055910e2e129be8d2f3de390441dbc3283e4

SHA512
e71b6708bd63f657b96bc89c9d39d83c0d57050953ec247d98360c65a78bbd5922f8b2df15f1913bb21123913eb053540cf760ac89a0a89007e80d59b07a0acb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
caaf4f8846795bbe39eea5e5f1f78e59

SHA1
7717759b7b0df4bfc984e19540fc3be7808e14b9

SHA256
1f16670f6864fda9eb3bc84a8af5304abc4f33394c25e261259a665f2a287aa4

SHA512
5b771c3b8a0235135c8217020f0877d911d5694fb6b620838b5e095e9e19ace8c0fe5483bbb5cb2ed0286481d81ed314da8c58f3d4f354eb8bccbb33c614d8dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1cb2f9cf65f8de4dd4498ce8f3b60c60

SHA1
7a12e42611d700a97d89a98f1d48f29eb6c1240b

SHA256
4b5e21a41286b12b54ceb1afe589254687ba68bd5c1f84e16e58b3f24b6566af

SHA512
e2dade3d502861838beec492baf6d3032a1d2ab07de7026381f012be7ee9495ac1e436ef4cc95fea70ae36f9bed5c0c331a514d181081291607717a5468235bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
fc1e44681d2397d63e71273eacc37b9d

SHA1
316400908087a31232bfd35f77a531a7477b5653

SHA256
9bff6378d0ff7ca4f15c9494e34e3f1682c2ff0b8b7ea961a5b270ee8276f43a

SHA512
a59d2d74fe3af50991a9f1a8170285915273accf086444a906457fd00785ce37a82fa02efb37169c7a8f78cd0d3cc0da783903b45778a2d5b333ba336aeffa3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d9a68f5e7089ee298473bccaeac35a51

SHA1
53d5936d6a8c83983144068f22e0934338784660

SHA256
4f3f89963905ed29578f1065388b6f6e0e5df62dc102125fb0fa125d3f4e9903

SHA512
3bfd82caffa319dd680332d7ca4c671dfaf465fba8515528e05205bb398ed6020da287ec70f511a2bcae7a74cb62a5b40c54716f592310918e4adbe51cd54ec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
11705024f14a476e6f852cda9f7d8f76

SHA1
d4dd414774451bc43dbe264e636b4ab74686f95f

SHA256
3920da440089b4bced9c49c387c6ac95c769bf2f8bd5508eab38c071147522af

SHA512
ea133bbaa48ecaee75d3148c0d10480ed2caf5664ee2f0b4d420763bf6d8621548171be87ff146a9412cc59acd2307eaa6a2c6f42a642ea75c33c8ad50b44cb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c0a64a5c3f2ad9d21f479a2dc3e8effb

SHA1
9280513f84ac192ffdbaec6bde1a637c32dbb545

SHA256
e22b4918faaae6d5c133afb10b18fc14d4dff41a5e192face818a15d5c79d337

SHA512
f75af6c09959b5ff9a1c34b5b387cc3c825469fa30ea7e00b09a3841d57cfefb69a5088f5ef0127db2a2efcb5d25d4018c1e7a1e1ef5f127059b8a784cc28a01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5cc21fec8db83d82a012b1613856330c

SHA1
b6763dad390c213c13a6127866c75c9567f13fb0

SHA256
867818c731f3005f41714761bfbba222da695d568304386db99db5280a5bddc7

SHA512
9f8abbe1fb2eb43b116c0b7857920c3df9112baf70fb40e1c7bd02b5cf789a8b47f9a12b4784a3634cb70b864d5c8b5b84092897598bfdd6871cba84aa281137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
87cef78750cd2a96fb91f231e2507062

SHA1
2e89eb77083df7b36ceae60bab8acb703b41f403

SHA256
14f9ef62ad103e709124dfb7b4f8f3d5f03453408f1f490605392cbb1e5a775a

SHA512
b960c827a242f96327db0b5bb51a7193e919dbd3c2a31f1635d135ec5ef65024a387ef52fb872dd9efae52b84d14ae3916cac99b47147dffd43d50c2b26c7e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b88e7876decce7cc1be64141b3558789

SHA1
df129ba21c62020294373963cdb4b570148a8835

SHA256
fbd45242dbb8bac5c89166c439d2ac7623e2c7ee446c3836c0a452bce7eac34b

SHA512
982a9dad9b4770319773741caa41b601e3a528fe7ba15b374ce3d87358b97511e136b55767d3a12b273f4bc8ca86e4b884fbf9593910e62f707eb85b60388f31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b36db2513c70373647b587beae6502e3

SHA1
0e9b62d9089f1ab98c009d6247cdeb2748df7fc4

SHA256
cb58364aae8b9f349252a00a272760491aa25d862f71adb2483c172744ee1c52

SHA512
810262794ce23d816f04328b36c1f94a044676a76b489da475e9746143d7c9e349ce412c8a0a12c7d6bfffdf256a7698c65b213f9c9c56f72bdf1310e77c7d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8af5dc48b5f85404c061ae4b6b2e8b84

SHA1
5f6be3c2320bd417663cadec0ad2f3d061235752

SHA256
6f7e62908d5b34e5fe9f3386fbe254bbc171777044718743047ab2aaaf11f0c5

SHA512
d42423cef410969757d000eaa9694b08482169115d1d42710d11433e46ebb38fe1e4f02b7f37a721b3ddd3135b47bd292be08786c43e09bb5d279f82f9b4be9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
f5cbfdcff2cfd00f550a0d05ff295f75

SHA1
b1275b772655d125f025a92f2a035b51fcfc8ae1

SHA256
d5a47ca1c1eb9906759679351afe19db4164b75a580c3b85416b3056e31c28f4

SHA512
9ee691d4a054227f8f63fb151e9a87323f213ce71ddd6d2190d14ee3a711736a696aad669180ed3353c43e27b3b53d22fb7190c30c8354073eb97dbf5a165c25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ae8ef56b93a42446513f1a0974380ee5

SHA1
df59c0c515f1d67bb872a8ed97428e901b7e1f3f

SHA256
fd613695e57ceb748cacd0b0f159c1c37e6fe6033c39becfac2282268e78c68e

SHA512
10b248e4f83f1441345d7471e5870a847b6788f896f7895a983c11a51f619268d0398d91e7b4b4064609cb8964ba58fb44261534ae3aef8472fa98a44459f190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e92607f2d690726dcf45a6c21e614d71

SHA1
a55ff96b6b0f1b403a7533106156d080d11f49a3

SHA256
bfb3dfcbfe945f6f2cd895321e15a9ba73eb06aec3c2a7fe308d0f546004bb75

SHA512
94ae7592a8a257ca0749d78e1e7aeb427a62aa45b9646d06fe4c37fd845992e28c3847d7fcf37c17f4e912175151942884d9a144a6edda424d4a40ae376338fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8433fe34ec7ca8562104b306e2fea8fa

SHA1
c34a937a600e45ffc6eabbf925a5f3731f8b4779

SHA256
da06ec7eac3220d2eaa986b785b57a0dd7afbfc5c4bd65cf297a26f179dd7aa1

SHA512
942a24c56ea0b8655f038cb72be743c9b9c18a2191283ac71247b808a6ded090c6eff1d02c7636429befa3b662392836c263739d7396089e95d91eafdf04cbd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6a91bd1c8c668aeb9c35a5476697a17b

SHA1
20544471dfdf27e62e7d4dbb273e1d167e921c15

SHA256
6e6c2fa53f6587146d51eb485f4641761c18b7d86a45d0cfc61222fc0554afb0

SHA512
f49b6b25be448cc31e90678439706546c65a6c5180d01e55c13c1a88730e92e7198a33f0a5e3d337fa733b1c3d294aed6844b09aa6c3fc5bdf3ffa72164b1cbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b539293d005f6968b2672054e79946c5

SHA1
a02793b4df15950a58d5dd233efcb68eccee99ec

SHA256
b4648e7bc49e8f0b000a71d0122ed381b6d1c8d01f06bc8b5963392fa0b3f9ec

SHA512
872ca40e8a57b3eddbf8d8edf8fbe4ccf9505c6fb971e468e5570a42907ac576a45899112fc6592c301a51390aa4dea16524ad61ce1757b32cf10204b9a810be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
faeadd439176784d3a4d2cc3cfc7ea00

SHA1
af6ed46847ecb30907e1f8e75d96b4a21a112dbd

SHA256
9563d7a3f14141fa786ca2b5e6f794ccc7ead3f4027f9e6d7df086eacbf45bf7

SHA512
134edde655273e0a8b8f4814089b52f5d2085cee5abd1dfc34523d3613a8751cec76a8bf713c27643805ba435c0c4f2ee261e038a89be4525aa8e8dda21bad55

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e8ba1d4439ac412cd5fe684060f8dd03

SHA1
a10407d2afd9cc35566e31e7c2a4afdf497a99f3

SHA256
439ccbc661504381490a474fe2d9a6df8796fd8b978db759b6f1395f7fa28007

SHA512
ef1fb13d9d5aad491a4a4c1fa526a00224f7f8ed31670ab598ac20d1506827a05a6a5369a218f408402ab4ab99df7779ec7d453fc733639f3e30641ce0b5b23a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
40074ada50fa97dadac61cc5e0c72226

SHA1
1b12a16bd707fb6e9e3193ac525ab22977d5ec41

SHA256
208e5edd8908d1b9a9743e4e6ee4122e4a7737da7401fd5034c7dad939cea3ad

SHA512
ca29836e5c000fde66599fb5ec3bf6e6817264afe927eb2df4177cc4406207340ba533a6675bfad321626b16d83e082798e18fa2f0bb19a4e7f67b4cc8493e74

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fc3022b9e5372d10cf1fe918b45a41b3

SHA1
dfad70cef1847f7f6c4bb16b586735d15a6e7f54

SHA256
68ceabe61e2c40d6297e140fa806198b8d64183979a4e1620aa5c7b740ac7e8d

SHA512
8b199cb63861cb14336440d19b6f0082119805c53b5f449d7802b6d3ea22e3f6b31ced4b916696cc488a48330769fdd0329982f24ed787c39d44dd6a2144d732

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
03a321daf0c1b863c5dbb8b7a8dbb04b

SHA1
1d1dd1d15bddd467914f8f8b893ac736872205f0

SHA256
630ff832a7e8f98c901f77e05dcae42c8e1fab466eceb3ca7ab9e4c0a9f95216

SHA512
b20b76829eedfb628fe6cc0c8a33bf3dafe8b2b8720fb70ae296d57282a3a646182e47999abc77b2ffbb8370bab2a504ac67d7cec5c107e4a17dbf5d91df71f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
97d9011ee9608d5d5723f169e11c063f

SHA1
b4c3c784cf13dcf204dfa7db810ab461baa570c8

SHA256
38a34e43516e1d190c78dd0476856c8b67ca6aea693e902ddca582479a64ca8d

SHA512
be7aa2759b4077e4ea32dc917e5f598ff43ced003096f97080ea670a897c494639a6c8f3875a6344d441a8ed0aecbd4b8f48b3c178f8ef4ee1f6da3e14bdd2e2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
638a445ebb95ea95c5b3316509f89394

SHA1
c9a34eea62f0ed13f114fe379f8b91f20b000ec8

SHA256
b271a75e311a7637eab5c2c6e0b7ae9abbeec1a5f58773067f57318e3d97a54a

SHA512
7aa01b610dd41f129cff006e274909f0f85ad0a48abbb990e0d564d5b7f35bea2587f875fff5999d858462c4dfe75d6497377695a696f7c39b81f1b0ae1841d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8e49adcaf4450db3b023ae973f6148be

SHA1
0b09cb136dd850c85cbf7d578b4f6fe1da0f68b8

SHA256
96c71225b08a76ffaf718ab6295df532486dbb59dfe51d9cd683090ca1191e32

SHA512
9fc9ef874a9e5921b32c06ece9ecbd34cc29d2cc2ada5cc64d4e68d023b1d90d00e5bfe4166ef59b6e157f6700db7243e8a7c6e7561f58f68f1fb6e3789acaa3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2b2f2cb2335b80b49856be92baf9304b

SHA1
a284dc99b75089a698545ce3e998d0bd6fb1357b

SHA256
440751bfd480bb14553de6a56122f098fe2faafc62d479f6c6496e4a4d68e14f

SHA512
0167d316fa7da0a39011b0461c17f7d7779fed0497e46510ee09ab55ac01cfeb9a6b39438e4cb46fb6ac3f92aacaa1ea8d0c55dfc72fa71fd244726b5ef2bb43

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
078c023b3b827ff83e61f7c04ccbed74

SHA1
ad6197c460afcc1c398e56d8efc4801f1475471b

SHA256
45a19f79f7066d78925758b5e687e462b39a5ad2abcb0defc0e1ab677c5f7447

SHA512
a45a22e80790f403a2992513bfdd15d946e5c3bd0fe0a079a9c15e02d9b4563dfafe16b5a4bda12a7a148c6fe8f796909e861b1e4d18ced57c2370493f5cdbbe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a43ac8b6776df59dfe5335c9e6eea776

SHA1
b0e40a692929b8de81d8831d15a605dd924285c8

SHA256
919631eeb42a85a2a233e8bdc4cb055b41f269b2cc3726dd4646212422610d47

SHA512
1cd38ec8889928ebe1b59485b8cb63a9b8f0e34d0e88d5dafff4a7814b8513418b9c8adbeb1e9142a77e8911352850ffc511c010372f163422b54f658aeb2650

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
429f623fbc3a33e3563be6cb8cf28f53

SHA1
a4ded2fe27fb428c57177e720332db57773531af

SHA256
a74c087a5432536b7255ff3c1bb03d83cbc2a5caa3051d465fe45ac9b5f1767a

SHA512
5f98e4654bd9b3c576bb3b153d4ef95f5b1d13be32f3e30b50e722fbb77d4ffc3d644fbaccc1a6086c3a796bcb76b01cd7513134e0b370ad3fea8946add4e948

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b37238dd8b9efc28ad0aa4e9ae809c03

SHA1
9048a5245411240bc269fd0840fac1dbaa50159c

SHA256
bf7708d6d36b9f7d8b8843eecb9d2865bed11e7982fba003fdbecad1f33d1998

SHA512
834ccc75fd203830b0804d2b02e40a0bc86737d91295e003deba497398d6a7950b1fc81178db41319c6d59b17602be21416d60dc7bfd64bf1bfaa5dd0260c5c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
27e4003d638b51bf2c92a8ec58b1ddbe

SHA1
d7d66bfa6b1987bdc6d838493f5bd9f9486221b0

SHA256
dd0fcb5049a73b38ff9d0d5d7e5061f512a635a53d671407c6e72f3e7e152eff

SHA512
7e8cf289999451cec88f40bea73baf0081e08b253c24c671a76f7a8967c552282ea457f6bee711502af8e88fc4e7fedef2a17f5de3972bedc37b83b770e1315a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df6ee37dc41107b9a47c45227a32f8fb

SHA1
18ec6c1c310f3a4fcfddf89b55620f51b9330acc

SHA256
266d2242aca8371c6124b4eb1f614a82495fb2ece092c467c6827911b143791f

SHA512
aacbfae70f4b1fe3de3360921b1837cdde46c6de12529c3617999c5c72437c750936b1ee2fe0fa0231776f878b85ebbdbb00959848f2e85235e8dfa43dcb05d4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4cc67dc7717b7d7fc86340ec8a24d54b

SHA1
e51e3dc98a26dff2c50737393573caef5dd00b59

SHA256
2141cbf533aa1308f138d6ef9d7dc5f16c50f5bc3dcbc3e0f8357c32c54e2352

SHA512
aa579f4e07448cab5a3c1dec4eb5862d2073d28950f23a5921095c2d74ce766d8e39dd90ffdb3f11f55625050024b209a94be2f7e99066fb287057dc17c4c65b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7cf264563109735e7ae7f01cf6040dd5

SHA1
f2fc975d1fa5ac23314ee18bb673e56452dfa339

SHA256
d12fe93bb049165418d1283b172dcc3e8c492e3382222f4a9052a40bfc11878b

SHA512
8dc910b920f5d687545ad49e04b144d4e2fa3a42d226d4fb9d6fb97c5fbce5978ae2ce9cfc15e8a1af891b74636897e1f6c7b960d7b8384f82d80057106dc80d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
718830a8f26c62da8a9aec18a8ed65a7

SHA1
f39ee4f5f7aa69f3d7679d3e353ff3420fe7d063

SHA256
b2befb65c06e7090f3275ae6ed38d9a4ffdc679ffddf901b580993c8cc95b367

SHA512
bf58c3b40749d59eacba0df33c28b90a0a79274c3684ee4702692e10fc0c593e8dcd98c9e443d279295d796c8efd7916e9fed8bd7eb8abea6c8952691abca4a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
50c94dfd510b7ea8d4a12a77d1f5ad43

SHA1
c79f6c4b2e44d3ae5b27f222e08e20a117c72b81

SHA256
2f9c1f40b4797d9de80c302388cd514fde562d97d8f5ffd0d8c4fba91f232f66

SHA512
7a4784d164cf068471b6bf398cd2e456d74eb27e9635174bf26a73ef6fc9f7cc6667a4124d05b0aeb62d3379e8477235e30eca40ddcf9091cacdd46c6e6ddcfb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
55a32ba59db51e777dfe7827ceedeaad

SHA1
69972f486d88c216f5f3076d0653d171ab4a944e

SHA256
66c1969ab80e151a2647d924739e83892d3cd5d1f64eaebebbc6e679a8f7a2f0

SHA512
db73cecbebbc0d6fe44aaa96f8310df5706c1adc5d562a6684f04405e5c4e6217a32095b775d1dc530dc9c1b0e489102efe51ce9062f4f2917efd7fd5bb024ee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e57a65780e388bcad6fbdd7ab65247ca

SHA1
01cb4ea1c98aa54217333d1a7a1af9a2ce993fed

SHA256
1dc372e513a50431ebb8015996e41a3aa9cac0d6ae10f809a26e959eeb43977a

SHA512
b463924f1f56ab54e7a7e4e0bb21934e527b02bae78739c991f7233f943e1bbd6505c1509880fddca8f2b1682dc5eebf627678f01d4fc0a5b4b53390f0cadc9d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
137d1bb3bd6971e8d66d0634e8607d8a

SHA1
e91e10520482f2aa523c86474968b25bf07eb277

SHA256
4a562be5ba50c9513c243901a89e70db11468e6b594dfb54d4f4215ed4141a5d

SHA512
6d0e7b7222f2badd54edb6e4658e7288cca54a624ee440809d2d761e9d07e52e40ad18e39a78c950fe5a5da87435df122ec138c31d1f594730033e7454b433eb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
358017555178c7740ffa6abf1d19b34b

SHA1
538a7045b6b5d34549e89f954a5f49e1255887a4

SHA256
2f45875d1c9355137780757f6171e616f09e385c7082f2a97bf1f4f6ec037f97

SHA512
04e0812ae010f5e9bad6486920d520feb81221fb218865eca55495e92d8908ee15fa78bce850d58ab22ffef497871af66fb917f5ee17c84d9d664bb55e2f4697

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
8e399f03546704195d963c977f4ccc2b

SHA1
d721f54705b806fd766fc4df47049489a3de29a9

SHA256
6d621474322ec779e14232eadf486b001af7838a0111200bac91e045449648a6

SHA512
7573285272180bf06ebfabfd8fca0bf49922b23106ca44225c8729018036dbb79a6b88f56fd523bf85412e5187b880823230363b6ff7550cf834c3899b264420

Download Submit
memory/8-120-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/8-241-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/8-126-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/8-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/404-255-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/404-719-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/808-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/808-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/920-194-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/920-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/920-101-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/920-102-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1392-724-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1392-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1652-106-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1652-118-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1652-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1652-112-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/1652-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-6-0x0000000002310000-0x0000000002376000-memory.dmp

Filesize
408KB

Download
memory/2180-1-0x0000000002310000-0x0000000002376000-memory.dmp

Filesize
408KB

Download
memory/2180-644-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2364-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2364-721-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2528-195-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2820-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2820-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2820-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2820-151-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2820-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3204-197-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3204-316-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3340-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3340-725-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3612-335-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3612-215-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3628-177-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3628-292-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3636-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3636-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3636-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3636-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3640-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3640-715-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4276-277-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4276-160-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4276-158-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4312-266-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4312-720-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4396-727-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4856-19-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4856-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4856-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4856-173-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4892-718-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-549-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4968-230-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5116-337-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5116-726-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download