51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
Size

1.8MB
MD5

52394c071ed53912698f42af536ca7f4
SHA1

db2aaaad71f05e5c292763405d9002daa8b667d5
SHA256

51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425
SHA512

bd564634e4dc03eee689be6696abf750ab21392118bc849027e0410a49b923483d08b3e3fe12ea92be3405c71af0f5cdd854c7ff169315a719df864deed87594
SSDEEP

49152:3KJ0WR7AFPyyiSruXKpk3WFDL9zxnS370jIpM3kiSBM29mhNq:3KlBAFPydSS6W6X9lnM70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
816	alg.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
4656	fxssvc.exe
2736	elevation_service.exe
2852	elevation_service.exe
3496	maintenanceservice.exe
4324	msdtc.exe
1592	OSE.EXE
5052	PerceptionSimulationService.exe
2980	perfhost.exe
4840	locator.exe
3636	SensorDataService.exe
4604	snmptrap.exe
1148	spectrum.exe
2308	ssh-agent.exe
5004	TieringEngineService.exe
4924	AgentService.exe
628	vds.exe
1056	vssvc.exe
1208	wbengine.exe
4344	WmiApSrv.exe
2100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc79c3637489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\spectrum.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\wbengine.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\locator.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\AgentService.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\System32\vds.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\vssvc.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\System32\msdtc.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\msiexec.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exealg.exe51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_ar.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_fr.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_nl.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_tr.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_vi.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_it.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\psmachine.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4229.tmp\goopdateres_sr.dll	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004db75734a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca338630a999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034931234a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004e49630a999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faf2e730a999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a79b30a999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5459930a999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3548	51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
Token: SeAuditPrivilege	4656	fxssvc.exe
Token: SeRestorePrivilege	5004	TieringEngineService.exe
Token: SeManageVolumePrivilege	5004	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4924	AgentService.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	1208	wbengine.exe
Token: SeRestorePrivilege	1208	wbengine.exe
Token: SeSecurityPrivilege	1208	wbengine.exe
Token: 33	2100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeDebugPrivilege	816	alg.exe
Token: SeDebugPrivilege	816	alg.exe
Token: SeDebugPrivilege	816	alg.exe
Token: SeDebugPrivilege	2540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2100 wrote to memory of 680	2100	SearchIndexer.exe	SearchProtocolHost.exe
PID 2100 wrote to memory of 680	2100	SearchIndexer.exe	SearchProtocolHost.exe
PID 2100 wrote to memory of 4032	2100	SearchIndexer.exe	SearchFilterHost.exe
PID 2100 wrote to memory of 4032	2100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe
"C:\Users\Admin\AppData\Local\Temp\51ad21a1e7533ab8aa95913ac51ccb5e7c0cac3b002c2e4e1902808b02e8c425.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1840

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:680

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2dde388e3bc31d4be973011c5fcdda39

SHA1
21ac24c1258d3dffdc1751a9729c9bd157889419

SHA256
6bed008ce04479b9854ef76b7b693c1def26d91e331708bbeff28bdd649ae5c7

SHA512
c43358889837cd457e0512d074be9d61b79561c16ca9eac941f0ca3685bc476cc95259bfe7ad2575f81b4052f48d470b2676aeccf0f3e37497948bd0bbec1da3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
043ddfaef0d9e0c7fd67465f1bf2e43e

SHA1
54aaa9a436560c051cce229809716f909f17eb1b

SHA256
2794ab4a2741a605f910f612fb70aadcd3ae41180f6b831fb0d7afc3edc4d2e8

SHA512
1ece2d61a129c2a2785146c8a3ec7996431ab7724770c5f58a4c6d123d85f87f7674940870c5356b17ffa63208a0619ca3461dfa61a03a981bddb261f0385d93

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
e9ade5c86b1e249388fb2dfe63f2b562

SHA1
b44776243b32ae961e13722a87b5aac2174fbfea

SHA256
e77d39645af15fb2882268e0289fc52c9750f0e12b6ed8f37eed88be3cca7ae0

SHA512
cf9ea34cedbf198bb455407f312304af5ac0777a314b690f8f7efd74d983347dc4cf3edfacac1153b2ba3d7e071ab193dbe0682aa18642149a6df10450a94e82

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e8fcb3323895faff92309cfb0ad933ea

SHA1
80f550150f9fc78f1f32e5787d3a114c6e8de93e

SHA256
f38cada93d3372365816e9434ce98195b1eca8e79e07e758e04ef761ee4e66f4

SHA512
0ce9bf0309cb848c298a8016fd92ea6f169214a26244ba9f95e15c6e820b85586672772c2dcf7ecfd490b2993c382fc92573d7360fe12f1b7c98c7c5bdd42d0e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
62fc0eb13ae249029c2651742c8beec0

SHA1
52813687b7888bdc6295e45d0c1bc50f2351f129

SHA256
b6bdafe7f63a19b1db91f96c4b3a60dbf16ad71f5eef56f08413b035b093f3f5

SHA512
23d3fa1e67eaeba2bb245fbc3c0b7d320d0aa84b1ab7cee884bf9cb3ee624ff23ce56de669ed91b32263ec3b5c4e6386d5f92570bcf72dd61011f71f5e52586e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
76553174b16327d834f7b55fde20cd57

SHA1
23d2e7278617eeb156753b01d2ef555683c6b6e9

SHA256
1f6c3a12c2af86e096e7f772f2a654dee7ae6d32e74d4959a489e57e071a7ec7

SHA512
76d272543f74d2d33b8f2b71cc29655952ed3f3d6664c365adf2f25d714d1f074f9d04a6721ae54c37ad37fc956b985b34280d353a5129901ecacadfd504fcdc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
fe0183b98fc37506b3e21262c8554370

SHA1
bdc14cfdbca36094b738b40fbaf8eae99e1bb98f

SHA256
9253ad3ef8dfff3316b1366f1f63e2d5ee61d4c1e03001ad442a4e10c5c7ab39

SHA512
6f1c5c3da66af03ae8cdf3e692f06ec7e974e2096f2bab3bef5951969f64d97974fad0480f4623e1031ca1cc09f29c1e43f452ac02e38f1309af8821eba40e15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4c95c187570d6e71d6926fc94ce57e29

SHA1
4344c69ae2a68487772711d21545ff3094f6b644

SHA256
b98524d3bf355d4a2c87f19cc8ebd3e15b5481595722eb98a89bab3a9a8c15d9

SHA512
7fa29eef1fa6f82f97c99d06231e72e0ae40b5ff838907d923a6de0da71528efb9f67ca71ef4da0140d36f41af027843d724c2d8ddec80e5af767902b3fcebb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
10724e9005370210ba1641b5409d5441

SHA1
b8d752a2de6b31bd79049c8d65fa69325f0c254e

SHA256
ace2656b7270ad3deb020f2741d59db11ede9f87083648bdb888062fd674ef3c

SHA512
87333265f3c5f4f7c13334c1144d952d1853c195eccfb5a17060447818e193b93ea8d119fe1d7c63144c4603bc96c227c24b12e11efc5b69cb521151fbe39d73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
916a77436ed945f6a1e06b08a4e0f95e

SHA1
4cd9134661ad513edf101f1ba237f30a58ddf89f

SHA256
572bfb6f81c51a2cbc1a5d16d515367490082fa5996645d2539898454d4d34dc

SHA512
c4dabbb39107606463ab4141f86f81fa81707d1b3718f931727b38aa616da525dbca0296cb49541c25d7af3c1f6282894c56a756bb88acc1e6af8a6a5b8bd84e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b4fad8ecb694f4835a10586896731cc6

SHA1
eb289bfb9a45c281d6269f237dea5698a56999a5

SHA256
1ab69919e8383efbac98ccd782889044b49438bc0022a155e32be559e936d203

SHA512
13fdda06216d87070e9a0058c5a599af84df36ad2513642c82ff24d153b3f688f8489e7938b88973beb47f4ee9148b7b7717659741d8f318b88967f63b0613c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f65cfdc49705bbe59c32b97205e3409a

SHA1
ed498332e3f88503cc700a9dd75a776199223e3c

SHA256
20ba24b9a4b4c70d2cb9f962717b92777edd30a789c5519d01086d54fdf7aa75

SHA512
9ff7fb76b4094293554715a189465752fa6821ef5c0880fc0a0d73c5cb966c246179de4c865d2c788769bc8f21d5b28acca96cc708f5b51f8c77f8a46fdb47bc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
11860438d13921e5904eb5c7dfa7160f

SHA1
8da5e28ee0ba0c79c54cac1db07b0474694c7c28

SHA256
73f482775b5955c2e5b6a7bd8fd604aac30afaa5bc6fb881b42c3f51a4b67008

SHA512
e5bd087392ce09151e2a31f736ee42f5456c1b43c47d939356ee75b5c6d23d4a3ee81bf2992416681dc7d4381a4f84deffe37c9b4b21f8c2d5c5f4a84b8fef84

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
c1bad2ef69a836c239deeb46983b7860

SHA1
a4ce86ecf126bc528c7c2970340b99843e604a72

SHA256
76c3c16ae7dc2df0abb85d79ded6dacc996ad1eb2cf3f115d070c505358fd091

SHA512
0222de62402059946e6fd1e5b1ec8ad18c3461b58045ecab566e36b9742004d12153cac0184c609d4aa79d8329b2cdca851a5122ca0f3f14460a2c2552aedb6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
355f57f72617e2816ce4ce4b5de94f78

SHA1
1e5ce160bc94fa9e27df5b714694ae3d15cbedc8

SHA256
c2fee695d727754639c24a2fdc19d4d624355b402f11e0ffb5de121548ce4652

SHA512
a30ec8edad43530403d0ab78eca6df8b80e172dc7e7e94d8ca9c3df468188cfe098bdd0cd01f6763a430dfbd1769291c4e3f4b95917fd360883a64c8cbe2fa00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
ce5b4c9c623b9f067c2b8d2038a33900

SHA1
95eef4acfd08e81f678313087b75a2a84493cbb7

SHA256
2b870e6d29325b7d49b8c28e0df41a78f9496185e161e40a873dd8430e50a005

SHA512
c91a18d94be388b1244d69c4a7f4a77de4f0157939a9c29d427a19ae0ccc77efce570641176fb1a5a282917438466dbe363c3b2493e5f9b32ae939c8679e1bad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d9ea2c310be0ca43a613aef7358e746f

SHA1
1e3b80c488f982083e1455154926bf67f2d29e84

SHA256
fadae28f5f6ef0b80b54df7688366a3caba3a876b525f6abf79ea66aec616534

SHA512
a7afbb6e8490bdd671d731c52a910df0b7b2edbed6c88b1d13060c29f5a025da20f9bf3f2e7acc5cbe8fe0f968d7ce543c4bff9e8212035e175c6b4af7a1a3c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
2810df35a6984b6ac6aa372752dd509e

SHA1
96c3251d8234282231ad14224791dcf05f554695

SHA256
aabbecf0aa5d2039f9ccead731ecd9f4ce50c0d06373b3e093f79727d252c260

SHA512
c1de7b928acacba19e25068cea7e8a4d32a96f71beb7efbee1436ac344aab321dc500b9ca7030370aafbdbd54442207902929920e38557ffab2e23a3c0fe31a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
646b9b808c609cc8e3b6f396582b04c7

SHA1
bdf1631c6b2a05e365984842c7b31f5df638be5a

SHA256
5bdd2aae792606f96293e72bb18093cef8f31903f4d2f27504eb11085ad07778

SHA512
747396985d34e605856da92423d96843d4ffef03c85fc1542137bc1f41edce2e218e517878bebd261a32465625ee7287ed4b532b8386bd19aac3cc68eff3331d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
6f4abb30e825a56cbf4daf7faf126539

SHA1
29da1fc6c545d5f2e8c8f3e5023b2543d4881845

SHA256
353341c7fd0c434cdf720a05c90479514c4d6bc061cbf51dfb28a42b56ca37a7

SHA512
c0986869b04a566470f9283e47fdc18b7cb46a9660cefcca39b2d9a5ee8b27381428f52be4bf76cb30d25c5b2395ff8490ba982ef4029d424ec907844a868370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
6d7a74913f08b669bea7d5a07571ebff

SHA1
c4bf307944c5d7f38759d49bc278d39b99faeac6

SHA256
462495e9e0619a1541c0df8c257a352bc84035b21c38e25f4d8330c1e8934ae7

SHA512
290e7449a4875d180ba36e54829912f49575d6ea7b5b3235e710e778c985bb4ca7ad84a78a167c0e0437f41c8c420080834eacc66b530f5f8feb8f988414954e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
a43d5ae4885199180e10981db06b2986

SHA1
3eb6885fe70cfc6cc276f2ecefbeb77eba14de65

SHA256
88c7ecfb46e60539880c7b4ff320543c8432fe82b343f07342864a48773c396c

SHA512
c7b9982236aa4af101f818c04b965ab0666deb8c73968ee7291a4db443bc583156c04ec6f41b1cb67291efd70252238654cd3e99a23cb2f6acf885b25ab3933c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
c43fcd82755053324e5729685b3fcfcc

SHA1
2686be692ce39c0ac0501ad0e5bfabf03b7bc182

SHA256
bc722877c01d4844a7f5b075b2891524a67ec9ecceb56466f87d9447232c9b2e

SHA512
c252f7ac774cb45110ac0e64c55705384ab1b82e2f1298a21cb250ec60fcd67cc6aa736ee5553b93e9f35c74eb6826e65c1d715506551bb2d0dc0944ed2b0da2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
e65a1233d60499ab34cf4ca60c96140d

SHA1
d341e227ac0b3035fd04c81a627a7465e2ce6dee

SHA256
38f6ed653f884d31fabb8685eab20abbcd27ef13e6ea68f970f8a7e34d8efd7a

SHA512
42f00fe281fb0ab5b77d6ca9431c1937735cf988f13ba7fd5951055e91e80dbab1d8b6ce5cdd0d3bd6491810c48cb185e5a453dfa9e3a712c82e98296f503d80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
d2344c3ed74d921e8f4fe7aa7e0e5e81

SHA1
956dc9c413fc42ac650e9972e91dc98bc48f6666

SHA256
662b755097f7509701df92e21e4c331b611679518dda6092fcea6c2026aa9cab

SHA512
e502e60534e931cde943fbf5c58bb7865da3fbd51c95e22a9cdc07b86a6d5a4129e2d617b525f58e601b3f37f3162beea77db83052e25ce0b8bb48d97dbe75dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
197d54d16ae7dc016b461e4e17cfa134

SHA1
340b56102f97d362cd66626be634efda5f914185

SHA256
82e50704d457c16394f76b7ebea4a6ddaf9b6407de1d243e0246a1ae1bdf76a4

SHA512
ff1f3d2af5e6d05a63029db9e84e91266a8f7672a3f6e81cc40286138a78eec4e60656700d39549e1c90b025839c20147808c0efa65c85bc3b3ec1e40811ac2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
34984a6b3f601ac2b2a0e98016c28f9b

SHA1
15987df57979fec1be0678e70631ce79a6e41c92

SHA256
10be90bfd994dd8cf6bf62539969b76c7e724805aa5dcd878aef8a27b718e57e

SHA512
bdc6484a410817729a05f1c3085f14e4a3ce22e043c5adb5ddf37ce13f947a95379c72f85897b7db620790c42a14c23d54d237e1e5f901a1ffed39e896e056a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
e8074f3fde93cdf26f54fa9e505d1b1f

SHA1
0b462f5cce518906a8965635f835c8cdf7098b40

SHA256
6656725979655e73540c5b7f5feebfc4512d6dc62877faf2255b1e449c7c03ef

SHA512
83d6d487074c664b6d07579c0a21cfb4a7dc8264e0987134bcf7f304adc4bf8b090bed8204b1ad6fd53e79563c95bdae428384e1722110a12c22a1288091ff17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
3144dac20a0521afaae43a3d09a866d2

SHA1
52156e5813ace54eb3cfdc28b3b361bfd80a7fd6

SHA256
4c3d917174c6f400319f0b781c9af63ffc4d4114c09865ea84155507d5889591

SHA512
eb9fcb80480ded615bc22c5060dcb894c7dcef5137ab67dc912f9eee0ed728e1b63893f0cecfa98077fa11ce99b4644fbf2b73bf512944154222849546ad538a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
9ad8faff41a6710c8bcd51d3ea4747be

SHA1
251e67959f60ba4c4414ff68001c99fb5c593387

SHA256
bc4ce5e75d664f888a009a095d3dc7b5fbc5dcb7ff94607a980fa871526fd675

SHA512
9c9cb61b66758d5dd9d04b2b51c4b8ae45a6fc03f5b5c25d6c0598ae76cee69617e9d0cee3a7ae91bd513f24a3588400927ccc62fb9fae0ac0c5310b0ec7d000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
780b45af9f2a209812fffa069b066bf8

SHA1
5be37c92830acc27a18099b484a245463cbc9e07

SHA256
fcbe9680fd32a184b94de84bef47ec7c1c7681ea446957ab8e4375cc618c2d28

SHA512
44355527c699cb805ee9597613b9dfa64f211e1e0e8311af836bb4804f3ed7464d8315acbb46c6fe1d8b6e275ac7b82c002adb8ca8f46527b72c974e6ecf093a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
a5d855216a83c4d720c401e127c90cd6

SHA1
7f48d0b45e259f9edcc361a7ac3eb1a6b473b508

SHA256
0dae978476b5cc6501fa8f2911df30ed2b3eb29a1592b6f91e49fc491e57f0e0

SHA512
e4e4cb2fe2579a39bd3551b1945310f42d619e259ce1a0c5133611a66d687d5b9df23a3680de44b264128c1c8a3c557949720a7a454dda716301b396fa492a34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
633a8cac30d1dc66b6efc565886dfe17

SHA1
a099064a92bea910bd8688e47367b17973d50291

SHA256
524077304a84e328884aa7562c777c06b6da31cbbd9c2b428eadd56b1565c532

SHA512
e5c0b85aab85270958ca767ad0a9d1170acfb0fa62c77c2892b415c79dfeb3e09be23496585877dab3afae9871e7cbb68b3a0c3379d0181708846d41ca7c7de1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
d241ca15e50037c7ee243bb87f42d89f

SHA1
bbbefe0f82edcde7872876c9385404ef0b14d51e

SHA256
c4200187c7fe7c62e4d605e78c3eb9452fd92f622cd0152e2e6058d3c8554ec0

SHA512
75451c0d0b5f31aaab5e73121967334d4e88d65ed2c08f2c479a76d1fb7228ccd24b946434cc685d0afb4db330c867ad710a1c05c7c184d0da67daaf4abb4ad5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
9de933c954ed498e0c6ea403b588576d

SHA1
d36f9049a44815b896e592b9046289d912d18cb7

SHA256
4ae7702f9ef461b9012855a4058991bd3c3ad07304906e6dea05d12cd8ca5ede

SHA512
fa48f63cd9deecd1e43ee7e0bf764a858b0f95cbbbf9894e83badddebb0e2dc6b9e78fe3b9f4a5df949457ba64fe6560a1224c7898d700d067593aad5ef5a9b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
9d51fbf6881d0d53838a2797f27ad1b1

SHA1
f7c7fbacd20f34c896328c607c18979fc646d53a

SHA256
a85b7ee016d909cdf4bd23eb100c387dd4933073b404b86f94205d4d0c131309

SHA512
eed5fffcda7cf53bde9b3e0b60765d3f037da08a0e79e4134446e285167df6a25469ca8789caaccbc7584edc8ecc4a16384828cb55070dc16fdd7c1c53132bff

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
2976326a9c085148144a736c38d7707b

SHA1
59313d30a39f59d27abfbdd02a5f9d8237d623dd

SHA256
53602755de8686af202fb1c391b6e7ace88840c22564ba2b10dabe347c808a4b

SHA512
b1967d1cab22fa590383a32919bc1bc42aaeceed07a097fa81672001e74473ddb8f67db0b86a980584d9d37fea06a2b9147407a0a682a4479cbb57b91c51b037

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
3fbf01ee085ecb34ce0cd6997d50140e

SHA1
41736edfecda430b894d2988f1e4f51e5c237b60

SHA256
a9b5948a09bad7d5a2b937f9212690267ee880f3e0a18b876ef12abf1256fd1f

SHA512
be7dfb908cab5433909ac21d7cd9a5711a1b759c99f88b9081b125cb7bfda8838918dd25bff7b6bfd76fb3f56e25b3052dc4a462a8a5b8187fe7a8c67425cfc2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8c828346248e7dac77ec0f638d11afc1

SHA1
35e1eef1e49bf6e1f9135b4c65558c183073fdcd

SHA256
8a060f04ef2dd9b59fc897128199c63428154aa7cb3ab7f721e6e977ac5125b9

SHA512
2855a937671425ce21eb06e40403f942873e694542f91aeecf647d3d96fbb05834cd136f9a67a9e4cdadd44b40daeb9a5383840bead2d28c2d6a3f22e9db0f0c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b757265a66a1ebdac2c4fc5e43355196

SHA1
f67c968a020eb80f6b004f992da70b78e4d594d3

SHA256
efe9df1c0ff763a1d19876e5035df96436d4f2ab06b2bbd68984bc8c1fc9598e

SHA512
562bdb86424a33f5ac22192c54cede685c9c2712d5a2a2a57812e91c0755662ca66265d0b3d0c200310c53540327b3c8f064db3b29ee9f737eeefd63e2416561

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
e20b805c6e72e6b7ae27264a4dab800a

SHA1
40337b6dcb12d678070a52bdbf06b72d9096f536

SHA256
680ba074130ef870a8ab04105b8d53e7ffae54d9a4e864fc22171fe929907c4c

SHA512
9b831001683287473982af20caecb923c02bc23fddc35f0d2cc4319f0cf84c51431d5e4df2ce92bad1ab39b14a705f3e36c2a2da995a928c23f8342574729dfd

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d9a5188afb5eb24f3397fcc049d0f36e

SHA1
7ba80d0b262804fe18c87f3873abdb76ceecd528

SHA256
6db219ce06f25f5c174890ffa9799b36d062a87a48c8fc38c09d80b8c79ac475

SHA512
d3b948c225256fdabb5d11a1a9c8d3070d7c72000d61b17f0d874077486458357516ac93078050fadcdb0e9ccde263fee3050390a0c4fb47fc023fff0bb490c8

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
2783f925a98ad8fa6877995e201af9f5

SHA1
88c4cb854a413318b2b2165a2b30fb87bb074991

SHA256
daac0d1b8f741e93dd3bf2c85c1394769ebcaf531e07da072d62ef5c1284bff8

SHA512
c1866f81cb12ed8e4ddd868c05985c1273f183ce9391e27b3b427c837ebd369ea3f825e72d422d5f15f9e05b820c8807236579eb247e532d4064a447203bd077

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
b1e3e5dfc02ba5fb27652ba7a4418f1f

SHA1
c5e8b24b9b4824e7c7d2db6207c3fa6f4dc0643a

SHA256
45658e1faf283321c7da5d0ef457c7a3e5edd37b486b4de9fb6e52d18302ad98

SHA512
b23a364043205513c6c40db3441305116a21e26dc27643e4357578e80000003dd2ff6d4670b962bd1640f036ae9eb9182f3138383c1a3be7ada3b96915074fcc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
963d67e7134a8e9940b6846ce69766e8

SHA1
1375548359559fea0666068390a56a42b8bf8650

SHA256
7557d379f452d77215581db0ffa5f7e7b9f878f08a04c27ac0769bd270b04863

SHA512
293a98b586f0645beeb3249395ab5ce164faacea6cca974dfd419655a1ad22909e024d0e5995127e5e27b4c57805595e6977b28505598e2a3079be674af109b6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
291e205a387a4705081f285f7a5e02df

SHA1
6cd0a3b3e6e81391b02ab217f62bdc298d03f19d

SHA256
4597ffa61a6a6ddb70cadc06bda8dfa4e9601d7be7cb020e464566b178e6b51d

SHA512
af5e190fbd5bf52909e9ea9d2b2760cfebf3b27b3a1dd5cb4bb1f2583e63b858578b5cae9f1c5fc09ec0f6add27764480f11116077a43acbc2376154f7fca24a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8cf2d8f5ee82e8ad3f49555c0861efd8

SHA1
555d1bc96cb117de9432bd79602499de4fe7d0dd

SHA256
daa78fa613c5a176c395575e500d9296b013f6dd4fe222bb68a82b8d8517268c

SHA512
44cae938076ead3cefaa1f29351b8e5a44f9e8ee2c4e73603ae490056caf89df0e747b263f02a96c0fc0f38c2e0b2a8e3161f1d4a38bc2fca49a339ddda53e98

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
10de1ad72b2c0ece1c750ad0ac5f8ed7

SHA1
54fcc04b9eb644ab37e7bb2ec21666516286f7f7

SHA256
47114fa7a6fdd81dddb95c8508f682fca3a8a1c7ed04330748a59c64dfac70fd

SHA512
e52c4e861cfda0297f3f093fdc724b8d84a3eb68b0cafe7290d151c338be1d2d0fae1e785b537acbd11abe91429c55f526209400509fc08c745245187494bc19

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
48b85fb7310e633fc86e9f979038d1d7

SHA1
3d164699b33b4079f8c46e1503c99b4663c50603

SHA256
e46f05f176446474f531d142a95081c439e087468d75df617a593f6b397c78d7

SHA512
888de19f83dcf81d46594bf9f2b86fe833e6b9c3ad3ade0a90c29a2825619418a12ff505e7d8a0eb85c8df927d02b29c08174cf27e48259bdf012f5c92015c0a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d0ab403c5af64485fae9134f722bc4f8

SHA1
7c679c179824461f5127bcc1a7988af289b0c745

SHA256
8bfcc2885bda6d238b849d3709515d4cb66628c32210740687ad65e5a6a16d2a

SHA512
1fdb438d27dd4871a54ef539c06200420d55458bdca9f45501382268bd4504ceb825e79df7582bfce6f5af91bc92f9d29c2343eba8f5225b5ede3f4076e83e62

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
d57dbde2803c34b8d7252eef3c1e105c

SHA1
715bc56b301c8ec1afeadfc0c65c70bb264ecf57

SHA256
8de2ab8b5329a4e658ba888c72e4df2df63116155fd691666f65c3c6db06cc0e

SHA512
4b5a3ed46c09480f8a2ebdc0805a3f151acafcde0e1baca349a5cd8c6f4ae4124b5e80ef4bcc06a51c26f30e117716b2f077c8b3f66f314fef19673097a95759

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
6854ecbbb1eacdf399bdc875271dcad0

SHA1
d307d32f58052193add949322c8dab5bf0b4120c

SHA256
b97a9eff15eb0d3032ceb4ee0894f98982a178b2ce42ad6b1f06c1c848f998b5

SHA512
8ad2f26e2e9af292daf9d7dff88d2ef959effead8bb11a1bb61a41f3e2c4d39642ec72e14060f3eefb297f0370b8e4e4b83bcf2f66f9c588d973da3190375741

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
789e1d625730952e94df2fbcbe0a6257

SHA1
18af88dd224715f78a9939cbcdf1ad228bd59fef

SHA256
ef924b4f041c4b119f0cc02f000258c11c4a44868b09668aa23aa80ac8399701

SHA512
541b9cc21f75dd04c4fcfc767e2d7f78b2e9364b536066c92590de7fcb7a7646fb21f6841272fff7915d7164167ba46c3826c911ac6076aeea8c503fdd982a84

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
1d592e9602429521c3fad15ef896fa6a

SHA1
bbdc9546c55d179ed87d6c24e788ba9a0c881d59

SHA256
e181065c423b129c61578c809666362c61c731b1b32e2d815b679440140abe46

SHA512
152ea606ac8472ddc70e702c8501b48f721cad25c3f9573b24ba9b0469238ce39d623c204ff94ca72d79a55d8a2d82a743dc46562e1683d28f276c46135d95a9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
a673474c6d375d8c92177a967d1c9dbb

SHA1
75508e7f59f4ea8dec55845f1d86d3690e8b2c6a

SHA256
cf16f524d718d680520e4f938fd8a3fd9ab9bbee28274f28a732ef3d257d9f0d

SHA512
b440827c2e834827749be3af3b1e3ed3f75accf17c9270d182b0984657035c565e4fc861e9a1960927025051075c8669784f0f4b6eb9be77c0d6de49fe02b1c1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
14d532fb15d482612acdb7ef6c2aa36f

SHA1
ef425235ae4e56da75aedbe10b61902e11500dd6

SHA256
6711e0267248b2a92e19fdf5e6073ad9a6d498a498e3cb4cde573f54489ec133

SHA512
4f20e7fdb0a541cc0dd12db10327600babb60120529612a89b64c2d5b1d25572fceae81bb2c365ffcb7f11f036c5408116d078e0bf96d4490e31bf5af105c07a

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
eee60bf6e2e5b24edaaf21f01bb07e15

SHA1
bff71846da65600a992a281d202f136a9dd3a796

SHA256
ddeafdcc23cab740ab11e35b109670778d3059492b4c45fe64f1dc754bdf359b

SHA512
ec2bf853d2b94c07ef8156ff848b934800aaed6ea38fd5373489302d34ce132180f1b207040a9775297c7e77cf7d8b5b782dcbb780f035b616d9d23d816cd8fe

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
6e6285a1e76140ad8d3c3b1fd4a35784

SHA1
8aa858508a59441570998876f57ed53c9c66d1bf

SHA256
ce57cecf29b037dad1bfe6a2c4accd21a0a164cfdda0249742c63d69d69a4a0c

SHA512
e4777dec0c26c9ef5fb714d16c24028dba0faebbec11e25592a303a7c4e57c60181a8bf91fe37337d198c25a60b16766f32575ca59246f1ab49bffda0e6a8044

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
13d02d6365cd52721a429d22d4fd1cfe

SHA1
e9687c2496bf015c8dcb7d7b912884425c2643fd

SHA256
388460ca9ab4d304eda797b717a2985eea7728ea2e8cbe6ca16e9f1ec067cffe

SHA512
b9c7a875e4789cfccf52a8ab4a190b53bc3b5150a11cfa5beb046fb80f44d0cd83b7f9e7696293f024ced7509f7b4858d39cccbbf0cb8c7c5d363e16a167dc3e

Download Submit
memory/628-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/628-735-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/816-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/816-20-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/816-21-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/816-198-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1056-738-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1056-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1148-732-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1148-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1208-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1208-739-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1592-285-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1592-181-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2100-741-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2100-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2308-248-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2308-733-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2540-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2540-79-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2540-76-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2540-210-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2736-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2736-126-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2736-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2736-120-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2852-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2852-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2852-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2852-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-309-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2980-195-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3496-155-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3496-153-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3496-149-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3496-143-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3496-142-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3548-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3548-180-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3548-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/3548-6-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/3548-491-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3548-8-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/3636-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-681-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-157-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4324-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4344-740-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4344-330-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4604-231-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/4604-669-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/4656-115-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4656-112-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4656-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4656-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4656-106-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4840-199-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/4840-321-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/4924-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4924-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5004-734-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5004-259-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/5052-184-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5052-297-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download