31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
Size

648KB
MD5

39765ea8ef86b000ab2c029dd8a5c355
SHA1

da654157e43e7f39ca30559272d6588973383ed0
SHA256

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674
SHA512

bab015272126e727063005982af8f41832a70a085a1c093a46b34d4d3d4dbdbafb9425d4d4acc642fa3135e4948337b9f2b3b3b04e441d75bac2333e6ae72227
SSDEEP

12288:qqz2DWUV+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:Dz2DWWUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4700	alg.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2220	fxssvc.exe
4976	elevation_service.exe
4412	elevation_service.exe
3356	maintenanceservice.exe
4644	msdtc.exe
2884	OSE.EXE
1664	PerceptionSimulationService.exe
3216	perfhost.exe
1932	locator.exe
3372	SensorDataService.exe
3192	snmptrap.exe
4632	spectrum.exe
4480	ssh-agent.exe
3060	TieringEngineService.exe
4048	AgentService.exe
3672	vds.exe
4408	vssvc.exe
4896	wbengine.exe
1844	WmiApSrv.exe
1096	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e54476355e51cbec.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\msiexec.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\spectrum.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\AgentService.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\vssvc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\System32\vds.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\System32\msdtc.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\system32\locator.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dc35154a699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000675d8d54a699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064c17054a699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026abba54a699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3116	31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
Token: SeAuditPrivilege	2220	fxssvc.exe
Token: SeRestorePrivilege	3060	TieringEngineService.exe
Token: SeManageVolumePrivilege	3060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4048	AgentService.exe
Token: SeBackupPrivilege	4408	vssvc.exe
Token: SeRestorePrivilege	4408	vssvc.exe
Token: SeAuditPrivilege	4408	vssvc.exe
Token: SeBackupPrivilege	4896	wbengine.exe
Token: SeRestorePrivilege	4896	wbengine.exe
Token: SeSecurityPrivilege	4896	wbengine.exe
Token: 33	1096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1096	SearchIndexer.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	2796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1096 wrote to memory of 2636	1096	SearchIndexer.exe	SearchProtocolHost.exe
PID 1096 wrote to memory of 2636	1096	SearchIndexer.exe	SearchProtocolHost.exe
PID 1096 wrote to memory of 2088	1096	SearchIndexer.exe	SearchFilterHost.exe
PID 1096 wrote to memory of 2088	1096	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe
"C:\Users\Admin\AppData\Local\Temp\31a47ff3a5159eccf2e48943cbc855160f26e115359748faa2ce973b9a518674.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2732

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2636

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ce43f52e3a00398f1be56c5d9e5ca6b5

SHA1
94040d797dcc73ad8886e3d0f6074a9a1b663cdc

SHA256
66344967644a72d60a392fd0f05f0f5e69ba7c97f90a41607b5ae2c11a3e9afc

SHA512
c34138b683a4350775178374334a6dc743ef81ec7087b7c8a79eb694157b69f54eabe18b942f13a61375aeba6cd82176d8c3a088b2b1f497dcf4c712750f8a8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
e06857513b20a28f962ba20e08005e53

SHA1
7535de3181a071981a377be85a36e6d140ed5402

SHA256
77cb2f60cbb46d8198378e7f57741ce202dd974def6f2fa27e8554bce1df6892

SHA512
36e35fa9fffbf3c366a70e0cc5d5fd06922cbcce2c31bafd5191b67e86d3b5828a5abbc44240433147ef0bd80a686e3ee2c524d1588bf47fe0b7ec68cd2ab02d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
0a693838b4c6c08375b6b61a86021e30

SHA1
dbf56c8c3e50559a271e5fb7a4b8a26d579efce5

SHA256
8d981b8f83f3abb6321c2747a96752c4de63e1575c552e9be32c680a00e63ac2

SHA512
c511dbab9db5b0a6cecb0d0c4a750e0cf390edb9d20a2e7bc055038759b9519ada7be63a6b7937e8dc2b972a4bc20b96efc72fd2799487a59e4af5e9412d4329

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e2dcb77d8f6ec9fbb79714f410bcc5a6

SHA1
ccfb63f5d99ea082f24771f6188a0027f9a65dd0

SHA256
31e93786af0e1df6e34aa727b96ad01ee6408404f733642e7fdb8ccc419d4760

SHA512
0a5a86bb5d36986988ffd686b48370dad299fcd21d6673bf0659ab11468a28a3c844dc13fc1755e6de389f1ef7314c27c98ffd725edeffa24e9287cad35deac1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
65e2b84ff33e76bafd02e854e7085af2

SHA1
b931d52863b0c8d3ad4ac1e275a2aa7ef01310b7

SHA256
1b9dc2a0a0b270cc98b56d0c25184466254cae1977fa83838c92e65823131009

SHA512
bc0a78d86b1a14f3da4743e96b0aa2caf119a05167cda7149c78f272832f6112995d7ffcb6f551494239fcb3acab04e32e0ae9c3339d047a7ea37f714979cfb2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
d6872e1c94550994c1ff0fc2443e18d6

SHA1
3217cdfc246e66e4003b5ec4ee8a9a93718743ca

SHA256
dc7bf10f90232104353abe2173418d885f0b7383b92ee9517eaa80f8d305ce14

SHA512
4e2dfe601d9801e2b8c854c0bdcd8b5ca233bc35728253fc33904402e0499c36578265f3b1ddb9d3878bfa0356a9c5f1cecbaccdc5c5fbf4a388cfeb74939a43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
f6cfb491c4f94f0c21982568974633ef

SHA1
cbd3216bf0512de0d4c45b1bb8700cc1114b3434

SHA256
8657f49e94bf879cf4ce2cae9521cab3799bbfc115a00d7d37f75fc42934dda6

SHA512
997ebbd6f35501adb02cc0b41ecb2f05e03a189091db175d6b1c00ec62caeebb3764b6eaef76cb60b52be1f2af1aca1dee95e25de9d776563feb6c921d3126ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
386d4eaad6a7fc12a61435499577dd58

SHA1
7e8d487b42f68dbcbe1b04c67e44d19045b62519

SHA256
9de88b70372fade0af75ea41d22d6786aafe025d0a7b6b531da32e17ba68a07d

SHA512
45bb23aff6783818fd203572df459af296acc4d3a48989906863f366c917a8e53109726afc73c81f7a643f1a7eefc91ceefcc57c1e7fcf2ac7104ae54801de79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
835ced05c0c84cbce5a118b5a71ff26c

SHA1
f708fc03e9cdd3877211f904d6608c63ad9ed5a8

SHA256
a5f683c6a77b1287ab5813a6046cc9055a4adb9fa0b8ba15fd00e2ea7f8e87d6

SHA512
2c3e39d3fb716a2c0648a613bbe1cfeb9280c47cb9acf70bad59f6f10fcc4d7df97cc4cafc349a5574abc4032a6c0fb8c1a64c289d47afb7c7299a7d6f140491

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
27c5979a43504b676f9d22e503b02a63

SHA1
3bb309f97e8670cd50c5c2ec49074c473a399c17

SHA256
58011857ec09e7169f4bf93e6ea217cf255d8f6338f9259fc6f6de3e9591f3b1

SHA512
4044d4f1db3c6e58ee2085797089dffa875c3b0907fa8703c119979b7abb4a8a7732d94b5642fe41d0f61070af905aaea96fd53c9e2b809d491b67c1c53a0630

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
1032c6c2d386b9991c52ba0907e1980b

SHA1
40807d0fb22b08558b0a2397c31ef7b95772633b

SHA256
715816e51fadfc6f02a1713aae690881ef5176845aa67ff35fdb2b70abeb495a

SHA512
31425f4643d0469d38bb15207b4f752ab6e083082c5bce438daac95074414d0e18033bc1d6715a5213e1abf6fdfdc44b44d65f61176e0bd61ba92b33af138c8c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
82aab1602252074fc375aca485aef4e9

SHA1
1536e9fcc88ea068a2b53b4758ed8903c00cbcbf

SHA256
fb537cfbf8c048df2ea6868d958bc92c7859ba2b5a939c8530fbd27b3ee29158

SHA512
65846d5a9ac24fe49d3e466c342c633af2fadf45111a2757a599a52a7b24abe63ad40f810dd6860d0abfb92484a3e37f420cccb1f946f2cdc60c8ee5bedd2f98

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0c6d00eae38f26a7b38860d876e2de03

SHA1
5e416c23e3b60323b1e3624b80f0f5cb64c3d57a

SHA256
ce2b975c29c70f8fd01c8606db2f7fffedb6569cda2119f28bb30b121c9dbbf8

SHA512
5b31eae070d467e907d8f1a76a8d16b39b896a0fbf320b3e102e76d7f84ac916a65daf236da29d006ce965df5b88ca9b0ae82d1d634264b950fac96c0c0ef57f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
1afa50bbc0af5cfcf3278e0bdf8e8cbf

SHA1
34983114cd6abd55ee91e0aae798f354bc6f6688

SHA256
9af43b391d9e60b085b91aa1b8be1f48f61eb059fca10b354ebb38cba3f88be4

SHA512
c6ac2a3985d41e0c83d3dd1c9304a071a90c23913de90c6eab567deb5dc9cfc612382bb5552c51ccbecbdac7fedef6cf8331457991a084e32b9daaebd1b493a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
972ffaacb86154ab2bcfd65674e92a78

SHA1
e65743eabebbcb5d1c1cceab876591fe5b183b32

SHA256
80bb5e8b1c1eedf912495fe41291ade131eb6161e2af8702b6b94e2abbe433fa

SHA512
76aa3c19b5cdf480082d958460ac1e37c2f4f7b2f8a75400238396e32e063c94d0656501bcabdb6545b3b41b42641bd7b325bdba011c341862118ce9d7af6bef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
d65299d918a54fb6e13e313b8b31c675

SHA1
103ee1fba4800d03566432c6ddee564115780f79

SHA256
c9ca57d7376f22eafa2cbb8098cbda2796887da54ce270f9c16086184a85a8fa

SHA512
813e81f81ef1163e59c8eb62dc24551bee4dcb07220cd375e9a286ebebf3d2ea8c02999bfd5d25a14819a2150da932f40ff324f5fefe71ecd0c3ae25c1100c89

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
3261e83db8c10c9616b04bc54d32d822

SHA1
49fb6ed62a593971cfb4067b5eb47021a7fa0009

SHA256
0e473a05425242fbb8c38f3106163c8f14685e3824f7f3cf09b89724bc6548a8

SHA512
b8d51cc6d85908d0065f995f3fac6b4bd772c497be8831df1f5c576d2bea2b3c3090a5db7bb2f4653498b198e348a5d5f53067b0424dc3b1a895405ad064b061

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
a1248556540eeb614ee036d3c598ef43

SHA1
d03a04eb9a621234ac561380fb304d683c3c43f1

SHA256
68618a6c64a7cdc1ef05d112f66bc42bb70d0f0ae519a91fce3f615685bbca55

SHA512
af4ed38fe18c72ebd65f5c61eb84c02b6a92c1d4e01bdd40c0762668e0a2d9d2938993d0a37b0a57715864495aa589f85946b0b0c1c39cb10b45d7c7f2d3e1ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
2b3256a4d3f0e9b79e782ff0fe310bc9

SHA1
1995ff5135714489c927ae301a882dfbd7d5d8a3

SHA256
3fa5494cb626af6a01a36748b34836a6fd78767243ec59f77b6b8c38ecf18d66

SHA512
c6eeb4bffbd30905077afbc95e8268f4e7879ce53d8da62c42f2dc0dad44c1e420aca0745e028b6020f0cb2bd9ee1ce5f45151d545ed2c1a23b8097fa2ea0003

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
6c81e666ace93188685c562a205084bb

SHA1
5561ee19422a8ba04fe5253fb1b696fc86880b20

SHA256
f7bd9908645a74471078b53fd99591e4408c6891bd6fca7c8b28d83fa13f5f6e

SHA512
943f5520e510e45db8cddc10d4a80a35b172e79a56cbbc846c4d645c5145cb449839778c629e98d487c5cdc8883087eebc6645fe0388ad9d452a7ae7e5ebfbf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
546c93e9185fe0942207d06d688190dc

SHA1
7065f2dc5ebe25d0686b0178bf0ae870d67f1d5b

SHA256
a5da4782d2789a8d49d4ea816a926a3d5984e1b9e8ac3a799497573447c8e2f7

SHA512
1c7466bc42a4e2da0ec4a0f45ff181a63138827224dea8d2d7867a54a4df80b6a7bb400c6935b35bc5e08f3d0a9a479d761a9e27d8b32dabb3dcad913e7fdc76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
7f088062e32842f02d8d3eae24496a34

SHA1
81900715e6160400e981d085df0969f8ae01f698

SHA256
d3da938d606e1ba8bb77b2805cc40731af3a87a4154acea83a4c78b64fa9f2fc

SHA512
dd384dae2ca3383f9b31737735ed7b772a706be5592bb0956d3d3402eb7e690a112a413f350e11dacf78bd6ebdabe9fe3def231361155667452119c1f59a9d79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f0488f4aa9c9cabd5ca332040ae932a2

SHA1
0aba1f5866cfa8ea4f412500e49d050961a674e2

SHA256
c76e10887930b4732737fa51bb40913ef2429a5314e0094b0161afc0c5e2ae68

SHA512
bd48c652313b855237f3ef87cb26f81031c5680ce938fdcd99fbed2f5d7edfa711145d0cc6dcae5dfb4fc4846a8de82998b1bfa7e76721c5af2e8b643a6a5fff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a502ea23fed1e64e2f7798c4814006ec

SHA1
5d2c1b77551e4feba4021496aa0c4fd74295bc28

SHA256
988e4ed027bf7f6495363e6f6f508bec3d79cfb3654e46a478bdde79c829bedd

SHA512
03e1bfa3d5347abd86e0d83fea71c4dd836105de6906255596943e3117d8641639952ce98abb299ce0843db8e0d28bcf62fe2ba7d4db9e207b7b6649230c3393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
7fd1191500c9b24edd6307005abd6e60

SHA1
f0ca5a4bf84fa21d72de1f4cf7189fcaf2ad0c03

SHA256
fbd0aa4b5e6f937e926defc4e22dfcd0ea1b800499dbb052049ec67bea91315a

SHA512
0413437e9de55ecd8e84c3d53f3a0900352f7082932d1e03152139229a9d2455d5df15216f5a0355450a9f21f46221d0a8ffa6403185d6762a6fd4b0328db349

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
4173ca1af9fc751e5b7df20feaf7ccf8

SHA1
2e64189d648f16f6b74524e0f4fd94022dc1e482

SHA256
5e58ceaf618fc451334a886d2656230997cee7cb99671c04927aeea90f38e1ff

SHA512
8559018a6859e5a5604115c05a40382e5dc18ee59aae0460e0ae4a2ccd755f7d57d5e14359d2b8284a768141595762cc2ea001edce4eab2cc6afae838c5ccabe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c5c1e4153ba28f8dbc51ed8121b0d164

SHA1
316e4d7c060822501a7cb30d711b4553aeb39138

SHA256
ee42d86fdccf04610d081555d58a1e2e1f28928a0d8742249f6ec6c60264df30

SHA512
55fb51bd073ef28b688018b9239f26c9da926d17aa2c4a796a1da60725c410a6c7ad475d0620ee50ec8fd73347b8094d93314cf4b1556bb91c57187cf53b9226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
4c74a93604dbb326286c8c397284d8ed

SHA1
b860a39924bb7a066d877314179ca527e0d23b96

SHA256
49fbf3cf682a02d4bba2dbc2600f4e1f69ce99b6c1a05b3b89d026d2b2cac8ce

SHA512
9a349b1bd8af994d7f42f131e1c8bfb9b65c176489519ca13e6db3c63e2e70bf1202d83fe926de8be945ea0170505d52397fe21b830cb3d4ac7a1c014322d65d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
86abfa928081ad41572f804e6ee1f92a

SHA1
30b7a6fe1f286ae8416ea4134b65812fc735a13d

SHA256
6f55aa26d3aa9a71810d37ed48c52f78a04658f9d2e61dc4ee233863d07e9d51

SHA512
45cbad3bcb7b96579a0a751d6671efff86b1caeab1d1cab7ba6f17035106aa0f7c54126614da1d5a419838af47b5b275068130316a62eb0754001deb5933e18c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
570d6943d530170c203e63996e89b983

SHA1
9b9ea7baf0301b569fe4f8c98e92ab0edf636ef4

SHA256
1e083e46e6c029e55772c317fd537fd196bf101c1d09a244d453f8d54fae683f

SHA512
d6f08e4d26a18a16124e7e9ea89d80f3ee2133b4b2441ef6c83d2a30b49692e43fd1abfb67a9ece7bb44cab57a335df4cbf1d68ac99e1b91d61ff923ab884d74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
6051c5b22298b631e9577c91f25ccdef

SHA1
e60f2944fb77c9c00daab712c506d1850deafeb7

SHA256
2243a018413af489c453f0fc09cf8940ca03ea7c0349c311256f505a712f3cc1

SHA512
63d3109c39dc2e329d9f4311e2551b3a8905eeb054ad5e646f61a0e32f1aadae8852f471ebd9a18fcb1b3dc4de1179a417d4d11991abf3b0a54c053de544a8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
6f5145b7590028a01bc87e48668ff9fb

SHA1
1d3c8d668662cc9ab124b7f458ba98886e97a802

SHA256
d690200d8223fd3e80199bb63bcbe3d224748a6bbeef44c5f4c4b1b2196f4732

SHA512
69c92cce5121a3c90b364489107358057ca037a3e6af7476e4b7de202fa41e258fa77389605f046d76e9e629087492880c11576171b60479914d182d3384b30f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
6ec66ecd0e3b37d4d700fb2ca4e7f7fe

SHA1
fb6417ccf512578ee5fe76482ce0aa6621bdf466

SHA256
da6d8dc795352633a26239812a1272ee2d6f8a0ce6f507e49779ef4be065fdbf

SHA512
69d786d97ca4d5a6c7e92c1a7911b343f0f813e6f6969759f616ff41867685ba8d1a9329afcb3f65fa447805217d63ed66afb1659bd7328762e23dc379fe96dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
5b8dffde16b9d367fa9f91c97b132aa4

SHA1
f28d7ff735b07657aa601c96359f5281d2bf4d2f

SHA256
6186504945633270c712ff74109b375c1d07da483543aa3e77af4091e6f1bc83

SHA512
b45b3eb9de5eb05102bb4ddf514b8d36b6e31e4d74ee044ca6bdb575470fa34ee344d58bf7e3dd5bd78f44abb1054f25c3ce6a17102dc787d1194a8a3291164c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
59a3411f3876c3df27cde6ecdbc47924

SHA1
4f9b355e10b510f651cf280320e61f7f883c15d4

SHA256
7653604bf1f58debec2ce1c25859934c49ab284686a4188b5b23c0e924306710

SHA512
1cd82236159b598668367bf0b00479ecd6dbea02a0b8d09dd25407f8c7fdc2ea73fc10a1bf13a240635cb224fc47a6f2caa7ccb42420458ecc060fa817a21727

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
f8d7ad606d2df091cf8461908387151c

SHA1
2cea5335325eeb3a69bc5fd9c1bae1fe324de900

SHA256
3ea4c7c1e20f331744a79b88286e6e0776981ad1753c08a376cc86c37afc5674

SHA512
ffb6101de8f8171a3be38fcd278091f4d5f828f9a73c38c31a06ef92712b7b3c53c8defb99ef0126169bc37b9d3071e1fe3241d720c382d929aaacf610117f22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
c5917c1086c13ee749a705bdf6cb576e

SHA1
aba85bafb1073e3d120ccbad40f9b45bec910720

SHA256
03a7f674d86b925ec1ba74f353aa092b9828bbc97d4cb2d8d973c67e83e9b256

SHA512
5e22d0f6cca7346db467871aa925bca879ccd1f7d4b6f6cc88006b56b71bf6bde390011e33967cefa132533d24b7752187ffb3f09a11531ac2b3ac4a078d188f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8fcb913f28edd985f18b3dceef2dee40

SHA1
737ed92fffef10de44b98ce3f4bb8d22fe2a4b46

SHA256
d68483f83aedacc815995c3be0343de4bac756b2987b95b0cb303cbf2f83e0d4

SHA512
3a1da4e822b19950932a34c2ff472561c9a22ac9ada4f94a796e2276840037c0a72e335eb75ea63bf1133ebeb86410e3ac2f59864a3e0a5345cf3a41c759167f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
6fa0b9194972e27a4e0276372134c600

SHA1
084d0049d67d6996eea23f87b39a3bb3dacfe96b

SHA256
67eb6ca6c81e08c262e8e1a5efcedff0bd8de7232f30845aa5552236c927d2ae

SHA512
16ce72278956bcf0cdee1d44018b11ad5f4cc44c5d2eac5e92eed54d8bf40cbc885c62ae2ae9208feae4f9f02d86e00b3d4745acf71fa95fd9f12b9fda9caf18

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4921c11f1ac3b356bc9815560f80dfab

SHA1
addc275b8bc901d9696bfa29580027fb153ddf3b

SHA256
7dbbe6af5729c34e5c56b356d7d68074d116b694596a1b6157e66234fa8213cf

SHA512
d2804f099f8b36755cfb3ad72dd7678f0be2da9f533ff534c449373b5ca8e34132aa2225771d1cda576b6a56a1cf59ae92980add8fd33dc91203afe7f9e5ae3d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
25f5ed607b8205b28d282044deded17e

SHA1
233dc6def98a5e04ef597f8a73d6b577f67d6d21

SHA256
1eeba6fb0634aa63b43361c25cf4d87123242df77b2d174175b70e5c6a532240

SHA512
3f778e464c5aef9c8bff77948289c8ef5791adc9131b1c51bdf1dcde6d3398870d1b9b25dd2adc4670a42baecff4d5389c42f8fdebb8a62631326d2d9bfa32ea

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4626302374c07649893bd56a16976812

SHA1
c2e52ca71acb761d1d5b39a9a87c8f0b363b6f2f

SHA256
ed47455ebb7577d4e98c502682c442758e6d95395d140846cfb3b6393039a462

SHA512
c1b0a0d0462678d835b01f58e88cc17c0ca5694d563199a2b91cf709a5e08780f4c3a98bc95d03702cc261774fbdc278f5addaaee7b54289c10191fdc0eb4043

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
eb9863e509311ba8b4e9e06516f5b45b

SHA1
81d952f597e77f63672048ea948fcb385f6e5af8

SHA256
03aa238d726206fa463fa633e5802ff1161228321b94c4329ea24685a62ed45a

SHA512
d54c824e9985646192ffa58c85a3fb2565754dedb365d921aa057932956abe4d6012e1bf1bd5fa6483ccd0481911f35e63a74ec28916ebd495ccc6793984a325

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
3587a1f25fc9744cf28a0fe100164bb5

SHA1
d27d33b8b3696433cc3eec1785087f299bfaaaac

SHA256
9a1268cb4cd9dd19a2ab6d83fafd1603c2da21597c84f2b58ad62b14d5516ce9

SHA512
50c49962b897ede81cf810ecccd58fa301777083f729fb5d3fdd14152bcccc64cf0b2e5106e9dc6b7f135145b6165e9f8e8518d4874da4cc3ce172ec60ed04e3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
6d979c8e088e453088683b8b34661965

SHA1
ab1701c44aa25bfcae494851cb0e2a0348d1854b

SHA256
acb81dffb3ceabf1620caa5889674b968071fc6104e5be4b9f67b5f109f0cf78

SHA512
0870ba247779ff5c0d2065fa0bc8f78c4e44fe117cb26d0ba71108392511e1c2811613f3a836b98a93294178334fd4147a79769a8a37a834bc125e56cb3ac3c9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
46935c4406d58983f0cc6c78b5dbe1ba

SHA1
a046ff784b874c9709fc177e586a2d00be8c44a3

SHA256
bfa3c507be4c7d62dc4c7ac0eb387ffe9eead60b5490106a32a984c0b1d28e66

SHA512
6064613f353b3e6014931075aff514e16f18096320d89a119dace9344267a8cc4a2d5a6ee2e790ed2835fa70cdb7c213fed800d637c3d657f78e04a5aee46252

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f965a4a5b4060d392f23474d884f6b3f

SHA1
b1bde59c94fbada62b16ce789c4ea5a68e5a0e4c

SHA256
f07555aab515e2f333321a1d3ef0fd36bf86c5bef055c3de6f236e34a969dcca

SHA512
bc0fba43f1c613c28eb6e1e218ae25b834a54e77394e6cec2aba73d424a0449cfb3c7761aba8c7b216ca8c151b9fb7950e8ba5a0b7d21b7b2b23647fcb550a0c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1af981fc6127e20d3ed30a6aae32ee86

SHA1
fe8392ec86833fe22da81d99dc826263a21e30c6

SHA256
492e491d51c50b89359c6ced7b2eef90632f00e0d1cedc584def7c4c9b92377b

SHA512
5e05861b8b7b56b372823087d7fb9ccc6857b44318e1cae287ba3f3573356f0bf279c8412a32e66acdd8e84dd2a2e0ac5cfbff72302652c7359892e9e54710be

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e92c09be4c47d1d9aa47eea61a8f2299

SHA1
0a05fcb77fab8801bf1f609dab54c77aeff4bd8d

SHA256
694119fa677994c8cb696f3a6ea9b3e6165b15b45001033740b81a735837818f

SHA512
4d2a455f84cfb10ce5f06360f3afc90cf3aa3f0467e0f78f0cee8bdbe5a6aaed0b57ceb512db4f02351196481529caa1a64f6b4dd1c5a82cf7087b60b88536d3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
9a93cea68e5bcd71590dacb3e050cde1

SHA1
d4edb3b69ffab4425d41648db03e9bd4b7b42bc6

SHA256
305beb52791b6528fbe30bfb91b2045597fee6e7b77752d422537196f746b376

SHA512
c9fd18edf71f8af76b2c7ee680f251a3af9d3f9e48f1f207d1800473e0c567b8a40c4be211ba86d6d7e486c0e9cfbc259a6771766212a03e93dde5a3eb98055d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
493f11afe8756bf65f8ca9aa2a9fb9cb

SHA1
ee2473bf2406f9871fa4fa5f9a9b24295fa3ab6a

SHA256
26c075df13d3cb460b74604636e68e7ba63c770d1e163118f67a813a2ca95b58

SHA512
c725b827fa4ac5274159d643ae830a7389cce76e3ba71c3706a782577b34cbdc5f9f4cb88a1c24a8b12e773f08b4c49e7aaf3980e86bc902983faee1d2ba90a3

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
4f647b0d11adf2fe9ac51a4ddf24b36f

SHA1
5bf58df0b6ce86fc5350f6ee2db1451db8c90aff

SHA256
115a28f61a899aa46cb5eee6fe2c1d991e053537aee08209db0be037a86d9f61

SHA512
078c4bf109f1854f28bed0d799d31a3cc0f2e46a17b93f3dead8de8b4fc645add4d3bec3b10176c9aac8153e1debe89c3c1d198a5db0b052e6ac9053d5c4a827

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
1e16e30a3ec9f6da76ad881206af6d90

SHA1
f9727d25e9ae6995d8e975c79b51a18dd3c62c8f

SHA256
abb59ae6cf0ac0d61aafeebccf374c34988411ce76ad0f2d0f1cbc7c7b30e6f8

SHA512
c125484d9a81c5d6a1c3a65116a9dbfb174c77889d96810bdde320123e8e23ecf037c43a89d72bc072b49841351d63b23a2e4d2e7efcbb71e201f97033c3d6d7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
27951388a8949162795992725e26f79d

SHA1
e8db7356a02baf0afe464c197daac0015a2f3a7a

SHA256
d6abb7f5aea2842894d52767bc53fdb13f8a64eb3105550abadb2ca3f750f789

SHA512
3a6d3f746b9cde129e860b20730e32f23f941e54786309f6412d7faffbbd7b9939d562c557e04997fd73a0efddc5e5562b622234bea3c9b3c9c6e2663fb166ed

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
12c4a765e0dcce4af343306529998820

SHA1
6099bef7ec1a9e04012a39227bc1b2b2b1361e9d

SHA256
3e9fb0f72e78dc9147de1d1ecd6a558b8fd37d6b6ca6ab0506cf904cdd20b272

SHA512
4de5a612596cd9cd7d9c066332f512da71f0f74384c9427e7fb5b329c992365eecc3df4d3be0c3c856e3510a43b4e9d4a00fbefe2a67e92cd26c232fd5aaecc9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
257d1016bfdeb8f173fc0aabb3696ffc

SHA1
c4f2469999b455252ab86de861c59583b157e500

SHA256
8683c7d1922b38b7c00dc90037560bc6014adc8018c7b35a04b290aa85647b6b

SHA512
e539b805fb6a6e195ac63e12791b147cafbe59a7d80d1c9463e927969ab2c9ff5662ba1219bb5bab5dbf484ef400174f0ffef775f6776b1c477ba0806eeac5a0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5db27b544c77812ac66583bfad4e6ba5

SHA1
2357bdf24a2ce61c21430f3bacbd97dcd7782624

SHA256
6957d53dbb021fde22f23326193559d73928fc9d84eb00e43e7dabd40722b0a7

SHA512
1a85cb2f293f6f2890445341d5e215c0f282d06694cd65ebd6157f7e84b56d05debba79a57d2493c48614eb610eca20ec979f1e511e6229001ef4c9674640d49

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
507b22a2e6b0609a945f109b47960720

SHA1
8cc43d408027c28d203c202cb9563f7e5c2829c4

SHA256
24eb64f825afd000a0d2f506423365c5b5de251e20cc5b324da6fcbedfa7d876

SHA512
249db163adce7a026dff27e24db1df0f23511023659437cd6cf4dbec0d16604db3e54f04df14912cf977fbebf881832f08977b9b734491bef32a2b287769ba14

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
6ef82c9e466310094d54240d1a70b10c

SHA1
1fea374e9f6a900b11cce2a03ebb6d8219d469f2

SHA256
878fe94d79e281f228dec8c796c386b7cf7b8e26d99108a90107ff19db6f376f

SHA512
dfa810cb3a7071b943b0e41d2fdff64f446876fbc06bfd4683f723d25ea0f239d95fd7a3f0509412ab9b8b4617091da1920dcb504af6290b4edee6bef4735cba

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
d0629eaec54351c59d4b9a97286b34e0

SHA1
b5cb03c36b0cad68a2d04f750328c9950ac7daa7

SHA256
b9c896d453fa973da7df2286eac5ac95f7fe8af14943c57c7bc32db2f8de95b3

SHA512
24ad684da3204d007fbffcae7529fd6cdf48cd975e0e2146c36a9de7249ce46fe16ffbdff7062565ef1a7e09db20de3f3deccbc6c4828f1616c9c39e06f35475

Download Submit
memory/1096-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1096-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1664-248-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1664-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1844-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1844-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1932-148-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2220-38-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2220-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-59-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2220-48-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2796-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2796-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2796-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2796-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2884-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2884-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3060-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3060-604-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3116-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3116-479-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3116-477-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/3116-1-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/3116-7-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/3116-6-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3116-8-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/3192-273-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3192-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3216-147-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3356-87-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3356-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3356-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3372-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3372-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3372-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3672-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3672-605-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4048-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4048-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4408-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4408-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4412-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4412-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4412-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4480-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4480-603-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4632-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4632-602-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4644-92-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4644-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4644-233-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4700-14-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4700-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4700-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4700-20-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4896-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4896-611-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4976-186-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4976-50-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4976-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4976-56-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download