560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
Size

1.8MB
MD5

6f700a72e324ae4ac8055c42ea02ed06
SHA1

e0ec0e9e5b1d3c8ff76a23148955056472e16891
SHA256

560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8
SHA512

c593d492be908fe9b22cf87c1c8d0cf56e6758a708883fef6b248a2e24f68de15c77c1c81a7b3a884b39798a5d2ada8227b64fe0886597bd221b499984c0444e
SSDEEP

49152:Yx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAngDUYmvFur31yAipQCtXxc0H:YvbjVkjjCAzJxU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4700	alg.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
2784	fxssvc.exe
3900	elevation_service.exe
2044	elevation_service.exe
2928	maintenanceservice.exe
2544	msdtc.exe
904	OSE.EXE
3216	PerceptionSimulationService.exe
2532	perfhost.exe
4164	locator.exe
1448	SensorDataService.exe
1176	snmptrap.exe
1116	spectrum.exe
232	ssh-agent.exe
540	TieringEngineService.exe
4408	AgentService.exe
4200	vds.exe
1632	vssvc.exe
4804	wbengine.exe
3356	WmiApSrv.exe
4696	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exemsdtc.exe560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8de52f45e51cbec.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\locator.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\System32\vds.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe

Drops file in Program Files directory 64 IoCs

Processes:

560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_sl.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98734\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_ar.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_de.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_sw.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_fi.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_et.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\psuser_64.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A2B0ABAD-D5F2-4A72-A502-841B087E8C74}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\psuser.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AA7.tmp\goopdateres_fil.dll	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042cc2aba1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d74710bd1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be943dbd1a99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c912fba1a99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048454ebd1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029cf38bd1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c34040ba1a99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0b2febd1a99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed87e9ba1a99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
4024	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4296	560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
Token: SeAuditPrivilege	2784	fxssvc.exe
Token: SeRestorePrivilege	540	TieringEngineService.exe
Token: SeManageVolumePrivilege	540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4408	AgentService.exe
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeBackupPrivilege	4804	wbengine.exe
Token: SeRestorePrivilege	4804	wbengine.exe
Token: SeSecurityPrivilege	4804	wbengine.exe
Token: 33	4696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	4700	alg.exe
Token: SeDebugPrivilege	4024	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4696 wrote to memory of 3812	4696	SearchIndexer.exe	SearchProtocolHost.exe
PID 4696 wrote to memory of 3812	4696	SearchIndexer.exe	SearchProtocolHost.exe
PID 4696 wrote to memory of 3524	4696	SearchIndexer.exe	SearchFilterHost.exe
PID 4696 wrote to memory of 3524	4696	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe
"C:\Users\Admin\AppData\Local\Temp\560657a2b7e773cd25e0bf8dd31b32cbd613390c9b9cf3e1c870fb318b3201c8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e557ea395d909a53e56022a97ae9f890

SHA1
6cf4753a6bfdebf6044c3970cfc071bc25aed3f8

SHA256
0bb2a9d9f2a7905bd99aa5943ca0f92e0ac736ed8d89e56c29877efdf14672e8

SHA512
803bc4c76533161153a57c9b82fcab091f0829e873e60e38c42cca7403e6117535b63e9bf009ffd82bc0556239e6897ab0de972473477a8319c27d02cd8d4eda

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3fffed8a7ea7438e3383a3bc8682db32

SHA1
db0fe59d4c4bbd558bd2367bbc527057edb7504e

SHA256
10c5dea5dd947f5f400a3e2f1f478e7de6b096aa76321fa5a9e8b1ae8f3f9a83

SHA512
9a81e2c486bf93827a235094933d464ba4d3acaae7a5d1261ca7dbe07e1f2430c49627c10d4d55822187207af0baabd7bdec3ffe7db6a6be950d3dbefb10030b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7c4f808826ecad23277d20e515576c46

SHA1
674c99dee1a47be304cd1c2b89ce3732ef89d37f

SHA256
5dea9a1fb34d6e3d00065801c22e3926b73fb61ed86c7bcd78d7a6dd64cb8c68

SHA512
39cd3c8372b2a10135c716a2181d2a9c55823ed5cdd55c86474ca96916b97b69248a495ef5a66318432873968677bc9897fb7e0a9470eec3bb368ddccdcf6b26

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d3648fb86d9d86f66a21460278f68a83

SHA1
f549237267064ac06d0407f0f4a1ffa444341f5e

SHA256
70b55651b02656b1dd2348866152df262d2339edc76381081cccb8ade2a43067

SHA512
f96de293f7fc261f2cbfc5a2a3cf19f6c2a4d9ff845bf9749b738d989ad19bbdff1fbe9ece429437727b32aad641ee2ffdbab76260cda26bce61a3ac384b9859

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a33185d4aaf75a587b57256b0889ae8e

SHA1
d178bfefbd07edd1f44fcb67b54416b08e87c44c

SHA256
19022df0a975c808b2d990d42b9802f8f698232f92ece8b2b07976976e81a2a3

SHA512
f188186f00194410a4bd44f98ca5e6747e151b1de597aaf89daa643a1f3f6bd1d264d6185ee5c065eb3f6f0adfbd9e77f1e37de556251e327a735e1495eeec90

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
9c4707bf4bdfe3c5038af7d22631547d

SHA1
9cb1d0668afe8a44e32c7a59cd1a5f6f3dee78b3

SHA256
0216ff097e3bf35dbedb40f33a3ed1780514f8c145f39c4ed98e1533c45acc1c

SHA512
f63cdcfe2ff780a3aab3eeca2da1e66e430550fdc47bac12d54cdfd3d004aac1cf57e084924036fa405a90f68431ef92ad669bfec57a34251bbca6d7295f24dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
90b05c38efc7f8f3e95fbaeaf8491397

SHA1
8422ec69dec30b0e81d663d17a651f15b4b915b7

SHA256
e8278f53275c40f2dd6a51dfe93ab1ce15c238916df260bc36532eaa086bf5e2

SHA512
bfa0be19d13351ba6c2b24ba53e892d2cdfbd59ff760d31b899e6448319a7bae387b1b8e64cdb51cba1240a8045c147a40e0aa3f347ad6aca6f2dff45294d5a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0e6f16ad27627a73ee2eb11c7cdd2713

SHA1
637140d3d1abace7fd2af0005cb9906a79e81d64

SHA256
64b536d60ef68d6a17cdcc79286e661a48c7e28f25958797a1d66241a1a076e2

SHA512
482fe21270569d14c91f2543683d22c2b60be4db62b573b6e970825ae2e277418b2c675ba15903ce5d990f53c0ee0747b71f603a0fd714cc481f349a45b21a29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a4f6e8996b82205e1d254879bbc93dee

SHA1
fe8e9c15b68e202937d9ccab306cff76cda9c1ae

SHA256
764bf15ec95b49388bd11c48393eac5bad52586daf87bc27edaf0e5f875755f6

SHA512
0d1b792f57d5cf5c9da13773514377fd01b9a0db3b2752b74c03be4e0ebafc7014c873fe9c62dc92f13964500e2362940948efa054a9564a6e748b3027fec982

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fa66cd47b343cc3f120139e6c6558afa

SHA1
d25c3668b786b26794a7e5e2916e1382ff8de304

SHA256
fe2f7aa3b3983176ac35ebc7b1d70fb714f098b3e4fd0d6a1c04142e59348862

SHA512
81853880818d7be89f0c454d1ecb2f51d576af171adc691e07d142188aeb882ac6c1976816dc19bf4a45d424344586bda121fe0288d4802cde48896780ed8f2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
993b3c3245a820a51280ed9a745ea180

SHA1
4906bd975638c73755bfd8f040ea22b8eb732ab6

SHA256
ab03b9ebaf36bbab56e02db92b57120609dee83124bddb9aedd5d37358e216e2

SHA512
b071466de2f557121b530cd9ef905f35b5d6b7ae01b96d30a3ae4bb51e0b3bdf0bcaf00f7bde84dcda40fdee571d7df996606d6aab738df68c4466ebe645f073

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
21742b166fe55660faf489ea4ef5dc4b

SHA1
b03dcda37ecd9cce928dd9d65abeda2dbad7a1f3

SHA256
feee1eddb3cd65ef2c6151cac288f65325191b9a1b4b982991784c7b654551b7

SHA512
10af858627881c80b4670ad3deba9328a52543bb2eead73b78eb1bbe256156bb50513f2c4a83fa0d289ac3ad204a70672eb15aa55dcc4c31cb64d71ca840e21e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
19d3a549088a048c1d626a4758aa4255

SHA1
9ea6ad50efabb865380680e562e3bc08f206d911

SHA256
b8bb74ebba4dec9f9d5d0d0459409dd49fba5b146ff4b194b5ced51edbc67167

SHA512
d5571937b24b2677a05163a89a86369f0798b28d27c0a30dbd7fa98e9d0fef51ab59d9eec34bfb99bfcda6aa958a72a28621a968fb1bc3f9f468579343e55e86

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
b0d73bb530b5000f945270c1940e4693

SHA1
ca0ba12404bd3e58eae1aa5b5226e2e204859048

SHA256
c7f082f9c2046f63d6f2ffb172c7abd5f7e5089289db12ec9d441f371827ea6e

SHA512
b1f92e4373f20d4b6387360c89a999d1160133754c96a98256cd1e8508ce937c5afb33802d026b6c79ad22ad2cfa9b623f509e660b94a2a0a6286ce43149d3ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
01d8cc40b2719cf6efd236a61dd7315c

SHA1
559f17c01253be62254e7501d4809e4c5d50ae46

SHA256
79c9b340b5ae4be21b8b5951cbbea00f1f0e29c453fd03e9e69c829c5d418745

SHA512
15ddfa5bb40797715f37be7f9c9b7037b1d9a84f38ac772443799c03088c902ee2487f1773400e43e00b4c9db5ea80837415bf60a27fbb3465773447e12190e0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
08645135741a28b8cd904b9fd91a200f

SHA1
83dd81321c7cb56cd7c6ec07fdbb6b77099e9893

SHA256
5d91d5981642718273071fff7aa4ac5d810711536237852ff37a26338c79d36c

SHA512
42887ac3d3cfec9512e03895f2022828a1231ac5a3f3acc5092b603167a1d1bc31103e168558ab342debcf518b0c9287d1dde46597b90996fec47442ee788731

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e4335bbaa2af0513817d8e7d8b975db2

SHA1
0ef2bcd6b3c6fc78d16aba9a9c002337f942635c

SHA256
cadef172f509c0a24e5f4d99f3774f8fed6aa963c5de19b2292caae15ac57d76

SHA512
dc5437768e663f43f32c52879d84d673193ff164478461290b2b7fd351d3fdc4cfdb4d07cdd158c5f5dc58a5530a0b06c0f6184cc61149ae8b8d071073083222

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
5c0de09fc18ad4573eb47b3e858e0235

SHA1
6b7fa4fc4a7c23e08173e744f23798fec9f74eb8

SHA256
3b3f80ea2015b9deef1402c85f8fa9899cbb943bbb9904d455bba861e6578f4f

SHA512
e3ac8c30a52881da83d7d97ea3db509f9ec0cf592d1e7370ad4b045169fa6cadd1039b939b819e768decbcdd66a5015b935257b60ece4b671e04ec9c51724be5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
67e3f3e64fa7850620039d7bbdd96c1a

SHA1
a5377005ab8c35db6cbd51fd7bdabf6c275e7242

SHA256
33f83e388d4a854d4a6cd1515e5f81f722e22523d23a136e006a5f2ea52d2eec

SHA512
3e82ecf0f967090fb6870bee8dc9379b0b5a4ebf0388043c8356e79c5db201d2110f03ebc79724ea38836abc043adeeb6e069924fcdf74f05e29e711ce85caf3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2a912f028f84cc73ed02743da117e892

SHA1
724e1aa8100107275a2463a9a5c05d99778cf688

SHA256
c6ed63b9270288c99d9b1f482b819a7f7f22c23bfb001958ee52055e1b5d579b

SHA512
65c0ca3ab55b2bfce58d834f260765e1cfcde478baeaee6d92749eec0b067fc62168a3fde2386cf56289e887482986841749d33485312b183a1e9274eae2af37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
648b32db6b47c4dbfd8df20bd713f800

SHA1
3bc9059d2d53090dd492d4ef04b685a861937d2a

SHA256
67427bc8d9fe6c6a296afcf5daaa92c2acc16985446efeb171817a2bb215812f

SHA512
7bf4a02c7307dd330248bc4730874c4591483707f532426ff71a9e38160ffd49258dff42fecd72b8374c126004d8aa99fb573ddab93e5e17f5cebe027b55cc8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b8ecc34aef5793d0e42fd34080b0b1ab

SHA1
8dfa59e0750b23b8133377fa21f1235fbe0571ce

SHA256
4efb60751c5ea2ec222baa66b63cb6b4b7e6dc6085bb806c5d2aef3ce25cb347

SHA512
10dbbb8e6b2e6c712176d210ee41e61cae52233cbfe1c7d18255a5d3a7cdc67e3dd5bec1b6a5e21208cd498485dd1768fd27dcbee65932203610b3c1edc80267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8680abad98d6dca8587b956a74b30437

SHA1
dcc38a3dab0c5d96539a8a52329e02a36d12c4eb

SHA256
99cb759d0716e0382ae24b6554d09e1987684bf8dd52fc26672180d8074a4ad6

SHA512
d6f66a34a8f6f3171362e33db8838cd9915fd2727030c2e822048c4871e507320ea063f8705c378f45bd81a472523d2d3b1919c9b73af4101f02089aaf0ebb37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
5ea3365d2a580b0dc135bdcd67ad7014

SHA1
07965b5723a3cb9c3debc1df9a792c1bdbb33785

SHA256
0ed0322c458e889a537b90d8bdec22e83da9571bf2269e0823905ebfd4d58aa7

SHA512
71bbc69506687b8223eaea8cdec947d98e1817c71397860d4ff150f106fb31ade1c8075866e2c827d9943abeadbda8d96e1283ae2a57dd6b8d8041dd7f90b9d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
415da7d024593fe2f9b74aef2878b838

SHA1
5aaac0e5ea8093c5591b9079d2b72feaefa3b820

SHA256
e3a37cda19a1ec5758716810beebb0a71c7ac038af3f5b44e1253b70eed2d873

SHA512
06dc4c71daf3d28cab98bc81670cce1492e8e234317e5d9c44ed5292afaea73cb3ccbe4891dcab1348847dd999aa85e364effaefbce87dd0a5ee8bbee4e7041a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c72e5736dff3d4a5e16d6118e773f8a8

SHA1
39b11588a94182557491d96a3f64e17619e2834f

SHA256
e877b9c3df49259eede81d8859ed247b460be7b5e97455ae07f0acbfa9f57a46

SHA512
522da03e981555965f4f95b7f9228be4db0ac6bd6d61b86b72b39dbf89a83c71af3eac4be1d751b5e166d1550e8693e9856f8a446f2ea73e33319bfe0450e1be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
f46c673279d2fa79638fb21cdb0c8e77

SHA1
44a3811cfac0d53ec52c74d5d0e7b4450c75f259

SHA256
83a182e7561aee6c3bfaf65a26177d80535a88115b1ba002adec00759ce0c7a1

SHA512
978bf2ec53d0fb7f49fddf0cc336577a4a4e758887a412e3dbd8af7bdc8bb63849eed6d09afa37457e139096eb3ed51c918ac63fe2099621984ff9c0b2f32e64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
75c1fb6e51427897f40f63340e3c29ac

SHA1
c4f9e719afba3effe427d6b9662565822947565a

SHA256
b94d320cb7162cef5501a4bf55d0c404489623969e6b6abab1c0e141a911c22a

SHA512
901ff086db3e60d2542427641c69a6694b32631e5537df1f48c8295eb64807c8064dd7c9aeecc2171a01e3278b75f599544d4c7b045e81ad073a3ef726d7437e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
73e43597b948a1c3cce40108b27bff56

SHA1
46a62fedeb265f805078f1cf494d82f3abfdd6d1

SHA256
09682388e0cccb65c1d1990a3eed56397393b9dedddacccc1e21370c529fa539

SHA512
e2faa3f4eaa82e7e8da360a85e4d6f468d91abf631fff080e032966808883d22f7a64432c9d3fe2a8d57998e010d3aa515caf3103d499ccf13ca00e8e853c806

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
c62b48a6cceb4dc106029385a13a37db

SHA1
6395fd16036225d044140e57ce2e360ae5e0f498

SHA256
1b225d1490487f9bc09c89c40ea81b34058346e3c6c8bcc60ec3e0eef42558ab

SHA512
3cce4ca5236eca2c1ae539274e6698946503f7f1841222ccb6d62489eefa2dc011c490fbcf7cfee95af6bcddf6e0aa8b2e6eb767b7457efd4b47695f76add60a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
1a0390b5d06ca1a07fcdc22a7d0b68db

SHA1
e9de5dd03951e92edd32c3a3e32265f76061b26d

SHA256
085b399104140b763285bf211e872cc6995488de1ac9259cd565709fb53c59fe

SHA512
6b12cc783f8b3dc5c15dcccf1e384657b58d7371041834dce36d8e2e4279abd13ed819344cd24149a2327876edaa9b232b1e99a537268cddf9dfec20b85c6a86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
04fadcf4fcc4fb97b57e14334c246171

SHA1
988bf686f4fa1c2a787c1a59e01736469ad2b364

SHA256
b76e3eb0afe573d4cbbc941b499be25d2472e28a4b7456257bf354de298ed13d

SHA512
d5862c1d81af31a87cc6498f6236dcbe612d511afb184fd942e3f7438aa2013a698558686e793bb114e3c0b3edea01bc0161a2e760960bad1974c9e0b58f5494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
55676c7fff1f63aa2dfc7eec0442aea5

SHA1
1965a5c112eb313bbc67e08af6e1636c18d79aa4

SHA256
99ab5cda28cd9e291dce51f6cbb5985842d0e64a9a35f44b7d3023deb58cd426

SHA512
a6b9c3dd58613644d32fe2bc58fe6fcc08989bacff9a2fdbee3f92840f31b9b2b05f9a53cad5f1dbaf0789c4ddce838c4e95db323569e7dfe7d7245f72f7434b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
27a38edf55e217c4cdb0b56ae5a79ee5

SHA1
8e8abfc273466e293fda9993d57439d4cbbdd25f

SHA256
fa071a1d65a8616b59ef94e247bff790f82ae8aa5d9f2c38776e48055a32c5ba

SHA512
645c467a8489a1ad2f3c2c960c0c5e4cbb586e245411cd2d52d7f7b19a80c01ca876c93a27864fdcf9e4f4bbd717d4c9e84dc85b26fb79ae7fce18aa8001e72c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
249d622d596f9b27c31a1997b89a3166

SHA1
47776eeac743ed9b0ff5f2cde9ab18a9502d2826

SHA256
8acc025e1bb31d57688d992afffe44987a0b08648421f9f265f181be988964d8

SHA512
f26b51be6516bf3d9b63e473005f9ba46cd6570441526cbd796a88d68abb1f9ef4e60f82862ec4eeafda066da340745462b9e1ff34976d0820005d03576c14a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7df17085d2b8da3f14ff68eba34e5384

SHA1
8005cfbe07e2039546ec57f1864d6bb5ecda0a15

SHA256
6c6a226aa9342b56b7c7f2684fe06e83e5df3f65e3f5c1f982f2b7362e6f5a2d

SHA512
883363d1c8861c9f77d7299a26725e9ea523300cc5437c0e5ec317bf903c17568eca8636c2cb9d5eee27e5df58affaede9a697f299c72d5f321829ae43484c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
7be187d50abe1c0b3bbd184466e2a2c5

SHA1
d2e18f35e87a5902ec206090ce6378865a9bde58

SHA256
731f7660e10d502fe39b937645a619b990ca6826e3e4a54baae0800fd27838ad

SHA512
0d73c8e1453676549af6462af1d3600adebddfda49aca65327ab47950cd4acd740187661bec54e13af1f1f6b51d9e65dcaae07ed8fc1002f4cbecba76dee2863

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
08bff03e5d0ad0c0bfc1b74d314023db

SHA1
6acb6b34aedcd012ab1880a5c90f72ddfa0986f9

SHA256
87ff9da1a03d0df199679746b492b9193dfa9de16523b703ee173026e14fa975

SHA512
f0dea1bb5ea0b3b6076ccbf40ee72c2fb075619215b2841352ccbbdcaf4aaa0547bfbb38a80610dc81df69171adfc1c74bea62765f7183b3384a78f0b207a258

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
305c2f6b59dcee534f7b7d7056a95f13

SHA1
19a600d551724f868d2b5505e6e7594a27ff5853

SHA256
7b4c19ca92fc62f54cd8d1c08dd8e0e09c75f9a801771360cc1f0812a05d565b

SHA512
aba0bc2f9b308d465f69c617f421f20a15f65edb309b4698670602994d15f9bbd4e71af9cc1a73fb63023f79231089436ed6ffaddba6d9d1132110efc5ba0ec8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4393f5cc81dd82308b6d6511d8d803ed

SHA1
486207474722721f02139db80139d584e572dce8

SHA256
b91182af3dfb50dd047a5c490c7aa019767cf884c70d46ea38f85457d57f9ca3

SHA512
9f5780696f1c914c47213236442b67b6c10a19da4f42a5c6c1ae654e89465c3393ebc214a0e83635b3c709bc352153cc9c4c8829571d6b8384313038f5cfbae1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ef2f86d6ea69c9e86c8ca0090b5d5d00

SHA1
2061522542b4fd0782721e997dd05e6d9c9341bd

SHA256
f4c2d7d3b84a42bbeb510c8b9a02a0763b4de135c2b2b6c4ab110882abfda4ca

SHA512
80f82f23765615940eb30b26f99d4f83194f98e0cd4041e05738933b4b7322cf6ea2d4305fe8812325388d7cd4bc158345da60df47689e60c4c9ee8d7e7c751f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b36a676450138433ff4c92a3423060b2

SHA1
f8d13a66dc8a045408af3dcb0eb926a41893cbb8

SHA256
eb328e4d333846327e2a3c0acc360b8ed276c4cc229351af3c3b4ff919c815d9

SHA512
c69aad5d9483796a4e3fc250a5c238f3a06facc61c1b1db9f66e2fb6e18e8d34933093f9ada65f01b227d1dafa9462f6c59ffcdbe41f79be953d3f4fcbd69ee4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dbaebd18f5640f7c05a8e4dec333837f

SHA1
e0b2b11086823887655221585b5ce4f9b84e4164

SHA256
4a5681af6eb1c875d6edbfc3dd730686220abf6bcae2c3864201df8d35bad835

SHA512
ce6d0fded52aa646a52bb40140bd9ad22ea519b37c724698c323b2af4adde1ac569722754d84f6471e258ed33ca2c8dd41ae1bf223240f1e9552bdaa89f6b12a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d5deff2e6f9c47c358c5ed9acb6d93fe

SHA1
2a1f93db60348fd224dfe3b24df3f3f4f2e7e45a

SHA256
e65011554b520f881ce149fb767917776bc50c58558ca1aa05c71e17ba1f3b88

SHA512
e79884e1d8ee0f04f2eea0748077841d6b57fac0a8de023f0101d03e1e611cdf456c64350a82b75f6e3e91287cf9a16334afd5f1840716e2e5ca5696a4a79abf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
91cab9d2f49880a0d8496dca893713e1

SHA1
1059b448fae02e15782e5f4921ca0bb4b28392f0

SHA256
fe5478bfd5360f54b8ae5b677fa8b2ce4bc5fa8bc4e94e37bb153f9b2a60e764

SHA512
f9894300bb57a5602a6a9a40965a896110753ef92b42a73c3b6d166ea371db9b46db5b69690fd8d77a066d8ac624642418f00db41e78916d8e337410b049c7dd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
08ee277dffdd6b7f6bab458acd11909e

SHA1
7260479f2eba6e516d4a9031de754e5c4d7e71d5

SHA256
717dac24b77e6d5b77717b99b3ee0b5f22ca41dabac0185e1cb2397b06d32b9e

SHA512
aba2c593a1e64ef7946f881e7c0456a2d19f7c87d01bccdec685358fb525755f5451f0aee0e0b224fcdc18915cf81e44aecdd88521fc5d805602cd73c1fdc945

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28215b4ca850e62fae1edad45cd87b65

SHA1
a651661e381bca6af384105e918ce5a791d41ce4

SHA256
196052b457f7b9006444ce9ee6fa2de2d0d4ec751117939e7f635c39d4bb55e8

SHA512
196bc335dc81d0447bd858609bb6c8256760644ba08c3ac45d63d8f358dfaccd81d90e2110176e7de8dc4b5d81e2ff53b0105feabfc23f4bdbbc0482d282304e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
71116d0fb5a3aaedc8e9dbb870d8d41e

SHA1
89da537e70bef03d0562700d2c4bff56219fcb14

SHA256
dc4c5bbe722c86f6c8050eb3d1b3e844e28e5086f021500ad71b4a0ea4f7d127

SHA512
a5997c11e679aa861f986917df03a759f57f1033cf6541ad7c794a6c09ccbb628afbbcc07d14aecc13d7d86d2c3d9a6a1d7345a93b8fe93f7713c96b97e944b7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5cddf7c4cc931170f9675404515ccad8

SHA1
6d42cb5b086bc4a26653a938c4ccb5e3b0593915

SHA256
1d81b7111fff801206224c40d6629ee218ea2941f6e89dd1c3aec64c0433aa81

SHA512
a88ca7f9c1e3b923c732fa65514ea11affbc34e57f19a826e1cb976c4447e83981c9110e7fd05644daaf9a081b3b1d15e2aef12108187b3a9277476139d9504a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d15d8a0838ab4839e3f07ac782412add

SHA1
3de16c9f6106843427702a6cbeb93bd3440466d4

SHA256
bcf6b4f55815b06e9c89950b9c2dbc8448f958b76ea97ca88dde00360bf53752

SHA512
e8bae20705a67e8a3a588a167e239a920900f1226f09a1881ca1e214c6410eb20008ea890c8ccf86f34b542adf591dc6ec081d2d007ba49d40817e04fcf25887

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f36001c9644820eed3d25f3f70eace0f

SHA1
26670eed77f6be1f91acc8a45a5ae3788c5dab75

SHA256
0a4565924c3e872d93a74d0eb79633202ddf920e4e994644eaa68a405054e48e

SHA512
b8b5ddd4b8a66e8cfca4f1f5de83cff5f6b6ac224c586b7252f74a13b4e2151d8cbc29e871e66494cb3171505ed891ce7ddb2f21c4413a1792ed5e5f452a8dfe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c57010ae570fd36c472ac651fba42957

SHA1
88683548bc309650a027bf1b5bc3c76996c0a662

SHA256
79327b04e53159a2ea2f682bdb07adfa4929a6015bb1ffd90a4ba521c226e15c

SHA512
be7ca186327cd11c9b5e790a1e6b1dfac648a2ce930c4ac6afc7525423a33fd2ec384a9dccc2d8dafd8310179cdafd519b004ba3f1bdfc2565b54aa4d3a7fabd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6462c7cb65d9e91b761299d0f7dd1466

SHA1
72f7ee8bb3333d0c225f9ee2c44842709284739d

SHA256
27eca6d0f32c0e486ee14d07e84a2611747fe8c3913e33421501946391ddfa10

SHA512
390c31a7cc535720a2ba845c98d279e0b66a19da712e844afdbc005380e9d27f0a033fc2620029264e21dae9349d70db1a6df35678d565649017f003602849f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e331366a64a006e17b5ebe63783289c1

SHA1
732331019caa5625945ed19281aeb14111334875

SHA256
4bcbbb0cf322ddaae25e9cb5886102f9ff6782b7d3ce3042666bd52951b63635

SHA512
4ec4d4ddbb1579f1cb33bb36cca10177c97c953d9162e9dd2d1a2ef28b5c3c65b142e4f7e722ad1f84b876531123a9c71fba035a129e5cf568a980ea5d8c9ea6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0883c6f28a24c79b88916c48b1204666

SHA1
8c26d497d7d5aa3345223117115d31c61a17dfa6

SHA256
527c3b4f3be8f7645a45903f968ed68bce46caded383128d5e654e276f06b062

SHA512
539b49c0b988b5be0ebb461d8688840d34ca5a34d393629e65a89f1107c3149b5f902aceee8b06930d0897759cf0956b98619f10ab94589a00ed9552c3093adb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
23330091829903948af84df16bb23637

SHA1
fc1aab54d94aa4bf889e9e16f3e9f0d7ba0257fc

SHA256
e374d032bbf560aa37536425bf1e51b077fb17839d2126504ea9a48a20c15d5c

SHA512
47ddddb26083bd73235cf3d3a0455954267705dd90eedfd3f4c8c49d76353018b3507f8b4c5f59e3f58b6b572cca832e1b575f820fc0cfe9d9c9ca7abdb0dc80

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12ce501e427dfe9e4b183e75e82aa435

SHA1
2f8db32dd9572fc5cfa3eaeae38e761d9f11dc30

SHA256
ed72547a748448ff4916ee42639b511c2901a6036a903dac555956fd1075d403

SHA512
000ca8367561f61b85302f6052b9e9e031d2c9c5c89d3ee70131bc3bed2d921f265aa91dda8d715f72fc035d6168916a2fede40504258d2ff9329e2f15bbb00b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
da90ee8df6f7d8dd68b63c880c1df95b

SHA1
c9d32f2061bd2d0a8e99a7183ca00fd7f88ea727

SHA256
d9c01571a621b8cb4d6af411896e308e95ddbbadc7f7b4662644bf8d489a1f71

SHA512
8033737b7eeb016aaa8ba6351a4643a71012e70dbe8d49b1ed0ccb0da6eaf333c92bd573130791db7086340747ecb5b1792804e49c97e1651caecfde6fbafc53

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
d693e1189c6bdff121260ec91a91cbb2

SHA1
9a86f406d13efb635ef431ddb6aa280c3b568189

SHA256
8ebff4545be92e7db554e0c765c12ca6dbaacea1dd86b17d897c2391bd7cd624

SHA512
9e3ccae1d2898bcae0b50bf332413ccafd93b3d66e3908471e15f848ddb79f252b8424b43b0e9b3f89dec5b1118955a57a269ee365c8462a84061c4749a3d169

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
3bc18f1e9cd4312fb2208df7dc23dde7

SHA1
0aeddb2c715d4f4d9bd64165f2a261eeb3591d09

SHA256
9ac7ab9386b78e3503b34513a55c1c6b84bbf2c4aa3bf574761a8cf7d8a711d2

SHA512
9e618a5d31f92b98112d7b4cdcd08fa9f18f2273da264272ebe7a38468cef9776d8689bce3cf3cc59c1a7908eb1661877bcf49b5a294c3bf7a1535e99f59b33f

Download Submit
memory/232-252-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/232-754-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/540-755-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/540-269-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/904-191-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1116-239-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1116-722-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1176-665-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1176-235-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1448-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1448-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1448-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1632-759-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2044-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2044-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2044-251-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2044-135-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-194-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2532-310-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2544-157-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2544-283-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2544-156-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2784-105-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2784-111-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2784-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2784-125-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2784-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2928-146-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2928-150-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2928-151-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2928-153-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2928-140-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3216-192-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3356-761-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3356-331-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3900-115-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3900-121-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3900-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3900-238-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4024-99-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4024-102-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4024-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4164-322-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4164-211-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4200-288-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4200-756-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4296-503-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4296-155-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4296-6-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/4296-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/4296-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4408-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4696-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4696-762-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4700-180-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4700-88-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4700-87-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4700-79-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4804-311-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4804-760-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download