943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
Size

1.8MB
MD5

573734e6d4639cd9d47e19030ee6d328
SHA1

897231bd8564ca038c692bd5df984303e53dfd4e
SHA256

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813
SHA512

e04b0f1867c036f9f6ea0f8196e8da082a753de957235005696852711cec6a3cf687c7e839d94db6b215ea2e8f61705549c4f43b1588c64230d5d0091034a5b7
SSDEEP

49152:YKJ0WR7AFPyyiSruXKpk3WFDL9zxnShaB0zj0yjoB2:YKlBAFPydSS6W6X9lnTB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1852	alg.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
2000	fxssvc.exe
4964	elevation_service.exe
3852	elevation_service.exe
2572	maintenanceservice.exe
1856	msdtc.exe
2324	OSE.EXE
528	PerceptionSimulationService.exe
2184	perfhost.exe
3476	locator.exe
5092	SensorDataService.exe
1796	snmptrap.exe
3104	spectrum.exe
2792	ssh-agent.exe
2512	TieringEngineService.exe
4776	AgentService.exe
2676	vds.exe
2440	vssvc.exe
4568	wbengine.exe
392	WmiApSrv.exe
3332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a082bd51293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\System32\msdtc.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\AgentService.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\System32\vds.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\wbengine.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\spectrum.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\dllhost.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe

Drops file in Program Files directory 64 IoCs

Processes:

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\GoogleCrashHandler64.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\GoogleUpdateOnDemand.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_zh-CN.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_de.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_nl.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_gu.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_mr.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_ta.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_ms.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_pt-PT.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_ro.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_zh-TW.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File created	C:\Program Files (x86)\Google\Temp\GUM542B.tmp\goopdateres_hr.dll	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c10dcaab3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000680f93b1b3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f841a2b0b3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ae09fb0b3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b773bfaab3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004faed9aab3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a172deaab3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cafbaaab3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
3092	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3128	943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
Token: SeAuditPrivilege	2000	fxssvc.exe
Token: SeRestorePrivilege	2512	TieringEngineService.exe
Token: SeManageVolumePrivilege	2512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4776	AgentService.exe
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe
Token: SeBackupPrivilege	4568	wbengine.exe
Token: SeRestorePrivilege	4568	wbengine.exe
Token: SeSecurityPrivilege	4568	wbengine.exe
Token: 33	3332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeDebugPrivilege	1852	alg.exe
Token: SeDebugPrivilege	1852	alg.exe
Token: SeDebugPrivilege	1852	alg.exe
Token: SeDebugPrivilege	3092	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3332 wrote to memory of 836	3332	SearchIndexer.exe	SearchProtocolHost.exe
PID 3332 wrote to memory of 836	3332	SearchIndexer.exe	SearchProtocolHost.exe
PID 3332 wrote to memory of 4308	3332	SearchIndexer.exe	SearchFilterHost.exe
PID 3332 wrote to memory of 4308	3332	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe
"C:\Users\Admin\AppData\Local\Temp\943a51600cfc663be477efe5cc9d0adde7176cac7bc93ca678aad6753d55e813.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3440

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1856

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:836

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8c107a33dc5392d624fe01772bad5faf

SHA1
e8db203a7437ee1aeaff5058e4c5c7faf804d9b4

SHA256
3c5c8be51065e1ccd6b3d5d5fa2ac5a4968fe13fb07f5386f2c03d171e17489c

SHA512
a6848cfbeb118822db3ac395b7d23cb42eddeca648797e25ee23de94feca81086dbc8fa7a2ff4b9af6026d28ebdb90a71bcab3e4a24ba60d58ed631511698162

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
a07f5ffb7355042d04416a5648cb4793

SHA1
7e83c215801b7c0d20cfe51572e19dab24d31172

SHA256
9719f48c8d29a9f15e0fae54c6db9ae33f7b269d07ff082120c2e5dfde7a7cda

SHA512
846bddd2b89ceaff56a91b0412045815857398765de8c329225a329eff89e44c86b827a0a745c43d30d255463a1a21f95ac397aba265828c021253ba03afcb54

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
9cfcd0c7aa3b4707b89a0e9d63ac8dca

SHA1
66b9be00a4cd16fad48997282c399c91330c20c7

SHA256
6fe11a9102546c2f961a3df9353a0ca9ab033f949f9635e377efe9474df56eb4

SHA512
67c73b34ac814482f0be0a1cbd96a68259b048819e51b69aef2a1496f5137aab400af56b291a88b31aa4acdaff280f65d0f1a0237a7f8106a38e96303ba38420

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8ce3453c75339b0ceacfcfff9580fbc4

SHA1
183c0634d04e56ef52e8c13844f5846f9c81260b

SHA256
d81985c51791ca17f487c4ad6555867eab805c3b33464147db8b9aaa0925db51

SHA512
0dd7c731a4d581d70d7351d28a6ac6fe80d7c76da2fc60dad23c902f7bd970be93189b89a413fb1c6b605fc608991bdfc97eb040b1f76eb5d7e0a92621f20f4c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
52907d9346f086bcd9a052738d8af767

SHA1
87c100da4fade48c65579ecdcb3141ce7145ecff

SHA256
82f7bb291c9fa3a823aa77d18d286ff0852509c0dd11a1db7785f19ab716b1b7

SHA512
56d7c1c18e5ab49cd32ca0c2b39f55d30dd2b20c0b4954f1f0d3938e17a02167d03ce747cba4f3dda439b68055b669cb34c92fb33c7b2032ca77fa0b5d1dbb1f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
3ca12ad4354439d002504995714b1865

SHA1
6bca5e68916e12ec1e2bcbd36b7a15a010c97ff1

SHA256
47a921ed2b464887718528f320e153b240799c6ff5b6fabfe3c854ef2fba9164

SHA512
e762ecf596c67445f4116075c24d6293524cdf93215565c5e4ca1d1ad57459b212713b12e52eff94556c0e650bd624ad222d751598b39c7a9e47dd77486cae57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b5b5e73019798efd3761901888107571

SHA1
9a7c2de36cebd90dfccc6cf6f1231b445d4a1b0a

SHA256
7ffb7cd329c0045f2ecb96c371f26ad87895cd0258e30c7be815dd618697af4f

SHA512
6922c2aa4ac0c893ce3e19567c50ad6dbb095f239689aa1d55a6406015f4417264f2c0baaeaa9ee85b6dd0d1b6f0a8728fe23e370dbee802854e74bba6020a01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8a4b05846f6c4006979eeeb562fb98f5

SHA1
2cf738f7f8f91d3ece1f9714f4e3bd3b20a5b958

SHA256
671eb8616c600a9362ea8edd9be8fa33a1a4c0e835d481d9a7dee733a38a2944

SHA512
ab402f7d73c46266ddc871661dab56fbffff175b4763304970b9f101df6bc044e2144ec3883f78aab418257707e8e259968b9fa58e1576edc43a9ad7900695fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
83f5726a23b7d594c832dc6e0cf9ff9a

SHA1
fa3e937d3b0897bd24af5a1482eb9205d8ab922e

SHA256
74e0eb7c318b017c3e580fca2461059c6da5fa30cb3df5f3424db2bd73767251

SHA512
ea90e911b404fa2b86f781f28ff52336a45a3d71887b7f4a43708f9572bc91ee1de67433974eb94783b0ee8094bd9ec3af0b2ee1a49019eeb394d019b9b698a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7f6ab1db7fdc41ead570ef3c30691573

SHA1
8c09a2894d0a676384c707600f183a13a6b28723

SHA256
ed3e0a1123e661c77872ede2e8738c558a61d8abe31e44733f06d20218ac6308

SHA512
cc71078cb6e72737f1f6a27357bb6db2c28fea45c654b68b47ddbbcc1c21b12b71c744a36c8ce5a7e1b27eff80a9a1080eba121baefd3d7d7ae52efeb0aaff3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
501459fb09f916fa0c4bd9d6e42fb1b9

SHA1
075691266b92f4bc5fb9685157a30296a0ce6191

SHA256
7f07feff457dc7788c415d988cffb94e9b3d1fe57ccd2f6d02add33fe7a125ca

SHA512
2ba31fe23f4ff0936fba385db28dcb47cea0fc3a328ea23a2bbba90d96f3739c7b07d8cbd0b556d1461a35459b9bf26b8eba7f57b47f75dec90227b8804d9856

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
569ea9ad575252cbd3b7e61c0f409b32

SHA1
bf6fa0298b7881fe9780c78eeefe93e0f3b5e799

SHA256
d07bbadbb45228139f3c545322cb8d506e03d6e84324bbebddbcd72f28fd233f

SHA512
f336a0cee5a93e05af783aa9dddc92bb8d569eef78cdcdfa74bffaecafb2e68e9f56e321dd16820af006e219d0080a7491bc502ad46e9e54356f02616580c945

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
f13988d7f3296d0bc548aac2724fc96b

SHA1
cbce75a739e2ad848c1a5addbb7fa32cffcdfb76

SHA256
b8fc938a044fc86134a095e53a2e8f817304be827c9130401fee748fb415e7ed

SHA512
33a94fcbc1f71f75daef4e3f023c2e1e2284fb121296d2d090920318b9222ec8cbab1027ace3b00804f54b09744715c04e91bf07d44b471c2e0b0015ca3f28d4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
eff2099f277ba4557bd787e3d0b86b43

SHA1
6eeb0effed2581cf825775145a0997d252bc67c1

SHA256
26c6ca0b182cfe614257d38dfd0b590ba637201f3dcca78ad489f7c51824a238

SHA512
27899e847c9253a13c193923bf9f0d300923b125583c69bd22264cff9ee9e9fe029103a067aeeffc627b069a79fc8fd96351abafeb116d562d41cb0c74b4af49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4669a2592a870183a31ca47e0db57090

SHA1
dea2f097d4a84963929a1061858dce9348f366cb

SHA256
d0c53c9b6392a7322f092a1f666ec53b5291a8c262c303a6ba225ca5f153d909

SHA512
77edcd9e12af14ea101069bce6d6c1ca63419d5c0dc621302bf02f801497a115b88640587a1dfd2c4b7f97a45a0553d87ddf1f98e393268b766e88181ab91d07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
fd77147d255982b226e76fc062b5c6b7

SHA1
855414762ee9c3db055b3a03ee47e3c98b3ae1cb

SHA256
1b7b5ec96d4b60bcf80a28c3245a16f9eedf8f238da1ddb16ecef4cbb4c50686

SHA512
971cbd8e5576cddc55a942e764786279c28263ad9a2fa336219bc2a9011d3e6a0f5c065868bfaa9b45e01dba64a9bd020a0eb70351176875bbe319324d5c0ce8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
391f495f3be270fbaf398de79a59888a

SHA1
e1a301c02ac19322a1b99abc0cbdad9fb01fb148

SHA256
593f205dcb61c285040205e822a9d2d716b253d6c9cd3ac84398cfb83ae3b3e1

SHA512
272751de07ca7be5ae4aca495b0948de76f96028c57fea6c5714b69dd1b8f3466e2c639360c8a70e98f609a553f296c8d4b819f497a0ed3ca84c81a057101e9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
f574c2378ff949e4febe7a20587751ef

SHA1
619c8ba402c3a2f561a533f2c6e006cc502ec00c

SHA256
2569feec5ca10016f3756ccccd8e97fc39389d1f346b75dea64f2cfb9ce2daf9

SHA512
ac7e71ca598cc3b50d4f96cb886935cd73e107211b09e90430da7c8187d713f8806c4616e823a27bb62afa264f71cdfbaaa2e6bf1be11928c304502db7aee63e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
68f00bd8688df99b0f107c29d8b3d896

SHA1
2e6ada6902de3ba4022e054f158c79c720364a30

SHA256
6aed393323cda1d883656d376344e6e4011387ee7963f536dcaab5b1e1ab4ed0

SHA512
321ebf0ab3429685d1b21419c3e6ca935d5f6f3f7bedb7c1bd17918c405c168eabfe5e9eecf3f05609948788c929b0c776f7ad08a2a8cdcc6c70f9ca5115114f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1a2d4b924c5edb81a067bc3f44395800

SHA1
d34900a749d5c06ade894b51eb3213765c5d9685

SHA256
2d5a3208f3600401cef69396fc20e86548c749e38b3bde2b5350b93982946740

SHA512
766f33f4eef4fc4c9684d65ef2da0a2e91b961b3587df80d6ce7fe5c23a876249aa1453814f1e2f38ec4b15348a537d72a61f07ad23a590270afa2f86fd653ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
2d2484bcfb2145dc1927338fa51251b7

SHA1
7fe27a0e93c4e1ea242e0f61ee0117da72e1f23d

SHA256
8abe894613008844df0493a0c2d12feb5d74801e6bb9f19a2b442593f115b3ed

SHA512
75d83abf6c409a3f91e88e29ba0c24d467a1ebde089495db8201ec2289818460d215819b8b2591baddf2db05bf804f6b3a60e58cc915fc008089b2ccbcd4506d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
946004f3b3f96935b214d57ce87788d0

SHA1
af267e65f52371b3e4a5db8c56011bceb67ef770

SHA256
adbaf42dbd26e5ae45bc697703bfc56730187b394a46b781670cdb9e6584a123

SHA512
f8c20eee581059c2f9b29ca3297cf05efc4ad09d99101f53784d47f8ef6d822ae26819796ed652108ed4a81002e9d94a750624ae3d864a7b7a634a9723a9fda5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e148e52c765a3cdb188acd4f7de63425

SHA1
de844440bf14b285804b0cd01daf111c1408b5b9

SHA256
080813ced26eae4e0483f5fdde152c9e60a8a86528ab37f7a7cae0c76c60b76f

SHA512
682cf9937c5fe8e0fad28a50f654b5c6c4814474d1e4bc6515b0bac28591036bc71a8be7135aaa583c912bb6ce74f23b20a2c0376dfb95ab63dfbd41967f54e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d40eee53d3a4e82e0e66f3aa925ff14e

SHA1
2c02ab5f116efc1fa17c79315d22506efa11e499

SHA256
3041fdec44603d5b2efcc57ff1d918ebe62346cb034dbab9e23329bf3cdd861f

SHA512
c8638a5fd2267b8c0ca947846090d6e701666b4be6c7d092a5ba6a1493ab64c9617b3e6dab7fc6333641ca97db61354150340402bb87ac9ed59aded740ea28fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
3457ce29f0dc0d03ebf731bfc490247c

SHA1
aa6dda97574f92a38025c658856dea5fd0e76ab4

SHA256
fd3bc185be9b36087b4eb20929aef61545ff2345b6226f48e41c62207f59e2c8

SHA512
2059c5557a437e3533b1359aba872ce4f91ecb0c8dfe5239257a8ab501a4f3ff12867fc217387499b1ab6326a7c9e10c4199796f1f6e20838beb673a6d125d71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
a73897f8e7a5cbdcfc3368fc9e6c234c

SHA1
6c4169dc1b0d0c5fdecb131c8802ccb5b14810f9

SHA256
7eb9c83d9e517f5910c7f58afc93f15e4bbb30ca62d56f3037d9f1a872e08f54

SHA512
62afe72a62b3e3d2ecd7a9867186225e57ca7fa25eb4380a4b6e83ac4ded4ee5ad147e09fbe6f78b3d0efb26579d3fa4d1005e7f859ec9e4d685c5744016f7d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
bf5c35380aadd3a952dc6a2a03899a9d

SHA1
8993ad753ba7ef57894a8ec7d277954f33228972

SHA256
4eb46d5008f2f6f7b2135530c7f78dc901b220415ffe36921e7c457baf670f51

SHA512
b837f3d1b44cffc151b0b49bec21fdb4b89913035065e937e413735e67fab7ac5f1594e1f39d0abcdacffef24c91b699f1eeeae102093239de7bdbcbd06b113e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
91f3af4793c9faeb89a25a1e711990ce

SHA1
c183de8aa7b1b0893a826204aa8ecf8695ce2777

SHA256
b11770c8a1b8433836dddb6856337427d3d8e637b621d677b70538705287efec

SHA512
0d3fbde09ed4634700a4b56c5dc60dd54b4e12363c486d99c314bf2e7a93b8b566e6a95b85c91bd29b4e20db79fa12b9a3a89087bd6f20b26ebae00d87640d40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
68eb86ecd59c351217e77c8a231f3cca

SHA1
65075313327ec586b67ac44656a387824b377045

SHA256
74a251c42ab501701bb10e0490be24e3d8eebcd692927d4a740af1be91bc5e07

SHA512
b6a96640a9db296670e41f2e26ad38b376b2bb22d523722b2d7784c114d0b9212bae38ab19fd3af3d0432df73587979f9b77713d236ee318eadd10754d964799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
8ef642978173538f13464982a95bdf98

SHA1
e8785c783ddbbcf72f2c42b75f7176ecb2c77e93

SHA256
a9ffabd1ae26347cec9b5a87cf28102373612ca350c3f58315746af58ae77604

SHA512
cf04341dd0f75676b9fc173e088bfe084c07bd1520fab729a990a3caf20645602d3311582ad637fbfd281780b55785d5a53af5c49a6c527f5e92c39789b33ea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
a8bd9517d04d438ebbf0085906810e1c

SHA1
b44f77ea95954ce31c640ffa9358e0c12784e124

SHA256
9e08eb4e43d11c405ad8c00d8af33e294ffd864ac7baec34fcbd313a05c9f87f

SHA512
3dc7463e259a5cd7cb71250b04dba2cc444e8c532ed769fad8580473ad29152db0dbda2527fc0f4e6dc49c826b7684d5124af5e5f35ba4e010908fca23869372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b7ea78616fbdefc158663fe8d4be5f2d

SHA1
8a7c3d809fda95e88ce633433b4cba37056c5193

SHA256
080c7e03cae9b302bf31329d5d81fbeace6d8b02947e48ed08374fbec3c10273

SHA512
b56aeb69f185cf335c156046e24868777f451d102fc29b3e395e1642bbd361f86a6ace3486d0addd81d07354554ad9b62d6791977f5ee6e1d257a5fcbfe7cbcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
792c7c41173a0a8414db438cfa84207c

SHA1
e3d499eee6e9a5b831786d11e3f7e91953bf9822

SHA256
c868ae3850512068c18dd4caa52b9a19f9c2cefe2216af6327506e6bedc725cc

SHA512
4edc5de1f5501bfaff2f8b9b76d4ddda5895b74e86dfb9541631989be862dd049fe57a94803fc3525baae55846f6ba46f37807ad4dd9531de677ed185054226c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c28fc64891fc9426821f3e3ee8d3b4ff

SHA1
fe96af85badcad56f949a70c3d92013244cd5ef0

SHA256
2887011cdb938a5408ad29ff07f4acd88c1b6b5edcd4bb7ab6eba050060d3cd0

SHA512
2547424b86a10f5c0ce38274598d84dcf0bdaf49aafcaba6cc53f7e8ce571c05c6862a9d083044cce1771eeddd0a4b54937a62a6fb57a4c5a69a2dcdf6874b4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9e46f5290c0ba0a557e42b18a353d0d1

SHA1
5b73f5400e5c7fcafe6c112d706b0ebe115f560e

SHA256
91ca82e42bacfa8c0679db4ab818f62f7f9a7df24504897c1e97c917d765b04d

SHA512
81ceadbf43738136ed1d7a37f1f0292b680994810ede770d569ff062b6dcc5ccb07fee4811d96b506b199b86ac7f83b4b8f597bb5f784ef3b502738e806db516

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
37017da032a5e942dee87e5e8c3641c4

SHA1
dc52108a64a051cbed4f9482dfbe2f5e02d2c503

SHA256
6b55be6d227ed73e7905c01031a9fde8eeff955e3a637cfea47292e3b7b920c6

SHA512
38b14185d3084998ff5606de9b181a3a39e0a2215a9a9a7a9aa3c826d1b7f317b320658cc55174f657cecf5cd40d0332cf3598dbe4ce1ce648744f2bfc4605d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
f0c46e4398809bbe1163246f77e95ad3

SHA1
6179747868eed74efd9cbf800c78d4ac82e1c4c2

SHA256
614920f01b8f63008890d0f9da11f8e0943ef6f80a43ce38a5ef2c4390cd4182

SHA512
ff1964b6d7a130198863136ffe1ab77e76171aa1f78605097a7f4c873df9ecd28927e295a23b5f695d94a81c1465f887ef48d25efcea858c183b8086c60bd863

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
82af14f817ca5fa3b370d011fcbffe6d

SHA1
347d16f8dc5a93bf26ae07894738729a5d99d986

SHA256
0a059b6336562a510ab985bd107d9fdf1cf456ae3faf51c086a6e58c1c372062

SHA512
8e1b42cec83943c8e415023bfbf5b9de72c94c1c1eb5848c9536b29b945c07e169768d9f906d650b0b38b8b08800d1e88a7a321d79af410e75731150501d5119

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
414caebf5850a77fc1d8009c3245d723

SHA1
3b3f7d57a1c047cfb4fc97e24236a65c62544d69

SHA256
e5587a4f487e64c0c7576f21b043cdd86fb3745bf3d42b665a78d94f91325075

SHA512
f1f5166ca9f40300fba63e187e3656a88331c058b4cae30e8bc27437f6323a688a20586392ac37a81f200a6a49abb25213bc9382f1b909738100bce72c03530f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e0109d6ebb3578efcbf06050d99cd19c

SHA1
4a46c0ddcb36a76a17900bf90585502a5af71b73

SHA256
385b04afd0e5d1cf1b32c437e2cc1f06a6459fb3fd075ed56b7a5c3c90cfc840

SHA512
873dd17d8c929113d249e5e361104ca2f008b898c7edeae8bf67308dcf3b3819dcc0e2bf1bef51f6ccdb12fa24a44bfb5e58cf2b58ba2849f3a7f376c2877b86

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3d4ccd4339b9c185c4f4fbf1aae86545

SHA1
1b440f66478108d5a0275a1618b3ad3a46e813fb

SHA256
e2b2765b77154c8d637e99147a90ebac405683cd0ceb41105c3840bff8d27a23

SHA512
53742548107f4bfb1c7a021c889bd3e5dc0ffdc758347ea6cb3cc9e3104c6da6cc1f23028b13cc10b87d80b910388052cc2a123e26e6b691499d48e2d09aeb5c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
28cb3995961e2c0339f935849b21b6e7

SHA1
974d505f5fb9be0c007c946528b4d8535d874fab

SHA256
56e0ff5fdadecb0164668c52526ad65c3ee7f64264e87307e1a67d4fe56a2a23

SHA512
201bc72b45aa3aa7f0933f6bf21b79276073ca0a191aa98bb9046dd36c7ec7dc569d99ade39489180288715dacb30fcd24d666da34f74370e506c4d175d3f901

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
58359dcc03a3a220be533d8f99a9b8a2

SHA1
5afe03add8561defbb7a183bb33342b312d7aa9b

SHA256
f85f17f990605feeb0853ea9d4a04b1ac85ebcd3ea6ed8c82ade98473ed4491c

SHA512
f77f2e415b8d295f2dbd02fa9c62c0469de3371fad0c56f504b6d7dbcbd16624671d45a2449f95effd2545fa3c58cf11694635fd4eda4cbec4fbdade117ced14

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
06cad7d54a9a4fbb8e9f8647a8d4e39e

SHA1
dae3e92ebd3bf27a9e25d84b0f0b413d118f5f28

SHA256
eddb8730fec5f5e3b7286d95eeceb21b771c1b24242f1eebdc14d97e693dc096

SHA512
9d48209da4240cef0825a1e47aaeaaa531d1360ace0a51c845993368d7daae7aa70c249f9567723d65a7fbd7c6537d6106bf3919f81053a3450f0330a71b4b49

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
dfad405b2c9baf8e8955114746d7c525

SHA1
e1cdf8888134f956a290f7980a2407592cca3ef3

SHA256
b8873bfafeef1fb160b90a1f50c822b7a409a934f35d781cd5ec2e6b50380a47

SHA512
f383c96982403bd6f7e2e1d5d60e81fce49eb08520e71aa872abfd5f5c3560e7eb15a5e3ddcc8e0197dac0fe6f40e399ff6938d5d1e61835718c65ec0beaeaf8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1a444a39dd9d51cddccb878e75c72e0c

SHA1
dab8ee8691aa728d64e8e061badf81e2b7889ac3

SHA256
b542f03caea4933b73460ba3b9acf8d00a44ac7d13947cb3aff90b467bcb8d4a

SHA512
1cbf72fd8ba544ffad534072c3c9a5801c935109d1b981a41660896dded5f953c8dd35b901c21cb3beb063df6c9d4a9d197fad855b4440b252ac3c610546edba

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
06a25d3b00b930a191c082481f732637

SHA1
6bd8886d80f8a1aaa107b8aa21fe0c7596ffab39

SHA256
32bfd8edf5f2394d3c380d946d50ca6a9ff3cca27483756eb2e336d1bf49baa5

SHA512
7c0fbe9448e6d419d263d5485ed1a49e3be6275fa17bf5c90b745eb7c1deef59f1b105f5901ab0e27d5a2950b739d368636d6676a48c897b14bba1cab117c0c0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
433565a22a4cb571923fdb0c9e57c9c2

SHA1
6e14d7cdda95efa7d435990e94e6f4c1cf3c9b78

SHA256
8feaa768e3334a666dcf474ecd853d84528da3ff2f6c278a8e02a1d638376ed6

SHA512
eed5a54a874f0bd0a7ddffd83883a6b50b5f85695deac4b35579b9772b38b1f2040f0374aedf536213c24d305f6fe1868c5be5841e270c9008b34009540e6fea

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
cfa442ed68ef31a87e181651645017cf

SHA1
99c701afb2d411a8f41c4e99ffe461977d99869d

SHA256
e9542246795ee5ea30bde09b96a032150116ae52ed23219dac1bc0d4be7ae2a1

SHA512
354abe26143c5cf33f30b8dcbc7ebbabfe41ba8d1fc5f2e1c7bc2aed56d8a60d9fdabc34f9ca697eda5714a7ae833b92f6d7987e51b6e925e65ac678548f019f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1e3a7696526f392377642094533394d6

SHA1
8c317dedfeebe4fdda290cfca0b8c1d9516bacfd

SHA256
0d5f79b1954b6bd30fc93233372b1827f402a6150065e71d7203214940bbd765

SHA512
90912834240f9856b975bb3ac0f7ba2919ce3fb3fd3cb0fb114e26c717ccaef5b1ce84c9bcf0f4972f05f73f30bec242106d7d46ef94a1a0ac443e0b24a2e786

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
1a0a76786c3f6d5ca79d12b2d14d9302

SHA1
0e74cdbfb95ce38a5ed86b9dae32fcdb20343bf7

SHA256
c7ed0a7f952d46207ae15930090a47ffc48ec99b492c8fe4f467174412e6f8c5

SHA512
a03e53e8b6833c89effaa53a2a4e908c8db8a05c6fa6c6fb09ad5f1970f48e620902caae0331724a06e3e596c1cc9eb9bc490b8fdba448275908ba37a90f9a1c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
74b5b00e81f7339b3b7a874060c3c817

SHA1
97546c31cfc30ed86a79aafd21de1a70ede20a58

SHA256
0383ddaed8937ca77bdcbe4d5b0869e4c7feb46d5d426a627cb2af3c5f96a352

SHA512
f87fcfef34a9cbd438bd2ecd34887c112cfc146357ae555858533b94982374dd52bc34e4245692f60fc97f3d6b405110a68eeac7da620946407e96f25bb5efc2

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
854e8c37d0588a28b22b5601558cb85c

SHA1
43bd3d64660859472d78a8d3b71fabc6c0a6dbbf

SHA256
319935fc4bb620607cfc3f8f0a6f8d1dcdf51b7dd94ddf020053c81da187e7eb

SHA512
23830fe94e80a33805b522908a3166596cb0bfa51a7ddebd31c65694defeae3d846cbe96db4669be157120f498d51fe629c1c4ac78952ce0098fcc057531a9b0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
4658a3283f10ef3e9603a32ea48a5b6f

SHA1
2721e346535506c7d8cb2891f949754f716e1ec8

SHA256
35c127535ae0a9b356b88cc82cc9d314890c51b8ac9d960bcbf29e58f589571c

SHA512
6259070faaf06f843e3a35ecb6c0a7127ced82bfa8b0cf7c8abdbd4708c071bf68bf4162f34e7205bec72ba616d8cc4c34c6d5577ee007d462c24d1036137c29

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
754440f3e961cd5bdca7d802f389421b

SHA1
89ddc95f0d27fdfc18d6ea70a2a31c06f8b30161

SHA256
015e57b71a64ae81c09cfda3ae0824ec00f62630f82805f3fcd72e0127d70fd7

SHA512
29aaae26fb899a640ecebd448ed7db3146dde9cddac0c94cab74338f38972aade35d3246bdc87f72d24dbcfbd6032d5fb640e56fee67f44c841611a9f6629e7e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
caf589bc130e5592710759a0ef159e82

SHA1
8443912cda3b2f4eb3ef9a5cdb7cf10b370801f4

SHA256
5a73969deafb8c5b57a5da886db9253d97f0f7345b2cb0d964fd7c6095d3d9c7

SHA512
bdd15f38da2c5adbc92078a0e212dab8bc1393821da3588dd8b591b4e6ec7806be2dd90fe2d5078fd0ccda76af48d46cdcdf892d5b99b3b30a94ade28e15a1ed

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
58c5ea3e4f3173fb27a28de4045c218b

SHA1
c8e151bad96e9a5bf65798fcc659dc0e47707816

SHA256
0d8d8925051fabd17d6c24905dfd45174a10717097774e5318cd1cad64f6e0f6

SHA512
b9a9446f0ded153bf81d45b1e584f5ae95e2f9ff9029de4522fc475765d3296b44a440bc4a6d1a2f293d634f8d9714dc11ef63940092dba7c36ce761d83e5ec6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0b439b7f5cf8e3a2bfae77535995acde

SHA1
37db7d14e3a96d3f5d06731c126764b5bcf6c234

SHA256
58b7392187d31fd57bb2f40e4fae91861a2e663e95aad5553f35ad9a996aa658

SHA512
a450151afb871764a125839d71f0d014fdd29d1c2d4a474ea5337c3157317481acce4062dcb737a07eeee9bea606663c428e3513558a8a2755daf4e6811b4fa9

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
696a3a0b39d5d94be4d9f83f36c01fb3

SHA1
e7e8e4b204f0981de7a6c3f5b004a63d8b4779e7

SHA256
a76952a66ede6fca9aebe40739b033b7dc708fc776ba6847b86d184c52a51876

SHA512
f5f51f68a72e538a365275058a416c2839901f5a0511fa9aa11586f054fc9cd34279c3d16cd0c95418ba8a317b5d8a5ae9e82096ea80e74b90230e1d901adc71

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
0851143fafdb176cb13e608eb57cd513

SHA1
1ff2ee90db4cfb44adadbb90ad83e10e821497eb

SHA256
58c248ddcfbf33def1dd3f0cd23f701d516c16229c1552cb57feeda19e2a4e50

SHA512
50200875655bf887a845b55933159a9e14ac8a515c351aca079955dfd605a57cc17e68b55f669f3ac8ebbb6a697df6e6dba83db1247cabf0a88bd56cfb42b184

Download Submit
memory/392-780-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/392-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/528-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1796-260-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1852-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1852-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1852-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1852-501-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1856-156-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1856-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2000-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2000-128-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2000-36-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2000-42-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2000-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-257-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2324-255-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2440-779-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2512-263-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2572-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2572-141-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2572-152-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2572-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2572-147-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2676-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2792-262-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3092-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3092-659-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3092-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3092-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3104-778-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3104-261-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3128-8-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/3128-1-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/3128-253-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3128-584-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3128-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3332-781-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3476-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3852-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3852-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3852-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3852-774-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4568-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4776-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-121-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4964-775-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4964-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4964-115-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/5092-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-259-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download