f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
Size

1.8MB
MD5

a8cff43051538ea654874fe3d91106d5
SHA1

46e4990b61bf025f08f58eb606c3d5ed96c4e38a
SHA256

f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3
SHA512

c511697c8d79968e9c84c4253d166d58eb78e2c3ec5aa46f8b58174af4cdbcaca0b7edcf16fd9da2bb5d142f461d3c3de99e2737beb8cea597dc27dbce2406fa
SSDEEP

49152:cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAfaB0zj0yjoB2:cvbjVkjjCAzJrB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4048	alg.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
4524	fxssvc.exe
4652	elevation_service.exe
5052	elevation_service.exe
1192	maintenanceservice.exe
3388	msdtc.exe
2356	OSE.EXE
4948	PerceptionSimulationService.exe
2432	perfhost.exe
1728	locator.exe
2948	SensorDataService.exe
3000	snmptrap.exe
4640	spectrum.exe
3452	ssh-agent.exe
4268	TieringEngineService.exe
1596	AgentService.exe
4796	vds.exe
2732	vssvc.exe
1516	wbengine.exe
2500	WmiApSrv.exe
2856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\System32\vds.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\locator.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\efbed91aaa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_ja.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_tr.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_fil.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_bg.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_zh-CN.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_es.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_ca.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_fr.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_et.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33E1.tmp\goopdateres_sv.dll	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exef08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c65852bd7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca0dacbe7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000226ca0bb7799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000777dd2bb7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017e0d4bb7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e992a7bb7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089fe3bbe7799da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acc5b6ba7799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
2624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3960	f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
Token: SeAuditPrivilege	4524	fxssvc.exe
Token: SeRestorePrivilege	4268	TieringEngineService.exe
Token: SeManageVolumePrivilege	4268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1596	AgentService.exe
Token: SeBackupPrivilege	2732	vssvc.exe
Token: SeRestorePrivilege	2732	vssvc.exe
Token: SeAuditPrivilege	2732	vssvc.exe
Token: SeBackupPrivilege	1516	wbengine.exe
Token: SeRestorePrivilege	1516	wbengine.exe
Token: SeSecurityPrivilege	1516	wbengine.exe
Token: 33	2856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2856	SearchIndexer.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeDebugPrivilege	4048	alg.exe
Token: SeDebugPrivilege	2624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2856 wrote to memory of 3968	2856	SearchIndexer.exe	SearchProtocolHost.exe
PID 2856 wrote to memory of 3968	2856	SearchIndexer.exe	SearchProtocolHost.exe
PID 2856 wrote to memory of 4972	2856	SearchIndexer.exe	SearchFilterHost.exe
PID 2856 wrote to memory of 4972	2856	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe
"C:\Users\Admin\AppData\Local\Temp\f08c4d2b077ef0edd3dfdbcd6ad20e71800caf2eedc0f5ed67ed692edf6ffff3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1388

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3968

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2a8abf3c6170ad4eda4769b86ee2eda5

SHA1
cf7382c0fef8e968167519f1783c4193f6d30390

SHA256
7f317f55f12a004d18802ca87a7136f33de52f0e2e0ff5fcc33ae694c9a8e037

SHA512
53c19426ce32c41a86f1506be8bc0c57ddede4154f6458fbbfddca7a641dd733ace7b76750dfb36f1f15961fa4e6ed204a32141a664b296351145ca1400a1fa5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
7b297592759378d798290d928e6027cd

SHA1
81cbbc1d5f3702ed6afd1aeb95d1826123f546ca

SHA256
24f92cd0cfe2ce733d02a3cd3714e32284003d5d01769990795bab09c3a07f89

SHA512
d83ab2229c4812236ff5a9fc901abc330ef2f1892df1487415ea2d78f0a4ac85277341b5f571a6742325a5d43eb705b7afe92cc38d2b8207bf22337185716c7c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
961787490af0cbcf243ceb25d9f969c9

SHA1
117a0349701e47e208140f18af9a19d1a5eba238

SHA256
b357941eb4a05ed75384ff2cf553d4f8cbce3e29d24093475648dcb3a6c4b04d

SHA512
83f690d2ad89b5b04fb551bf1b8926901d7362bb0f4efaf72d2f05c1eaa1c091f9604447b4549c948421795cc6d3c1ac16358197184592b0899cea55793019c7

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bd6a77156f53550c8c675498a551af7b

SHA1
8644b8f051f7283a99996a570ca471c6b3c85e77

SHA256
39c0cb4e12790e1cabb74df9b3217e29ce5a57b831facdcf564d735e6fe61e17

SHA512
0b6288e4c12f80c40e8d64eb3bf2cab828813d1bd17651b61c24da918939049ee323a58f5634f29784adc8b06373a0098e4454483f51273ef094dc7a2c19d8a6

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4083f7a5e35fce229b4b177441736f01

SHA1
a791a4e790ffbae52def3a012632ecc07a9d61ad

SHA256
784499e4206d9616227bd3b352756477f878b27f15907b34f919186605833bb9

SHA512
e962b36f2a7f2979231057af946fe1603f94d06656ff8263b9397e65d054ebd4bf8407588ea460bd3206809c90ca804370b8cf8038eb1abe9b1706f70944f056

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
f67ce74c69498585e07a64cad8d0260a

SHA1
b71294d7061c254638abf0cb3e222149cceb6ea8

SHA256
42915a1aef703293d094be1f7e88ddd4c261b9b2a252402d1d4759b6c55fe809

SHA512
04500fd0407b8bceb5615ef08338e05713029649af9d7bbe43511c7d2b8d16289e4a9506a562c70e44582044a7ee31a72f5fbbe4270eff1f60a5378f1c445bd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
48f01d5b13bda6e7c8fc1bfa87c1bf9d

SHA1
0b1fb13c97cdf4a15c856dfb168bffd832fef9bb

SHA256
e7b54b7797f4b82271a7255580343caf9e303ecf90aed52a5ac35e59d9ca027b

SHA512
8a525af6bd50d19c94e7864307615d23d91bbc9b72435d7c726dc01e1eb14b92695b13a55068ad3dcdffcd4e94959dce4d50c7996fd41dd169af3fb062566fa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b4b272ccb3374cc728fe8bd532187d01

SHA1
44990d3c394eec18745addfded1246b9f1496fdc

SHA256
59d02c0c0951eeb51dc294a472f0e9cb5f6bf19d8ae6bf48045f9a5da599ab78

SHA512
a7a905b459fbcb7a913a844e3ae8a39a2062824c4349fabcf5d9ae411bc2650bc0c44e74222c213fd6dfe4d52bef4a76260b9d02c82d0515e359c42cba68571a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
0f98baaf38a41dc536c6765af5d2284d

SHA1
533c66c88ee24111aed7ea0721b9b4e93faf4c7e

SHA256
f36b6a33e585e9546b9e617ec6ea16718f9913bf0793dc9dffd1030ccf5030b7

SHA512
784924b92ffb0b7a5f5c491efbd924f934548b7280f449f0262adb11e7048aa3f787e315578a951b19addade1acfeff09d25ea541423a18c9143bb4052be0666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6bdc6b405b285b765cfe2d7c919b55a9

SHA1
b9f68c1d201f5503f24606bc252d4c98247336fa

SHA256
3b849320bf4a1829191f4105684f990ab8476ef1d03ad22d47703a5702e4b14d

SHA512
85a4bcf8c46c0c7a555bdbcf5d8fd18b5de81a2d715721a7bb3cc8f10cbded9c4076fbdc6ccf6ff25a8efb82cc44973823a82bf1857f094b9c21acef38840df5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8b6ba994e02b25bc56d6b6e5804cadad

SHA1
5691d54b878f6006c3d8517b0039cdd6aa20e04f

SHA256
5518f0b2670adb8dddc30d9101b2d03081b99d98b61048599362be15f4576440

SHA512
3a4567cf02881353a1d38c3beb1f042e6b656b7517ecd599177daa0893d2da5fb0ca62e3e137ac6c4e7f89505f2a202660ff01e59bd69afe47c18df39d896ee3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4e928cc9a964f016fef4f5ac6204845c

SHA1
f9764dde48b7c1acb654fa1a2fce0a092256b3a1

SHA256
3da9299209dc729d1d3d711db3a3e5504907cce5364f40da3d354bcc58c19cc5

SHA512
a44be3619941a79a3bb86d93577c7963d7acd5d79e7ddd84f4b2c1d05cd556ed7751527c97bfac2f7f6e3ed795fcc1e188702d21e2194f4fc116cc59031cd16a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
32c9de6b4a17710c42b24c43fbec95bd

SHA1
1b16b2511472c0dcbf885e99bd579162918aab29

SHA256
5510d80760e108d0029af4d64e55d0dce83a03bb8062ff99f9e5ba7a32ee42c1

SHA512
e32f248560335dc2b8fd2b9142d4dd769f27fd0f3d6c5ffb1dbe77431be941958d23fdf7aabc0ddf561f1bef892882f283626211ae692951dada5f903c15433c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
0b51fe7fd0dca11ca8a9d1ac2ff7c8b6

SHA1
408550dfbc81148a9d7fba50095688f1f4eae24c

SHA256
2c47773b2cfa2e5cf24024b25ee7d3458dc83915ac9bb32d18f6521f4f28fa3c

SHA512
5ad171dea51123078f72f4a67295d8f6ec91445a4eed041be2f427f4209f9c8a4e93d3171685fa0481981b0037340115eed2bbe246cfe2218ca60da40f53e3de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
4bd1c0b890ee7078f69e9a986a4eee8e

SHA1
4dfc9906c7a31900551e37bc7d84ea3f61190616

SHA256
33f8f1174f7c68e22e78905c471dd4587ed342e8f0fbce2962024f05d122abfd

SHA512
d0a7e4fa4a1732fdfc715b27a43156c446ce32c38b332b707df0c3250b7b5cdf7b6a58de17d6420cb432b214db5be45478308fa78a1fc4b8a409487223774b94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
f9312759f19203a21684c87c574d766e

SHA1
208a9a30890f297cf247beae10bc370d1a1756df

SHA256
58a6e0bb6b70727500531e5978ce4ec9f4e58d53ea2cf553aa984fba3ec667f2

SHA512
1b016703579cba981addbe737c4e24165e1e151ff133a0d29e1c51d5da5109686a46b53d46eaf5419bf0f8deb1113122265cf64474ebbf3be9a2f887e109fdfc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
3a2efa6bf15c601553ff9bd4f9ae9574

SHA1
f1d996cb680b68ede16e653de1b41946014ef117

SHA256
eda1c201920289148591a8395fafc0ac04be1898022e2a428f52fc8ccc3343a6

SHA512
1bef00ecaf9ee9a2367650883a86bbca9dabea70a84881d9eb43c85bf4c5edbaac956ae664b96ff8b6b8efeb06019960c5d4a7017130acfc7d33953a6179b18f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
a9bfe3adffa7d9547ac2f9b22587a779

SHA1
6bf8553bb703f044ab6854c51511540820c7b925

SHA256
bfb6f068dede1d58a7e5fd706e23a712e3ec4fc91a86044f89bf06672dabc014

SHA512
a14efc21ea31f9a40b78153bbcc1b408d7b8a5cabeae7b31f3a01859266589355687cf1d6c764e3eb8ce3e5d6a231b84dc58bcae70a42d4a36010d4c8b8238d8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
fd18e7bcee120357c6d1a96eb2b61aee

SHA1
72c7c9472b637b47b525cbccb9f329336ef9f779

SHA256
985de25ae9b0f41232948655f092e6452b0cd1f289c504e779f65063f0e7fe68

SHA512
88bb606f809f12c01037655bc42676edd44c8e1a8dc33e8161800127473ed123636bf40a327193976538db6b867059b93f0a22436407b39b8f5eacd500a58c96

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
0e5bd546f331bfa9aa99c2f491db79bc

SHA1
9bb10864d6ab30f3bbfdf9c016315bff45f0d792

SHA256
cbd11d6de5eb335161c4dfbc05b68b9beebcc0921bd2fb39b805559499686f99

SHA512
41f728f5d30bd11640c10fea34cddc77682fdb8c01f1cf068243e96e1e1a06180e217b369892d4ded961f36121167b3c859e654c3e09cff105145a6dac380fad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
dc4a02b2ea3bcb9f376369a21d699d0b

SHA1
89caf7111d6b1ac58a59b5619d28dc1fae9301ef

SHA256
486405c1543fb5dad0e7b15b831d736d201e78b02e48399883aae73a45cb2ed2

SHA512
61a68340649db03a60d89f809d7f4a547a9b6af564ab8ac4820e89ef160c29cd518439d84d6949042111b1f5a30adf3cb283848379e184a30b011e497f5fa0d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
8eb68c477e5a67135cff01f19702c276

SHA1
d99c92cd72b1f2dfe0ed2db408835a4d2f3e9f97

SHA256
2a59b96c9c087632667eff1e451bb6884232087538b0797aa1d04a440df761b0

SHA512
845a4ec3a933dad84cdb1817b8a06514f9d9992b376ec14778f4ae6e7d27d7848a40c6d843c62ac0445af0266e5368f6b177eedc233068e6c23aa225596941d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
b6e2ac165ed740b10e80c2e663d6bc66

SHA1
10ddad342398921fb101a3abf67bdf4b756755b6

SHA256
7f0cdc611d4965b804750bad6e1f0f0d63fa3d427faee5fa2c78a778d644cc82

SHA512
45789d7613886fbd60b8de01bdc864ad5d5c491fb0548c669fb5b33c967df1777ede6654ff9f88bb97948a8bd901fe9bd5d72c99da310e5888259ec0010f3354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
00d7bd12b73b74abb2c8e238f6e86f6e

SHA1
0e2bc422c942eb60b3110f6ca81b56f17249d0c1

SHA256
2fcf030c28d6cc332347eb9726623d00ad78dc33d80487a4066fc34a75dacb28

SHA512
380ed29f9c4adb1ec1835a1acd6d63233fe35a77896e1d32b1ec5b8e30ee93eb18bfaecdb63ca1a2afcd8ce5b331e785b161dcd87c968573423defe7d87b3b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
5293ce68de994f7c3ecfdec758a5598e

SHA1
86bace740dd0ba79552ad4e84d948678341c0568

SHA256
a799e83baa0cc6957a06c460e38b05c5778fbdd4dba7659796eda2f95eba540a

SHA512
254b13fe43a5e82a9d8058ae173238217fc581c12426dadd35084850f5f713acda2af1e2a153cf12039e1b869debb0059b29858f75ec795fc0c2b6e94b57244d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
a018eb0db92762a2a147ce8f5cb1e1bd

SHA1
9e1bc789cdf0349c7c4a61baf8b6b5741ab7f179

SHA256
09df14764b8081d31c105acd3b83c0ec5bbd6a6ed15b24eea82843cd15adc39f

SHA512
0816775fab864aa9d0fd71e2f86fc96530238908c18352c863dfd68943873c40e0319aa84d84b9e528fa9887dd840ea3f7a6c3fd855634c60b99f979eb4bd9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
6fbc0b593efe205b42b8c530cbd96981

SHA1
86d28fa2fea39fa3220be3f165a3510add39aa0e

SHA256
ea91fe830b020d62e52f97f7a2452c94beef962245b5319a5a1589644d1e8619

SHA512
3fb04a5c4ab9837400a8cd1b0cf7c3318ce1533ad9007eaa922d2f828a1b336d3bc83d00f19dbcd1a7c6ab7142f05c10c63221cb3b03237203ce7987abfd96ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
17d2f70b4de38f2d3a2ca4dc6aa542c6

SHA1
f5c639ab5c077b361513ca171bd23b742b42d625

SHA256
9ccf1bfc223f92c1f6be865cfa2e78870637b00f16880c897366c85aa5e20cc7

SHA512
2dd62698d0b06532e66be44ca1e43834ef4d2e9bc5fc160ff41c1c106292e9da442c55a21f9df64a4747e49e7d5ba2163f5c66f095483e046a9d7344778dab65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
e1ca5f3f4afd75319a83a7add06761fd

SHA1
69cc4c2f6df6a8ac94af84fecdb74d65a30d4cdc

SHA256
6f81fc2d144931611d6f530816842c509fa9b375e937815dfaa80055f0afb0dd

SHA512
d6f6eb13f4b4cc6f54deed91ab2e90321eb23f2a30140e26f4161701641a7a5d3fd63d70eab5878c2337346088f66284b0e04b09eefdcf3640f54da72a320a36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
fd46b52ce133c12812e3d98fb2c37fcf

SHA1
fbde5abd8d677703b3c257c04d5a8856d27209be

SHA256
7a50d4e5b19a92a8903482c905053f40776dba45ffd50f679c5f016b6a4ac2d2

SHA512
5e11c51b0ad83957dca71186d1929954a83f3666d4a41cfb375deff471fa246c5b5e509a24839d247cd886bbf837b1d44f8ff24b0072644c1fe0de2e138c0eb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
194df9a9a0c04d6fec7c0b87c35b2618

SHA1
357944b46eb49b0b7fb5b699d6f46aea871bdcca

SHA256
40fe68a9b6ce79e7292aac68ab5f4c788dc3c677cf844e833deb2cf89fc69bb7

SHA512
fd54ab42bb9e9f7661b0c308c6de6db02effedff13e364937074493ceb15e6bc170539aa817fe615fbfe6a210d05c82dfee34cd859fe2bbad14f3d49901f8b3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
abc10c40e8e6beb6b13bd3a607dadc32

SHA1
f51dc6d9072172e2cda56061fe98cedabee504dd

SHA256
3a652e713ae807cc16bbc2383f73912b5b72a30c141951fa326ac2287e0a5078

SHA512
01c5a67c7689ca387c792f7648e418567716c18b18c85cd99a3ff3f81174463ddff2692145df6f2a8954d9228e2d95350f616f1013981e849931553940042188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
4549aec355dbb331b038c3c37dcacfdf

SHA1
6b844781ea53e1395f7807f838c678acaa810e5e

SHA256
14022b75f90848b190db55fb7d450bda0aeb6de4e72c887fdf6691de01839dda

SHA512
f89a0b1f2f05dfbe4c255b63c51ffcc07b9b716bd5d17cae08ff748ad974973679423fe40db196328542c87c09b6f508638aea87c2555b0f5eeb80bbb870a3dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
db5fe9ae290e1d0b507e2f716da32e9d

SHA1
ae8247cf67fdafa798c6c5300f4e4a6ce3fbd020

SHA256
c99478c2da6baefdf86f79915c32f5acb4578418bf3d4efe1b377fdffdac67b6

SHA512
cec745830543bbbde19292bc07a71567a80adb29326451918e6f39ef1fd5bc7fdd2f7792d748790f39e2ecd2cd4fc23926f18503db22ee4b37100297937d39b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
3c962792e95db6a5893fd97e118df649

SHA1
98f0fc4e260dcefac942b7c67048445ae46dc2e3

SHA256
b5b9d14a33cda92319f9c00ab00a34cd631bfd78e454ef822cee0368718ea5ac

SHA512
fa96bd8ef966bc8f9597a3dbf15c95edce1772165b677e677631d5e24eeeca49ac165e8be60107528b2fa06c6cdfa7de0027b68b2b43d9d0f63232f4e428d36f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
9eb878c3735d9c4faeec243d594c7b31

SHA1
7d4af2c737b4330087d2f0857555eafb064aede4

SHA256
9b349a111dd403d64fdd9d4408bb36f240f3673a3e95003d4ed81a45988ddd1e

SHA512
b6cd2ed4455266f13e8f7fd6b28995ee5cb6430767fc57d3c4f016a6329415024b0e6d70437ffbc0f86ed3ffb26f933ee38b9edaaa489df79b3778d3b8e070fa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
5c4f36877d09865328fbfb64d94b4ea3

SHA1
c93d0aa72a46a33d0391c4692d4590b67b73c2e6

SHA256
d5816f96b5be0b517989fbb8a39288f90e4f9e39ac9e7de77791c3aa2ffe671d

SHA512
fdebd13e9ddd73fe1cf00606ec033b837f73ea2f994bc91ce27e0a1dbcab6ba58b6bca2b8576e2d7260f0c4657d12ef603b56934d21628c50adf87361f6ad87f

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
75adfc8845d862b942b0e1eb8eff7bc3

SHA1
e611009b6484789c62a7bfdacc820f8d702dcdc0

SHA256
d54199c8c03223f20c5d920696c042110d5432f845c3c0730899d99d169fbd85

SHA512
0a6541d97c5dad04c17eb3f5563e1a4ba539c58aacdf67cc284b3f95624f977a9200b8ac30a07fa9e0a2d70ccd18654c68e1a5ef34a15498f4ed9eb29398c4c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
c3538e9817a1c6587c51d830e95e42d4

SHA1
0f9945bf51c074a5be68001b1cc68489b99b9172

SHA256
52f385b70a7842a664507a6228fe64e9b81a7f71c38e8b72373b40a071ad8ee0

SHA512
8d360fada0cec79d621576e00306a5aa39afa2b817513d270ac99f32f8547df26d3666dfa6ac4e6dfa7f1b620f93c69bc66497ba3f5e60891454e27c6f4f276a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e758c630d9d317a2ae0de4f801bbe722

SHA1
eb87574fbe84811956825bf737da08b313bc5ea3

SHA256
7425d96bff2601f073e2d1a6a018cadfcdfa729f0c8b1f7e5350721789277552

SHA512
e5a25d0802be4f2c6201bc79debef4cba8219221d49b7779fcd50c5dacf81b478cf6a25f8cd54afb3e0b93c015fcfd8f282b3f68eafd0c18ec475ed6afe297e4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
fdc64aa8ff5197c5ada4e620fad2c407

SHA1
8581275e7a922384569aa091052aae269ff6b28e

SHA256
adf3f275b0f3df1dd4b213a81364ad0baa35d8aed2d20520479a7f26fee4963e

SHA512
5cfc7594f1775c62383c29233d84e6ddc64f3122c4e1766536e23c82bf0628df57eec90216295b93653a579525713263c75f5ed14460a8dcab80a6e47b47c588

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5b7a99b73aed548d160518c5c284a311

SHA1
5f9eb6d477cb49bc9d6b8137fb79f2e9f7cce3ed

SHA256
7caa0fff49b727d14ee964219de4eee6cef66fa384bea9cf4efec5d9f01dace2

SHA512
4736209b7eacb9ab1658dbf95de9ed67db32bb3ab8e14c3e85398b5d089f0d0659c94dd7b46dd043c9c100e47b92122415d0d2b8d72f531391ae85f88995199f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
4db07ffe3e123404e185f25434f765cd

SHA1
71f1fd98efab658ef449a91321820e20b09118a7

SHA256
3d4c5006faeb98cf33cbf54a9e47bfc2a65da72f635a722699eb71468aba52a3

SHA512
bc23adee6ad931df31164b7d60a8f342e572bb6334780129c294811bbcc67ac6da2ae88b1986e567541390b66a7d421c4843211996563eade6bda2b5b584ba49

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
b1160b199b22917341c31de63f7f7fc2

SHA1
dc598c0e34b2108b00e3c40b128a6a7a6c98740e

SHA256
42e8c0e49906bd6edc343b1107630cfd900e957e34ae430c0f42c07fd21e0097

SHA512
7b542e7469824f11a76f297bbc53786e779f1452fbadb603ae02f79dada4d67027665dc1ec7d239874b92361d6b1b5bcbb72cf3a47e323f0740db55411c066b4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
aa5728d62ca76ba9090ce097bc91a58b

SHA1
be5d0157a1055cfb60f00fa7d3facf95e64da21e

SHA256
5c53ab242c428af4f35b53e3ec54b50f98a697ab96013c564c450a281a2a4842

SHA512
c12c71d9193a7100e65b521f86daa218a7ead3ac5f21af1979c7b4c2abde32b9832b17ef638dd91fb8a5bc60d1aead4df4cbc3b659cf3d194fed2f05633270a5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
827ac26348c14f60907c1526f761e5c9

SHA1
9092fb8cf589292421ba24bb396f9480d9025a1a

SHA256
7408ab9dff3ebc7c5bb089ea860948cbe6c1c15e4f78b32b86ed479a936bf7d9

SHA512
1592b7e8e101aec0ce47b57447de01b1b6d32616b384733285238b9e57e71f7416eb66f05087e629b349f873862780c2e9019220aa1976e704794f737d0d17ce

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6552f0a34d0f875e56f52e3391511423

SHA1
2e9206ea56a7465c2df1380c370ba539a38a85cf

SHA256
91e0f559fe8622ff2f5829ef1a832f2b456f17c4e8b1ee637128a94a9f7e15ca

SHA512
5c64b7dfe498bc51544b98dda823bcf2f4ad9bf5db8efd1c82f475ff996f9ea472425b4b3730117639ac8bfe5a360bc0d63d604ac29a1db26d58f6dad9e4a559

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
623580b583bb93a92d113c654c44d782

SHA1
860ed5b8b3894c7ed49a21ecb177b4b115ad0a00

SHA256
bb4063d620464237e080c098c864fcbc05fe432a6f024202c20744a3ba17f723

SHA512
92b2e8c66c9758cd14e9cabe6731ddb10cd4c8e907e89d147ba39efb2b5f62009855c8aa13bf16640bca6dd8597a1eb6c82fde174af007db51d33df5fc17bf02

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
ddc959e433b71c5fe36f28776f3ffc21

SHA1
48a82652ebeaa7e46d3f32a9050b1df5ba43c380

SHA256
d86c3b012365031c4632f8c7b89d8a849dcbecb6d2b2078d76a474910dc4b6c9

SHA512
c9f18a092196f6381d21fa42a24613c513ede0028e00b5d10f3fdd1ee369b1bffb35f8af77b870fe0b3dabf9119fa8d030fa222980c4d87b80d49f1ea1fb83b1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8213da1898302f3a2c66dfd4c0b32e86

SHA1
1d30d2feaf87583917a66f9b40288edaa91be707

SHA256
7f3304a4e08c6c825f0c91b00369a4bf4e3d07f7921341defb33db5e05e33aab

SHA512
6d95da2f9a742f7f9f5008160be5b110a5fcba74f63a99170090e337b2aac2542ebe61c4d4720c1eed681974f304dcac555791e50d3dcdb23c8b1191bc11eac6

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
fbcbab939ec572b538e5c4cb3c027712

SHA1
64507375de394a680b26f0dccb6c3502000717c2

SHA256
44e0a54b1bf14610041f0a5df3aea804be339e573d71a316db85b2ff64db499f

SHA512
e8603fa35bf754155e5858cab4f6387d61f4e5b322e6186c40caee4496767993072154425a47f72af808a1360d00ac3a2179de12cb40a912c26758494aeaa34b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
d2836a75174f124d5c1f7139389b3e4e

SHA1
d593289987c60ee1ba6431ac273c9c914c7190fa

SHA256
2ff3152d4f6db28ec564610b7072b6b89181d336ee2b8e40b9400d28d8749076

SHA512
c1d2e81012986d0130ad562e608d4e389b4a9633ecd710209279d640bd62c096e33a9e6939cfb761c611a7f5260988565419d248960512c80be628cc62f74f42

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
99eabaa96215c04a11ed8af32572eba4

SHA1
6fa8c0de1f200b9cf39dff21aae703951beeadba

SHA256
ad60120b8a1a0a9c5d9b4ebe36950656fccad1f14c23abd76e4343d39ea481e3

SHA512
931d1d293667e594597a9c7b38a298a4859622ce7410f0b212226ea5256fcb83d5ad0d1939993659aea21172c790db5844b729011852144573137b6b26c8d7b1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3a6588544ec49f2917758957196a9938

SHA1
350821f5849752b48bf3948e02f3328193b022e6

SHA256
4195ac75e05eff41deba06ebcb57da10234beb5927e86db31d4a4b428bc6a874

SHA512
b2278715515664b3ab0fbbbeabe6295657127a57bba3d694314a8504f8de7eaf7809118d419dd4b18025e295367e2aca3a1d235d58656c884832590d8c46aba9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
80c51c3467afe7a5d39150e7ded65670

SHA1
d4552853d09b7005e642185b8efac6411804f2c4

SHA256
7e030c667ed62d95034b82d0eb36e19e645b55060d90cf946de0f6cd9b957e80

SHA512
89f98ff27036060db6b7b7e274d95237390f83eca35b0ad7a25900b550aad901489eac4a353deb9e23033d9dd8de9aca76fec1ed78f781f5b2b724db8a3b9f52

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6d1d486e9b50733633c09c17dbb031ca

SHA1
7795f55d19c2b25edf5d7c7da47f2ec56499cbf1

SHA256
c3d4c1e370aea07ccf1d6e083e80de7fae52da8e15b88049ba1495c10a1c9c60

SHA512
5435712586926cd52715e0353a48ed17c1ebc32b216b7439c0ab8f8818303c5a9939a5daeaf46110ba4f76649934b6e376cf073823c3e2257f6af1f76bbd5f81

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
def2290f88abb40b996cc1392bb7d911

SHA1
3f6502889c9abc47b9d16d18435406ab3e391844

SHA256
c471cc6b96d8900275fac12d895596ae3a999f0012e534e0fe75945fc054bcb1

SHA512
196166110a83921343fbb14503c870236d3489c4fca679d55f13edd65175f261cfcef54b1a711babac02382bdff17ada700c31b19382158e99eca6b453f0fafc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
c999ffdaef32e34eaa08c907cd04fa09

SHA1
6da47a4389f70f630538b8701526bf7097966d04

SHA256
9d69a94e4557e837b322d8f735062f245c7ced81c039909eba7f7fedf166739e

SHA512
dc0b4a6a0421984e41659e154311cfc4e54954c4e0053774c3a865248da23db52d37e12a767b23b1b9961381dcc99c0f85854aaaf5e7511e3450a7836221077e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
50347416aa4f7611c625e539fbc9c5d2

SHA1
1891e807e87141e97b59adf8422f8254945a9cdd

SHA256
568a24905fcec0cf7c0e6d4b5b6b374a474fee93909d8af7f98b22cde649d92d

SHA512
9240629e3d7b605b4884c092bd7d67189fac38e4e45139e41a55a2373cf8c5a44faab5fdf4393d9112a330b559dd1cd3c3060b95cb7bdaff626516ce0dcacfd5

Download Submit
memory/1192-143-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1192-149-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1192-155-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1192-153-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1192-151-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-784-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1516-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1596-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1596-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1728-201-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1728-321-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2356-285-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2356-180-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2432-309-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2432-198-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2500-322-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2500-785-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2624-103-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2624-94-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2624-102-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2624-186-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2732-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2732-783-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2856-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2856-786-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2948-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-644-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3000-224-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3000-620-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3388-167-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3388-158-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3452-778-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3452-249-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3960-166-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3960-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/3960-8-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/3960-485-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3960-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4048-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4048-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4048-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4048-185-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4268-266-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4268-779-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4524-118-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4524-115-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4524-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4524-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4524-108-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4640-236-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4640-703-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4652-127-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4652-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4652-129-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4652-120-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4796-780-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4796-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-187-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4948-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/5052-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download