45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Size

864KB
MD5

5163b94409c377348fbe1f695754f367
SHA1

a41c633fc9585fcf8854d3532389db9d4a1d63ef
SHA256

45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8
SHA512

5365cd7e4bc0cb9d098562b14d8a1f37152bae702a000f8017b171aad8723212ef20d749b9c6e40c4e96e74abeb21f69c384613f7cee88610b0e27cb803791ec
SSDEEP

12288:fYXJkWHSE4ECgYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:f02WH6xc+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4196	alg.exe
2736	DiagnosticsHub.StandardCollector.Service.exe
2644	fxssvc.exe
3516	elevation_service.exe
1048	elevation_service.exe
5052	maintenanceservice.exe
1820	msdtc.exe
2560	OSE.EXE
2872	PerceptionSimulationService.exe
3712	perfhost.exe
1152	locator.exe
3636	SensorDataService.exe
1860	snmptrap.exe
3844	spectrum.exe
4464	ssh-agent.exe
2324	TieringEngineService.exe
3180	AgentService.exe
2652	vds.exe
3200	vssvc.exe
2852	wbengine.exe
4344	WmiApSrv.exe
4472	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\alg.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\vds.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1a3bd1781299d6a7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\locator.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124781\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9f715ab768fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000513776a2768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e4e6aa2768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020df9aa1768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000793cfaa1768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040d935a2768fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091c141a2768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039a79fa1768fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056e6a5a2768fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeAuditPrivilege	2644	fxssvc.exe
Token: SeRestorePrivilege	2324	TieringEngineService.exe
Token: SeManageVolumePrivilege	2324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3180	AgentService.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe
Token: SeBackupPrivilege	2852	wbengine.exe
Token: SeRestorePrivilege	2852	wbengine.exe
Token: SeSecurityPrivilege	2852	wbengine.exe
Token: 33	4472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4472	SearchIndexer.exe
Token: SeDebugPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeDebugPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeDebugPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeDebugPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeDebugPrivilege	4424	45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
Token: SeDebugPrivilege	4196	alg.exe
Token: SeDebugPrivilege	4196	alg.exe
Token: SeDebugPrivilege	4196	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2696	4472	SearchIndexer.exe	114
PID 4472 wrote to memory of 2696	4472	SearchIndexer.exe	114
PID 4472 wrote to memory of 4440	4472	SearchIndexer.exe	115
PID 4472 wrote to memory of 4440	4472	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe
"C:\Users\Admin\AppData\Local\Temp\45af654200a65f622051bf962e43af7a4a163a05599b44e5e53c706d2fc64ce8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4968

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1820

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3844

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
81440d9359a49f4bf2054cf7ef453ab7

SHA1
ca4092b07059fadd60c9d36dc5674a3b0364bf5c

SHA256
18a9eed42f1294a383279f982595b0f0cd0972a9ccdefd44aae8cc0305b7b6ab

SHA512
e474acd5609a54f58335e247c486ac69289df4b5f05e64c2adbc50b6d24f883023f75af1550e0f2cb2c9198ca8686d2226ad5a86eb3cf5ced9050eb40f2f7a14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
527666a962d48b78c1780660ef96eec2

SHA1
7e1ea95f030f2d882fc4cb5536c7c4f0b76d3e17

SHA256
86e2f8a4ef32dc44f367febca46434cdceed2ef47731891b4e57cfba499569be

SHA512
a94f84c3d1ab337093acef06ffa664d9bb82da6ce076f155731bb588a8300027afd242399daf294490c91dea7a699053af1f929a31ab56680abff8cee1b4decf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6f4b605f77bee61da8add49d6d3f6995

SHA1
1a6dcd2bfb89b63e519d7227fdbe44db913f06a0

SHA256
72320a2720dc44e135bd77ab8cee2e1326e3085b6758a10c8885e556f8c7fcbf

SHA512
1230e869bd09d869364d8a3d285c3bad46b5c55c5a86d8a2755e7c43588ca7a0d5d71601e7e26d1df4efca3bbcf9fe86c56721f5e709e620111d4099a0393040

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8052c13adc9db33b56fd4268f50cac71

SHA1
01ce07ddc8b8aece1f96a2db9d3913419519a1bd

SHA256
cb14efe3786fbe17c38c5c583dc2c2bda3ff7b8738439ee413f66b43363af509

SHA512
9f2c630877e948e56f8af6aa9a2feeddf83ab89d4d0b96282ae5fe30e7cdc24577b8a8bef4f60ab66600f65db0cc09cdf5f43fbf9a231a55385c68fd74c11bba

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49a1ad886d230a30ae3099dc6755425f

SHA1
3ba7643a9302e5a6726def53760775ed625d3165

SHA256
2b99ba23477a0e13f1b979eda4f415cbebbc36478bdfedbbdb383de5e02443d9

SHA512
40c5f39b5bc8035947c443e8431755688f26d7f9f9ad810a988a275d5d38791938e18527a876ec7216fd4ad4e437d87fa50a1cef9b97df845d4b47c70f024426

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3f6db991653c7648eb57831b8086450e

SHA1
ef03130541db202553a7e4c6fd9dd44757e3f697

SHA256
48b48378e291f19b58e4aef3bebdaf34eb0fa18e94c51dcf23a5e5307e2903d9

SHA512
3939c3c35105558729c6134c1da627d5017e69fb0d4a04b797339ed5f0d89f2e28b7ba926e3d53ba6b0184cf8cca19fea8ea0e385c4adc87a18d8353e171ebe6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f14581deef7656b2965e565c51d7ad1d

SHA1
33401368288c041fffc38ab353a15d9799bb1f50

SHA256
3550c4ab70d6a0ea46e60ac7837ccb85d71a03881637757c7b613acd1f9982a2

SHA512
dfe8d6ac27d6c60bb94b81235015da4de5cb090ce1771cd3405fda0c5f25552040b30f5bf35b384de1c47b712ed593e437d47ae8a2af94b5c234f59497f11c29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6625c000ea5f9a55cf9fc124eb620b42

SHA1
5a80f93327843210a9cb6da828feeca48a023948

SHA256
2754b88955ad036065b652fb0930f6602b2a4740042e65d5fa530b88dd4075b4

SHA512
37d87aa6becf79f2efe3f35e26c612c8c74632bbb8b6ff6b34e206e794b2fea9abc329338354700c1663207a0f15ea9cdde79786323f4bf83a2c100d3d4ae73a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ab01827a6a43c205fdec58b2d147a863

SHA1
05f53e7c1144d59e5bc42e670f0572f17b1ae724

SHA256
6c8fe1a89c42b7aad593d2b6f3ea42d64a5ba2b339dcaf623d47517cae33d248

SHA512
294914230cbec23d108552e77ec8b5e0a807f9f2dca4edc93c67692d3ae7d9110ddec24c8e9cbbbf5d167267c55ee70cbff6286769edc764996cb22a2ffab9cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d8d1a6d5882e1ec509691bbd7765ec73

SHA1
a6337d66c31749faea04d496bed7b11dfb7d242e

SHA256
4ca0e0ac5e0bcad2cf07cc476d06daf3398ab8510cbf36d98309350352bfbe71

SHA512
a2faf9b187d29fb466edcfcaf2e654c7eb0d6c3bcd5aad3ec352e9e615343db10862ecd125a8ab72ff7a0449041343fca76199bdabe4f305ab6f1bd930d41781

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
72e16da749e9eec8ca90d3ad850b9485

SHA1
e77c74cbce34f8653910ed4720cead7eb1c1a061

SHA256
0373d32c5c21e2f4945fbd646df01e617615d660f07e698c9195ecadbdea766f

SHA512
7b7b63d8ad28c1a0a3787996760f40ff1eb65aa3c8c00ed91e7d721c92b8e485d54d6a42f14786a18641a520bf44535d27c193dad9940a8c93271bfc2554d7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
72e51da5ac668bab4cbfc2a6345da35f

SHA1
c9df0a5e209c9147a60fd2357f4a4ea131faa696

SHA256
35ded20fc928e04f040de661737512423b4c1a6b7e230d4386c63a198f271856

SHA512
d7e5decda8f9ed947e0193c31aef6a7762bd16ea7ff2a184113cc1046bbbd0b75f6bdff19cd86414c9bbc20f9ae3fbdfe9436a037e310e1272622f409fc56c04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
75b2f30f22cdb8fbdb5f7328f1a060dc

SHA1
92ed49b722e069da9a2bdeabc0feb42e3f39193e

SHA256
523713bcf838ccc8a23ab35c86941b545edd7418ca92702e6a66cf1c041a10e3

SHA512
a4b859b63af4a16f4bbcabaf731e01601515b34fb2a49758c5e5e107c576d1b062505976abdd948f37d6f91ec75f13a0177e7ff3d8a9d6599f487c61bc9a4ed2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6c87a1e0b93892c27b776667c28679a4

SHA1
2c59211754012333acd3b9972fa017ff2db53b3b

SHA256
1e180b7474a2cced19056f39659f31aafb375e9c7e27017d55d4a24089b1c50b

SHA512
7d9aa1a86d353d1a75c366629b75e69bc8b14c1f8fd6f9cc769d9558177ead638e6034af853d8095903b15a06a9bd2abb88255f917aea90347e6a6b40039351d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
47a59566e4cadf949c611b1934db2511

SHA1
25a7668d02dcbe630e471d4d1262585e3d6209fc

SHA256
12eee445d779e174dbf0e97bcf06b6dfb6c6453d64128d8d8b7bf051885c608b

SHA512
39739d96fb830774b1731f70d97d3b5da84f14ced6968dee24254907ddd8ce97c9983e155305f7f0ed0bccc1fe1f7fb26ce5b1616ab7d292eec4161029b5130a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c8d550b3aed78f2c6e39e85be581c6ca

SHA1
1501782353dbd66fc3fa30494c175fe434da702d

SHA256
9c032e57594b248b867366f9237596be8d989357595daf120588e1e2e83217eb

SHA512
4e9581731e7a7335e4ef4ce498b9cf9c87ce7e3d1a9f076b36e35429601480992e1c39e73c570f6ed589459f59822aa0bfac43392772ebd07f9479d3985b7d2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c136a51079f1fa1322718cac718f48b2

SHA1
ae34f2d619fae7abd17cb2ae4be7f5315f865f2f

SHA256
0bcb2dd79fb13dbe4ae16c06cd40820f5cd8c087ceaa00a11ec51b5dc65a6dd3

SHA512
b849f8c3aad9dbfd31c8dfb6b7a88941e754a23a55ca89a6f4745253f148224255064954d0709dfdb81a07e283a9db0ae91a7c16f0224b6dda9a8449cd043703

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ff7d2082a8501bb2540e19335b5120de

SHA1
fde241849c69e739cec8ac68e256f90a4fe89db5

SHA256
7c68bc643737369d5cc466dad80fb10d4d0254f70c59837dfd4779890959da08

SHA512
1b113838eceef273d7cce9ef19695023cf0fbe55e578be1a5284621d5e089a757f3ab0996d000296727f773cd7ce7e16a2db287b0ff8ec4244fa88dcb4dbe75c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d681473072fb71ca6f7ba1787475e48c

SHA1
2cf497ae5236388ec4f88bf40c150af00c152ecf

SHA256
b662c6ca22806d67bad9cf7f4f128fefaccbd3213d6adc126807abd9b5ad7abb

SHA512
9e4ad979b0a6351c5ab58bb43f8019e562f73cc39d8ec80eb8642367e2d2f46d72fd74ea3e614565a3f9a9bffcaba729f84a692c352462d0039ca039077e76ca

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
10906e1dd7ff68508d7bdec22a338593

SHA1
0b1c2fc46fb6a6762283865cc0103b9eb6b17f04

SHA256
df45bc0f31cff8ffc9000e477d50cafc23bf03317f249c57cc2cec5916037542

SHA512
e65fdbf60b67f667eb17051cb0ae35c1307a6b76863e22872e3aa6eefebb00faeab0a3fa70542ec59988c1115feef0e6d1155200d25adf02f04f1f34efdb8b6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c7e17338ec3121f7150844b5ebaa3b2e

SHA1
6fefbe1947dd98f93420d107bcb40adc69f436f0

SHA256
a2dfd56d54222302d8156f55043b8c4df1dd39b48cc38973bbd434a0685a7c36

SHA512
ab25fb4ea58e24d2d31df47aba13ed58bdd0038bfae0ea0f1b61fc57150d492bc18f9735d5479d5ac44a219fb323c3341c82295cfa33f444729d248712f605c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a54dfff2a104a4f6550ead0682dbfb10

SHA1
6a304133d022640b46cbf7dd304f0427f27d8c8e

SHA256
71eebe8bd4663c609e674eb933c7b4fa44d2afcf5d99d4a1ca6ff9fbb2e7e896

SHA512
09a978b20e4793e88c2f9c786b1b0157a08b9c182cbe9f83b80d95c2b21226b015ae0a413aae52a105d6bb1e532bbc7c3c362cb0ae6b114bd83d1b076e50a0bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1b4cde42fa319c4ddcdc7ea4854e39e8

SHA1
6528daaabe7f284ab12be7f67292f4f7bb9eaf8a

SHA256
c0092ccb5e755f53eb7e6527742e6f8b2baec96f3e95fad4461779055afc7068

SHA512
7f6baac1e142427fd2e15886712169181b72c46628a378bec717f2abd013281f2241babd31699db6a733db9489f2f4f6d8ade237046b753954b3ac738cf3d10f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1b3e3cdfa959795d66dd2d8c78e95f0a

SHA1
dc42ba279c759540b065875f8905044d7498a3eb

SHA256
69fe823b99a6fdec80b9df2d585e161e709958f1b2a79bdabfc968a70aa69e1c

SHA512
46f3743354607a98f95f9b8d70b20f9603697af65e2cdd6b26a71f3945bf07eb3cf47b8fcdb2aa7e884ed568520922f76f70b8b1ee3c560ec6d678ac7453d851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
54c1e5fa1a09f12aa73823e80aac5423

SHA1
0116f19265f9534705db80ebe3ff977fd89cf7a1

SHA256
716526f06dd85923adc9cfe2e77b0be52614952147ec461da37a25bfdde79a7c

SHA512
84e83030692b8ef815b76fa8016616e1a764b6f2791468f1c95d90ee6a3b27876c5c4d4077f3ee564404e916dbc9a1562a623406c54105307bd83ef92bc99c05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d40debfb67099594aeb40d870fc3e643

SHA1
1da730803272d07c9ce81e200e38d29ccc54e2da

SHA256
3f0c6bd14d1538f942182a6f079c2638cd72ab620a26b7c04f0f15fb4bf2b533

SHA512
5a1a363a0094576ed2ee2813b23714cb054d22b460ecf7c5b077e0522dc0e3ba73d88e1509ba26130d21e33e9ae37e7a13dfb86f88ca7845fa13bbb15ca7995a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6fe6b9218b27a5830b2dc5ea5d79ecc2

SHA1
d63ac19a3fb62ca193655851e13723f53a345b47

SHA256
dfd639920d7318527193d9afdef3bc3b30803fc0cc888ebaac819305000a50d7

SHA512
f2f5e5cd863247867f3da55c92a27d31efe17500042f906aa84da1e757ef77a4ff6b401d0baad6c6297fc343bc3dd5ae293e39ad882aa432e82b81be2df06b07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
80e7af89d65da133fd3529a397e162f4

SHA1
c623da59fff073d885bf2dad3101df36a9bd24ae

SHA256
5c715ccae5e26791aeb35bb9659eeea1432ed3dd4eb608d043a3a6524f3ef97b

SHA512
3e30cbbfa142dba81c8f3380a3c0fa845bb8c0ff4a0a35add58dc01730900c2ee42c43d7ef26bc46814b1901fb31aa58e8055fecd9d8ceed49a53f24445f335a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
770ff2d3e9e7a250696432cefc466d6a

SHA1
d05089780ed64ebcaadfc399b844a0e0d589afa9

SHA256
2634b747d93236ba151373d6c59ba3314100b74b0393e5b575e809cd5a46597d

SHA512
6208f69a79103dbb0bc2605a7b1797ac401e6058780c9da013e6e10cfc2dac23a42f7d56ac07eae92a666d26491eeb1541fde0e2beedeed95430d0a497b24e83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c90ec6ddd3451290b94b4c47f87c535c

SHA1
d59e07644156ebe259697b2f7a40f132d25b0852

SHA256
977b7a8032f197eb5f217b6734de077d7892022d4df92899a6fca0fb2ba2c448

SHA512
0d2207cc1d8c40e64962cc4e1f6eec9995f72006034844743c4330dc61cd6cca5d0d4396d2e661459ddc8f1ad6dc7514b63c977759607cf7e50c2c87a91b9f86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3722928208e02abfeda1181461611f99

SHA1
1092f17b9c7076b1627a9beeb51be70a5361cdde

SHA256
4b5041cd8c3a5ecc96e159aa0009b369b8385188f9cfeb7ebbfc9328c3f9c903

SHA512
7b587abb2f1cb78b7f652518b21885ba2125358f9f50d8d62d98841a94cfb2a30dfce43b6b016e3a308b68e8b5f65c17e9ee9a79de348e5ea79f0c04016617a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2f8b70c5effcb1bcacd2d83cf9954420

SHA1
8137b89ccc0c1357a798c23d144eaec9e352601d

SHA256
20c270526a38a0c30d1519593dae5d5c648b858632aabc6a499472ced2105acd

SHA512
4451fe5e8814a1bf471043be4f29af4429e3aef6f77483a503780c2ac2825b2d7ca558d8d163e4f32196033f86c39d8e880ca0b386f0bd8ff6d016723ed661ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9035b8ba6f32a598c8095d7121b67114

SHA1
982a70ab17a947f9cc542efb61ab71f31f2622c6

SHA256
95c1ddfb05bce8af8f271e3cc469a71fa4817a3da5c79d09141140f243de230b

SHA512
e173330d46891fca83b029ab5d5702c258db7d36febad5da31359eb661cbe4f4357fdcf96781df54efec869c56d0f6aea900bfd7ae1c8d41970060dc36141afc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ed4249e5def1bf565d6c8930ec8f7b3f

SHA1
5f48a010bfbd0d6b4a0933ea44cb88594dfd4176

SHA256
84cbadd967fe634c97e6f6ebd4213dfe30432984f80961ca3e4edde46fbb0280

SHA512
e9afd7cdeb1fec79bb37fe026184075d8d9f2416c8a4a11aad3e45f4cd2ff2f4649306806ebf81ca4fc63a133fd7ddfbcd4b6d8e9ad7f75dafdd8332cd0a16ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5db69f3ee7614cd5154ab0094d16cab4

SHA1
5f3a67ac29639bcfda59ff57f06a38dbd665e59b

SHA256
8f2add5070e982f37abdee0aefca4b03c4d2b2b72de59a49b1551621b25ac119

SHA512
ee67252f3d6804ca31d14c81f05198e6ce9df79746975ccff41abe4b831bf433ca7a4edc0b6eae92851418e586e29e4d818c54b51b09d31e505662cb5a391f05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
49e4f694e7c4be1ba609a205902e009e

SHA1
9633f1e88738e604ee130d1cee33a22f3482638a

SHA256
5de031faa889fec068fc88ded7f170c4a6c611f2ea7a1da1b5f4efd0e24dd09b

SHA512
5fa3416efbd258ad98404ee7a8d0624099f8b73be638165d90332d82762beb9bdbe62c66aa6d11faf48cf0606da083f4d3eabbbf268815df9431ec63ef02b25a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
11af4a9e117cadb8b9f272d152ee9e4e

SHA1
cd9e7163bc38f4d9f239615433efbcc055776065

SHA256
bed22004bbafc28ace3cb09ac8e1a360d2529003be78639b4044d9075dda10c8

SHA512
5b6c454acaee549e9192f84bdfe9fd9a9343b6cd66f401f3cf5d3d1f813dac3a2b23bdb51582342f5942fef8a431986263c9f03822f573112e7b99c06dda072a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5b934fd416741a521c6848de6bd001f9

SHA1
8003ac5d8b3fa9201e10a474191c13ee4cb8a2e8

SHA256
e6ffce8a549f57c1174fb32531791db39bc5b918149bd4494155df692868f5d4

SHA512
198f737f666cf788b54a63bc21f01739d1dec3919cbd84884826675ec6c82eb669315e1376e1a3dfc256fc6f973ff7a290f0394a21a320f7907b9c6eae80d0f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
da6462c166a4b53a53d01d483f656c16

SHA1
9f65d601f70ab886a8c7ddd696751813a8dabe1b

SHA256
50d6276f5042cb6b90466f41152f0509bf2d2b02c098862a827b8dd0d56cf9e8

SHA512
cf070d1dbf3353079ba16c043bae7830552aae513e08c98e7cfa449898fea257e7fff288705e8f0451e9c7873809156ceda9a967ae12104dbc2376eec5632971

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e81ebcde5562d8100256024081a72d79

SHA1
3255a1a0abf45034e886152d0b1f9bb7948d8437

SHA256
af3e4a0eb170680481dcb4fedb26b50758e2c5459ff82311b45d320b4db5c9fa

SHA512
c83c71445ec2809dfcb7d2cb1e8ef078ebe3bc9da9856b879e02edd78e05e1a3418a953484fad23f409fee8416d8c4b1a12bab0da1fd45c88fd097344bbde798

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d80fd1932ed163810c69aae26ce4cea8

SHA1
29c2365458d957da80756a29fae647a3f2145ace

SHA256
a87daab45bdd968c1a8e368e7d81ea3222b7ccf0c087842cc3668480961aec22

SHA512
2ecb82ae7708fc9dc7c0bcb741b4e48130aac83aa37689113d04a7f8d94b03b222dd135ad6d80db53de971ed40c0eea23f8d0b209700530952f8cf200cf0946e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bfc1b90786a97af7d7911c107fb17ed8

SHA1
9f9f18543e0348325dc61c4f22a72941a767ce95

SHA256
58f0bff3ab666ef7fddb37b64c1c797b6b2535ffc799c2544872015398fb5786

SHA512
7e02542bf84c48fcf604adc8ddc3f5528518db56fc249b66e26eede16c67ee2a42e4a80b3e557f9d9d5a73d2bdd113a976471d918e947773decde92a429e21aa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d63ea1ce7f0ce071977dee7f4f687171

SHA1
733cc48d9e49bdf51e39b18298f65f051a8db46c

SHA256
db948e6410b3b10020fcc5a8da4da76acc5297111c6a5e81c2da680d1569973a

SHA512
625c7951498f53298bfbf6afea08fc35b902609f7df5b995889a951aa7eddaf434f5f60c36992f76eb00e5accd7eb3814594d944e59eb39c23d6d6fd181fc71c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
72aecd7fd6d42e6aa1ab086a7c56850c

SHA1
f459e70026cb7b67270ed7ba47a34a00eb1f9657

SHA256
a0c4fa847bdddc1ccd3d9f251b9bdb87b52ae9dbfd3667f98e6494137be50ba5

SHA512
0699c8a08fdff88a7adc624ecad29dcbabccf13fa9b4d56d605db08850251f7625039e7f4db0ed129d553574a888d5666e98d7c914f584abf5ac70341110bbad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0e04884c3148dad72d43519b4f2ae099

SHA1
51ad681a8cade92c1b78ee03af7a4d68a410baca

SHA256
11c1af0db2c91e242fcb0a90ae8d5a8147e9b04a603a23c449946de5f6c5c10c

SHA512
1c875ff7b9477703209f0052335de7e9aec834d642859e39d6eeb21ca9db8845f5cd80745b2837b0b80999bc0b55253aba26e132ac4628222cf7f39375b1ffda

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b915854c5218236eb331a511500368c

SHA1
8966c41d52f9d80b82913a5a38787e848ee611ba

SHA256
c52dfa9f05152a30c62de49e0935109a353f2d9e371764c8f0d9575d45ec54b6

SHA512
12b3ba6d0d096d4d0294ff229b957c638c7570a56450525f6f6334d5680c814ebc79312039e5bd6440ce0fbee2c8bec2e8cebe3bb9ce0c2f2721f8cdbbd78d71

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
617cf260d2b44dc9f60c31e306d2b2d9

SHA1
5bb415a364c2728f6a5ebdc1a46ffe28f159ff2a

SHA256
8e9405a86b2ecca57c388abfd38e672f8e8709b0724d866225e20d98415291d8

SHA512
5d3726b7ecda710d0e3c640e67df7fcc7f14ab4f9e662d7b0eb58709f5a9cfb7e570a459bbd08252d87d70e111fbbd2db09597d3f4e2afb0df51d7ef3e6f854e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5258398cbdeea5e70458739c4b727675

SHA1
cb67055b60be2e3962f21260f19f9d80e28e42d2

SHA256
0dd19be628332e21b9ba668d741f4fcaea5875069c5e6ac46f66c66a80856dd0

SHA512
471dca1b5beff6ae8ce52264dbb5446ba501260e08499f425e9701f7b67be74286801ae173b604ff03c85ae3be58c165cf3ae6f695b0325ddd3f70a166e894b7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
668dbd7de0c3bbb075bff122d2e739b3

SHA1
f05a5ae71e1c87b31cee3b00bb4978880409ea6d

SHA256
9a7dcf7cd66ac63e1f7a2fe3aeb2c8be395a220dadc40e6ac47f5ef4edc1a949

SHA512
2c359b9d404fb6e50e6d4e809d3bfb95ae9321a80c1ae93848f156498586d74d5e1743c55c0a5d09322301bdfe625a0de4abe42ec4aaa2456299a02cb1de8b92

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c1cd21bd3008d36cba6e8c36885af2c6

SHA1
3959a8e3c0f6221eb80251ecfa4208af0f1bd549

SHA256
a0d9818fc2e71961bb45624ac8b7d761e0bdf07d622abe41dfcf64f9a17d222b

SHA512
b113065747409f1cd738b0b7cfee1768241718d4bb56bb5f788981b7486dc6de2e9f19e43bbd8f36aee04a22499cc97e78692fcbaa0841f09037e93defc81270

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
18ece6654940681f6fe198b409af90c2

SHA1
0aefaccc2b7f504f2d8acffffd88c464bbe430ed

SHA256
0d78c44809cb0f1f6811a3da643815c472c93b4a7acff7f12d82f100d6380937

SHA512
42f7cc93348f66ce20236e07d3ecfb55f1bc94c3ed53a6995a4e1bdee5df56a27163299979aa6ec0069ea27266c2ea4f4f2eafbe9e712358b825d65d599bffc7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
43e802e43d226611b6ab965d9d8cdc30

SHA1
88ab23052469bfa771d12df5d1b23029f75bacb6

SHA256
cde7b8f936930712b2a82dcc4b6934b8a7951f424229a35d4455e7ed82f2705b

SHA512
7b2adc85c27dcd926fc7be3b21c5e041f9ffaf99c8a26e133e91a23114769c7421d6f8a555e7470ade409c8142f508c279591b2a0361b0649fd3bf186312d983

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a3fbe5553d87a330a77652f20f26c137

SHA1
9b830711542d702c3575553aca01278a9ba82d18

SHA256
2fd8700bd98626e4df4cc48f2d44f63bfc477c7683d498a5811e693fe1f0b456

SHA512
05b3cdc03860ab3d8b30d7c7c4ad7ff246d4d54281326cfb289153ff59371330787c960b049d64e34d54bf53b3261dfdd80a05a25a5a17404742a8db4eeff8b4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f5cbdf6654563f1418086347ee6737d

SHA1
7175b51c5654070c6853fbfc664a435fcaf498d1

SHA256
cfd1f6c0f691425e245342ea5e378b5f032d69a29d9698322d736231cbc59aab

SHA512
219015acdd393456e7bba641369f396a47f4aa41a4d73ebeace572ef05fb15348f8e8ffebf4f7136c0b18af6287032f292c30b86950f81f57f9269f03c6a1888

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1a5e455e9e910450fc5555e59a46e8a4

SHA1
c861e00fb294c39219f4a239d808a2e54b8ecf13

SHA256
902e734abb94b645d398b73417d3a4b38c0b755567b24cb9fa343c1062196f1a

SHA512
f57f1d5f426a89cb0e7110636ee3de02006a878f0480283775b51f22cf552a69a4a21917dcaad6416b38fe0ebc5124a16b4accabc27ad7015931f1760f249f61

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9da331e3bbfc2567b2d4805e911db921

SHA1
0468d1a4f74f642c2881f218b9365f66e49df889

SHA256
3bac794ca86b06b4c1b3f5a5a3a96d02cdcc0f81a287960df6192f88391543bb

SHA512
207dee464244c6e8d614f6e8154bcf2534b5813c1b351e3b093377d6056e4f73693b275af669ac5369e26a3794e2331013dbe414bdac34edae8834058f94857b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
315f70d71ec4ff37a2b7871f2ab454aa

SHA1
cca3b439924ca0c2b5b8152c7d9bb79b866a8890

SHA256
f4f11ee84882ac3caa10e082572c3b652c5f18540fe9410ca1cfa1c1267f82c0

SHA512
00a9c4de3abc19708d2fb7fb5b9953a673e52ae08cee18f4d2fb175a5a8161818e07474712e7d1c858e0935f1252420ca86a1041c81170b7af3f1d08c9d3aae1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ad4db500dc4206325ad51d615265df88

SHA1
8e076d6fd2273098f98f100c28700270aaabc595

SHA256
51497ae911c17096c1100d6d1e5592c88d6a43b262dea4884dfa743c39910a31

SHA512
f8f8ee4002f5dec53e09137d746a17d1edc96a4df53e49444af2f3f962f7353f064ee967cb7ab13877c3a3d665b4baa11c13a39890fd61baeb007ac1bc13c452

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
46cbce3a0f9986a79f4d9c1bc011c1e7

SHA1
493d648addfc677f71fac866a0edd0248385456f

SHA256
bfbcb5aa08b1b6146baa53c4ad8e0680a9ed5c7c3a2324a3cc888a470688b8b8

SHA512
f51feb30f98e06c69b7d98bfad97728a6605447476d87f80bf795ae306f7137dcbfcc302705b4428ea2d52bf6d9cbb178d7d2a950d42e41e9866af46f7ef2f03

Download Submit
memory/1048-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1048-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1048-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1048-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1152-147-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1152-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1152-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1820-94-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1820-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1820-101-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1820-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1860-165-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1860-174-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1860-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2324-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2324-214-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2324-274-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2560-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2560-117-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2560-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2644-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2644-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2644-44-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2644-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2652-436-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2652-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2652-243-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2736-92-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2736-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2736-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2736-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2852-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2852-270-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2872-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2872-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2872-130-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3180-232-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3180-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3180-226-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3180-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3200-257-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3200-487-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3200-249-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3516-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3516-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3516-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3636-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-472-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3636-471-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-160-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3712-200-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3712-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3844-186-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3844-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3844-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4196-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4196-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4196-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4196-75-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4344-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4344-281-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4424-1-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4424-62-0x0000000140000000-0x00000001400DD000-memory.dmp

Filesize
884KB

Download
memory/4424-7-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4424-0-0x0000000140000000-0x00000001400DD000-memory.dmp

Filesize
884KB

Download
memory/4464-201-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4464-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4464-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4472-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-294-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5052-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5052-77-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/5052-84-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/5052-87-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/5052-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download