e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
Size

1.8MB
MD5

284a8ec5ab3ed799e7a859d1d0380a6f
SHA1

14a22ef6816ce1174580c881bc7845616d005e38
SHA256

e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11
SHA512

39d133c701944cc3903f648f0a58681a9030b79d6caf06fb450a22588c21c07f8a9b3ba54fd8cb49a4f1859283f9b9f160b7f4b9b93b7cb4008b802e0b019336
SSDEEP

49152:RM9QPdxwfE7WlFwKAfzuTiDFUFkvgDUYmvFur31yAipQCtXxc0H:R1PdVQFwKZCFgtU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4860	alg.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
4540	fxssvc.exe
2716	elevation_service.exe
3548	elevation_service.exe
4880	maintenanceservice.exe
2960	msdtc.exe
5076	OSE.EXE
4720	PerceptionSimulationService.exe
2348	perfhost.exe
668	locator.exe
4428	SensorDataService.exe
1256	snmptrap.exe
3308	spectrum.exe
2436	ssh-agent.exe
2452	TieringEngineService.exe
3280	AgentService.exe
2444	vds.exe
3932	vssvc.exe
2928	wbengine.exe
4708	WmiApSrv.exe
1196	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\System32\vds.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c523a4e58beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\locator.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\GoogleUpdateOnDemand.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_bg.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\GoogleUpdateComRegisterShell64.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_hu.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\psmachine_64.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\psmachine.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_ca.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3355.tmp	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_id.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_it.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_is.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_tr.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\goopdateres_uk.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3354.tmp\psuser_64.dll	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exee7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062068d19f8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003a66b19f8adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fff37919f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076436919f8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061edba1bf8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002db6621bf8adda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe
2844	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2112	e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
Token: SeAuditPrivilege	4540	fxssvc.exe
Token: SeRestorePrivilege	2452	TieringEngineService.exe
Token: SeManageVolumePrivilege	2452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3280	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	2928	wbengine.exe
Token: SeRestorePrivilege	2928	wbengine.exe
Token: SeSecurityPrivilege	2928	wbengine.exe
Token: 33	1196	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1196	SearchIndexer.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeDebugPrivilege	4860	alg.exe
Token: SeDebugPrivilege	2844	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1196 wrote to memory of 4596	1196	SearchIndexer.exe	SearchProtocolHost.exe
PID 1196 wrote to memory of 4596	1196	SearchIndexer.exe	SearchProtocolHost.exe
PID 1196 wrote to memory of 3032	1196	SearchIndexer.exe	SearchFilterHost.exe
PID 1196 wrote to memory of 3032	1196	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe
"C:\Users\Admin\AppData\Local\Temp\e7e73743f6187259c7f338e67471d3db970a0faed9d091d9bd1840a388d53e11.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4596

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c0cab0a03a2d20990109a8f951131ebf

SHA1
ac7edba1b5eeb56643cd6b05b99ddd0d2121270c

SHA256
1fd808b86935e0e9dd360a366a04f2ee1b78f4d6ed73dfa927bddcafe003f4a1

SHA512
6bddd62e9c7e97dd165e4e15a6d243e52e95dfb689d16f6ee574fdd7ea79130c69ae97305bbdf59a9561c980a6ae5c9034d4b64c0737d0f33b785c9b2a5a8692

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
eb173678a8a1e18c8ba1324c5f4fa97f

SHA1
bcf0fd51a3bfc4561460f26b081585149daaf820

SHA256
394404c9990422b148aa41e4ea93af86c43cf0822ad3ec8b143b01a1604034d7

SHA512
5112afc8684e969af4ee3396eceb1034cbf253f02445d0ea854845053f5040d7403ca6f3ffaa7c24e38bbfc6cf95c58746ec59d750ddd3576693a8c81105d71d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
9a2882a1b7c789cca7998b61948cdd2c

SHA1
d0a5d5330c940f78828da21a9766fe911ff3f35d

SHA256
abcde30f15c753b339cc4e7492d684ddb72a3684682d8e659a648c72f5248054

SHA512
f65c66921df4949e0c42663e60afe9026461569f16d6a44c791175cbc1ff8f5dc9306e02776745a6c0edcd7a8644a623c5dde6e30f8f7150194808989134d23b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
42e5e79cf1a31975d54a62982f316954

SHA1
8783548bd4e2952ee72e4d8d297a2b2f18255b8f

SHA256
39c73a3b624f5c25e7eecb58d27ba080e2d3382cf234a25ce0b63e27dac12343

SHA512
038f6654d18bdcf82cbda5214823103a86f1b574e459d7129ed369754c80f1d1fd89d2cce9bedf57ad26ff5cdd5be4d71be9e985117c8b7bcd41b7422c8b9b9b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c0e21bb39cfd30b705d15f1434b72792

SHA1
fa5d7ed657c7edb6b08e14a8449b902d899a3d18

SHA256
3f7a89fd93490f42848de7bbe1c7c864365770220cea57399a67cfa551db3d57

SHA512
08f612527d1440b22c6ea43b9a76d1c2e21d6fdfff9ec28ec22e67cc04a2403f512f57e2cdfe952dce50ef85e5be25f1d70b5a9417d02eba40f8395c57ea89ea

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
e5314ca9ff80f5e1e48055f05896a523

SHA1
9a83ee479ffc4bcd92868cc5f151aba2e5aef59b

SHA256
5882e1bb9c380d24223aa4f22fa949d69ba902b67ced4d1773c32a5d4d34bc91

SHA512
d51d1233e1c2b71150526279a1bfcf942a8f36e62cbc9c86ebcdf8060c0bc56435d7bdac8126f2a17e4d83d39fa359b0461648230b9a9b06f9f398f5cb8b03db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
6da807ed58f6f0d06400958aa0a0b4bb

SHA1
502da9690eb4a440817e89b371d253faa5b7ffab

SHA256
8ffeee3bb795aa65061d385a6790df8afdd2362f587dc861e681dc030f1f086b

SHA512
bc2db6757b041eb3cf6d327775474bef8f79d22312eda6c9f5c48816cd494bdca4836d26b2ca53e0bdc15a85e33a4d7614dfc1d849bb0971a2be723076d95396

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
33b5f9e7dea3ac7a4abd5eca76cf39ba

SHA1
378cf5dd9b842d629a598995e885800cf98eebb6

SHA256
ddd5e19e4787a7ec84744c101455c82e45a4938677f0c0c116853fd8405aeb38

SHA512
c3b1252f6413107d2e57eb41b09199f5fba55e2a1238cd198127ddcefebfdc7770e34039da49d5006acfb86b1fc5c8f25660e61fefced6e839eb3bc87298d8d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
747db9539f16811cd29bf2638cf529f3

SHA1
57653cf288d9a51fa4df688bfa2fb6ec1f24f6d2

SHA256
daa9137029cf2e29ee6bada09b39794dcade2c0d4ce3f6d73e73b05a63cc6359

SHA512
b581abd5333454b9c4b1949f9ae577d8af645ab6631017640f786b5b24dbb2d06a7d2a559e990c2d386c5aa768aab016589087bca4f7b67a7532ea334f5d9f1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
5.4MB

MD5
f54b1e247527456ba4b0012949d690fb

SHA1
7a082f187e465d40acf09844d8d1ae7f84fbbb06

SHA256
3ba41a67370eab858b64d5b1923c5e13ce653dfb1a2afa371f504280b18e7b5b

SHA512
3e82ddfd8beb29271482b3dfc737464a956caf789585304ce71962db5219f2e9847dba9c9751d462572f21781e087f15e04c57f8b904a8e84b181e3f68b80582

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.0MB

MD5
623980e912781ba26041b15096b05e2a

SHA1
0ca419fee6351ba95564ce923899d35558d9bf32

SHA256
799213212e4a95a872bbfc2a2391768d63ebb9a73ec4d4ca174dd79f2e3c3e8f

SHA512
8d22510bbad3bc33af42f35cd8dd907a5053d5efcf16ac64020aeb09bd13d15d790c2bed9f6e2db44450ee20057ee721aab755c138c4675f6e6a055a375951b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
749e856e3756798c17875877dd875374

SHA1
bf400832550540c62134162c34c8ffadce8b825c

SHA256
fe2714678472ecc55218560c96cb8e021acdf36a2da67b3c17cb60677a84dbb5

SHA512
65124777c82469c3567067c5391f98e26c686a520361e1b86c1be4326fae0df49c29b8fc47c88592f484cb0e76bd7a48b2352dbcb187c6ce57399b392b23513b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
038860775a2c1b50cf0e5906271d5805

SHA1
d1e246411f410f93e2c67a2352e98e54da82427a

SHA256
b966e1287a7045a3211e5bf5331ff3cc91b80016b949ee56e917f212cb24e672

SHA512
bad1759dbcfa3b296805abcd591d1f7ae482bb5ecd5468ebb9deebfa7cf483664c163e3a07b874597a41e91e9bc0cea288adadfc53fdc7d0be2346852c449ba9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
5fadcb8c602a01153a9075e0258a1d4c

SHA1
7797d028f58016b28dc81a2f94236f7b2f28f2a7

SHA256
82c202b3631cf7269a3613e64357adef89aa6077ee6b55b5f7650def177f43ef

SHA512
5e9365a69d6f7806f36fad9ce212235280c4960b4ea654ec0e38fd04a72a8fa366a7f0489913ba3d371107434caf3ecd9bd16332db1c144fbfd26c2dd124c0df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
669d23e96bd86a0c03e44ed4a50b531e

SHA1
eceee475f49c35e52fdb6dbb6cf316c4ecedac48

SHA256
822ef22525112398cbace91acfdba78f89406783d39761d69642ccde12af73e3

SHA512
1911ba4e64f7dc22151d808c466334084f5406fb3ebb86fca5adffe8a587dfdd8d202e8e3990b6ab30cc60c8d21445b74c23081397843f6aa17c300ef0695390

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
be2c3f3f3cfcebe205665531ac944631

SHA1
f9db316f1b75f08794b9735e365a1af31d179982

SHA256
1cea0129fbcb91882ee99a7665e237b4dbea9be65e5e35c1d942fca08e6ecc0c

SHA512
3e95c1b8392080b2764f32b5cc446f5e68af177a1e59ab2b8609dc01f0f6cfc092be804455b249b1ff5d7742ac3e607e600569845024750387eacb1e2b9f229c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
16a495710285b457f7fe27749bdc2358

SHA1
bd8218ee5a65b06646e14a2ca079c01da4f35aed

SHA256
5994a1f62bc2ba4576a02b91bf19df59eb97b2651a43e200088683cee4e203bf

SHA512
d47689916a2d6eba3e5ffbf64479aefd952e659d095ec943b3f8e5c7099d1e29d8b7f86783ad2ec2a27801fce97cab0d9113e95c6c81c48daae3048414b75597

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4fd6f038338b8cd3b1ac3808e07547de

SHA1
ed7731298212e4afcca36a788fe0ddba4be8b642

SHA256
26165f872840b32b1a981089fa399ea1debb3aa752ef4b45ad2b1b3a19397151

SHA512
b6542c22eee880260a2b06d52676707d870b8269750d84a730ae1921859a678030706812e21b353a6d042fdd5f8e822fbe91a97117182842ae35d05dd0edc297

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4c864aedd12d675c90ca411ad515be47

SHA1
21231c9dc7a13e3669318ce5043514029cfe5e19

SHA256
c0d4cbc9f048fd4ad13532846e9babe365ab17033af557875bcf384a7df0c338

SHA512
fe38d11d02dd985a11ce38855051e4b6504f34569ad7e924d790a929a7d131a2084a1b66c5e5b99666ad049d77a020308126690ad1a983c07e4e57ebe114f122

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
91bea3a2ace1122ab51a6c615f2baa85

SHA1
4a3d3dbd2f085091fae4f74eaf66c5624f2e3da5

SHA256
1c6fd5117e0ebfd909e08d32584e4e1333d41fcb65e1490296f92bd6087528f1

SHA512
7656e700180042edae647ae4ef86759ff4808dc34e3b2d20f0145ffe9aebcd4e1c24044aee573574ae5f4ef57eaee11dfc946726ee3e175947f3da45291816c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
9b7de9f7ce27bb75375362e4dbe27108

SHA1
4657d0a4d8f0aba583ce87d2c62317419adeeda4

SHA256
ed1881a9b98ebbdbf7a7eefc6800ffbd133ebbf64f2312c8ca7d024c9908d659

SHA512
72c35ba33fdf36b0eafd4d82b1e93b2445e0404b8d72ce8f6af1e82948ee1142c7caa9181f857bd3745a13c6126c86afb381398fde52b37cda70849927f8fe1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
1c2edbd2bcc149322f23e1e25b57d167

SHA1
818f0148550af0b3a096463835561beed71c905b

SHA256
e7180c46e76bcef66154e2fb2536cb0b9cb16a47719b8d90d02717ba3ce7e35c

SHA512
88fccdb6fdaa275a0beed093380bf4ebf8e8d52d3800cabf342d87d4b4655e0d220706e2edd410e0430a848e91d1c2290292cbcc056abc5c616172425e0dbd78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
4682c178b3e5f0447f38864c36919c0e

SHA1
ceb838f74b7bf0c240ff9acbc169646d6bdb42b4

SHA256
066c16d1a4680819d9f2472a77e1e5172f1986c02f4280cdfba48bb979d06bcc

SHA512
5d127686ae5df9b0bc416686e7c7f3e947c131a94692dd958b43d2c9b3b97eedc3325d346886999c4112c93db1ac84678175904768613f6f066c1178082e7974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
9abb2c3db81c592d02aed07ded209975

SHA1
7843ff22b3a52385db94b6d260bb8f6a86d5affb

SHA256
ddf9d8340c7b6df5b977342211d89ff6613cb9facb4b5a928e0e8f06cd8981ea

SHA512
f222c0b6a13c09ad3e6d82b289c5db272083ccd975e944da0d1421ffac32c805c6ec1f32e132ac93203a5873bda352f84ce17b137673d698956675e8721bd0ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
6a22ea387459c453e9b79ca7b1abd04a

SHA1
4f5fd571dde8ae0f950256193b345434b4a8cd18

SHA256
94d7930259683263f66b1b793deea553b201147c24253d2c7dfce49dc97fb34b

SHA512
cf089b97219d61be3e42496ab7eb070aca31908c87525ecd3af75d80eebc82ee603b5def9a985570a2e5c2c2db7886ba591098ee62833997ddc1c415eddac991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
ac7ae210de791bd5f0fac8a4a702da21

SHA1
1b49e7330f0c9557e6a80ffbd706531f0dbf59fc

SHA256
5e577459eadc495dd21426e1da8c96c684aa76c8bc1869f1011ae1a925dc703e

SHA512
bef1478d6e11c83642b0f0cfbae669edd351cb17ed9a53b7b5c54c18f7ada9b9b43e63e128fc2471a4928b96b9e2279fdd0a11324efc6b19c7a3190fd82dce48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
3d0b47a4377d1f2d4aedf04ebc5fb389

SHA1
380c334281f346f776924f2ee2d57133302c504a

SHA256
d953a38635192a25f9efc12967c84eaf8486f56cbee7bb0549ef92a7b3454a4d

SHA512
d68730b846c5c352acc3fb88929968cf7495b5626573efa329835becc350a95f186a7b4e3cab5a0df72effc3bda936c0a9f177e04dd90b29353babcd78b0a608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
3f20458964148fa15f4e79caa0993352

SHA1
fb345d9f8c9fe43640d86a1ae0ec1509b4beb063

SHA256
c7bdf980b60d1d81f233b4dd47046600ba59cca035b3a7cbf6c13d237c865c09

SHA512
67f127cb6b7c185fa1f309cd7214875a0c92ae6aebf9541bfd58b6069d6bf451577d00971c25b1209778e4fe21a566be975f654543eb6077956cf2d846bb4547

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
6dff161d933b6788864046fa0ec3c4aa

SHA1
88e6aedbaadafd6a2d2be81f9b023b0d29dee354

SHA256
f9d1b0c26b43e943c4be78374d77b9f4e76e5f1bc9c28f6a79b88b1e3f13a8cf

SHA512
95dbb8a216d0efcde80c89e55dad75e1d01d63cbba17b27ce0dca38688ed4bbe5234ee64a884a833fce8ec159a940ba4b3261323ac3dd12b5e81137e36d826d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
7ffc278aefc13d071a55d9b7690c937f

SHA1
0744e061df4193ae0992ee5bf165aac0506014be

SHA256
68726f56ecba97a2ca42df258d354ecd49f4778804f9470b8f2a90d2a0cc2ebf

SHA512
d7ae191cc775722e2dabb166a07236cfb06da0823f2dba8a994ec40a8215ecfa910a3f53b731296c3c9d71399276cb93d242700bbd3c350c25df3bcdb64003c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
00121b7b9f49722a05b1c255a3af3628

SHA1
3c3cc699f59ac72138ffec64b0c4eb6056fe1e28

SHA256
2d0a1285c92d057cca94b3ff4046a2207a09be3df49635066242d41dc71f7211

SHA512
38109732d540a9b7a34436d65b09368a0b64150d9172d548bc5d0cabaa132966976edd8dcd42266d0c8517b8eac31852d940c05a9d2c7b1698a7e602767df805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
8b892d7977aef0d6843f6ac0632a7fae

SHA1
cc7cfddba1566e817dbc5005c0abf2dc0b59913a

SHA256
e0eb7f88fcf1371f81ebc9dd90138f961b154ba906c1d285ea11ab527d024555

SHA512
4cdb8aed22759ff6556a095771a147902d7daa8529ac7ba65b5a46eefd014698fa0bff68e7adee9580a90c94da1ae58b4d8b8abcb9ddc644bc1f981eb5903b34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
f9bc5f67e12d1612092644083b481d3c

SHA1
5c7730f7e24dbbd95d13d208ec9897b9d2062c73

SHA256
eb109238835bc5e0e1e69eb3aa569a8687c3687169a074a407fc67a296ae8dfa

SHA512
e8f46235380194296d5237ada4bbd37dc6dd34076b13b54fe5b9836860d8800f17277e3835b3b3e79e6f835ac81d3ffc5e64bda43d7297e908206a7b0ecda28e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
470bfc3bc17e434362e1104742ce0d0a

SHA1
c92bff86e9cf88308c2eae1c8b0b5a8c38f05827

SHA256
a95b2ac0ed030b2a8bf6620458658da2ebb456f72ae1e377a353615789081843

SHA512
9de462948ad325f2c8150e894bcfdcef76e67a72e78c2333f076a7f49059e8bf351b10710dc742315e319bb3607458980783258e0c2efa20a42f5ed596a02141

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
1fddce13534de8d59f71ced93f18a7cc

SHA1
553d00476e78cd4b7c197cfb4b36c53c126c4383

SHA256
19ee7023baace73881f082d03a3c92faa671682569a70a8a32d30938f7797d23

SHA512
c042223c308730c7345f433864492334938f2d86576657687725c592e034bb16aa41aedda025e673f89d3bceba1849ccb06067b91d770659a47b7659443f62a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
033a50d2949d86a17383328cfbcf0872

SHA1
ef9f88373a415e2e5cdb42c75cdd82c5b6bad75e

SHA256
29082c689facf0ed7ef00fdbf3d12c5893bcab4f5a5db0f3513f70d2e30ffe60

SHA512
07f45527f610194b16cfde6a615ccde5841771337cb8607090737aa207a5f260c35d053f895ec7fc3ac55727b62ba9d0206aed62a9e2ac4a548706aa4a7fca08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
8284909dfe2c881e9bd7c540b5202a35

SHA1
cfc84e6cf45189a5c9d4678747197f667fd19d4c

SHA256
5bd7a767656ea42e1d5acfdcbc409f05478e39f70e8222dc7f201714da2a12d2

SHA512
39bd51e5b5cdad5f1fd46ff9226e69122c98d7c1a522ae21475124714f0b430a24a7fb7ecb6987b70ddf3d37c8d43287fff232a71a6dd1dcab9c1788404f3579

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0cd7586d9046350cbc79df77e9ebaf43

SHA1
2b91882b0074d60abf94cff60a75091ff23e399b

SHA256
36c05fe9c28aefcc2c16bdfa878007e0685e3191589791b4bff8fabb69bc232e

SHA512
5eced777f1b97cd5495a0bdfc0a8b802d3d0e43753251f9d16e6dcfd2675ed4cc93a5ecbdd322fd50941d8dccbac991ac738d4c395a5aa5ea8c0352f3caf03bd

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
a8cf0440b1a6edcd9e7e79a2c129dcc1

SHA1
638f557d030fd5414fec619938090a7f586ada2c

SHA256
dd1dec43360df165d0f4e35bfa16638b9082856541dc39b97b826e7c4a33abaf

SHA512
045889a079b188a33835b3f9b871028107cf30c58027ea589e9fa5c7d429040c5b3607a694baf96d8cf7d77d07cd4ea086c9cfe6f759cbcb1d18aa842851ff83

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.1MB

MD5
39fe81b1150b69fc620484959408c768

SHA1
32255e8dd550dc11d51a2f0b8b0b7da44be198fd

SHA256
ae0e74d5a1c3c8c3df6014eb8a009b27c524e7d3b5cb50f32d72b92aa8b52515

SHA512
8dab8797b07f3d8d46d20f09ecb4350fc355f064a9403dd012aeccb5991a591d12b252345ec343c3d4b61b457ace25daf8252d7cea558b4359705e8b805aa7b0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d1dc5e84e245928611d4b68327009c4f

SHA1
7be4e3961d581915841ceaf89785b038db9209e8

SHA256
dd3d93f00c108467a6cb0acba6b2532ccc01838dca40befce423668cd700c0ea

SHA512
20be7adbd5b463cce577e895ff7bdeff98e06e0667cf1ed069a211af04358ea40ff70e7deef65c0965ee015ee6c52ddc0a03d713e4affc066810e3f3ccbf96c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
1a834529ef5b8fdc94e000bf6a8d42b3

SHA1
0261c4d07886f074129ebdcaaf9e8e53b5b479c4

SHA256
d54f28063a568994802fe6859cb0e9fa097e4b6d6d3908fa34ea561cca28c5fe

SHA512
a06c9e2ef0089c05a5302110306e14201b57f4a0d8c966be991be4a7aeb88a40fe38aba4160b4949a193a1a274b3712d4c51c817981109bdfc13af57d6328941

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ca1202008d66ac23ac13de56863e646b

SHA1
da2825506e59c5e06199b431030344324505d400

SHA256
46edde674a5a66877180eb3a48ce6c406a408e18e69a2d388fb7d2956b2e8aee

SHA512
b6742f1f9a672d974dacf4664d7e2807c98f118c0f596dee3e936d3c1e6b2d6151adcbe336291914ba66a205df3d569d30c223d59c32698c87040fffa4db6f22

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
ec0b8556c36e511a2222afaa35ff39c7

SHA1
c4c0e4017346032ce5db5721488196cfe52813b7

SHA256
4d71539558adfc748b3ed38acfe04c4f26d3e60ac2a0feb892c431ae427d7900

SHA512
b03d360d2c7699c82f603fabb76dc894c3e4aee185daa83f9b946b996aa12805d8117f4503bc406d58b16402996e5280adb463579527281d961b28f17610d321

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
16f37ed734af12e34b0db2964d039f75

SHA1
84938d2ac0e74cbc7be9542f65633a1741f8e939

SHA256
602f13f8697afdc5f4b521818c4564e536f93b2744e62c6a52db122dcbc852fe

SHA512
aa30dd39198d9593c6647ff3e151dd91c3cf44b7b8aab93e2689a75cca13902fcce65ace1f43f0a6a99ae16f0a3de55f6e46cca1b461593c10d937a45651bbdc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
097101f6e02b33e0b34b5a1d50c2c72d

SHA1
1c3e6b5e23e27922a72efb26bc3047fb9f31b54d

SHA256
67d03b12b41e3f3a261462b1f2dad72c46aefbe8003c5a9287d48c5e2d3f1d6e

SHA512
45ffc211a4e04f5e9aaa332ad5aa321c0de43b210989d291a2a6c22cb4804fa008525c6af2f7e7f1c1ec979abcbcca45eceb24f409e0a15d61f174f0cc7d097e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
70e48a112c52955711dd0a7b50ffefcf

SHA1
c3b9bbac47d67036028e2218bf0537077dd0da65

SHA256
94a01853e358072e671c87d2c4b30cd2b8afd82c4e1030fb9d2406bd85ff2087

SHA512
6918b4314faeaff4a63f3d54c631e17fce3c9f4105cf703e35c97d39409cd52f1559b7c17cf4ea68c3c9d459a8fa27d2116e963550197e0e9fc3a3a288c8cfc2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fd2edb50f5486affde24d84377d3809a

SHA1
ec20fafbc124f9e785509441d63107d441cc49c5

SHA256
b86d5edf04959c35e38cce91331fc9679982338bff0963cadb64ff22cb990ece

SHA512
bd2a59da00c6d7abf0f4db0ecbed8a13d0c876acbb9a7931684b9835ae1b51374ea836069f8c2a9607cae7ad57760cb1ab6f057fb48cf9e761cfe14aa519f806

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b1fb45322577ebd07b8043961555ca35

SHA1
5a46ef81990d369d2ba2b46c247e829a4891ab26

SHA256
3cb04506af4b8a9b52e2eedf4072cb36dcece24ace55ed304d14967c38bb5b02

SHA512
9d491a920dd02c3eb1e05f0b59bb6257b1d19f4f1b12218184c2730e893f663ceb90e9bd665764c6f065dc8f45e2e58666195d2d9c9f9296d67a9268904eb28f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
6b7c8b985083a5d1deb5338a42f340a9

SHA1
44de1bd95ba53fa499133c0a285d200576c67215

SHA256
9378f010b7b3b7d2d594b8640190532b23eb177d88f445aa48ca8b7c4c11625d

SHA512
3b34f087eab578fa9006a8eafc14a9b8ee2f329f8652c616935e0e1c98e9abe86b9541e6cff31c8898f8ed7a5487a0c72eb041ca5f997696d46387cdd578c694

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d7a84b7bd9cd2eb9cc68dd3b86273bdd

SHA1
3df2bc15a65f3a15073ad7a1ef69ce7b66b54a7e

SHA256
812da1b3e5f6664936d7fe531104c97fd7138c2286e60a2348296f2db7b73111

SHA512
e25d241928cddd4cc67c8c00f5c7c16ce12ec405e961b58eaad42950bf31d3f59305a58fa063c943a70dd69cda20e2353b8d78877eff44da4f8b7d9f8b4a19b5

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
e20285f4080d08dafe7d8f7a18b827c1

SHA1
b9c8195c2446b4665841c791035069181d7527e0

SHA256
0013bc49d6534253c0e05b53fa7d0c37aa3dc2883907ee7651045223b79c4a44

SHA512
37b5142dc6ab2266dc5a3db3e9687c6d538d6adb68b6d3b79055e484e8f868b7da3ad379aca77d8916d96119887991db48eed4764ff7d326fe4f10188641a8b6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
87b265acff30d43e4ac0fc580e4a500c

SHA1
b3f1cfe15aea00b4f6c0903068508166adcf38bc

SHA256
427f8a5fc8928aae39e8a9a9d6fc0ad835867cb214a77cf75bba1a7fb16ae8db

SHA512
a758c50b22ee3f8c95468147e1c93f865ce9d03260f620ceda24416148a20d86a8af149e94df41b7ee5504002f44df3eb570f83023b149ea953ea1746d37d6da

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
2636b1c766c823d19755ad4c650a97ee

SHA1
546bb27fd969c478a21f19787d73a54bb90f33cb

SHA256
168ce4e5ae6a98a649c2b46243c592f0dbdfc261d02e8af00e07d93ce5375904

SHA512
bb1df6492a502ed1e5fedbb90a3fea407ba18c1dad3852b599d7e7d0aadd8916acef6bb76418b97dfc9eb7c61662d362875787fa21165c9176a39b4f8680d750

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.2MB

MD5
fa9b92913d280b7db7bb5d3edef56bb7

SHA1
46c8ee35674d2fd00b93fdf2ba8ad7201a167893

SHA256
3646b7b686332c0ed22fddbdef33c9d8b8fa2962c976bb2d3f833ff03500bb3e

SHA512
f9e27eedfa0ae7a2127d1963a0f1828a4fbbeb50e2d7042356f994e0b1b3432e90056f1c295781c8d589592d44bf292b2df94bf328b9d7f334c16f804a1ebe1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
692114e8a0b57646f587354b60be6012

SHA1
bc716a8e6545a4577d3c42c806a39b88a9fedef1

SHA256
654c8d88ec7ae7fe1f2e1f559f45798ef6172c41b4c25cd6c19dd633acf5532d

SHA512
9cfb336aea7af46843aff707533a15a4f58c887562b21421b4ac4bb441d8178fdc70ca28a16fab99617ededc17edf1d6faa0b1039459fce22fe6c22fb6a6234e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.0MB

MD5
13c4a0bd4549a8491627a77f6b7bc12e

SHA1
d421f14d1918bedfd81a4c595564f40a1bbfa0de

SHA256
3978b4a1b1a36c00e1c48cac3b7bb2d82f1876d4fd8730806f5343e8bf806f72

SHA512
18e191315f3599755dd4c32427a8e31f037af0ef9cc6fcb8e344fa72dbd03bc4dedd234baea83306fe8a43e2f5243b3181024626b72599f07e9c90f18a404c0f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.2MB

MD5
b88677bac09dc4fbb9672fd8f058c093

SHA1
80f33a36bfbf03cf47263995da3cbb58268b4fc2

SHA256
f9b082fead6baa9eaf230871d3eccbdb244de27271c413b77b4ca4b69358bef6

SHA512
5f7c7fe7428ee073426a273f2ea8bd3b735de209ed6647fdf899d20de6e9e0a1995808e181d44d1f8954538f2348d331b16135d9ceae6e2213b17366bc72798f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
76aa5f4076dc6a3c12f0be8c785a587b

SHA1
5474a4c7ebb8e97e8523ed917a8a539806ea2ed2

SHA256
93a7b48762e3945321cde89e97ef3016f64a2f02431f18a66dbf2402d16467b2

SHA512
a2bc917b277ac0f565339ade1e4ada01171bf537bf551bc830e6ce86bf6062f6c1d0013d2cecd60c6e645b62e18d0adde354880615e784caf0190640076410c2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
8ff85bf98644581bf8aa35ce4d8ac0f4

SHA1
46a8fe07dcebe08021f89506f25928bb38978a36

SHA256
543000dd595b6a3d7177939ec27333a26f1fdad242ba9f149e65e836e8c3e2b0

SHA512
e54e2f0e7c467246ca1c3136c6840fd33e6a2936f68aa57ec08f0d3d8c555c90e3e339bbc2bd6517d718518408b014ffebcdd05361c4d473adb2f29ebedeb36e

Download Submit
memory/668-329-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/668-215-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1196-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1196-766-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1256-237-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1256-468-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2112-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/2112-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2112-165-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2112-572-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2112-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/2348-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2348-314-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2436-755-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2436-262-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2444-760-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2444-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-759-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2452-273-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2716-248-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2716-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2716-120-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2716-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2844-93-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2844-101-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2844-100-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2844-185-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2928-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2928-764-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2960-156-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2960-166-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3280-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3280-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3308-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3308-655-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3548-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3548-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3932-761-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4428-758-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4428-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4428-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-112-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4540-106-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4540-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-114-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/4708-330-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4708-765-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4720-302-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4720-192-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4860-182-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4860-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4860-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4860-18-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4880-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4880-152-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4880-149-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4880-147-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4880-141-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5076-177-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5076-290-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download