2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
Size

1.8MB
MD5

5c2dbedf992991338b505fb91b8f2174
SHA1

9c654693d9950cc10a8a78eb279064d94905bd87
SHA256

2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38
SHA512

e091a1baaaabbadc16dc36314eeeb5e79545a4296d446ffdab4fb63791fc7099c5620091ff94e27acf1de5426f621d9e522a90d2664c0baaf22b11a957c64ebc
SSDEEP

49152:hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+/snji6attJM:hvbjVkjjCAzJDEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2044	alg.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
4248	fxssvc.exe
3520	elevation_service.exe
436	elevation_service.exe
732	maintenanceservice.exe
2964	msdtc.exe
4836	OSE.EXE
1984	PerceptionSimulationService.exe
5028	perfhost.exe
1224	locator.exe
780	SensorDataService.exe
3368	snmptrap.exe
4372	spectrum.exe
1944	ssh-agent.exe
2164	TieringEngineService.exe
4988	AgentService.exe
1628	vds.exe
3664	vssvc.exe
3472	wbengine.exe
4576	WmiApSrv.exe
3612	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7cb35843c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\System32\vds.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\locator.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_da.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_ta.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_it.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_vi.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_lt.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_sr.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\GoogleUpdateCore.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_sl.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_sv.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMDC37.tmp\goopdateres_tr.dll	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a5df19ab7acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009071e59ab7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c62759ab7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d886ba9ab7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000819d709ab7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe
1408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3720	2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
Token: SeAuditPrivilege	4248	fxssvc.exe
Token: SeRestorePrivilege	2164	TieringEngineService.exe
Token: SeManageVolumePrivilege	2164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4988	AgentService.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeBackupPrivilege	3472	wbengine.exe
Token: SeRestorePrivilege	3472	wbengine.exe
Token: SeSecurityPrivilege	3472	wbengine.exe
Token: 33	3612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3612	SearchIndexer.exe
Token: SeDebugPrivilege	2044	alg.exe
Token: SeDebugPrivilege	2044	alg.exe
Token: SeDebugPrivilege	2044	alg.exe
Token: SeDebugPrivilege	1408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3612 wrote to memory of 5764	3612	SearchIndexer.exe	SearchProtocolHost.exe
PID 3612 wrote to memory of 5764	3612	SearchIndexer.exe	SearchProtocolHost.exe
PID 3612 wrote to memory of 6076	3612	SearchIndexer.exe	SearchFilterHost.exe
PID 3612 wrote to memory of 6076	3612	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe
"C:\Users\Admin\AppData\Local\Temp\2fa27e77b92b6e69f283c9b59867bdad45fe3cee2cffbe2a2cd3977c738c9a38.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2964

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:780

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5764

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1416 /prefetch:8
1⤵
PID:5932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
2ef0db38ccc3b4cabba73d22d9f4fc7c

SHA1
59b41fae2cbc1dfaa7f0c5cd2ef7f949fcf74350

SHA256
8d1a6fbcac0d75dadb40c02599523446cda0d643d7a13e8231467c4d96867dfb

SHA512
169f6db6abc1eb23d12b492fb969433491d36601a705ea2e7b5f0990707fa8c8112b87908a2fc648788b1cc9e600d85af34dd9bd6f58efeea0eec34e2547b60b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
1572b5539e5df94bfd7f91b4e90c34ac

SHA1
57b996e2e27442838c700d5168bb5ca995e891b6

SHA256
1839f618f7e5909369930a979016967c187c40a518d9c167ac0a8f8b771d4230

SHA512
d3db3ab92097016c6f191fbbd079d449bab4f994f9c4a7d95aae1d4742c5586c4bf7a215c7a372d06392c821be32eb8fd931d2fdca2e4c782ff90a79371fa5da

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
4bc6e39c12616db094d753b59880cabe

SHA1
28389fbc1243c547e67d3508ee6907c663a00cfe

SHA256
4e7f4ecd008d9a7742e0a745e8f272ef76f66fa0e81ee1dc80ab1d428f0b20a4

SHA512
949e49a702e88f8ded2acb6abd97a3ae46715aeb2526448e4e6399d16c71f50103921adbe7ac72d79c6feb82e0cfb41757950529fa4cca4c640dec7f055623b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d38a499bf4f093a6d5ba43e246b333d0

SHA1
550d3611fd3dc6b64ce1387dd2bc2797ef4a8735

SHA256
8ab9cb1552e3c53214d4337ee3b49fc5f30a413d9a7320c4fd1e5dc0e7173dff

SHA512
76c2296545576ab7eab30e1c493ebc1d01a10d13071f040755a9f8018982d28e8063ed9c3d6846ba9ef3bf3d47d61c263052a0d43b9f1fe038c6c331fb53cbda

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
cf3167e38cf060d1e142a38cb0e7f0d5

SHA1
b813be87c236ff57b198ce785ee1171ad0783392

SHA256
313b5c147eb538befdd9e3eef6d40a5030adc6c7b60df6db092ee1aa1665f81d

SHA512
970aeac9491094c71e4ed2b21b196cf632597a0fa403e82225401d88208643b5d1e1071341c62f25147035079356344eb6a5e343861167a69f375ddb7a0bda8c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
dcebbbbfdc9a06c83672ee4d350b3084

SHA1
392bb180d1a9b39ceff369ffce2c762071151c74

SHA256
b54be0dd585c23c92a5eff564405c28f732e84d28f00d8781f71f0f1ccd502ff

SHA512
12b5dfbf59d1af9cc3aa3484cf6a5f64e6a1963007ffbc10b8ea82a7c8e473c2dc0a7f51ec2f85afcdc4374f70df2f0c947465fa3f2de6884df7d47472d623d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
5eb969b6651c36bef6c0487968731d5a

SHA1
0ef89a3f4e7f71f6748141eb1ac100be0a7f62a7

SHA256
c915540556fc69f63a1b170338cb657cca5077f853b5f2f7090bfce04937e6f3

SHA512
f7a852c6d55e0106514483764730a4bc42d42e3debc50954ff381a45260ece62541fead2a41031cd9c6a4d4f2508f69d675045743b9943310fe3a047bce7c6f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
fe2cb3fe71ba0c8b01e3ec60cbb61615

SHA1
299df40ccd1ae2df7e4c47492b5466fdeb42a574

SHA256
6a9811c5a6c175f74e33c2fdc8f0547ed0541893910bd1eaf7c9081aa3466c14

SHA512
ac149f8a5586576e009aa76954851e0023a2fd88e98c75db36b1f18b186424b37a1c8dc3b7256e41e84b4d371470db4281af464671e4e218372498570d70aa3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
1ac1f37dcc0b2ecb60fa6157f1fd5247

SHA1
a11ee03c89e08d8cd6dbdedaee096673760520dd

SHA256
707ce08d09e9f7738a71a81e98b399ba46471e709eec79f05649db72812ddbec

SHA512
3a300bb89635c1582f74066bc03fb40aef8aad0fff5a98a41a3f0cc724e6d9d7abd7e442ec2a25a78d1dc9ec70c52f7bcccbbe5b6c90f088c8c52032f9e61a68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ed781d5e858840e706a3ed42ac848263

SHA1
2eca12f1f06ae351fcd647d7d720f1fd68d9b6a1

SHA256
7496efb0e1b77d2c222140320cb89af1685bf05cb5331842eaa441f1e4590461

SHA512
7b6072ce14632058ba080a3338cbaccb7899434c643aa996cfcdb8411b93101b507f0e8315fac11f8da6a25d2c6a1c2fc660d9d7ae5f1b2cf84da050e6dc0781

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9bdffc86fb1e65515862bc5a2dbdcdc3

SHA1
05bfb02147db91dabc90a66cd42ec59f6cda8308

SHA256
989b7965301f59b5d63864ec40b7366ea3e078ce127268789924b80de55a702b

SHA512
b704a15a22c7a43805e60f7501a80429e9be4ee03b29c03e951035567e1a10ed92fa03c92e672b619d6cacd9ddaa9cd455e72be08a1880b2c1b835b2a843c9f7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
ff190d65f08a1299500d4888fc61ffd6

SHA1
c77003b50f821fc47e7f81fd2f1eb2a274fc31d4

SHA256
0c71b8bd0ad11ed8166c4c643dd0418b6247b7eaed03bc6e5ae865ba658f913e

SHA512
fdb1241ac8c5978b1ce9894f824e8d590842a6e893d6b6a211ec40e1853f223253afcd0353f05ddc0733ba3384117aae7fb41e407f40ea7abdb2b37df3e4398f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
d08b435c727f3bf0bd1851ce26348112

SHA1
78fec6f3b2570598889f34492ecefc8f36012e0c

SHA256
db15977f531ae4fd948f11c964edc3e3c55e0583162d3d7f7324b467294b8ade

SHA512
4e33a92211321940f792570f3157dd93c99b251de637a4159f3ed61e5c0e06c7c640959a8bf751aff0d192f79ac9c8b0b717b088ce0ec11126b2a3e59f3160d9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
7cd63ec051892c20f241285840da88d6

SHA1
5630131e39dcf7def365226d1c708f85a8c600ef

SHA256
698c0ed2a4e8c7209364c82402538a4e0a06b1ac630cfa9b6cd6b49c9647f4b3

SHA512
2710e4f9746e034be2572b3f2b1fdf1173977a3a949a3fa0afe0f59f39281926ec6b4c08693de24ef67ddf5de6a138af2ca134dc81f13f04766fa3f919ff7573

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
12c0392fc1c0bca80f3e65e9323e73ce

SHA1
88fec1b136c38e283906e26ee1bd2b77901b5977

SHA256
195650e349b5ef55b8fc7d9e2e0610d0a39fa6a4271351ecd17ff297781a6aaa

SHA512
a30da546e5ef4d9f005f0cdd78cc54e45057b2655c2f6d38d3c04bad8a6461b077b2aed191037a04728f85ba3344c92f89f90cf5f2982880cf563a8f60eec589

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ac5536f5e9283c6bf2147de24f429abd

SHA1
e45a655afa51a32335d0c6301485001aba39719f

SHA256
84dd1c1a0b8293cddb5fd70773ac2f82d9890ccc457cf773c5fd5810b8e31396

SHA512
6d80b37fe5903c5fe4b4b6cffa20445ee6b21547c3730bcc973951e1294416015d5d523997643925437e73a113d2090b22c66523cb13921f02984418c6251a3d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
e0d81904cd673699be03ae615d263a3a

SHA1
34589f1221ff86e738da258dd79f57869be3e216

SHA256
f32d3b80306b8405c849b99a8e9152565d570e4832ce95076527d2bb67865174

SHA512
e81dd4a1a87514db6f11d0656871b8e6fde68bf94d966eb4367c6c5109cd269e3d52c3c30310a07162187d2599ec476b3f1ce51384c77cd439f8d57ba623ed7b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ad34b7a27638679cb20c78cd9674801f

SHA1
c4c2bbd6eb493316b3ced7572992211bde68782f

SHA256
16c6256f6ae472561cc76d6407b48cb80b0e524e1bf6facf015a584eeb407088

SHA512
c53c3aebdcfc2723e0257bfa89bb0abfa66eb5ed5f44a0a3b1a9a6d3925e65ee16fc146a760d736b5ca2d92cf35d39708d271f04076d6ce264e0dc45ee9cb236

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
14eaf306e3a0003f5b53d334007b15d7

SHA1
a09c656ed8e92c56ed41e31c5a5706e2714e02b5

SHA256
b01cddbf43bc8e1b4642455160cfa4f759cfe67d82fa4cdd44fd88331dfe5148

SHA512
f590573b78551d878326ee69ad3a30b776a3420d69455a7bb653511f204dbbcd7def83496fa1b5d1facc4f6bddb5f5789b1ecc42f38b002ff25ce2357fab32f3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
b7c6f5481202d78c68c26f153ab7baa7

SHA1
21e23879296818ad6da781d5ef0cd789c648fadc

SHA256
14f87ea090e8c8ef98ec920808243d0cc2857fba48ff0cbc99e824ef62c69db1

SHA512
412b49f0ae5b823d436da2d59487a2385f70de06684e73051b86abbcccdb52bbd51ae145fb5ae257172bc9314cdb979adb812ed501a66f4d136aef336014c4c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
08bacb70162e9d3ff0dd7c3965c27ebf

SHA1
39b12a0c5c4d69e667757224bb45062fd11ebf7b

SHA256
1de89311294f24cc5e2e97233187142195facea0deaa7248e6ee48fb598f6ada

SHA512
736c450f1885edc05ead31a8afd6aa66288bff62354aea09e96703d0d0a304cfb68bc3b15b134e47e7d4fee26a90c6c5e576b4e87b2ecaca260bfe53b7f0dd08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
4380de5986ebfe1cbaaacd6f53487718

SHA1
22ea7f4d1e47bf7aa9d994636bd457ac7a46d5c5

SHA256
c7d1d537feba31dbf20d43238e235d9956b88962f9c239565e6968b9d4906515

SHA512
32cd0348d9b0eb0ec25431b15c5ad3b6b228fe66c74a3329096cdb216d8ed573b26f3343affb9b3caaa6ef822a1951a0bce2eb7000a0b31f9392cebe25918502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
40f08e69ace26a669534a48c5b26570c

SHA1
59a047046f42fb510c21c542efd67000ff95090f

SHA256
1911253a74a134f359075de7725556e99f40f05e4ebe2c4d52a6397cd3a445b1

SHA512
9125f38ea032cab0204f76c3a34db906b6a64027ff7744665fb2692b5ed0761e2a7742498276e33497521deed3f0d7e074cff7646b0439b09fbc7b93d4a62f89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
94960b3e81e5c890489c7b2e2a77d1b7

SHA1
78d65e04229c11e413e0ef1bc8fdba01d9646e2b

SHA256
ca3546246d7b034384ecb0b86530aec56d35b004c70efad3b4fa49429ff41110

SHA512
1b363b880b4334d793e0f769c1b779a364894290043114e0079af40dee694219d70b51d26a321a3212436a4624f5b68e3b1d7407e8d7615a9996d91e698fe90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
6becc297442fcfff7d3b2c80cf8a7700

SHA1
cc9abba2f14bf99f7ff5cbc760578aa3b7bfebce

SHA256
7d9b4778b4a6a0be91e1fc4c1c531c9b948f44d1e89bacce09c75a1177ec41d1

SHA512
aa62eac251b6a931008c5c29e41077092a16dfbad23773fd5ea700f239ea92f95586e3c5f9f3c4379550015215c2bdc9696c8d0eb01df460ff8c7b1902dd0568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
17680b5aeca06867b139dc70377f2329

SHA1
7a36ab56994159055ec356e90e3cdc4d0f147f44

SHA256
f7cf4169babe644ed90244b425d0c90d44e741b39bef5adc7278b9ff98fafdf8

SHA512
72aeda23e14c9eba100e76676996d5c407e8d5fcf1c475baeccd02dc3b2a5d38e884791bd9464c444d5271c1a6a634701e7c678d0fdb8db84f8dc8e92748ea59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
0b575dfc02d38c28288197683d84aa28

SHA1
c1b542f114c157b49e40aa7078d1500bce416c8f

SHA256
98073a8dbd06acdfa67e6aa96dcae919854b7ece80a7c1167d8ffed4b4f728c4

SHA512
8249b6b3ecaa28ae34d8c41fd3c753ca4b32f42064049b57d13fcb2f7323b72f24f346fac976bb3ba3d899630777c62633d65123da1f35cea5bd0f62fe186098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
f5958ec4b66ef4eab84b8e8b941a99d7

SHA1
73e3589676f9be79b4bb366128023df83dbc51e6

SHA256
3f0be32acf2adeccd4ea4c39dc79601e507b2482c9e8b99fa1e90a82180a954b

SHA512
57fe390eff50ff102fd2207633f73619a29d0564b311653a9acd52ca3f099c75e0e335c3c863dd0c7b41cc50bc258867b4f0123978f18f6465f5f6f3bce3b666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
9c8bf08c0fc2f435dcbad541dff082df

SHA1
c850c690cf4d2ef5d2318ba146cdb87c131949b3

SHA256
7553c8c45e20ed772ef22c6bca74c6d62d21dfc2ee1e31b6ad5bbcfd7e73d3ef

SHA512
f5fb0345b3ffb2c8e191ef1c20fd4b1a7b53926cd12bb01970dde118de541b38d989796f287265d4789d748e32cabbf300ed2419ed41cf3011762b6fc774cffc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
ea129deab80acc7689249e482e5acb24

SHA1
d5bf6ad6ecca5b778441f291fbace95e8d70380d

SHA256
caf80265debabdb99fde9232750386119581ea688f852b056a3d7460d1eee610

SHA512
f5aa14bc44da2695f25145b23c8d5f045e56d0a582169130207328061163864dd8116e5d4ddd4e9b17b9e1c2715caba205a7f3edfc8b4fbe29c0fdb5dd65a273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
d333bcbfa7ff2b000c5543e85f82a4df

SHA1
63c39fc923aa85a9b8036ef0fa4337855fef9dfd

SHA256
aa025ac67058c2a093233465a220df93358c1361344e210ed06ba86344b26416

SHA512
7d6e98b10fcbe8e3227d2104aaaea3e3d853c8ba325844b93e6b614e1eaef7e4950cbef889c6f1b72df5d0e0327910d7d26a61b9cd363b99992877dd7f073baf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
6ef3797960dafc1baa8be6fa422d35f4

SHA1
30109674a4048679a47a0b207e368e719a6d3b8f

SHA256
9536dac4b19d0204e689b46fe1c2280d5917963ac5cbfdd5a02ee0553b0a2ffe

SHA512
9ce5f56c9d58582feee83aa42c5991f61ce4352443e7ab3041772cf8e2daad2d35b969c399057b99d328f55bda20ccf01edad786987ceecffc26d8b5a5854b6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
65908e164e006f70d655595df26bf6a9

SHA1
ab7f3b0c9ec47f46c1248d6bc21905c6b6df7bcb

SHA256
1b332e908cc2204cb9eedecca8e26e2e4c770599456fdbb98ee0b31c739e698f

SHA512
8373b1c0e9131f4566d6bb6bad58ae5dc178348c7278fb00e8bff4919dd334bc1d2a4c364ea4b2947e909e7aeedbe55f1acabe65ee0261ff0ab008bf702432f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
b358e1579ad6ba4b6d94b465e320f75c

SHA1
a59d71481a490b879dfe7fd09de7a52fed2fbc41

SHA256
87f8064859f2889dd6c9e0185382c8a850394d227912219e00b1d2b1b2e3fed6

SHA512
985a38a23b9cf1093bc21cb401b7c5d5448ebfe2fabda376ea8de70bebe3dc1e7cdc05ccac6be76b03b733137a5edfbd6cb9f8728d3226008301751f80c3d549

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
ddc86608f750b6d1caefe58b0e3966d7

SHA1
10c4702b751fef261047ceb54512006b00d661aa

SHA256
6e3c53e18f7e1874766901ae9d77479993e2f6428bc9f72d8574389aef7ce05f

SHA512
09d2d410a9c58ed1370e1141c7cbc2852fd4c6a7a719f9d6e3c713acb5f78e07ceb5ffbc9d5bbf293388cb8f43fc645fc8d92b30d3407130455c20f7f45c33be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
b2e07bc8bf40fd212b43b6542ba3445d

SHA1
d21f3cfc9ba1a2a8412c1eef6c56e8bd8d103ab8

SHA256
7490627561ae7ea5912caef1166aadab98b61175e6b1bfab80a9a0e764e7c9da

SHA512
8898eaa19c0f220583123937cf7eb65d1b072762c5390c476b28b2a158f84795f26f997091e733b8d9cb2cd27a94f4858cfb2d024c2a9298bb72cad9c90a829a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0329ec2be5a6b3dfac80ef88455e1bab

SHA1
145e88deb8b33c32abd2b61fdfbf33560fed8d10

SHA256
d77e7da28cc0dbf7f696b72f88509b3e08c71df27999e094162a7144a4fb51a0

SHA512
c27f289ad350413b7283bc1f3b5999b95e3db4c41242d58c107da0ba0d2070c2750fd8e9fb84f7a6126cb80100a7d550b969ec98e48b76709b43bb16b81a373a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
5363be04c436e703b32777b24eec40be

SHA1
efcf92e58e0f29aa91657ec12065afc1b6f5c10b

SHA256
d7184a5e65599b82f90833177f3774ea2898e5fc2f684b9f60a4ffb85f15fcfd

SHA512
597bd8849aeb6c719455e36c0e54591c2e5e6f974c7b0199a25e9f34f9c0f246160eb12166061c68f4f14f0ff601a9dce48a8f8e48cfd20282ed90122e5c8b9c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
273ed6c52cba5f7d63e5077184b1673d

SHA1
d3ac6d8ac552877bd55c56d59f1b9e35f95fc8ac

SHA256
dbd058765f3bb05c72bd56a3ec85e99d71a309838cce7eaa4afb7f4bef715e85

SHA512
ad7f228878aac293c45ab55245c76f51190d93a334c5729fb9ef98d41bae5eb2fb93a19f3c9ecf0b693d759dd182cb199471cab187e6a65fadf6b778586b5711

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9469306df85b6acc0a835254064dcede

SHA1
2047ee2381e1aa3eb9e3edddaf4c8599adcd67a9

SHA256
c6c3eab0380262ef4e7d2ef65df66aaebd10c7d632fb326373bb4868815281fa

SHA512
a01b9bd99b76a16b941bfaf3e30641a2684424a4d49dec227c4e8d5309694e661ec3694abed8ae27bb3bb2ce4b97109ffed7fde4408d3071a6b57ff61c4daf16

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
749c49ba5dcbec0b8f93975406719720

SHA1
b9ab75340e6d42f2bbd263139c32159c1a6d6ab5

SHA256
6de2425f6d31ba5ebbed60bca1c31c5c6f39231e69175c5e94f049acc4c8e8c4

SHA512
3179dc9cee381990642ac885e91516b31ade429a631aeaa3c9c1778fb28944eef2f69db5487e853555e502b50eaab867225004048fec6feadc5c0b9da19e177c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4045d7adef934842ef8a6c2ade44feba

SHA1
163ca9c99400a6762a820c5c7b714d530a435ec4

SHA256
9b011f6e544b0dada9f3e72b020cc6e05916488126e7da976b8cc1935b6be09c

SHA512
8c191785e0b13428e06a7d8448e1761fb56bde507b2f0e33e7736474cd6bc84b0d6c618b6dd9df5632fc9c4414670965a02829382ca29ff9038608fe8be77a43

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
e8736f91d246f62314a79567b277449e

SHA1
adb74b5dc1f2e6f77729c5977b863aaf3b5ac884

SHA256
24ad66b9274bc889bed7e77b19f20fc825048684d096378d77068af02bdd5267

SHA512
056752ee26202faaed2a1f18e514ca421a80c6f0147af8de23771862cbe4865bb4df8f1697fb90d72c9005042a76bb0de27dbabefb20397bbd1f360bbbd0572d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
5dbce6992db233fc4253edcdbbd1e525

SHA1
eccfb5fa84b3051b4b9f2e4cb2537555cb7d155c

SHA256
606883fe8edca865cc017d7a715bda0bbddfbda01118616231ba891171945913

SHA512
99badaad18ba12c5564f52ee73bafb5c68b4c8f6b53c1923004c3ad905cc8e281d58188291c5350eec481c234332506edad27c038ea32fa2ee222775db07d6f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
e46e81212d6a2158c2c30019faa1c15f

SHA1
ac808107505985974f09bf6f21dcf698e5f3f34d

SHA256
0efec1d34d6530a29f4a081d10363684d60b10116d7daff8270e4b9ce65dce72

SHA512
2df9a105d9af0dec6b8df2d43f7540c3cc937574e53983ea78bf11d39f6b187fa680aff8165abfc9ad63ab3048f7dd2074b1b512fb01471e3ae84a07a22851c4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bb2ba2d2510088a9ae24b0e26360f97a

SHA1
e3c11fc0da161ea2bbcb823fcaebd63acd7ee04d

SHA256
52daf72d2a38ebe586d6ee0b90b8ad8f49a283fa026cdb29d4248f00a00efaea

SHA512
718b9580ecbc3c2ecd17a7383a5e9a6038a95fdf78618fb2b9e7887842367f97dbf273e8a52f5d164751f211f0c7a8d5543220f601116a05ef9c641da7a1b72d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
358a79f286355fdff5ff319f185affde

SHA1
5994be28849e52b848456b09d72ef6960b2b31de

SHA256
67e2be374fdf5ec3359445fde214a868718a67abe4c1145316e305bde53f577b

SHA512
4f53ea38a3d6c5db18e9361a2856a596dd422d88930ddb61de841fd3459c43cb4aa231da811bd3a48f2905d2fd6c22c07ec76f24541379a0f02d2487c794694a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
af70b92ca0d9ef85c9626e424cea8b47

SHA1
fe6e3fb49205787b9626c907222f5e3fbb196260

SHA256
a4d3a75162c8f41705e2ba9a7bed338e24f6003c6e23843479de21473277ec73

SHA512
95226af4daa90d06fe3f1ee37164221bdf96f905d403f8c45c6496636b956b8e984e933c3a4c48de6bd59403866d6f7e374a89c40452087df4603437ed1e69c2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
b36182e79f528f1f7692ce1d2cca5562

SHA1
adb23b858ec326ee8a85d9f4b19f0494ef6d4f61

SHA256
7edd4faf4758a4fb9a764057f5ade27ca619bbb40174f2a86d28aff45c3dc3ca

SHA512
ed099f2087bda494577b8d6b43b6f3fbf619ddf1063ef809b9282bbe50a78bfe737efc1e179853fcf7d1443d9cfbb8e2b1e3f1caffae36806c9d48901e90d0de

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f2be6fd0e87e21a81e4b1cd75c82ced6

SHA1
a9a27395aca50931702c9391239cfca66bafbdf6

SHA256
8ed7559b31ea6e590e4190ce9219cef1b1f427cffd4ebb33b3d0af649f432c6b

SHA512
b449a3de2bd85e9ed1c43346e6b2ac875cec981cecd3e22f09d4c6cde678be7986f2628aaa1c24267988896c7e81af5c16149b4e91cb4a575ada82640d2e42a2

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
efbffffb603eb25fc11180ac4d40f9ff

SHA1
d8fcb51a07000f7477fb8daae6e66cf98471c038

SHA256
0253abe59474f6c323b3736383f57db6c56cb356f24cc7f94fb71b207b915044

SHA512
2e5c75fbcfe8b2d4f7be9bc8058f4eae32efaf23f89bb2e608c7f6c4dfc08742c1795c6d628ec17e8b9b3a1026abfddf121782121da6f73dcba86e0ae0e51923

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
4e12b49df57873c8d14d3f5b6343f928

SHA1
4db48a850cd0f0401d207ac48616130676683f25

SHA256
0a8fea1a1514f637de7c54224bbad4cc691541abcfd03f833f0c47773a0a6215

SHA512
be47a58246f507bb941d51dc57210cc13d72aaac15542a3c30f9f4b31776fd1ec3e3f9bb995b0c1cd576f032054422319b26c72dcf2d5d602bb496a859e5ad54

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
4452456840a533acf9596b3e16ab5abc

SHA1
414540bc0a887b321fd5b1e799c993e3b11b68bc

SHA256
1ca3d7c5f2796cf26302ddf43c811b8a731be64f3485bd0fb659852c60bde935

SHA512
f9b331c0649f366711378b8a8e9ca4b920e3c9d7e11225be3b8c568e76b5b41d28ac4b85f6d6533b31b1d38e6c6cf890497943e670372d3214ee3aa58734b00c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8fc6abbba83944d9f08cb98bcafe63c1

SHA1
78c03bfd6b3cf0368f59e0ad95526f55c6b0716a

SHA256
0ce0f49f62a58f768849d4b0980d210db087cf217da12dea524cb6373faa13b6

SHA512
5b8577f74e7b6c8ab0ecd6e13a4d8df074ff6f7cf8aec84cbdb38060c50601a038dd95c55580b24dada42dcc13b5525f8923efc383aada6bcc000cd052797539

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
b4978595df4d4da97a51f274f2ef943b

SHA1
d51a05cb2980ef6da7d6db3f4a284451dcb60cf9

SHA256
a848ca8dc023a97e81ae128b5b6b862e9eb37c597a0f5c2028a1654cff14977c

SHA512
6889a19c80490f2924fdae5852d8414351c306394c2cf804512ec33e337ddbe5ee4b67fa272c1c812b5cea91c2b087870f760352910cbed1f21562fe30af50d9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
0c41d6369a2df5cc507079fe470b115c

SHA1
865088bf812b6d9e997642b8140e8d17b6599c0a

SHA256
31b693c265c2652a229c8671c41ebef7f11b3baf2b3a26032da467b5c970adb7

SHA512
a79ab452de2e3ec14a1d573c0ff395e1d7e6a7bc7a8252bf192f0d9a0052e08a758937f0f53802d9a5de6500f01d53a39d4fda00d67180547be60ffb50a77051

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a61ce10ef22d135064d577ce746507f4

SHA1
688c9369a31f7fe659c3084ff943313ad5a09100

SHA256
36e0d021d11209e366578db04198574a38ff543b6dce03f25b972ecc74105e45

SHA512
098767e490b3c960e182c8420e155294094f8ca871222a29af068582bba445fe2f10bfe27058ca3806d36a138ed06982f9383a3502bd660d7cae209063fb265f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
04e153ac08c132e3afdee0f5a54c2d5c

SHA1
b16711a21ce25b61ef8a07876479124c0a4a63f1

SHA256
9b8d928cba82d51c56975319121349aad8fa1a14b8280243521503c209b53546

SHA512
8fd152745c18c295c9f90366ab8d2d47e98a52b9d4886417041bfe4fad9cd576336b73d2705ff2bd9b1020a97df0971fd4b7b4699a0a4d983926306fff390076

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
4c39a6614b63ed1e6d62d8de6418a26d

SHA1
0adaea1d3b54bacb0e174f886df7971737719e6e

SHA256
078592f90e2a045155607bf1c9c5ae57212620ba06eac32e49253f254289e074

SHA512
b8738338cbff0ae17d56ec9141e38867c9579cb74ee48a30bd13585f484afe9c646b93a82a8461ec34f9301eaee8d75130caf5dad5733c3530e3b6ffccaef56d

Download Submit
memory/436-129-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/436-139-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/436-137-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/436-333-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/732-148-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/732-152-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/732-142-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/732-156-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/732-153-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/780-573-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/780-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1224-214-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1408-102-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1408-93-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1408-101-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1628-715-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1628-315-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1944-313-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1984-692-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1984-202-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2044-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2044-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2044-19-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2044-224-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2164-314-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/2964-178-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2964-157-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3368-695-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3368-237-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3472-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3472-717-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3520-116-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3520-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3520-122-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3520-329-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3612-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3612-720-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3664-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3664-716-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3720-201-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3720-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3720-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/3720-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/3720-474-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4248-112-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4248-106-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4248-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4248-136-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4248-135-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4372-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4372-696-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4576-719-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4576-330-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4836-177-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4988-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-203-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/5028-693-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download