57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
Size

1.8MB
MD5

4236c5c7175f3e10fec8f3856fc548c8
SHA1

cf02168a2b56730db52be9f9ab9266a2e8a3999d
SHA256

57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4
SHA512

3637cbeda26073ae2ebe2fc29a15036dafb59ee3790ae4077030da6c0a8180479a14cea623e23ec4c778ba0e79c678580b403dcc1da0b31d570e3ec702600e15
SSDEEP

49152:wx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAprz9kaq/:wvbjVkjjCAzJ2q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4348	alg.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
628	fxssvc.exe
4608	elevation_service.exe
3164	elevation_service.exe
3244	maintenanceservice.exe
1632	msdtc.exe
4764	OSE.EXE
3464	PerceptionSimulationService.exe
4452	perfhost.exe
1232	locator.exe
4276	SensorDataService.exe
3004	snmptrap.exe
1636	spectrum.exe
1900	ssh-agent.exe
2896	TieringEngineService.exe
1228	AgentService.exe
1620	vds.exe
3956	vssvc.exe
216	WmiApSrv.exe
984	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2b88fa6aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\System32\vds.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT352A.tmp	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_sl.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_pt-BR.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_hu.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\GoogleUpdateComRegisterShell64.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_nl.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\GoogleUpdate.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\GoogleCrashHandler.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_de.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_es-419.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\GoogleUpdateComRegisterShell64.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdate.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_pl.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3529.tmp\goopdateres_sv.dll	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd3a51398799da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ff9d1398799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000226c253a8799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3ed23398799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060940d3a8799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f830e398799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000630ce5398799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ee5dd398799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f003f9388799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe
1256	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2156	57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
Token: SeAuditPrivilege	628	fxssvc.exe
Token: SeRestorePrivilege	2896	TieringEngineService.exe
Token: SeManageVolumePrivilege	2896	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1228	AgentService.exe
Token: SeBackupPrivilege	3956	vssvc.exe
Token: SeRestorePrivilege	3956	vssvc.exe
Token: SeAuditPrivilege	3956	vssvc.exe
Token: SeBackupPrivilege	848	wbengine.exe
Token: SeRestorePrivilege	848	wbengine.exe
Token: SeSecurityPrivilege	848	wbengine.exe
Token: 33	984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	984	SearchIndexer.exe
Token: SeDebugPrivilege	4348	alg.exe
Token: SeDebugPrivilege	4348	alg.exe
Token: SeDebugPrivilege	4348	alg.exe
Token: SeDebugPrivilege	1256	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 984 wrote to memory of 2404	984	SearchIndexer.exe	SearchProtocolHost.exe
PID 984 wrote to memory of 2404	984	SearchIndexer.exe	SearchProtocolHost.exe
PID 984 wrote to memory of 4108	984	SearchIndexer.exe	SearchFilterHost.exe
PID 984 wrote to memory of 4108	984	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe
"C:\Users\Admin\AppData\Local\Temp\57b798f734c3af2671a86fdcba317339a04d4e77dc08e2c49c9da3758e5673b4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3164

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1632

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2404

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9ebd3580cd3921ed680cae9a9bfc6e2f

SHA1
0c9dfd81e469f85690eff37117ca11eab3e8751c

SHA256
aee634677c58cbdaffaf1d4ca7ae261c1dbd917a54a3f968496e6f73039b7898

SHA512
be22adda844d9a1cd7ad2d7e99af54609e9b665c110b176244a6cf68555c6c459e37ceadc2861cd11b49ccf8b566fd163b36deb07ba684d7696150f9628365e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
146c06f657c432c438544d5dca9b0b20

SHA1
1812ee5c3adf2d343a00c3cb5927c2081f65d8d4

SHA256
a46b539f623d255f18d7be32296af99e84811bc177081116dc3aa6699fdb40ad

SHA512
74cd6f5e747a4d62747acb4d82245a41dc3cfa71d07c1b9f5de3408b9095b388001f0d757375e6a30b701380dab569b373c67a78fdb3d07a92a20302b16da7bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
900ad049d7d09650c0d76e5b67cbae69

SHA1
f3c8f0821a50df373cd21e4e2dafc85dc0fdcd6b

SHA256
a0872a45afe2c4f550e09290c40a8e495d2b929788c460b75a5ec7bf5476c3bf

SHA512
acb94865c896f95f3b38a6ae0bc1ac19ead0ee34456d190c1caf4da527581a85228bcedbceee48ac95f5a8cb397204de963d6a612a8651c9323810f33ebd34c8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
24a73f96beab83c7565c69d87a51a08e

SHA1
6393c9d5e643b968162f821e9167c37b3306dbd9

SHA256
4dd259a4f0fd38ecc4aa7a73c1e2510be6ce4c6798b8f4e0d5b9a93e053eb5dd

SHA512
690e12b9881484603a2a2ecfd9ad17ce9f33c687b8cfb497833863f28685f8a2a6ac23b7f63efd41418328aca9e19b2c9b6b049baec23aeba31c26e0f52f3652

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
72252ce281ffabd5cbbecf57601ab251

SHA1
d3be0282ded78bac7d01f39bb98a8cd41e7639cd

SHA256
d6e67e38f267de778e0a93305669df2e106d75be19a59714fa607f729788b119

SHA512
08af273716bd72421d74b6491e6ab434c0f1f07509312a9183faf533b73bbc43ce45b3ebe5c9a36a5f855e829c7c1a91767adfebd1ebbf93680fca00312b56a1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b58a3aaada6ea7d653978ee2b2a41ee6

SHA1
2b14418f2eb2eb38e2e667f5bd2866fd640bfbd1

SHA256
6a6c4d9d8383de3da2c13f8c2720613ce9452e5ee51061f2482e2c37364caefc

SHA512
2e2170dd988c328f9b5b04ed19feeec75ae072bd54c781422fb3fe5d05875fb6d0cfad518263e9048880aee9600c03eb469a430fb323b499991e23ebdaaaa1a3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
aa48552b9fb590534d4a822205c4ec20

SHA1
9bece9e9d7c24db479f19da312e161c30f011ee5

SHA256
6d00b132b58b390bd0c8e4f43c83d4b268e3905f9ff08ff1cfa7757a481ff3c6

SHA512
b8ffd06642c6e89f4b4e79b7329ab659ed3930e5fbb5af85d5ee62f525f9d06cf9666a8d00c92b45ffcd9e0e0746cb6c865027dfa18617894fece07454d32053

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
5bb151474f2125496dad4aa50bfb3150

SHA1
485f113837317e1076ce27955698cc82cafce92a

SHA256
3e193d7412e933f570acbea1115b98fe44b3bc58bfa98e8ed61c0bf581cd0420

SHA512
9c47f48b0e4b0a8e2f54740e3231f8609d4ccd6f3144a03fc6280ef273f18968a25a77ff749bd6488d04db894b6cd1b8648053df363458e2a054eb723d6129d4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
53b286a23912ff1b2684893ec27bd7d6

SHA1
42e18bc75d30194d30212ae2797bb71939b5a533

SHA256
71fd08aa6307b1a78984fc626e665838e1e599810f7942f69c9549428513d736

SHA512
4b99f87932ecbff7996b0eef0061384c7d80ef025c798c03f208241451c067254b35b1736796a2570612849186a381cb0e9ac8f7ba4b1f9a3ed4170007d2ebbe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
7cebcc134f1af107c085252b12121907

SHA1
0fb2d41059021c4ee1539d38f5ac2c902f58d285

SHA256
05825b4cd3c5fa95c39c14b931e33ff7c1ce0753b839bd637d2b8cf2af80e0f9

SHA512
1d92906d5ce947d228989c16ce9a318d7275ab5f803a9139d34695b21562a94f13977fd996d9e9956b4ebe67cf39fbda8177d503f4ca0bb469fde61800e5a49d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
6713657231b013eac430e1f8ad1c29ab

SHA1
411c49cd484234d848429defd53cce705f51bd14

SHA256
ddf11444cd077aaccf2d3eae3e100d51012cf0a540868f71b67f81d63a5cba85

SHA512
856b0a726ef3ac2cc539b5099ffb79d1b1528b63b82a38e7546162201806d44e2fce143fa0e372db4bbe47a3fe1c087491e879b296717e76771cc41823b1dbf9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
430bad98dcd6d3b52fca637fafd1c793

SHA1
46d4cf5b40dca0e2ca4a9b22bbe0200cc6294386

SHA256
c922201cd00c53603560631314c80942ba90079d323cb8c5fc41d9882da34577

SHA512
3a840d3f4e458c74dfd7a56079f03030da4daccdad469e7efbe9d4111bac9edb570c8cfc01eee496c3e40c1ef9f4f6b3faeeb4162bcb572b351bb460ecbd5462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
e2a85775eb8288cb46124594fcd8eaed

SHA1
609a4d5ff2a3cde35bb60c79020f4252cd6c22a1

SHA256
833da5e9831921d221176fee9f40d8d0a25a066f14de0fa8047b1435ff77cd39

SHA512
4d0818de2ec655060b2e7b8a4b6734d9f8cdf3333495b7505eb3df1b6fd4cbbfec70dadb0717dcb6a6dba523ed8b5b8eb60d22d5aff3bd224f6e660bd347b908

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
4ab005218f882e0afc911ba12b69fbf3

SHA1
619789d5883599a42b09a235c807883e654af596

SHA256
ba47dfd630b09688deab9ad5ba32ff4e4420dccaac6f70a7ab5e0682694d843e

SHA512
1bfd4ac85547ffe727b75c28d825af19823daa19f706878a3b2fe67fd3a57d7ab8af6fa40160c58d004ea3add73c61daecaffc1d1d8c48c3e02f9365fd526ce5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
d1e43281dd17132d44af9afa3b303eb0

SHA1
88686ae85e01dd9ecbb3ba3ac0119d5c14683d63

SHA256
a76d001c52b2caeeff83e1a23cb2c8b1c1a5a55bda5eb3bb134ca4ec06fcd536

SHA512
47af9765bd616bfd0f7e980c490cc05e78ad31cd0e29fc0d33860a3dc8181e218ae569df16267f03fcd0df8182f38323d2a5289a067c93e4b6c715a36430ffcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
feb934d2db036af84b5bc464b9f0baf4

SHA1
79b33a832de3791a05cf3469b3bb8ad53e018c81

SHA256
1f889b0d6081ddd539d7b48405b365c33506b1fe2e386e41d462cabc3635768c

SHA512
2f098b9ab6168cd4f65d5651b1a0d5f207e5ab13dcfbf57aa422b719b2f7759bcbd85ed7a79d02bb2d5ed8cd6b9174718ca6d570211a39635a748bd95cc53b73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
737248fdd0a9d3de4b88524777120bab

SHA1
f28d25ec6d5374620ee9577eba074d899548f641

SHA256
f90b9d842484243a5fbdd16694dbac0638d20bf4decea058b855db9ea32d3b12

SHA512
b3be803ae5296a69b9673ed48ded39a863dd9c0afcbeaa5fed715ed542fae65a57556971dccb2fb08c66dceaf36d1a460518fec486dfb13d236c8826feccd04b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
54bb56763cc63cc614af4fd503511524

SHA1
03523633ffd4e89dd70dc59d454d3244d7c300be

SHA256
f42b6f7580e0ba76260cf540ca8439032f83aedb140ee92594ba9dfd035b78c5

SHA512
dc14d4e4d6338c46e028053ced1483da9b1474a24c66e775f9d94366aa83286b181b6cbd82e24c0afd1a41da0fcb08aa5755af1fbf28d31de79e838b24ea6a34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
6fedd0941a94745bb7e00d8a5f69b1a6

SHA1
e765931b359dbe0c9e318b9c14e54dc6dc1ee426

SHA256
3a57ca7b1e3cc68335fc062548412c07983af2b4a505d2c1d4969122020ba6f4

SHA512
07eda2b7a30743e89560bd7a8276ddcf5a51efe38df63d1d70af1aecf361e00f321b86d270b7d0a918a0f7a524b9436088c77cd65e118b3bfab33bf1e3b43b3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
f578d55cd26fdbd922bbd067aa303e3f

SHA1
52ac815f1ba06a8813d995beb95e50e89f8cd9a0

SHA256
37a66578fb91f45823c79199e46e595b0595fddaf902d41402d78d0d70a354c0

SHA512
1e6bfaa07f5b1956782910c4545284c974e2a2e8f83f4fe9ab8515fcef48e3dfb59af8443c1fbd8d2d3c046fd81496267f7cbffcb58fdd937c259fe677434d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
12019b5a959bfbb5796680da4d0ffd1d

SHA1
262873742593ef3923bc2a1d2d6c019e851d9950

SHA256
a56d66119ec2375a12ef317ab4ce2f76161db500f4fc5475a4c1f4d716525fcd

SHA512
72fb03685cfbef3954ee48e504ac2aa654bc3de27db8d42ab1af1a2d8f9c0a99a13c9feae52aaec66710d3df2f981609dca5695e98368478b668271bc5b7a9c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
d6b2ac488647f3f7534ca8c57b977bd8

SHA1
22da090277650c51782f23ab0e065a5f9c38b268

SHA256
9b238f11fb37fb439b32d291241e647b395f771309347f1733fce6457a86a191

SHA512
236c36ff7c8d8e38b933d7cb1074d86649cab99c74292ad1da71f3cb88eac3ae6027de75cc24f068bd193f4194fa11b529e2daa4754a8de58e24177e4bd0dd09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
d0a935db28b0dab062bc2c3ab06c4a99

SHA1
c2ca155b7ae934c52633c994dca9cfedf1ab1f19

SHA256
2e47c413111340bb3d4df2075c3ab72d16361de118a84466bafebfe191e2a02d

SHA512
b14812db92860613e6121a8caf9344b5fa0ae4d09156dfd638691c163d6111a5c0d90cc8099c0aa482ce46959ea1b6f73e776047a34f878f059d7f7dd57bbcfe

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
Filesize
581KB

MD5
7965c3a5191661f4d2790d50bdd273d5

SHA1
57b79cf2d11238df956f3422c29fc95f229be40c

SHA256
77c0ce5ec2def72b642728e62f03cee83ea07f21713bdebd08dae446974268a8

SHA512
dfedff1d8e9a437f7a1af9ca2cd03b73c527735bac6c23e45047d217ba0c53c0ecc22ffadc3183ece469e759c7904ff4cb4189953ff46a8b9949c63fc9439f04

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
Filesize
581KB

MD5
6ea9925f110161971e008a0ce16f02ae

SHA1
a7774e9ff64df68752645be94ed75524b7fba90f

SHA256
9167fa7f0c4b478b59fdc956d9ddfb4a09aba5382f6c6097711536451e800f48

SHA512
5317947342cfd33e422a124c86e851156c8f5031207d93d4c0e1b8717085260bc97acd044a40d355719c9ad4175c1079505eeffb3d1ee718a71e4b44d9055e69

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
Filesize
581KB

MD5
7337f610b1529c02987a85885a9e573a

SHA1
3d0c4e3e27daaac9ab78db1cfb27be11978f45ef

SHA256
c35f6a9e71e4a50eb74f77c358444c0e0592b6e4d61d429b75e40ac82a8dd9ce

SHA512
5b24ab548c7f8dfd67b541980ed6cca300f3b1c31c1b71a02956a00a64c40dc106787e6b4420c04feb298c4bbb1fcf12011385eb6fdb104a60b97ce5fb28c7e0

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
Filesize
581KB

MD5
fd43a0ea1b94aed45159526c37860934

SHA1
2c9e3c0549a081f305d940e90e4a0376b635acb0

SHA256
4dd9060765433cee6584f9fa924c9304975d29bd8221b6bfbc832366183897f3

SHA512
c6db9d4e555bf9832606a739294f4c28aa43df6c436561517ec41a37582e67eae4e5583182ca22f665a27522639e902e4b7c7b92b40b6d139cfd379499f65161

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
Filesize
581KB

MD5
93aa3019635a9998bc0077ea6f9c2c6c

SHA1
338b27cd7d04caac1527314a585909ae02808a46

SHA256
5fa4ed7b990e0257ba6be160bc6aa72cb9bed840052baf251c8ae73d160f3011

SHA512
979c9988be3aa1fceec0b41d2a95a37c3d091b1516e48c9eb49da9715b1c5fea6fddc99f99c97536b7c7633b1747b712b8573c7968c01b017717f874627a2dd9

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
Filesize
655KB

MD5
81bb9d641331cce1df84814188bcf0a8

SHA1
c7a675e7fef68305c3a72c44441ff859e1737662

SHA256
a7c79cf1a3e187b065ecf3dd308fbae1a1c200c6acd1a2ceb5bef0f7e40f65fe

SHA512
2871a0ef35360cdbf7cb322d0237f90f65c6b3a0c0c004d25241592483e8bb6b2edf1431c4cb3625c27ea96fe28f2f739d1f3ec45123b273297cf06a87560b07

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
Filesize
776KB

MD5
9a6d17da9794a83d2c32c0231b33616a

SHA1
c63226fc61b6ce847a624a2ccbb94221993b2b89

SHA256
b341d017ed505876592c36ddd0fae836f9541d21dfd2fb17bfe6a85b91c8068e

SHA512
550f6cd6b018346edaed09a91dc6c42ec96fe6c395f7014eba29c9eb561fa53f271e1a074a2d1380c626f4ebe53eb6931f5ed153a0dd096b3fe760688c3420fc

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe
Filesize
1020KB

MD5
041e2110f8a705921281995b823ee13b

SHA1
0aba241672f5708ddb90c2254b57d31920c293f8

SHA256
653056cccbae45d5da723cf13547f6136a73bb680cbdc78dd804b0888c0154a5

SHA512
92ec23c510bcce12fd887669a9744b848a57849f0c8c7582d8590cc12bb9a25020854369d1a8bb44fae6444fe05f185986df7317d3cf2197fa6ad3e2948d774c

Download Submit
C:\Program Files\Java\jre-1.8\bin\jjs.exe
Filesize
581KB

MD5
3722f42784d0c699cdbf12e1a9c80be5

SHA1
74db5c1d73f8569f78a986e5dc75482a6ec1904b

SHA256
721da283f2f6a74cae7c921c6858c41fc5c8a0df3a57445784977548f510cc84

SHA512
867d662a0ec7817214bf41e307019deb926ebd6ab35851325345edb08596681adf0ad5ffbc786b27424bfda31f8ccc01420b693489aa9ea302fc54c0ab44f83c

Download Submit
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
Filesize
706KB

MD5
fe4a18628a6d6fe4cf2d52479fed114c

SHA1
c4c0aee28b87fd14344dd280960bc656dce58c4f

SHA256
d8cc2680bc711e527f397c82bee9b5e6b4861a3934fa7b6dcd7a0dd56c7134d1

SHA512
a0c18e58ea783210c0f6126de45ad914a3f24ce19813c55985e6527a40c2361f6ece484591433624b39873b645ec5faa53ff566826053730c7370219741544a4

Download Submit
C:\Program Files\Java\jre-1.8\bin\keytool.exe
Filesize
581KB

MD5
4c468b8fd6f661083338a53b69a5f489

SHA1
d3161ddd67229404027fd940a81d54018f1e78fb

SHA256
ac7737d3ab81776e1ceef3b39262908738373e68ece90951b74f8f4d554dc991

SHA512
5bed1a4b2688619b366f4ecf0b266ca2b32fb909160ce9206d968ef23ca5dfaab51aa63edf6348b861fc444e96b85cfd3f58502a7f9623f882a58206a8ec8996

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe
Filesize
581KB

MD5
f28320732c8f6f4facdc9b9b224a1318

SHA1
e9e0170eb10c95939e3f8f8d13783d17ffeb3800

SHA256
6b62bd60d548b04127a2aca0f0249465e97f5023ec8e71f966ff1a7bfd7306f5

SHA512
93bcff5a890c360931afa0df459dcf0e9e8456a8939f916f7b398dcab11fc74ca3baf10eabc7be641c5101cda2de169913afe8ed130436f5414674cafff7d114

Download Submit
C:\Program Files\Java\jre-1.8\bin\orbd.exe
Filesize
581KB

MD5
51fbc683786747b69b484cda4a587bf2

SHA1
cacd6d7adf843f00fe89997154dd2d6630b9b493

SHA256
7a5301d6b62c6329b68a92ccacbdc01afba60d07071ff6bb84a30c7e6f263825

SHA512
c7bb146df0bfb3701f05cf46abc6e68c26a4e91889550eb327f31ce4cd19fb8c1b3f753bafa165455e77264747db4e441d73213c6e9e71110c2bbcbe926ee9e8

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
Filesize
581KB

MD5
ec313ab8d23d1160af80e206d78acb68

SHA1
a9566a7945028ace1a171fb55224570ee2904006

SHA256
1998da04d0ac7ea95dbc3fd0e692bf738e93969db7cf2516c69e60cbcaac12b6

SHA512
b8fe32ad1db02f3be76baed4ab6a30b419f3f3cd5a8843c015dff0ae187dfe52e266ecdf11d094e1e2dc537fad18bd945b143e510e16ed63eea794aa773f27c5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3f44d70e41e44f15b31f603615b3c094

SHA1
7b3621525b52585de8546d2859cb24d43924dda1

SHA256
b1e83173cb3f1d820306d23ea62cbea3e3696f1e5411ef467759a451c8938f8c

SHA512
0a20d4d3006fe2d6315cc60c548d4fc1c8845fbe2d6926581c74a712915d8af697f1830a4c1e9fbe8dbe02ec66027c8a3dfde8c6c6f4df8f1e246a1818525035

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
685717a827136e2460071228c7afae76

SHA1
43029ce3a7b77f2e7e6ac62c518b424afd8ef4be

SHA256
7e6b57270c57b40ea1d3a5ca2d9ea57ccb822b46c2b75c9fe8beb2cc9e348c44

SHA512
3947c591a5705bf2ef84d439f90a4e5f961a8bf98c9d8ed2880561dd88c383109d3b3698eed50dd576ea41d8f699e0bdf543309783dd72896f6cad49692b6706

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
ec6815c0d7c128abbaaace3d52f2334e

SHA1
f828661dd9dfd838eadc0649c4280ad61eb5dc27

SHA256
da4196cdfcffdb90a7782bc69fc594a3314d29849995e717b25242d6b59f7c64

SHA512
51f7bade284f71e21fe77adf83efd11817a50eac9da4b9dba780ecce265eb4c7c3e0a3d7b992fa428594bd94424c20642116ef65c7dc370fb75cfa5d94583f0c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
507b6ac5159a0b4c4a6c818f6c377cea

SHA1
72fe3e340bc136a9aa217f21e9e5853a576c5bec

SHA256
1a2b9280bd126a4e8a1f0c0b705ba8578795d8d380f72eb6ab85ad7d618bf448

SHA512
6907c8ae19c39507dbba5fdca109a16d75937d2fd4deef352cafb11584447138e43d10737694855d3feffa017e7753f8c5badab25db2d40581b1e82d00033276

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5abe2aa8c4d4414d8b4048909a1fb591

SHA1
593a2144aba90c02d877d69182bcf53220b023cf

SHA256
fbef056d829699bcd91b225bbbe0574a2d6c44f02a603d7a22c5c4d53031ec3e

SHA512
57e53dd10e2beff8d880cb38197578ae3944c81858af4dde3e0b8b83ac0c8128da08e490a9645a3d2b3fbf8dfed2071bcb4daf46c40375f60ac9ca395d112be8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
085d063d1296207d646d9ea0b6dd6fee

SHA1
111ad31d15cda76f48afd2d6508c9dd5b35088bc

SHA256
0bb2f63029a86378e781b8e8ecf4e7faec25b29e49e9d632d7bd6457fcfb2bd5

SHA512
9e12b6af8ef9e45554c7cf1645be5da6d390dd4c3505e7e2ca7ba3cfcd261a2fd2437bb47b99d80a43c9470378434126305b0847f1379728839b0c9c61fe25d9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2692f18fc13f2b6a4aaecd4f68ced9bd

SHA1
1eed56a774fa8fc20378def54b700f2c5064cc29

SHA256
90291ec673b8b48a48886aba7aa2f6efb191bfa704878aaeb0b61b031b24c750

SHA512
00a9af3abd2024b0482f65da22cf3b40d88bf2a70327e8079115e9e510c6aa503bd6172f0b2f9ead4dee2a0976eefb6408652839067e8adce19226531500148e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b6426ff8b7fb80d1a570c860c2532ef1

SHA1
50e0de182e4f0e309543861d6b2a888dcb6bfd03

SHA256
4ba967c9b307b384b2da4e773823f276ec25209552670c84937f2a455272968f

SHA512
2ffd115e594f858f3929711b179d4e244f2b0ef7c6d2d15f989171629962c10b178d995b9a42b7900304dbcd71def3d39811bcf1ee7fc5609727e4cbb4f0a769

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
43e126fa2db320f56b8d5df13a49e92f

SHA1
5243b23b00306a8b4eef540b0405599b63182a18

SHA256
a73b9d0c6f5f9c35ca34dc35b9f373cac18395febddcf03a676690ad62438c6e

SHA512
2bd476015710c82c3442c4e50b1001c8ae361434f96773bfcde28b05de4677f37a69b5f076f4d6a23a7b7064c4294af7689dcf9c48a54b744622e5167fc1cbdb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d8177fe5d42b37373bed379aef942e3f

SHA1
c9f20df59d7ff2d9380637909b539ef8f60e121d

SHA256
accc016b3d4defdf761b0f0577a6a4bcd7479ed694610955b65e25736fe574df

SHA512
000db41cf057d3c83dc983331a8a80fbf502819dcae3fab46f9d98971c4e308318e129d9b92accf3d68254a22df3fd861cde37f6874971126c41a4457300c7ec

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
64b6062052d2a4900ccbb315f9439a9d

SHA1
5124c4087b088d91f738208fbc861348e68f36ad

SHA256
825c8ea8e8bf318218cd468e0b6085e7470ab52967dd2309eb1a1c53965974c0

SHA512
cd1ae59eeba63a36aecb029abc4fceed4dc6fc7e9ca1db605b5a76adf0a9459610ef8a33829883af8d970933129577aad696041b36b2d6c276a48c2574017bc6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
cbedce0e79c48f23ca04bbf7d123f287

SHA1
bad71cf9dffb121dc9dd0773007f2e07989b141e

SHA256
5026d0cdc8b4060dc58716c3529c21d84830711d849cfb485724be425a1a32b3

SHA512
348ad0183222e6ee0726984b6241cd64732a30e8848b1e18902e832dc7cfd2b1aa4e33e6e03e157be4dfface45a5338094d869364cd261fcb8f4073a464961e0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
bfcf2dc67f6e489b171fad7f63bd3246

SHA1
e3a5fcb95fa55fa4d784e391fadbfdea2f5a9c06

SHA256
e4632ae360b12657732920345d28f6bb5f0da7ce65eb36407ab9f4cb61221dba

SHA512
a9d7555c04efe2707c0cbb590852532cf9ac24e65ef98289ffe6b308c9971b3b220439baf8806233d230b9393670949c3dce76547fe2158c48dce14bcc420465

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6a4aed4abe8c3fa36d54b76d7f63bc63

SHA1
681b7be8835112b7acc05925161c04a9f586e755

SHA256
af8ee9530291f2719e430bcdf47fc5705c124a7caf3971accd91247ae9b0e097

SHA512
a9b624165c8590cb5ab4a49e0bb411763288f592adf4653d8ee6507a1a27d66466843e9cfe5e9afc9fb754f00565ea33ed5c53e931db8d921588bfe9686ff2c6

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9710c2437f8960dff841a066c8bce092

SHA1
62622ff4a8e3b0eea4e709cb7711026ee66dfd68

SHA256
53973069eeeaf504ee389b91563d0b0fefbdb05d8f44bffded432d8ef6f50ff2

SHA512
da271b80e0c0fd0c5470a9e620dd5386523a5ffa0b6496388deb2de5d3bd0a79679bbdf6e0b5188c046fed99446c61b706ba98dd5c2f017e1c7d8e7a9c70aed5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a8ce30752b7d727cc1d7181f18476432

SHA1
913727ab7776fbf3e2f35c3835bb78a7f1cff48d

SHA256
6f9ab0b95d77465bb3559fc44981f49e98041d18baf507d2862682fc7acb9ca6

SHA512
49bc6195f918eaa8d2c6c37983d3e088dc8c79bd4e30587d19f6fe3e038488e096e40b4c139c899328858af56ad4b8da6ef478b34b65e02ea37d5ca9015b8ccc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
59fd71d9ff4fc60b54c8e55f7bab3836

SHA1
b4dc9a01cd663313784567bd858a6c3276bee421

SHA256
e4ebbf65b2e0ece8229ddde08000a63b5a67dd1ae34e9eff84f31ecf77384dd3

SHA512
972e0ade05a685666924c2e4f1d422c2cdbdbc428578a242bbd43174902570937fbef8217fffdf52d4a515cba6a5a44b9a229f1a077715bda08716686ebfa778

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
39010db2644043ab11f9faedb0376adb

SHA1
478395053ae747a2d222cbe152865be9306bb517

SHA256
6ca38cdd7bd9c2c60af704f753cb5e96be79d7324aa22d322170c621ade1b3f2

SHA512
a400cb1acdc6436ce21e0d67533360952613aa4957939570701277309a87d48027a29908f3c15a211d5cd059870fefca119247d6e76d17ae10ffcc3b9f87b40a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c2b0900fdd4e0eb539ca4054915a2702

SHA1
d1b3738f2f8ed6b892a61b7e0441d6402fa35328

SHA256
8e1f968cef0cdf307c317bd155da10470be7849f0132b89f95a9d837c47b79d8

SHA512
346aa728c29e17971eb6f9fc7dd96f9bcc9b2428deb9e8462ac82d59dd84fd11da1d4bc5541d9c6096a3b0048f246810e378960ca7fe563dd6b6250d01ba6c46

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a220d422ba2a43b1340183c51cb98c10

SHA1
61d50162c0c42a2bad843a1f4a9bc80b94c3bf59

SHA256
23d0b208a0e9c87f460981ebb5a182e7fb63783e8d8b90b05a51c25c9cc1cb22

SHA512
b5855b0e0e5fd448e365cbf240eeb8ef688cd4b8da59df4184bed09a11df87091e1b15c9fa4327401294d0b0bfcd82b7db2b1658154a3f9f74ae59d6af3178f1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
bc4ea8a979fa0c38a7cd4d9677e144cc

SHA1
490cb2357ec4731e3917c0348b71559985050dee

SHA256
efa277b21a213d5c2fe5fbd11b2cf54d65aba208d593e76a671a41b76f32f4b7

SHA512
5c80264ededbb69441e3d08d635740abe5dc90d3edba5a204c34200c3504216d6ea92ad987dc356f2ecb78c3cce1c776281d8ff2240dddbf2f89a511cfda7cb4

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7eab24b36361fd10d21e80c57b531a89

SHA1
0cea3a2c07f2b1a68a3e9ce22e0694af4716d8bc

SHA256
eecfba842e23e0c15edf2cca299af377d1455e7a84567a418068f364b9fbe228

SHA512
ea46d7c5f5a6b157142a5226261da3f5f0828f5447cc251b4bd80bf180f9c76fcb825348105fc319e129536350a02c9b4321bb960740e11cf4d6698f672db4d2

Download Submit
memory/216-322-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/216-616-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/628-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/628-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/628-36-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/628-42-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/628-60-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/848-319-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/984-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/984-323-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1228-195-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1232-242-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1256-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1256-31-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1256-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1620-317-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1632-86-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1632-238-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1636-306-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-310-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2156-8-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/2156-567-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2156-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/2156-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2896-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3004-304-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3164-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3164-614-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3164-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3164-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3244-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3244-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3244-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3244-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3464-240-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3956-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3956-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4276-566-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-301-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4348-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4348-569-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4348-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4348-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4452-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4608-46-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4608-52-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4608-613-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4608-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4764-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download