de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
Size

1.8MB
MD5

e3e049184dada2fb1fdc9c7ee789d423
SHA1

c1689c5883f7e1e56cfa82322604977b3ce0387d
SHA256

de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b
SHA512

dd8c21dc5a74e7531df457a26165e0237b6cdbab25ed621101709b0051cd9d05a3ef43fd364019f6a07ead391d3efd9fbe232e2ad13d1abaac4db6dd27a526d4
SSDEEP

49152:uKJ0WR7AFPyyiSruXKpk3WFDL9zxnSdRVlbnXf9gPTTW7H1GXC:uKlBAFPydSS6W6X9lnURVlbnP9WXW7H/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
8	alg.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
3180	fxssvc.exe
4488	elevation_service.exe
704	elevation_service.exe
4384	maintenanceservice.exe
2324	msdtc.exe
3212	OSE.EXE
4424	PerceptionSimulationService.exe
1864	perfhost.exe
5088	locator.exe
3384	SensorDataService.exe
3332	snmptrap.exe
4296	spectrum.exe
392	ssh-agent.exe
4180	TieringEngineService.exe
3728	AgentService.exe
1232	vds.exe
3724	vssvc.exe
1952	wbengine.exe
3456	WmiApSrv.exe
1156	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a83661eb293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\locator.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\vds.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\alg.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exede40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_ml.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_no.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_ta.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_tr.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_vi.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT4269.tmp	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_bg.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\GoogleUpdate.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_hu.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_sw.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_de.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_et.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4268.tmp\goopdateres_kn.dll	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exede40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003060003bfaafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3b7463ffaafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000894ded3afaafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b75e63ffaafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a06a733dfaafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe
4856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4028	de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
Token: SeAuditPrivilege	3180	fxssvc.exe
Token: SeRestorePrivilege	4180	TieringEngineService.exe
Token: SeManageVolumePrivilege	4180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3728	AgentService.exe
Token: SeBackupPrivilege	3724	vssvc.exe
Token: SeRestorePrivilege	3724	vssvc.exe
Token: SeAuditPrivilege	3724	vssvc.exe
Token: SeBackupPrivilege	1952	wbengine.exe
Token: SeRestorePrivilege	1952	wbengine.exe
Token: SeSecurityPrivilege	1952	wbengine.exe
Token: 33	1156	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1156	SearchIndexer.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	4856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1156 wrote to memory of 2140	1156	SearchIndexer.exe	SearchProtocolHost.exe
PID 1156 wrote to memory of 2140	1156	SearchIndexer.exe	SearchProtocolHost.exe
PID 1156 wrote to memory of 3520	1156	SearchIndexer.exe	SearchFilterHost.exe
PID 1156 wrote to memory of 3520	1156	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe
"C:\Users\Admin\AppData\Local\Temp\de40a24c78fe597820a869a93f5cf756371e403dee96df44034e5394c08b8b5b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1256

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
cd837d529c125d2ead7139d62e150a6e

SHA1
608f5b8932c166a0cf521f279f2f7551dbd13c49

SHA256
12efd73c399a476a7c2257785a865c79f5ed09b75b5d708fadd4ef8c7ccc0de2

SHA512
0a156cdaa6fe833148a70df9ae7434a6deea3ca977e825030f0624461dc4b8b51a10698ab1a65a5da335abd623b6712cb6daf34e88f991a844ad92785605e19c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
6639dc6c350deefe24e468bee6e17edf

SHA1
eeb307ca4d50176d329c9d3f88f69e69f1e83212

SHA256
8d108f0ba611b431e2dfa39de5df244d10f90c4d3113e8dbb43cb4d69328adbe

SHA512
39d8a3e9823e0d31f4bf413ba617422cab06828e5c2c0ccc57e90068f0264ec85967b0c7dd244eac47aaf2898d7cd04a58acbf1a30b7a50a78bbb3e33451e5bf

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
e2cf97b3f381368348643c5d9e9dca48

SHA1
1981728baec498851bbe5df1a979d2d2d71ecdda

SHA256
df0f967a11f2ef3c18ff0f32e0c1a03d4fd0516d5d7550c008e069d18bb0f975

SHA512
f070af844c51c5ba6f8efa8001608ef4fe8037b7619cdb3f644c9e62c071df732bd71a3aab05477528c9a2433b1b863b324876fa70b87687b1312f4cc7e987c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
60f10f3422773626f635afac31f25449

SHA1
580aff4b8904fcec64415ffe65025e2d661506fe

SHA256
a3caa1802ec70880823f2a1bd4e11d516905dca8aa3380801ffc60ff568e1b7b

SHA512
0357ffdec5a2a47dc9d70b04f5bf6e3ba212d4a426db09bdd2bfc96ea9e14f7e0bfee1e7b429e65659f2351407d578fcc01a665b01dd571eec10545c349233a5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5dc48b59afafcae3442b19fba21d6cc8

SHA1
39833372cf22bf0f354037392d7f167023c4ae35

SHA256
8f4eab69775b227d8d5ff2ba1c4d7e674a65cdc8d312273b338a5bf2e5ce0307

SHA512
701a20059289a636b3248861d4df4717fd867b4049f6afd43deb53b982d1d17655d95203cd4340e76556f1c416a23213cf397f98c81e9180afa5f5b6da04e6f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
61280731c7faf693aab6e9d2a778cc0d

SHA1
909b8ea816e8bc3ce007acd56333481a370559b7

SHA256
e29610e7d74f676512247abcd8b0bfc8819530ec54a4511eeacc01713fe1b3c4

SHA512
797f7e2b83ae4391045acc110d375f740c1ff1d958ec945053840cd468f3f622a09d52fa5b02cbb736eece468ceabfb138456e86eb3720e8bc25c0b2493314e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
a8679cb3a568479cfc029bee2d842cac

SHA1
27c2293950733df068afbd37307ad925cf789a0d

SHA256
b17b6c3b48181f9f82dab74e65008171dece1c9bb3b21bc0520b14fa3d33d6e7

SHA512
2ebb7b75342a0ec8cc6cf0116ee03fb40a5357c89ba65276b47f8ec6b5e87f123e8e3da719e59b58595a2c5f4b742d642c48b34ed3dd6ba6372a862c0c746809

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
47c8f5ea081d6ac3d20a27d58241d25c

SHA1
9bd85546f8b153f3e50dd488698bf611cc1bfd73

SHA256
f420f880f34283d264cdf9ef7b27c415fa0b9ac418db77c4be6df0e4541364be

SHA512
af95f8ac2caa42f969b978d1e3c1d2635e1ae2dac89a09a3ca1f037856ee241aeee78f0c98564c2dff77ae6ab1ba2bc0eaf09b157dcf1a6cbea2bc3dde3db1ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
287a35737d8cc762983b604ac4af4ea0

SHA1
52ce77691e01e514f01fc88a874e64b5d24008eb

SHA256
26490be60d52bce4d2061ebc862ef8461811ac99c162fea995a27cd560d889cc

SHA512
dddd8dbdc92dddb3a841287a955aea2e555dca7e651c996579a18f55a5e9093af8bcc6f9073b511fb87e4194d31135d867709a94b49f98b5c5046ab6c99f95bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
551a37c922f8015719d09bd401b47774

SHA1
6dbfa83254478246a1f362abf91d2a9a7a858c48

SHA256
0bac93b73e267e42060a0ed2e53cf09270f4600b4d24782aad8ae6804396a468

SHA512
ac18026bec05b9265cd2a449cdaf4cf1389dd9ca8fc2a50b144daa46d1d15124cbc53588d910d9fa02049c484e139740afd6ef27570e59afbc7b743bc737dfe7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
01cbc764f1d63c94b4495bfa6a361c33

SHA1
cd78f5413ac811a6054fa27486bdf338d136a7f4

SHA256
0b0eacf3237d2d11b00c183ec340ce79222c7b7d9f1399c04d2ce83834e54cb7

SHA512
cb55e009ca5b8622ecbcfd6f6946ab80b71fe99c6dd142d8db439d9f68148670b757fd5208be51cac7168923654cb2445590169a6ce82a146c01bb8e85aaa82f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
25e68f72945dceef21799488ad1d31bb

SHA1
00a48ed626e3a50d47d643ead1b45972d75e6b2f

SHA256
f71fc38a282feb381ac9e0a88c5fb77eadc6dad1ababbcbd7dcd150b29998305

SHA512
178066445a71ebfe482a7f2d553c980e598278653d685f6f43da90888d777ab1159c81f8ea3be7d8d64feb5dcea300df56d41f4fb5fadedf3760565cf6c9a935

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
c033ce9edb2e07fdb837b029fc3a5e51

SHA1
9e758d77f92341699a72db10a9c9d0200f343677

SHA256
5464f56e2dcd7bdd4f63a272723764b1c20a3313c86c8390ebe854f400113218

SHA512
0e968fd71807db0f0f3a444f5e52ead57463a11527bdacee01d87f3e72d58aa1935ff017b181e64f1bfccb33daea758831c4291cc20eb418a33b9965b5131cb4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
1bcd1c5b50b9e04d3144022187e41c3e

SHA1
4be9060b7754794ca5b1400b9ae657872cf13fa0

SHA256
76ee11657f39eb57f2d2984bee6b0c920d79d4a6f2f327b6152cf4ded34cd19e

SHA512
b4c171b8d35047836db8fbdf8758b8e599d9345d59623e4a83fabe29d132c67d5f433806d7b7ecf8ffe1006b0d06889669d57357e904b5389362c4ceff369a50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
11e12d08930315a5fdce503b3f1f4d8e

SHA1
07f78919840f36284189c6b3361c5630b9b75ada

SHA256
b3c0bece37b517e108a7fcbd2a576a3cbcd5e9fe97c746d4ece396b7faf0b777

SHA512
9a5c6827f08d5d833397f0279c593414161e38157ffc5025d67936b4716cf59629e845f348ab87fcfd6c8a8bf0e14549fec304971c69234eb1f396045a0ad220

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a90746fd40ee6695a929c3b7d8cef1d6

SHA1
1b05de4627fbdca853353c76f9c202668e74dc35

SHA256
6dda26a81b1d80e045ef407d0b08de908b3a4f30ee89992ed4b7911de424b14b

SHA512
4d2d8cc6156446db79bc4ded0d196a9cd78b7d61dd6365f82368adacd8c37df1f22764be85ed1cc887cc33121aed933dd55605036001b0a2f4e2dcf0c8a0a8ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c98c0305909c7f619bb279c0b08f759c

SHA1
9254e6a87f147989dab938de95c285ab94962301

SHA256
82d068cfbdc7a4fd19c25b353b958f2c7c48448ed13e42a1d0acebb97c3a5961

SHA512
0b1ed4219c1d517e76e1a004b12da4073ed5b674bd7a63274187ff7dce7c019813d1953687b72d1c996b9013e7b8714a03e2aeb14b7b998d03e8b605a643f4ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
16edd99990a34d7afaa5ad4a15791341

SHA1
448d084ecc46976e326881e5d8ec7e0abcede40b

SHA256
82986793af76892047d92d41247ad1007ef34e925201673b20434fb05f927d38

SHA512
ee7ef37d5d595064174bcd237e54c4ca3490b42115352995cc1aada9ab5c5b0917535f050b5dcac9ed281231d8e589d3b6ad2c1596ee318337aea542653125e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a747d457c657d8f937f125164cc23127

SHA1
8c7d926a9caa2539df9ded986e8bcd173965244f

SHA256
e9d7637036876e1d0282d56658b8ecb05f914cdde66de286572ca982d1da19bd

SHA512
84cb7a128a81ed1cd766a2e23e7b59324e0b73d9808d29310d5e11c7849cb95a8a1b1170edd7adecb151a9962c79894f3936ba0cde117c7fed03a140d73306a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
0f576eba3b2085ae1236cb4c0a0694f6

SHA1
4b81dbdc106e439037e9f51411c8cb7be431d642

SHA256
58371c0d2e85cd481feed0be1fba82976ab9d532baf0d3d5d0345ffa19cda8d5

SHA512
30dadfb5edbfba5bb7cac2589c7142ed573d7037177c3e70a5ec398403834ae64c82deedbd5119be8887d73b89a222a4f476f6f38fc6113674c0e0d6f73c277f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
c331e401ef98d9a438c6656cf69a6ba9

SHA1
a4ff2f449fe3cd883b27712daa6100afc8e2ca23

SHA256
1d45a6945568ee40bf19a5c3fd18a48d3407e610be6d3fe99960311d8860f240

SHA512
622fb2f17b79abfeb867c51befa63b1f536e7529180eca2da445c9c4114be2822089aed1562a44674b10f8a5800424d07c034bcf57f5cfe15bb0bc8d9913b4c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
114dc1330fbec4c84c04db4c9fbb890c

SHA1
95ef60231482b5915b72836a7d17104d769db9bd

SHA256
de3ba38063bf2215f993fd945c9d652a4701249993f36438a983cda898493a15

SHA512
dbdc7a05bdb583293ed911eb5023948557e9dcdaedb0a54b391beae17be6e79f9712c6fe44cf56b85e41d24b59a02e00c93600073554cfc395ee28000f48f5fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
369e73afd9d6b4641ab9136f11313e3c

SHA1
5ed7ff4c586132732273fa3284b49d48f156f785

SHA256
afb730b96c53914d11892aa02013d2147258c2237183ca1a1bca2a956b60cd5a

SHA512
2d52d9364a016bd2344081dc7658ed2399b494a801fc76bcc8b7cbcb3d7ef438b072e91eaf5489b6c613416150a3c0f4144a3b88e22ce55d33051090847b4b66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
80b25ec8c7dc8d8ec80c403b1e14a4a8

SHA1
393429964cb50c61abf4ad342e707f3c9883298d

SHA256
bef8a98629b2fd084e0ba64881ed7ea7624ac22b7f390ab548375194c173fff0

SHA512
547344c1cd66507af541bffa94984b5adf368f8cf472a779cd894588db8bd1da38a9c830ae750372d15bc162bea0b1bf20904dda6bbce55b52b3336e917d49dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
6bc64974a2bb237af9b205eaf0499adc

SHA1
7e596db018fcc101e08c92847e140da2456c761c

SHA256
db8bde564046f80972b347cc7e5b5fd75fb297d24a05d3228acb3bce45b858b3

SHA512
8ebbae909dc27c4f02dacbfa23ce36305e09cefdec9891f62d86c1141335760552a391aef5920f70c5f42573a518c490604b699d63a26b712673f29ec62472cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
388de007a1f9b22f3bb44856d31bd11e

SHA1
ad3dc41501df611af863e889623620b2e90be730

SHA256
d75ccf52d2e87726cd13238d9951ae80a29fd2f79b7fc467bb582f8dd236e1b4

SHA512
1058c81e7572cc89149fe96b213133714e17f5c0e68140b585874188ed2608468c8abd1203b944b161bf909f22e44ab39b394d12c8999e113045413d368ed82a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
68e52134d54901e60be9fdd497c46296

SHA1
9982638b3703c768dcd7d2f73fe96ebd6daff93a

SHA256
0754daca6b3e642baede6ac1529813ef4adbccc87046c549d85bda24710137c6

SHA512
ad3b0bfd10f1b0cf3a211b934948f2c4e3668bbd8129440e847c7810fe4cb30dc885a85ad4dc56f6e52db518b299519e9df1ae5b80e3517b744daf6d56f95c5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
a68cae80e91dba814f2005d5cd5bc033

SHA1
16b5d0378bf4ddae50df9047734adc0d15540369

SHA256
c7b153797234e40a02312a1bf16a50179a8cfe8c6f67059ddb2c3da331c2c786

SHA512
1bdf17509f6bbe84ca2e812acf65102de8853e7b567ad44e5cb7a5036bdff9b4874a0bd837213cf9c64ceb2f22935c1d09a56b2ef096e368e7a0d5c9ffd58d94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
4c31af3f3c5a4ff6c037b3ea956658e1

SHA1
34c4b408f260f5a74e2d201058a05b480c6341fa

SHA256
0478d0533a5b935ed35831d6fca6c9e94bc768969d37573afbabc79a20e16b20

SHA512
d6ae56413a50d5351b4026e191f11563eff930547462797a128717a21bae9e8f8c50013de6eac7d87316fa2b076aec9dcab973f198b5c497dd62228b2754dfee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
76688531bf70a50b0413d132615f6c62

SHA1
c736fffbdf3e279b2cf62d6db0677ab6fd9565f4

SHA256
913e1198ab046bf54f1a19f93ec940d19e856c21e6e76532187b884dceb6c5e6

SHA512
9ac5cbb85ef0af4f7b6e3df3a4833e2659f95b5ecf8bd063286e2045de8937f4485d49f48642ce2aa01b025adda1ebc43471b568fa0e6047d32b9cc3db283d97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
eda546ec07b0a478ee93df7ba746c65d

SHA1
7eaa4f09078b402fe6a197abc4d6479f6b4729bc

SHA256
eb137602b9cc9d8e6078fbb95b38dc711b7f1592628b0d6b50d679ea7bd27d7f

SHA512
efd7b26f86f6e55503d7cdccf7800af6c232b57b07a52efe5d291bad2603740639f0b9ec2e6b1882a8bca9493021c55d8769f5de32e591297bd6ac6fa3da2ea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
1bef2dd2e67453540b1c5aba4f87ef19

SHA1
d20d1110161267c07c219184d5d17cf0bb5288c5

SHA256
6538f092916742242c5c7c636f3333479a3ed6748e01aa9253cbea2d2194e5ee

SHA512
4c76777c5e362b9cdfb621189066a632e829177e1897ef80bad90c21bb5673505b0a97d929f538f9e5c6a1e5dffcd80c1f5deed6ecf01413a4814395dc073645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
48bf1ea726706dd48555ddd058335fc4

SHA1
4f7ad11fa3c5bc4d9c2423c9c351719f0d97e0ad

SHA256
91d01f2d6541be9c2153f22c01246349d70061c69983cf45097a54b0daca4ad0

SHA512
8ab37404b70fda13feebec427af6154ceef3e4ed5cc6bb16656778618852d239f720a123bc47da85f0006468b161578e97db522cbb7e854e895716e79b8a3ca3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
a924d4401c9c144b24ab7d04af42a2a1

SHA1
ae9a5eb7b5754b810c8e877dfc768abe2f08c88a

SHA256
51ae8aba556473aece786188b7ff90b56afa25cc96fe767bd5482f874008b7a7

SHA512
aeb548bf4f4f1a45dbcec23ac93b407ab31b04da4ee3a016d4f52008e3ff1d06affa1b708be757b52006749cb01d030723699e2310471c37ee94dcbd8cb5f1a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
5b0e5ec5433df23416e8722b15fc3852

SHA1
36601954862b14d5ee08538d9574eecc84228f39

SHA256
f4fe44b2cad8e2fc769badd4e7d53a9942933ea4104114fe09b0e3afe0d1e2f1

SHA512
a53d0af7788cebf694dd25c3025fc06a9e1835c05e3e496b4cf319b5e8649043ed4ca1f551f87e3e32172f5793fefd2cf002377b3be694481398e0961f7cb5e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
9493541fa7043a1a3b78a52ebb80cb02

SHA1
15eb35b7cfd710f9802be10c1ef45afa5a91fedd

SHA256
c10a5b5f3cf7fd2d163c1ce3dda6d096018869de9dda3d4561b043b237eab2f9

SHA512
a718c21652cf7f1978ab555c62c26b2fcd5e94374bac37a852b904b064784f0ba79f3aba164ccb20940ffe8f1eb8ec3446e431efdd8e7790e598f94a3169cfed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
9bcb350a57d1747b379f8cfb89202360

SHA1
cd4ac2efe10df421910c28525ecf9003de7846b3

SHA256
949baaca7041f7bbb545615f1b54c201260461ce037cca59c2f3e8c7be90f36f

SHA512
e4c15c389e962316eee44546a342dd4c81340b2adf15d459f309d89436eda67def084da75721730374e350d520b448477f245f91a16fb84bac9b59febff0a195

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
bf6834701e38cef044dd6258a99719ad

SHA1
0dd829db9cc22b149f7cd3f7c9a11990d0e1b179

SHA256
9dc1574a6573cb9f43dc68b2ace7dd6f8a5a6f3d9bbc46c2d7d3f9b2aaddd793

SHA512
9318872d9e725bd566f1bf94ada44825c232c1bda67497bef359695ee9494c47fe45600e02317583b3cd328932444023b771da55d5e4e6ac20e6c77acb8b9d07

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
4a6e0ef6f9e2872effb0bc3544da106d

SHA1
e91d86d91fc3adad4d9f06109b04ff00a1e5c457

SHA256
2ef74a036be55dd7f3ab197a0a682ca0b5e47e537c9184b1ec943b6649cbed20

SHA512
8195bd1ddf1a73ddc1bdf99fcd8f882442d58c595bf5a9b644b28e348e95b1a3f1e518e5520cd76e9056fb518b26be1a94a1c812a6c5d36061530e7abe65cff4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
ac0de0e43cd886487c66fc28c4126bb2

SHA1
c54094bb999ec4efb59d08680332555ba7477571

SHA256
9812b550924a24248da4dd8353667d1e609d1fc0ed08e6f2acf621b421b51102

SHA512
eb6ec9cad5b4a737792c989e2318e09ac28e31d14100559f39214da4e3015b4c94d236ecf6030621b3d7f987bf0f44be67256154084cb694f68a71a9402a348d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
59a702005a719bc8e1c8c2267e4893ab

SHA1
d37d2547d7fc9555654972967bcc62141fe717e1

SHA256
d10fd5ec4434e9124945dfa36b2e4e1620e370b5ef114176a1a2cf6067fc546c

SHA512
a1f3d2e208c53f4f01dd7d2a013ea86abd9f1971f9721342282b4038641df8316288b523c683e9542d62ba140eb36d8ece502e5542b3acf320ad7d764afa8159

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
0def26711033b0b111fe78032e1b5ffd

SHA1
64eb3d8acdd3a259efeceab1ca746756f3ca9f76

SHA256
bb7014ce01f36c2d3c4f17eedb3c71421d27868bc071ba85a3c7233443448bbd

SHA512
944b4540fbe0d76da94e9a6cc91cce5b68c6ad63f964202b5e87ea6d4a4aaaadff17bb4ebe059b3ae9982b46213f5ec802eec978cb911b3c1b6e76dc0fbdfa55

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2a5cf36b835db68e6632cf1cfb6ab7dc

SHA1
cfae20ef4698215d71d9621a40a59cc53a672e9e

SHA256
1643fddfacc2a5073914edfb7271840976734853a44b520b042cf4fdf73a73e8

SHA512
a1360daee3829f68a12c6bf61bfc7be09d5578dc2f92142cacd9ed726e31aedc1c992b94358e143d8d704cbcf2292850b9673b16acf9698399ca01b24c79cff2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
c4e8fa9d30c78ecd9afe799736a37528

SHA1
9077e23ca3b04e164aae1ae9b398217e9920cf80

SHA256
e80e94da33da7092fab3183744eefc8e2f7e7e83bc30fa056a65e6c212c05523

SHA512
80b0eb3c0bb8fceee87ad49f8648ed2414c54bf1c7d7ff070cb434ae194705cbefd89d8e67b7b934e09f103603ed572421cbdcbdc97277f1ab7aa403ddf87f4e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
358e2fabba71fb6123914d7d7543e17b

SHA1
03b1f03e34941c96ed281f109d0f53e031eca012

SHA256
b1eddfec5bccfb178b66f6bf3932b22695d56202cbd642ea05464cb65985ecdd

SHA512
788220c7afa3f5348ce77bd82206a13a4cacd8af6fa39bc23b5ed41ea1f22c93544e18e3f58c42105905c599820f10afe35c108359618ebd0a19c7a7959471ca

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
2e4f9d3f5c2d8f2011943da9b94bb30d

SHA1
1229afdf016cf5bba4385e7c5a8d0cc125fc7df2

SHA256
00b63447bce4825d94251955f1d453a314c2b330d76e21cdc282ab40a20795f7

SHA512
07eb6cde8da975365a8f13eb1ed5654119b7f1d7d7a4ee4b38f3e31a60b3bb8659ad0661ea1e0dfa75672dd01ffab031730da270b7fbd87c2853eb944f9663b5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bde4b5fd31a9718c5a6443f9fae6a5fb

SHA1
a341c7da5612c29f4e1b80efec79fe433099a665

SHA256
37560f366bd9978f2eec70110979077d2c807992c3cb70d8e2c32b2f41bf7671

SHA512
33f5cdb0435be5513848da6441cbb2cc04094ff0b6aa7b5596aba7defc8a800007b4cd31465748139e376fd84521081f63d6bc8d6405f5efa09ae4ad8231da93

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2c4f621517582bdb2506b9814c4b476e

SHA1
20a8ff7a1dad099d6c8da923f6008cbc9890dd94

SHA256
389fe320dcafb5f6c2c3c3fc1626977c1b6ba4995a0d2f6eba9fa8c3b3934df2

SHA512
6f928ce482e0f89e9235ebdddc206a9994e231963357d1c32cdcd357f6ee9664e42dacf54d91863975a76f5ca16e9d7e21cde8de798606628d674e20827927aa

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4bb4ca5dde9a06a468bc14ef629fabde

SHA1
ca78ee64506186c5c042085195634cb980c9f802

SHA256
2ac8a7f9ac4138d920a7434a9a5bf098c2c3edeb623ba0cbf3e7cdbcef68dceb

SHA512
b00eba2c3e46a0662a9cd8e5f279d6a0fcadf95ef4be68d41cfe353cafd93f56473c330be0e1cae23caab822ce4aea19e698055add5680b3cc87f93581e46b44

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
966d888e2cec7f7e094d2bd5626c8df1

SHA1
8ec25d3c9b9524b3e74fafde1c163abb848d51d0

SHA256
f73128b47563d8a2daeb5ab51acd966b315819600a8b3f986fd04096777a67d5

SHA512
77744cc4bc99d4a92448c7c4f66d60be2b39829d7e0b3bdd1d835c0b48ebd6cacdaa50526e7071e90fef701c3a2e9c4a461c47a826ca8ea25dbf339de481eff4

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6efa48a0cd0852c409b998f9f0faa04d

SHA1
e399771edb620ef7500f9deb163599ea90f0c7a8

SHA256
58eeed3d92e9a8033e0931dcb8d618bdf1376fe25ee65c0d6387d736a235de79

SHA512
577e7316131112a6a5948911e09640a8f248ce3f7f99dababc7b7315b9d32131a5433972b0d3cc91eee2187a74dc54d6d1308be8181dadb91bab95e4bd3a9cad

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
b24b02972a31150a74ecc07ebc563684

SHA1
44afa06ae96a5b96ff1776a6724e8d05acf358a3

SHA256
94df0e93ff9001f9e070a5ed748e8bc4e59a07d244a2a15fdefc0f6e92c755ef

SHA512
9ec88a8ad6f006848d641eee879ab8255be83fdfb501267aeb53caa000e5dffb46586f4e9926bafb18b7d6beed0132ea79e22e7019bca3a034e79ba46dcbaa6b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
48b84c320505d1a37a4e0042f6e96e97

SHA1
b929db4a55180e4cd8377e2d93a27d87171150d4

SHA256
2ce0222676ceb02e16741f41cd519484ee1283c94d515386917f04be2ae40b29

SHA512
9fe267e1e2fca034c7fe535bd03f6af596d3c1ab674085b971d71e8c74a2fb4474793be1b2f59f0eadad1fe813b3c15e4614a3a3db5ffa5ab805db4d73fa5938

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
7397bd7b47d6004dbed3a030403f2f72

SHA1
e44f40f28e985a2c1df8ccd1098f85961cb02889

SHA256
a2feb6f5a9311bb6c6ec8a54bcbdcde574d0d54371e6f06f32e212f9e04f5bb4

SHA512
a1db65d1a03e7c7dc99d6703ace0fd345c3bafa060830f32c7902217cf5f1af4602dca19dee864aa140ca514a1f574ec60400b5015afaee53f97891d63ef3864

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ec34ec870803c19c6c1edd7c8e3ea8ef

SHA1
d62cd064590c2dbc42dc035d9afa408f53d01125

SHA256
fbb6fb1eeb2db57b6d61d886f9cfd763e5d3944aebaf99b9f867aaff72c56c7c

SHA512
d7ba064fae88222ab7b9511f253808236815629a268f5db8a0075ddf6e5933e52b953b1270e409fd9eb265df51176c7d830a879b9e02eebdde70a89740e154a9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
4f92bab8545256ce75bf8310b5f337ba

SHA1
2fc976f34e9f2c7844af6d6b1346aaf637603680

SHA256
b191a9c7e39aeef0939ecacb9b73b991844323dc84cfda5d047b9a3873a6a683

SHA512
73fb97dac305d6fef3392ee5af5a407ec5ee1aeb424038484a986cb254a1290d9af34e7e4e1877ecb881ecce0d69ccb1844cd51f60f1a27f5d06fe26270a7e3d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
32ce77fc8dfec196b59b619fc7e6052c

SHA1
d970fbdb0c6944397d7e69c1b774e75d8daaadb3

SHA256
b1f0657a61001f4130f833ba4597c61c857da566447b73860d422c197679ba4e

SHA512
a35aa5e1444463f2c2fb0a1c609dfa3c5142095348d164a4a7300868b4b72c4e6961329e0eba87d7a5ae684b1ad427b9ea679ee1484583f717a19bb5c5ea5b5c

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
25f93007b8a2fc952d73a7593fbc64ee

SHA1
52dd39e8b406ed90cfe42776b88b069ae4db6290

SHA256
c8641c2d5b37688a49844957a55e31c94d4fe1a86a1dac5afd30366772b4469a

SHA512
5462f7e46104845717de1524849ae11a31d218a388a219aa607a50960969b6ada575158736e919ba933caddd60fa9f5696de64ba24b69965b67876d6597115d1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
11a7a9c85ff13490136113a6f2edf696

SHA1
302482a2be66b4432e5c009ff17be32d7dbb3afd

SHA256
379e2124f0d9490f6fad5eeb8301d86b6199b20d0cd390e9f5d3372f88212b6c

SHA512
0b46e07e751b48c29a8241be31555d5568c251b67563df5077842ba614ffebd145311b40eaed502191155e646c4c20bb33ec17d56ea6a94bb3f1f21acedda04c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
823b760d1489d18e42c8f0e25b275ae0

SHA1
4d9ae9e4ec54e60e709c67ab05bf90090b93a035

SHA256
ba8612cc526bfe66f354361e28bbb3a5ff29bbf16af21ae986a10a2082535c00

SHA512
68749fd230a37f7232803d89565a12c98ba913d1e0a3728285ffc2ae17df467e45d7dd5984b46b1155bc393186bf9c644f6ac5c9fb87a5f5a23f5dc126e36de4

Download Submit
memory/8-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/8-192-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/8-19-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/8-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/392-336-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/704-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/704-750-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/704-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/704-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1156-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1156-757-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1232-338-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-754-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1864-204-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1952-376-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2324-157-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2324-167-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3180-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3180-154-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3180-155-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3180-112-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3180-106-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3212-179-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3332-334-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3384-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3384-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-756-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3456-377-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3724-340-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-755-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3728-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4028-6-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/4028-544-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4028-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4028-166-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4028-1-0x0000000000990000-0x00000000009F7000-memory.dmp

Filesize
412KB

Download
memory/4180-337-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4296-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4384-148-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4384-150-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4384-138-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4384-144-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4384-147-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4424-194-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4488-699-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4488-122-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4488-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4488-116-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4856-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4856-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4856-100-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4856-99-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4856-193-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/5088-332-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download