d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
Size

1.8MB
MD5

1192227cdb385c3048d8b266854e5344
SHA1

0ae1ba2aa5b8fee98f3ee3f3d28f3b4ae82f3216
SHA256

d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0
SHA512

b7ff086dd93224106aef0f77e697ae9e385c7e106daa58f3e21ddf88d4631153ae06ac6e1bbc0fdc8b4a9e9f53cc0d1aaf1d7666c1e89099bbedb55b2e632200
SSDEEP

49152:zKJ0WR7AFPyyiSruXKpk3WFDL9zxnST7DcMlQpRQQMKMZ:zKlBAFPydSS6W6X9lnu3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1208	alg.exe
540	DiagnosticsHub.StandardCollector.Service.exe
1092	fxssvc.exe
776	elevation_service.exe
2440	elevation_service.exe
2916	maintenanceservice.exe
3632	msdtc.exe
3672	OSE.EXE
4852	PerceptionSimulationService.exe
3024	perfhost.exe
4332	locator.exe
3800	SensorDataService.exe
1132	snmptrap.exe
4592	spectrum.exe
4000	ssh-agent.exe
5048	TieringEngineService.exe
4284	AgentService.exe
5016	vds.exe
3744	vssvc.exe
1388	wbengine.exe
2500	WmiApSrv.exe
3280	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8de0b2e0a5bf65ce.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\System32\vds.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_no.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_tr.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_bn.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\GoogleUpdate.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_bg.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\GoogleCrashHandler.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\psmachine.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_ru.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_es-419.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_es.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_ur.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT5F86.tmp	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_te.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108796\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\GoogleCrashHandler64.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_pl.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5F85.tmp\goopdateres_vi.dll	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006491e5c5b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1a514c4b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcfb2dc5b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000568637c5b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f4fdfc4b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef7d4bc4b04eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a60917c4b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007edd31c6b04eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
776	elevation_service.exe
776	elevation_service.exe
776	elevation_service.exe
776	elevation_service.exe
776	elevation_service.exe
776	elevation_service.exe
776	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3768	d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
Token: SeAuditPrivilege	1092	fxssvc.exe
Token: SeRestorePrivilege	5048	TieringEngineService.exe
Token: SeManageVolumePrivilege	5048	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4284	AgentService.exe
Token: SeBackupPrivilege	3744	vssvc.exe
Token: SeRestorePrivilege	3744	vssvc.exe
Token: SeAuditPrivilege	3744	vssvc.exe
Token: SeBackupPrivilege	1388	wbengine.exe
Token: SeRestorePrivilege	1388	wbengine.exe
Token: SeSecurityPrivilege	1388	wbengine.exe
Token: 33	3280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3280	SearchIndexer.exe
Token: SeDebugPrivilege	540	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	776	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3620	3280	SearchIndexer.exe	116
PID 3280 wrote to memory of 3620	3280	SearchIndexer.exe	116
PID 3280 wrote to memory of 4180	3280	SearchIndexer.exe	117
PID 3280 wrote to memory of 4180	3280	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe
"C:\Users\Admin\AppData\Local\Temp\d2d8e3df51f7297107b1b5f539d9f25b4afe8b5202ce9f9c077258e2211413e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1876

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3632

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4592

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
317KB

MD5
6f4b4141236eeef3467f12900d20d46c

SHA1
6c2bf4435fe8e16f3366ca7f287291b6ae08342b

SHA256
c18239d11d9a5516ba17a45c7f1e8dfb0525dc3a39e6bbb243466870f6977bb1

SHA512
4c3f1ca80feba961248e8c352f0bf76a452560a6c079d73a3d70a50f2d2e5fa643a4467e6a0e237e1c21b55cf9586563cfb747f3b022c3ebb3fe82984db36313

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
180KB

MD5
8e576384c4d3d096253f7ebf729e5c11

SHA1
db73f86c02b58837b334f5d93371f289eb8c5526

SHA256
441ca8a12e7d92512ba35a884ae2aeb21bd71eb52d7d1c31fb13c856a4456f8b

SHA512
07a8f600c0ed220244504fb92ffbe6f983798fad13c24d5b32ca6e9e84be3ac4b3fcdace6352e104cde25d2474a029248f4849511bca78fd1a01f0e38d5a2063

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
138KB

MD5
06085d117dccc0791b1eccc55f7591b1

SHA1
de23ee014d09dc1ca66af144fc4de4423e5d5c1f

SHA256
be9d760be7ef9a5edcc1545f587f7690d89143172b8425ae385cbedca0c96008

SHA512
cbdc327ae3c88365794eefbf0104e8b23df6afe3f136b2cba700801da8b53db4495ba2568f0ac572053e38e412491ba69cf4a6e5a5a9cbe24a364421cc57d621

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
340KB

MD5
74dad530db973fb64181a26edf342256

SHA1
dac3de9d8d3e9a993a63e00388293ae6602262e8

SHA256
3f84e98ebadfd5f3a5dac42d68c06bb00d7bc34fc573526be3bfdbf65913f57a

SHA512
926ecbd0c98eda30f0cc0e4ad9c77a4698a1878a3cb7189d8e627712745b8b488360ed4ea352ebae43eb64c960ad718b6ea5966927d770b360991eaf90c400d4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
87KB

MD5
acad540971f18cffd7f5b0b0dda461bb

SHA1
343b9ba8834aebc6c4d6693aab5f15d42475f1a1

SHA256
55181e9eccb417ccd79cea2db51a2da599fbca6633e901e8c6de2dbffd804286

SHA512
c1a8460149ccc9e3cd1de9df7e142b87a1088b18583884aabb2751993505b46dddaf8676aba37d4f403edaedc315ea3b039ac3c0df6939139780e409d71d8d1e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
118KB

MD5
6f6f4867b15fd17ac7dd0a82af5c8842

SHA1
8fe357d874e3ea54d265d5aa5eaa25a5d4fd6af2

SHA256
ca2326d147c110a3bec5e21fe6113e161650468d0e3e0537bbfc8abc4849a8fe

SHA512
c87a8964520747c2cb2f84b3dd3368d0543f141e3c27b90efc498937bb9002c3170dad6292ffc8c2640074947f2f428882e88626485f9083901f0da5e469fded

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
108KB

MD5
f8653320207b1f0be11ea0a39c56b364

SHA1
5faf45837c8deeab4d7df2e91a2d0828166239ae

SHA256
e9d9c4d310495325d181c2025c2f1452838efd13ba2da1ef71a0adc5dc6c9495

SHA512
f404a587d8bf998594cab8bb76f9e07bd86f65b42634ec5640315b1f73f7002560aa572960035c69bec5f90a88a16cf31f566dd8937b8b25fab0b24e527f0d12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
118KB

MD5
ca6aa5c7e84e92ca8b2a71aef72a5551

SHA1
fc9867732caa274a629fa1851f5d85bfcb91751e

SHA256
6f479abf574de533fc2d7489179a2fb9ad89ac93927f41bb1a5f724f0bb6335a

SHA512
d6ff853e8e00bd0bc7ed7a07900ec679a87812636c7b70c85ced9e22a1a434c312fdf15991ee0ecc158e971e431ded1f5f0c93578e0fee4c735a101c4c787a8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
162KB

MD5
fb91b79659a8d0376e5bf52fd35c42b0

SHA1
5931863bf532575d05ff2c5576d490adb62cd24f

SHA256
79c1daf65d899d2c163bdfb561f0db8f27c655cb45163b68b067b1e3e55a18d2

SHA512
36f765ce7c3b2a81cefc4322b4946223e5b88560b642333b4d828285c9ae0dd4bb0992d4efddb1a6819ae6f28b6e7ba0ca5ea07a7a2d01293a096d983a6189ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
137KB

MD5
26e1975ae780c099db53b4c2405b80cf

SHA1
008e16137febc49abc86bebd4e0d1433deb62eb4

SHA256
f526961a957e79c363ce2c900ff3bca97efca04e142cc7bf52156c7b01d93f16

SHA512
f743f648821968a783bac46d4355a43ca9fef2aa740dc40e931a60af0de057874a29f2ed7de9180a1db8a9ff8c60a48d2d61111920c46ca0b0cb18ebf9e35d17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
88KB

MD5
53813a84b43bf02faf11a64dd8920cda

SHA1
8c34fd01beb6557c1bede853d87be769b5fe161c

SHA256
711485233b16493dc4724afdbf88db5f4c9409290a5312b99156498154f415e9

SHA512
481c87279c96d7e6cae5bbe904aec2c18143a51e0776438b7c3d4a06a3d696627be2c360ae49fd956e2ea05dbb1e3c1294f6012e2d1edf3f5c02cc9cb3d2b82e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
364KB

MD5
59d0f9482f9dd6809a701f34321f1746

SHA1
9f99866faf6d10bffdc92131b74fc9735d208a7a

SHA256
7e8b5bf87422c80f13481e9d308d7d116666ad264580e1a5ab17037d6b9f01b7

SHA512
cdba35db71e30105b6588f128bfa25711bb0fdc8b8d0fb483c0803893ba1fb62a648e5c92a0032dc6c387bea54a1f41033493aeebacf2abfcfb987f74826b770

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
83KB

MD5
9bced47597b478be5b54bbb4f1652927

SHA1
31b6e82a530c53c1b7c2d6c7d7360b3d53de4b7c

SHA256
75335be78f025f2398a3481465780db633e0c3ee7ee889d4d942024637e2cd04

SHA512
b66f9bda6d638a8b7a3ba4ebc3af4bc144225431e11ff8e809ac9a27efed551e911c0994f5c6a448d2a6cf94e1289bee86d6dce33d53f1b11e6319f8e8da33cb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
51KB

MD5
dad3bd4c28cf160ee49e1488f9337e0b

SHA1
12e0cb31664f2b8e95be56d0a7bd5d3213db8944

SHA256
69574b84eecd0523a85fa1031c7edcb4bf35e939d0b5cb96aa7d70250c4c147c

SHA512
e60db4821c6f442edf0630c0943ba08ac6099723cea1795e494d91129f7b96943671edd6d834e22b2659c1e35624c9970d3752d167c17ae825702e436d2bedc9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
56KB

MD5
9d7d82083534b7f0476d775dd45c039d

SHA1
b3b5a2c5148ebde685d2d7798c47a17df490cbba

SHA256
e92a74dd00ada9595d1def5a646c507cd5e5434599d2aedf150102e7e3f1e409

SHA512
60b2bbc3c898000429ad8caf52503032ce50f40512f41b61644c0746b3a69cf1c433bf61d0af4f89113978f53aa0eebd35618701b7e903d315d94c87cbbe6b1f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
107KB

MD5
087341523b62fc994b487f23b1935c8b

SHA1
8c130e4e82474b3bdebd3572fdf3155a0e62b0ba

SHA256
977326e3d4054078efd53d734c79e371bce682bd47cae3ec24b3e0035bc6e38b

SHA512
4e5e768568a7828f8978d438698df02ef41f7ee65652fc8f6bf0ba1df3c963c43cdb5d6f9c56a7028e6ca0d72482b7571c5fd6c4663db7fc3cb38cd80cbb8dfb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
166KB

MD5
2ce313c29f4a5083d3e375582452379d

SHA1
f58e3c8eb802b3900aa7a499e1cb7d4a27bb9bb5

SHA256
11794252f0ba8bead901fe058813776785cb731a9e59aa99b284de1e43dfdc28

SHA512
9a27b35d56066bbfe64769b186f358bb1ae7aed3ab48f639ade07d7e0dd3c06b8c352a23afb63acc3f58707832fe2469ce415a77e0cc8e346babfc62d06ba9df

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
77KB

MD5
f0831439a09dd20f5d0d3403fc45d136

SHA1
929f48efd602cc48955bbf495872718935c73e67

SHA256
a736589dbcdcfc3876dd73069303e9c47613d7ae028eb636992b6e46435fd67b

SHA512
3974bd2a2f86abc9e3aff28b15526eaf9ebac299b618a3bdb61a2b531909760968831db81cf2a3d8d62051807109881dc1d769df3b0502e5c0af645d16df4c2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
837KB

MD5
297dcf1d589fe60559c0384269c5e25b

SHA1
ce0b6fed706a3fd4c1321c99bf216860e92ff47b

SHA256
95a0c4c7f238591078417706d61882be06f65fa1738fceab10c1fc23c09fb495

SHA512
28dea79d0adfffc4bc665879511089f1b3aaa3d7c24e2f2e0a40ce313a9fdbc3ee24d64c54cf7e7a84210aa66460dba4ce6ccd1934620d9774c71fa52e294bd3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
122KB

MD5
faf7ebd077ca27a4e9aa456da7e9fa43

SHA1
0710dfd5deb7ec7aabf8df25e6ce369b9fd0cdb1

SHA256
5df40f58ad41f9187a68d77c6fdf1c48108b96f0cda437c9207ed6a3812f62e5

SHA512
315389a1e6e0fd7cc70df0233c1b2aa292198e07d62b40b8b98ea8cbfcdd7d5ba917a79a618287fa0418ed69237b29280c38dd44ddeeb766e310582528bf7da9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
88KB

MD5
b7a3c77e4c4ffb2026ec5c50175a7df9

SHA1
81eeee1d9b9a7ad15c051c4a5de6ca6d9f8bd34e

SHA256
82e3da27eaf8a4b9e3f70ea3923c1052c57e2a4538c9fa9ca411cdb0ed5b309a

SHA512
ec6a228b7c5cf40e0fa499d72c95c7378cb5aa54050620e0f30715d2e553eedbd802e3e621f0f0ddfdc3fde1fd143423ac3ea118283ee1a4d06af023af67ec79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
46KB

MD5
bed48a00b2b35949460f5569f02392ca

SHA1
dbb6dfbef03371078350c622e1e60f96f428506a

SHA256
af6b1f81d3974b7b0fbcca0377ce0126037dd575598c7180fa9241b27c2f78f8

SHA512
76c4551b4d7786dd871ffcb414b5dc19285bd72a91373b6fae4a2f1f3843349c10cb4833af9e07f064186ec5b45f24da97b32351917fec31114b65f8d0a6d9d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
93KB

MD5
995ad91696f465200816321a81f935db

SHA1
e4fe468e1920a1970fad3c7cdc80ba99a979ce20

SHA256
d7eb6a66e7b5406ecaecf58e74c62a5a2985d0d0febd8d23df60fde2591d6fd9

SHA512
29307968edb4b5fce9160f58c28772b3ca4bb83b7fac9c04e11f1e232e1d6a41d8911c3ecef6b1aa4cc6ec917508a713ff0d0ec802a479833b09d7955286398e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
120KB

MD5
af75198699f64008eef23936629ad905

SHA1
835aed06e35a1ac3fdf220db84bb062757fd395a

SHA256
2866da4f366e5d5626ae90c55d782c8ca1123d20f464d9c247ef42e424d03a27

SHA512
833eb4de1ec0658ab11d12d7748c203602125e28af0a5b35e12a3c44d9711b7910cb53e659bffb5c83e1cf8c261c02a74795d185c5c43dcce674bb9c0be94d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
163KB

MD5
a63488d850cbab250d0f85508b0d9ff1

SHA1
1d2b726eb14d3b9ff21cecb4fbda4f0bd4cb7ecf

SHA256
869ebe1d059e45acbfafaf24ee847034a4ff7b2ebaa68de54a1f4cad36a175a7

SHA512
38c1645d9bd29af9f0747f0aa678549e1dcf81857e39fd1318bd6dae39d6fed50863229f22c028ec67f15b1d9e0217f2cc4919fb5be81c7dcd0b8fb53557874e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
94KB

MD5
f5894e74a19d23bbfe48b2aed2201c8d

SHA1
09eeb45ddccd119fca755a06a70355b44d2f6160

SHA256
155fc3a954157da91623fc1083ceb2dd10ae6b733b752c2cdbfb96e3691263ee

SHA512
2a5eda0aa6151eb0aa32ed6b05753721a84fe616bdbba8b228cd77fd62b3a1084b80519269b4054bc7c8e7750964fc39c1fc7d4a84a777e67514279b30bd31e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
119KB

MD5
928bf8ed44fc3cfa8058a5548f873d9c

SHA1
b48ac098b1148cca9152dc8a96e3548e29316ae2

SHA256
e41ccbbca06543c4e47e1e48ce07b0eb5fc2227577bc592068258bf5278f24f4

SHA512
3d84d089a393e153d3b61f8da6c9dc70753ef73cacd5f92b7ff9e2d23ca477cd3d394a8a466a2bd1511f1b237e1d2240f340f931b31096bd1fc7e48012758849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
48KB

MD5
26f79694d3e7b64f2482cdd2d2d181fe

SHA1
3a53cc4eacb12f09b5b8acca429d08a8e6e44390

SHA256
7717d6c7e4a9955c919607613ff378eaeb2c954d0201d8495bb50d506761fef4

SHA512
493212a2164345c6bac3eaf7243bdec907d2ae8ae86b486d5367dbe3368c7b82c1604356a51553a143b7bc4a10b385d0ddaec4283e6646c4a407cdebaee15f0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
101KB

MD5
81988621ebdce1075f1cda3809261bce

SHA1
1fb570b4a30757dd01e8a208cc7540c8012e6ec6

SHA256
e395e3aeca220182db5cebe5be2077481c80370bbe23db5d87a27d3b1f89da62

SHA512
25832cf54a31c06c3f983c23f95b8a2b23e942f6a4816933cd04a65c4bf6053e81d93ca399fb1931fb62e12f0fe3de3eaabb75dcc984b7d8782bce9004f157c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
146KB

MD5
5d0b88dd437c5aa3bd083d46ac1bfaea

SHA1
e12fb26bb72fc62f98eccbea5af2b5690831daf7

SHA256
8d31ebac80252d8056398ed1e84938307c8d73090cd1aebfcdc65148db0678a8

SHA512
d1d75fef44875bb95acd51e2aed24b110de72ec7e62437770949cf00f6eb000f36fe5b69830a4d53c12b5e060f444b7d532a68e23395dcd2f4a1037297aec1f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
48KB

MD5
0a5c6e005ecc265de0c20c172fc4712d

SHA1
25dc3bc0f6e25f8add83fcc4422e13030fe48d7f

SHA256
22c51242265db9e8a923fe5c089fe466000ba0981ca70911bb094974647ba809

SHA512
5a7d432514c6275837e9ba6112b174ff91b6fae7b3390f7921a809f243d6454b3b1e00d2a9ffba9b84015af4e3eba615dfa748a27e08410aa14c9f73b2d16c52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
70KB

MD5
275ccb6c2023e341444a82891bab3390

SHA1
74ac7920ebe3bcd50280379bba3b4e23dc4539a6

SHA256
6c37052253fbe133de4246269bfe3ffb7047d07c194406b006af82dae4d5ad37

SHA512
597cd57e1d9744f273cca1c682c19774ea90dcdce0d19c2837d61030cf19e5829ff3741fba5724a531916a3f49c982a16011b6576cfd3dc4b5a944d58d44a87b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
56KB

MD5
213379dbb2b780d2cca9ca76256b4154

SHA1
d05e0aeb93b1e0e29ac6c0e5e775d944017229e0

SHA256
26f66c1346688f153bc0fa256ef2685027dbe1e01113ddfc1b71a59db47b4218

SHA512
dd65c9fe842ef77fb3511d1614cb86e288b8e5ba49af7f4037250b9c014b312a4bb84c7650adb4184c3379e54573819c4a43ebd9437ee1e83792d5be0f62a0db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
56KB

MD5
901645a9c465158fbd563b80ecc50937

SHA1
44a8781b595db9ff4ad18b969c0ea7d167c0f2ab

SHA256
6a77bf407f853c5561cc468189a003255a4e50ed13f0640302d62cde130d6b74

SHA512
379ad0361a583ea566da4fc1c8b13878b558580dc90ca0d3b06d7d29449dfabf90f4af6078293d66938e9b8ca4f4b2c90291fc6d733658fc7415a562794e28fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
31KB

MD5
461701381b4bec5e2ce695be7ab838ff

SHA1
393a91875d91e386085cfda1dc858429948d7f86

SHA256
a1fdbc8c17ddb2ea91d9891ed3fe977b28fb63a685685cbedc1ab3664e15f587

SHA512
6661eca087b81e852a8dbbf5cdc059a5d56f9b22bc41e154375de0c11c945c17d4c4bda9dd8ad901551c2059f32867ed715714664483bdb13e4aabe1f96e9462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
135KB

MD5
ea4f46017563094c3c164796a9d7c5bd

SHA1
dce5aab13aea4fd2b4419580156694a80a673863

SHA256
277220539e4b00f48b40edcaaccccb7a4e550c7f41a499356156d56c14418a48

SHA512
84e0267d9ab337f3281aabc543ecdc0e375cd3ccb7faa5c60836c700a329f594a984dad9ad4df05677689e26dd395ffb0054f71c6349653e73b86fa7dbf280d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
130KB

MD5
c108385affbb0fa54d38314ad6304c2b

SHA1
5f777c362233e624efa82d3842cdc111abe488ff

SHA256
78d87bb644f6e2ea7712ccf6106257b24dc183b8015c1fed2000cddba62c9778

SHA512
f9780586bbb97c07ee9cd45b7112e40961dd3ec162ffe11507d4f8b51d8e5307b3d82d2db602b44226b1f81e7c2a5153503f18c7a6f3109b8e2989b4aeb00990

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
250KB

MD5
84ba5c6d7b3bd9f78896baca3ee1cfbf

SHA1
5871c19018fb54345beb0910febcfa4a3a698faa

SHA256
624ae79d227ca3ccbb5bf277a39b4c48995279ad0db07a2754a8175d892bc482

SHA512
3a4cfca9cf89c4bf55cde48e36b30a83fff58411cf8ef624e26bdc47125146c1171b586850a023d9fd6477765c9e0300c18d9ee1b5644668524f078dac89fb20

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
107KB

MD5
6c76e6a80207614f3281a481f9ac1147

SHA1
f85191cfc131fa8204bd3942c6fae8dde485c9d5

SHA256
135a271e65b40f3aec2cabfc0257f6b0857b5ba1af5196cd20b399442ff27ab6

SHA512
4b3d54c3e572244afb9228a95f04d88d93253eafb66101f2890a3d130bf17ccf86fc32ad64931a5357d5499b07b7825c806161c5c407dd14fee6ba7575ca8391

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
58KB

MD5
1529c950abb930deb5c9c17f04263906

SHA1
cc0c606d10f9afde332e2ceb5c34a9bb581d1ca4

SHA256
f5260a11cc3dcf492671cdf28cd0617bf2625d276ccf12adf48ccded2328ded7

SHA512
22a2f119c01358fccedfe42225cf78699bd6df00a30241a05c9d120e948dd15bbb0320efbf12f591823477741a92e58b17c3b0f0daea2c853403ac91b48ab34d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
380KB

MD5
1d4d41e42766a95283a7cba81a291522

SHA1
39b09a8851cb3a8296121e6de49f5eb3f6e39232

SHA256
fa8a73bf3a5eb78c8521f277184a0254521c6ecdb5de81f04a324f59b864938d

SHA512
e2c6a4444f17d983cf652d7cdfbf3f8b068d9a3d5cff27ff35a9acc24ac8134c4723997912c5c526b635182790b5c30eadea6437fac1fe08e1d5182b3b88ec83

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d5a8e8178aa4712ca02926fa89715aa9

SHA1
437e2ca796f57e49fafa9362b408e21ed9af4f5c

SHA256
aad1d7a80ed75ebefa6f816d35a5af0d8db96cc93dc78c67ee6d9ed35d854e5f

SHA512
1ad8d922e620751a43d3cde8cb95ec7554f234d23b9aae67446b2ae2c312410e4bb3fc28f69e98e6331a1a1fc52ac2cd2f9357b211d068eefd42035557a80374

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
69d067758710809477eea436950ab8b5

SHA1
de3cd1239f9020deba79e4f29bc43d140dcc8c5f

SHA256
25ab45e888bc6b3f49afff168809b466471b919409c4905e0c523b35e40645fc

SHA512
a02946c4f49ce8aa0d84aad22c93d5c472be19a172f1913b5216305542a79b74fbc6d6eaa071004431e18e7afb67f4346cc42543eff80006f88051e80303ce5f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
220KB

MD5
fcac9b03ac2ec81cdc1eea9de83a9d89

SHA1
ecb631e550c8151c3809f5e6fa8051e6994ef313

SHA256
7cd9966fd7c0aa38917a7603ebddd02b3d1ee87811f7f6fae648112d7c5e1cd2

SHA512
8dceeab7c07a2278d59b0b1c9fd1f5a3c693fd548b47ba45d6bd681a790f7a68a76e57d4dd2f4e2baa49d1871103770412b62f3899ea47ddc1c6d00cc580f83d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
175KB

MD5
875ddd703902384248ff18e0e9d1d56b

SHA1
84945560777c7bbd54bf169ca38845b594bd0eef

SHA256
6793976c29a100a21ec8622fbd0c56d0415a70bacc02f875b984dc0bf6804008

SHA512
b442c743a0c4cf2d6b82c9ae6e278094bcb6971af430847910b1ba6b63ff19281e772edc1abec857b82aa40eabcd2aad0c6821e753aaf8d8a7a0570c0b3cd4d6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
158KB

MD5
95cc60b93ca855339abf9ec3cebcd0b5

SHA1
bb69d5c86a45ddba7864fb9090fd122a5e3aeb0d

SHA256
609465e855a045a7acb5297a3dff6bf4eda022d183c6fae99d9e138b5f32cd2e

SHA512
23779bd262b07a664d0105ad01eccb34db6bbb61dc21b330996dd5ac8980962ef647b4b7e6d7a4c5792314375a50b469d209892e8a5e45c933aaaab26d449af1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
393KB

MD5
4dbb9c69e27cf10d67b44911fb3963bd

SHA1
169bb53e79f4b08a78b835765a3c84350357e8bc

SHA256
d3640495e178d094d5dfd1607af2676c58e574ef60d13438ff5a4b716387d498

SHA512
1da0d48daf209534222320e9108e5cce89af76ea32f14b27ef268fd3d18fd5bc251aaa0f7be5be3a5e1a99f7600df257fe06f21672779ba6f769f32dfa0e9d33

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
149KB

MD5
6d29baea75cb47834a98bca8e9bdf8a2

SHA1
903c50d0b5e9dc0d8bb96a766825dda42a2dc005

SHA256
8e697e6191dfc48c7761b13bc45d412943b6cab2f92dd777265422757d78595a

SHA512
53786b2fa185babb97d9ca92b00a504fdbe287cc348e1fcde0636e191c935ba2bba5ce4a07b8ae668e8a4076280236d2df04bc3f80f9d1fac75f02db32be6b71

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
251KB

MD5
d4c074e0158168abe312989a5db8c324

SHA1
6d791d880e4e5ed6632b3709cba520d039d01c52

SHA256
795090c382996af3babc119d7a2bf4f995f146adee59cb1e966a74e0b86e224c

SHA512
698adf7899ae5731de7c3fdae88a33b21b1d8223707275a46bff663aa912c83865129b6dab03fe332fe9d05327475af4344941fc48a869acabf7eb01ef02898c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.5MB

MD5
19bd31b213b6e91d91804ee2f5b1dfa3

SHA1
ca766de5a6732efa9a3e2fa94025ff4cfb88221f

SHA256
6f60879155df23cec2295ac30c5de0dfa0a7984ba2a5e0f50ebcc4acf2ad7d92

SHA512
d53995b1fdc45de2796d503430e70095fbd479983ee069a121dcfd9af7bae4342265fe9943a0cfcc26ad74c95b8fe7903bf64e607b740b150c62c2063adcfc0c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
311KB

MD5
7bef05795bd061ddbe7246e9465ffec8

SHA1
ebe4a0c1a36883442b41f976158f61987f71b9b0

SHA256
7e0d02e676668a8df3d44a8e80d8943acb76dfb48247b11bacfa8f4c284262ea

SHA512
1a76341d748823f43f04872c93e68c44f34f25245f49e9130df47f0634332a52f81db8b34235cda4f93e58c679ccc588ed3c4b116e7de10c4a8aec062f6467fd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
130KB

MD5
ebe26bbd6b01b7ee53f36b176a37f411

SHA1
de8af3b818abe91b020b987b362814e175fffc70

SHA256
a2a2d856885459c5ca5c44e0d2fa39f0d8e54bbd10c2ff3417c4b61db024e6b5

SHA512
39b322e4f9a769058ec03fd648d84e23bd40a3166870e614ac9876102bd137791c703a0239a4e6b6862d58feb62301076f749f7bb4f3f0ceb5c98e3fd1c51939

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
123KB

MD5
30c55a315121d5f8c0d438432d21b279

SHA1
595d3247a8336e1d09d0a74485f502bf4d51c91f

SHA256
734d33e8a86485cdde778845e6e6b05baa12d0d8dcba02f0e406378ca504e5e2

SHA512
9602c2410d7bf6d489330ab1799a708f4a079f4fe6a610fd0ba415de2096de5bdb0bc1b404caae53c80f484153224d3f1c387b4f2263c74fe7170edc4ef2b74b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ac7098b5721c143aaf5065f6b44cb830

SHA1
13e49f7791929fe70254925f4241bfaf552ebd5a

SHA256
27338fe1742ddf4c484b20e85e6d1542ff7d27903e5a1876ea350d12d823008c

SHA512
185a494bd2f7c0243b24245259e16fc38364ad94d04d44bf0822f47e7412633bdaf95a72fbb449fb48ac998feeb02439a068b56d35abe747cb9bce3a71647a7d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
57KB

MD5
40bcdfc18daacb58a63ee761b0b4bd33

SHA1
54afd01d64bc346f01ca4ba4244fb381fe0f1e93

SHA256
20eadbb4ebdaff4d0b552d16b47359e0533f29a5056138be04ce36106c6784a9

SHA512
38b0b697cc3f978495861a6894c57114764441c68b611ca48a0debb78fd380882e6b4f4c327e7a1f6709524f544ebc53df0d289c00e09b1da50de1ea77457d52

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
268KB

MD5
d7b57b3827e0b5f8f94b9e63cf625d32

SHA1
13e1be81c7c24abe7dee206bacfe3c52e1186406

SHA256
128fa43f9840f6f0365ccb0026275df8a1bd6e823a6f2d3135b67827626b733c

SHA512
22045cb29cee4cebc4ac781bccb0230bbe6b18e4705e71c2326c954bfda0984a6e285bf2b1c281999290ca7e54badeb1f1a33ee60fc1bb87749e78d6215a39d6

Download Submit
C:\Windows\System32\vds.exe

Filesize
76KB

MD5
1c449e5bfaa9b33d5bf72013ac05ab72

SHA1
1adddc4544e4ed349853ac7eb5eaec71e266ae04

SHA256
48bd3dd7094873f33891e12b025fe22b821adfcb76f04abf70e9a673af948d78

SHA512
7c200b19e0c649c3d70f3393a53a30c422cd1fa8671aea8f6f192d7bd89fbaa166e39e3bb70219e3638ce2d7bcc39b65d11d1e0088f42dd8c1a4704cb8a85106

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
46KB

MD5
168b0242fc7e43b8da52252b66574764

SHA1
fea76631c93561cd7b6f0d7a505d87b0027bb1b3

SHA256
d87fc548ae09753aacc2236bdfd74784778ac87c732d255fd16e5816f76e9e8e

SHA512
1a795662a5a099d187ce5e3a8d239c2b35a801d5988ff0a0ae4a3c8e1bf98c7326a61835fa8c9a9b164b41389f308bea22221933d42b56e08485ad5871361cc7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
106KB

MD5
8f80267211f777cd5d119040ed3de04c

SHA1
8386bf94ec277ac20dec7a200610076d456c8a34

SHA256
a9d84bd01c229f88e2e6cc8c65f98a9e049cd485baa22af4ecc8f6a83bdd4c0b

SHA512
e99401afbc4945096fe59994c3928c218401d2017992bf096321f88c404fbaa99bf88dd74a91edfe84930335bb6ff85daac8867685287cc4bb466591f5a48b97

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
155KB

MD5
235fdd3a0e7bc5b8bb1c21f21b059387

SHA1
029549c5897e1e87b4ef65f5a76966b06d028a27

SHA256
72cf12077371cf0e1bd7b3b8166d53ba1e45c87ed9fbedd36c29abb8dbb3a689

SHA512
90054c0892868349656cdded2a19458b35efc9328b6fb8fc61e2cdd6e5615e22c12b130211c66b9c5969379a78af10ae2bb5f62ad5f1f3641c322d2b102cacfe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
157KB

MD5
324e44ef9ed3f4e88823f28229f41a4c

SHA1
8db838cfedb0ef8d9059580d0931ed56d2046963

SHA256
e7a518be5cbcd9bac785a1d2ca1899b78f19d8f7a8f3155991ba0eaed1230b34

SHA512
728d6a7057ddd97582fe4b442b972bb34b0a15cf836193c64c42cc3bc16aa1cb7406c2de017e4230b98cff15343d279edaced6439ef987887beaef19750a4e8a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
207KB

MD5
a749382a5c96621d03d91e9c92ee5d9a

SHA1
d6141b116bc715911599d805cacfc8570b077ef9

SHA256
365e50cf4ada10bf4a1f562cd952861cdb3e0a1990a6632fefe1c948c65b7b33

SHA512
1bdde613415b06a0795e0f8fdd25d6fd4cf4e2982d6b6a16c6d99c1bedbf1aae1be769efd8a55507fe4661cc5da2f09ed8e5c9da30a49ac3e598c3fb3545f748

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
255KB

MD5
e8ecd78919dd03c4d3ee181b5d8e16fd

SHA1
0f9a217a6b50b0e1bdcca41ad2e7ec48d5bcd22d

SHA256
86f2c7a69f7051631935a1a0aae8dff7026ec8d719f01a7c577bbe08a5a402fa

SHA512
dee356a0b57916473a95ed6c3af4fafe83032c7d3ea1e42999647c5fdb6caa6e4659491e76f2c0e28f898a68e2ffd1c465c52cc3b915103c36de4a02ed0dd7fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
156KB

MD5
e6db3c9b15a020eb504cb6b001a6e8dc

SHA1
f30783ba215550ea4843e42246694316a6aee76a

SHA256
b1c872c26a8b3f5fe609af88452479a5f05dce3474c22b6181996f9c69641149

SHA512
a14db394c135109538b19b1a6ebfa95a8cdfec5f0851a724bcd938971e9f69de1b404f42eadd59917b7bf51b1afe5e4acbc726a55fcc517f7b86c8726a539e4a

Download Submit
memory/540-145-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/540-84-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/540-83-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/540-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/540-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/776-108-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/776-101-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/776-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/776-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1092-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1092-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-238-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1132-191-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1208-141-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1208-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1388-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1388-528-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2440-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2440-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2440-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2440-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2500-535-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2500-240-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2916-124-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2916-138-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2916-135-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2916-128-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2916-132-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3024-179-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3024-174-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3024-173-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3024-224-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3280-314-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3280-546-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3632-142-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3672-157-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3672-147-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3672-202-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3672-156-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3672-146-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3744-523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3744-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3768-7-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3768-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3768-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3768-325-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3768-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3768-125-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3800-234-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3800-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3800-519-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-219-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4000-208-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4000-515-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4180-530-0x00000215585C0000-0x00000215585D0000-memory.dmp

Filesize
64KB

Download
memory/4180-561-0x0000021558680000-0x0000021558690000-memory.dmp

Filesize
64KB

Download
memory/4180-549-0x0000021558600000-0x0000021558610000-memory.dmp

Filesize
64KB

Download
memory/4180-550-0x0000021558600000-0x0000021558610000-memory.dmp

Filesize
64KB

Download
memory/4180-548-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4180-552-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4180-537-0x00000215585E0000-0x00000215585F0000-memory.dmp

Filesize
64KB

Download
memory/4180-569-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4180-560-0x0000021558680000-0x0000021558690000-memory.dmp

Filesize
64KB

Download
memory/4180-536-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4180-559-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4180-529-0x00000215585B0000-0x00000215585C0000-memory.dmp

Filesize
64KB

Download
memory/4284-521-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4284-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4332-184-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4592-204-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4592-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4592-194-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4852-168-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4852-162-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4852-161-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4852-217-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5016-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5016-522-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-221-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5048-520-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download