78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
Size

1.8MB
MD5

08a92a7a46516fbf04e012171f395850
SHA1

1f4580a78ce4c233433a5f2ec9fe4f0b70fb692d
SHA256

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68
SHA512

338394cbb01cca296ced1ce6ea386cbb8980e956f5558b6989607a89d57e89bba71cea40022e41727d0a42b2ee5d8f2753ba9f7e48dcd36efc57235a6e05e9c2
SSDEEP

49152:tKJ0WR7AFPyyiSruXKpk3WFDL9zxnS8UyuFlIAFQmd8WU:tKlBAFPydSS6W6X9lnjUyuFC4Qmd1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3108	alg.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
2188	fxssvc.exe
2480	elevation_service.exe
3252	elevation_service.exe
1084	maintenanceservice.exe
2292	msdtc.exe
3800	OSE.EXE
3764	PerceptionSimulationService.exe
4032	perfhost.exe
4740	locator.exe
4440	SensorDataService.exe
4044	snmptrap.exe
3492	spectrum.exe
112	ssh-agent.exe
1584	TieringEngineService.exe
2328	AgentService.exe
3224	vds.exe
2168	vssvc.exe
1608	wbengine.exe
4156	WmiApSrv.exe
4172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\msiexec.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\AgentService.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\spectrum.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e6ee282c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\vds.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\vssvc.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\msdtc.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\wbengine.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exealg.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43EE.tmp\GoogleUpdate.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43EE.tmp\goopdateres_is.dll	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43EE.tmp\goopdateres_et.dll	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT43EF.tmp	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM43EE.tmp\goopdateres_fa.dll	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe

Drops file in Windows directory 4 IoCs

Processes:

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079f91ab1b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a6d4fb1b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000213435b1b9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061096cb1b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000656b8b1b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a26a6b0b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc7957b0b9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e69537b1b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035b552b0b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
3824	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4824	78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
Token: SeAuditPrivilege	2188	fxssvc.exe
Token: SeRestorePrivilege	1584	TieringEngineService.exe
Token: SeManageVolumePrivilege	1584	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2328	AgentService.exe
Token: SeBackupPrivilege	2168	vssvc.exe
Token: SeRestorePrivilege	2168	vssvc.exe
Token: SeAuditPrivilege	2168	vssvc.exe
Token: SeBackupPrivilege	1608	wbengine.exe
Token: SeRestorePrivilege	1608	wbengine.exe
Token: SeSecurityPrivilege	1608	wbengine.exe
Token: 33	4172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4172	SearchIndexer.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3824	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4172 wrote to memory of 1132	4172	SearchIndexer.exe	SearchProtocolHost.exe
PID 4172 wrote to memory of 1132	4172	SearchIndexer.exe	SearchProtocolHost.exe
PID 4172 wrote to memory of 1340	4172	SearchIndexer.exe	SearchFilterHost.exe
PID 4172 wrote to memory of 1340	4172	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe
"C:\Users\Admin\AppData\Local\Temp\78c4fd8fb8955896edc5b7acfedb4fa1537474f0ee782b90b9641bbf25e0da68.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1132

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7a4d7e91973ee826f113b47075c40fe1

SHA1
d520451c2ff64143fd4d4608db1506df38927426

SHA256
f23b372ce84b76bd624f2cbecd1144310ba310f4639408406ad56686680688b3

SHA512
ad0a8e004174307e6881a7c243b9101893ad21d8a478b5972357b91e15f30258cf51495be47a27d2e4abd4ec124c2d105ce0edfde8391ff1b82b173c2aea79bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0700ee20517fdc015050373e989d0c06

SHA1
737c32f19d838e11a4f3dbb1b6b08fb22a7e2ffc

SHA256
8cfadb38a0822f82c0e90e741d9ecd6c8094eaa7ec133d368acdb2a211722efd

SHA512
502909db6c25166c9dec06d0df2a543769486faf255a78c8bc3ee41c4d7193cb96067c7c116982886a4a8c3f09ba560c537bf0921982a02b963023b935f11c5b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e610770bb314179be549645d7d22d664

SHA1
9463fac36995312d7776e1241b458a69eb789b50

SHA256
de861ce2c97d83d7931123e709626220854311530bba64a177349479db699725

SHA512
e24ab490506a7134123430651991b4aaac699f6fcb218661560799c47f235b748beab7bd78ee9c243a9be320f31afd5d2294cfb18d64a74b08f66761cd33496a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e746c91fbbccaec18060d554c6170b68

SHA1
94e054d05e25b39e0cfc1379f5630c5943e6dd9e

SHA256
e6e33e0957fc7cfa442a8afcb234924a4b8ee4d1cfacb65f9f81b330b1e7a2cd

SHA512
1c927af7e46255f5bf94d98688e15fbde1ccfebd5a1dacc33c0fef807ab9410a7b22b42c1a9c40287c042f2621a27eeb4fc777c6dd1b0f297159e48169044d1d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
de5daae093c220d9fec9c83799a6d23d

SHA1
8d618fbf38f6485256b5c25e6b59463f9d74a94e

SHA256
d473ee00de330e191689369b6f50793a94f71dc2a17eb910b91446002efeb709

SHA512
60789cc5128346fb3f7d45b79196ec682def7b6ca458dd741166164e19a4545ef052cc80eef063bbffbfbe3146317408c4f433791caaf37ef3ddc547c67f7bee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
ce0158ff9ef7fdad84f083b26f41aa96

SHA1
dda8b47b4b107b9f409d37c79dff12a62f6a703c

SHA256
4c4c0986a4237f0a7c19684d898fbf6b16639aada355563439622a29be0635c6

SHA512
554d81a351bdb31e6d88c7bdbfd16298ae183f8c1a3640b80d34463bdc6fd7655f138040afc09ffabf0f1aea41aaf8184fbacccbe1470e3b594783b4c4e1610d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b42bdc37e164c3f4dd75a15fa490b6ae

SHA1
17f4ea33e4b226b468f36639dff969f97a76be97

SHA256
ef25be5c21c692207a5f1f86667d1dce1efdf739899fd154b4e76debc74c263a

SHA512
f5e836c7a9bbb21f8dee481b14d0abc7f8508f627001cf10fec6ee1fc2e32894f8245646ba5051bcaf9ef17c4daaf7ddbd3cf840c55fb096f5c77428cc51504c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d006388273aa72fed6b62514a5d768d5

SHA1
2dc54cda529a24758cfd57e1cb0a66f4d818f897

SHA256
09d0cb974de37e640af92352f05d39967e0d50d5837987a693662917f86db968

SHA512
6f36ee441bb81a82ad49f35acf5862264c54ef427193a6b5978ffb5a5840b07fb49c426e32231a8e1c7124ca6e9b28debc26140a5ad036246891a9d6d8b324ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
1f43106e6a0b0a7def0036c73bed907f

SHA1
a50dca57c657e785da0b6d11c3d9e87a7da7fda1

SHA256
bfd82652ea288324c2ca4b783b7d02485087c11f943f853008d97ccc5b7ee336

SHA512
38a626fe33eb0e67bbd124d15a4993e12bacd6c4d992e0df893c4c38c2c44d8b644ee467e37e6d871da50999de633e328b7f89ed50033ff5e6c4b6a5f9a36e80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ede744bdadfa3fa0fc0ea67f665b985b

SHA1
2267768ef6bb1df2eb5290e7889f1c3c049287a7

SHA256
d9f82e9830b1a669a908876ef0cf2264c90f100bf50685c45e235d550ba6e8ec

SHA512
f63c03c51478ad53129769f34d8e07a095f897c3f56b93a7ce67db13464052cdccd7d1612e53cdf8e6a6144c75382d2713b3d2ef9aa125895ac81d64c8b273e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9ea7905ea9aaa2854e5526e3877538d1

SHA1
fedfe61f9edbda4f18361e72de1ad21b01e48d91

SHA256
e9449e7cb4bef5f3676b9bcd0460a782cb71727bc73c0b7add9bf5568128d897

SHA512
93d1199fcc9c73153bb88a79500e2bf72710c1f17ea445523e041330283f6ebaf6533b02f0ec541b9396d729bce6b4629c6219d19def384426a417ac5ad94f83

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
83e1437ee720b2e6119c96036e7296e2

SHA1
519f6175352015ff00f3f7586da21571a19851b9

SHA256
6ff5ee1b3bb17077d04aea2f1e9e05e54e453f968acfc3564cede751564a1593

SHA512
0b3b1beadf46b7058b2d20a65151140998006142a8789fd30fa859e9894da9bd572794e5e307dab310dc27a1dc9bb35db49d447f7c29832b59c98d0e2166b5a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
819446d329bea7839c27aa62c6e69621

SHA1
bd685b42a471d38b8b09f0a6d27d64d1d9cf19c1

SHA256
f4a1aeee406b874e0f86a524a29d891c3036c51f988787fbb358cdaa54865d1e

SHA512
7ada33292e89da23199093d223f1e83891450a43b830e461a6e52b27dfb286d7af007459b2e14a45a3e88a651f7f84a2dd1638e6fe6a872d20cb7fbc7ed4ed47

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
db7edf10922773090f10910c3ffaae57

SHA1
a35216abcac163306f7676f05f212f6a7d866725

SHA256
efb6ad688763b7acb25cc0fb3f41cff7a6396080f68721301bc22d7614df3ce0

SHA512
f8e5917bdc475ab790679945a2ce4cc2ea33a0071305a1b8a970913b225e35f2154609efe7d67950b11c3cc28e731bc02518adbfedb8de94d029ae6a532090a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
bbf7e282c3de8c2e752fa65782e47188

SHA1
cb162d16d82940765caab2ad7adda4c8e0292f3e

SHA256
dbbbdcef9fe5684a7abaa88ec4c8463c854b8361c106e60f164e0d98b64bf1ee

SHA512
bb661e83cec30660db540d56ec7884ae6d7a9cdd2239941675e7b341398bdf71acc3a95b6efecde94a112cb0b0911c08476baf7ebc43e2300f6dba66ba66748c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
1e9b45b14086f8fc18d12712ebfdc734

SHA1
705a5bc6b17b718131c379e5a908bfafa9d3ac5d

SHA256
7e8b0d7edc65cd009281f72c122844f3501e9035bf512cfcc3ad9f1327510374

SHA512
1003081fab46e65ae867c8c17eb9c79eab1da15ebf285efd453529d0a2d70dfbe33c18312dad56e9e5e172c2c1c16517a58372313e38ba76afbba9caae922553

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
dd418d9c60f3053a496bccc61cf4c248

SHA1
f414436919762479b3e8b7e5b3c370479f52ea73

SHA256
497ad3a8bc62afbd26d0ddbab0609cecb1820bd890bfbf3ce88a2d984ea5077c

SHA512
f7c80d7d7faaf69eb13676fc5623400107bad25bd20e887ae4cec852f2f5f33eb213a6f4908a7dbb2fe4920507219df6895cfb4bc3edac8fbd2d345bcf851d1c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
0dfc66f1450cf207a60a68243c95d7e2

SHA1
2e63200667556e9c665196690687b39b93a22ead

SHA256
f896b75007a7ea8c87cd2e8ea5cffc8043e9a942137c3b8179d903aee5adcad8

SHA512
0eceef2917788bdd45ad0b2cdfa4bd12d36bd6522063243b5733c09763327d90486442d219e0eef0e9a7a3f46912b361620f5c705b9298bc7d51641896bd8c1c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
426b49e18a8b3be196de748f10dac31d

SHA1
bf56d55ab449ea0bd3129fd69c59ccc5a46a737f

SHA256
d4e448b0bde06f5bfdc08d409335cf518973ea287af2ebc3c6e55e1f12cfeb97

SHA512
52c51632e8eb44d36acf2e839d8e75b04716079a52171348fb263b3bf4a09f0a6c039fe51e4fef42c7da92d401af37bdb9d9852d354f0ff2d5ca5ad6e89403d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1e45b1dcd51d46f759642b0fd69ef9d1

SHA1
1131cf7862c4ba8b121898d9ed92d17c2e27a8b5

SHA256
8bae3c3630c25993a162e28a02f96c2bc9054a8c31ca6194c3ec0ae08e8edc1b

SHA512
5fcf1a211c99b27431e7a3816061e4712224d3bbdf37f237ff7da3b0d4da7f0f7fadfe84876691d66900fd6b27fe50993fd01e8521549e03067a5e24edd2239f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
2a4a3dea844e1cb45ab15f1e56c96b62

SHA1
9b823cf1b8b49dfd0b83997c71340ae6b1f73095

SHA256
668969f340d91bc846eabd4ea6b95125562f3052ea0a03fe8cacf9486546c24e

SHA512
8c461113856196396337c148625dfbd0f0a7cce9c9c785627984554c56fda0df8dc9ef37a35c3d105b27d6057c6031ae38458ce4eabfc5a855a22ced4af92b3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
88ca107809fdf8f2e431e10317be8e85

SHA1
1c3ad94fb317dfa12905787e270efa35a7268c69

SHA256
b2517ffc511dc671818c51e54a06404791ef15f55595961913f4dae48a553fbd

SHA512
25dd7945b673d6fcbf0e4a7f00782434e9a887c4fd96403e5111c6dc9078ea3d701e857fdf58fc25a273850c68a2285269bef677ccaa9f4c69539db2cdf56dab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
38ccc72a51edbdd222626bd46550ec0d

SHA1
3259b0fb76a42a9410f489b1c3cb00a7a0b7a1b4

SHA256
3ac14776cf77c90953e2c72dcbd6243e525549415a7edb7a725941dbec1715c7

SHA512
a2047b120234f1c3e04b0c3a717a176494cce30112ca836c28cb09d00d04d99e7c57723a726c945c8fd5a7c790510a72c0e4a113a8ffa2ce94fb78700111c822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
3b072261de165bc840faaa41a47de33c

SHA1
ea485a7216944c512ffe96aa0dfa10a7ed8ee5e3

SHA256
4a0b17f71dcebace2c0c2576998f1bd1c1b7b46f0ee66da4798b279a480171eb

SHA512
1ad4e062995951d43ed24e37613df5af83dca0578fa1836738dea82941d9fc969d3239d793a7ee977e16969730592e666069ffd20c713cf7f468890bdddbcc11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
f48a1b53e635be7663795ce10a3c39c0

SHA1
7354f1fc01f9b6607a7ce0211ccf2d83eb4b8ae2

SHA256
59f54f14d4b91a1c3df19fe1953d34b51e07326ebba1fe66650978ca7cb70cdb

SHA512
72eb14b1008d538081bb6119655000790c5708416379d3c43e0952e2a67b58235f7e6f9c2256c07b10bbcc1abc159d38d398cd8b195b6418dd7a9e0489c14306

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
19b894d588f037b9fb41c615fff35175

SHA1
66ca035d537b8f74977ca502e5400c5cd890ac60

SHA256
746d661db91e3e7bf24c69904de9bd5679f4bed9fe7048c0924a1095ffac283b

SHA512
fa56282257a5d816f3b6627c6a7efef817aa620ca3be21083b9519c57bbbcac8484aa96e5c58a5b8e7db2eef63c64ae390b27c7b1f322ddc0a75921e6215a862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c0e3d2f394f1292236f1b790c0485e1b

SHA1
6267617067e9a0af214203bf59e5684b763caaf4

SHA256
f07438c28f1ceaf2452509f99783482482eae5c0514dd654d7f4c84f6e0db2f4

SHA512
a3d8ff2bad725831428e4b15582abe08832e9c56c319c5d890a8e9801059dee82f9d052c026c241c777bb67eedc1b916d983f3bb17c67458d1eacd67e692fc25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
5c12f6b04c450579476a2bd63c959fdd

SHA1
67cfc5ee779b00cf2a0a9c0e1603524b0deb445c

SHA256
023a612639d77e66d70c04a123cebf8cfd22224dfc2a61f2a80b59116e0ed328

SHA512
720b922f9412cdeffc52c05151ac69577f49275b558b2b72917824132b2639759905d076a545e8971239f5760d0860ee1e010dd069591c15fb76444be1d6d877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
2dd56ee7a7692cc2f345aa9ff46422f8

SHA1
81548041035dcbceeb1a7b135a80e5eda917d950

SHA256
d4b89a738645f5dbfbae3117d9ed155a1ef77da5c30a66427a82a4f7356d03f5

SHA512
4217d6a20a64f166ba9ca201b499520f936b974d3af8ffed5b61d435a304a0d9d118d552e920ce549be46e06ec343edaaad29f708a6ddc9e9e33fb799b8e76d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
98f89e0688bb40864234b1bfbc60f2f2

SHA1
57a8cf6119518269db6f5d1964cb1fd7261bd8b8

SHA256
8e31cd5f5e60f6c28ed779c6cf2f3c8697bf4d01916c00cf199d8a082406e3b7

SHA512
6b4d75f7bd057adaf450e5cc50ed90f9025f761ef1ec713dcb9a8b057b774929f5571440a2d3c9cc74fa985bdbb3b54bf88540bb75ee8f03b276027620178d21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
884dd760c7ec740959cff9d69128cd4d

SHA1
38433823ab8660cd8564a834d7b7323c644f1ba9

SHA256
8df558ed7c71553b965d088831277f46bb55285f45f60cd00fd6eb7094bf8e7e

SHA512
092bf90014013e231e3158e3f79c85f28de2b0610cdea8ace69e49662d0f942ba2e335ace86453834e3441efe001f9bd34a27b850ebddbaf3bbc5d235ae57b6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9ed28ce1be1eba8a26e0ff199640e8c5

SHA1
8966a4149d36ca5de04fbf10450c94ff267000ec

SHA256
a63e9b18ed5ee1455fce2d499cb371930eaf0a59b14d26a02ad29c7989f1e0f0

SHA512
e20fc8e403d9ebed7f51a577a0e53f89eb17c72b69b4de65bef6d674205b04556e218e6573e728f61b027e6f5e79cdccd2c84113f5e31508907a327ff38cf3fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
32d22ffe05639f57137101a7adcb0463

SHA1
c6b11dfd1ba8fde2a6bfe016806ba0c264685648

SHA256
f1f156c5a5392eab739980de11d4a1695e8e12d2ae9a68eb5c0b851aa5b560e5

SHA512
e8ee2fb0895e633153492bdadf1b40542d5ce9c53c0c5845a467633b53b5e7bc0a46384e4a851345250cc55c2e2761bfd2344037a3ad71ed242a75d4ad1329d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
93025e58ef685d5fde95d17b475aaa0c

SHA1
9c22e1ddc0a36b9564eccc7d2a86cc69d74b2c1c

SHA256
a50fa6e727fbceb7927b78947be00e90b90cb1f114c80838fa4bf356b5c6cbdd

SHA512
98eb2df0432a090b0db23990121f5b91e65f34768158124b35105e7eea4521530f769d5279d01d48f4476cb8a9ea7a9a275774253bc293096bbb588ca60c2625

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
a4b32601ea029acbf73d96f0f144c4bd

SHA1
01fbf7513dcdd2bc7325c9bc67afaff78f3dd01f

SHA256
1a7d061220b85bfee8a1691d5ce5db7503e9d0c66ccd190c0652b09b627adf62

SHA512
004848b3d34ec996d0ca80e0c20088e4a33ba98b54e33b3c16b6b0a267ea1ad6b7b7a54484070ce63774cd4eb9a9092fe8884e2c77ae0582395887c6c7a26093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
0a14f87b55b2b1be7f4ac80137dae7fb

SHA1
9875e057d1d4456ce64b28298d6de698ab755697

SHA256
2e01b09a2b1d968a1dbd502f9c4ff048aff3989c34c2a6efc1c3cc3fd7cfe861

SHA512
60dfb2f07f7c39dd1b895abde5d09e879c667c93110b35e8cd73a4801dbe931d03331aa7166e2d19784744d9e7bf1b18e55231630bf23c9644f62524b78097ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
42845d7cd6d8dc1d5d575cbb9739d2ae

SHA1
a450f2081699b4b09c77fb34996cbbd2cf6c61f1

SHA256
c92d4ed404174763d8d67252ebf88c098359f8443ee4f03e635c62f3aac92b70

SHA512
3511c37270f2fa48f2359a07316f3251b69f413d5ae3b452232790da0427104a280ce5e7f2842706be8a9f0510a566e9b1b0191e1ad6911b45259cd8645e69f8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b2a7cfbd3e0472a801927369730558c6

SHA1
3b367fe66e19274c33637f40f6a85177449a3ae8

SHA256
32208f1e5f7eb5be91b6756796a83a63e764ec5bdc79c093ebc92773c28cf040

SHA512
3cc905a3a1785fd7f782a750482ef1cf14c5d776cf8c586aad1d952ac6dcdf27be7f6ac2924007e64d17978e2d5309dc492c3f1cd8c05c0f6c00dc34966c5011

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
cd85b6518ee5efd734cf12997a6250a6

SHA1
f2a237015b7a32fd67283b9c7dbf81b3bf592c24

SHA256
4d60040b7b941960ae5e8d83572415c23fa95e0528e779b5910efd8f62a987ca

SHA512
61561ba2b802b72bb1e08469fbbe7612372a68f59c728bdd64e90ae1c5d6f5b3b7d28eedf12d86d5d46cc02d46572cca4e3d07fe0af1a863203abf7a016dd6d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
c347c16ee24db95d65fc80471d96652f

SHA1
b638760308ba4b3465bb26e398a422421c466cea

SHA256
5b22863ce14ef541b87448f14faf3889d27783554ac8d9d600fd88034869af14

SHA512
7578c784479d52a19c4a51a961cc9e8e8fb52044ee4d12bfc67ebc338ca07cfad0d1b383b395d9f2b7a3e14d5d3b0ec8dcf8811f44b92ae769efb720cf3280db

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
862e8a79435ec3e7092cd6f57fcb8883

SHA1
c88cdace9fd49a0b6a27606f4a4e5dfd439a86e7

SHA256
6132c7e07cbfb38ed3467cc574c8f42e267cf34c3d071d0374d3c2a6ed83ac40

SHA512
3829354ca99365739b179291e860814b9c759f9c23662d7c2cdf80d72c1fbfca5e7a642f18e0641e54509aff63f1f70fd491d86151e8a9f7e6da56a1e42049b8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
ec8adccc6dea7aa252c31fa1b11afd4f

SHA1
f34b75c59b8bf151c92e6ed72fbabb9c65f8faa9

SHA256
a887af8be49142c8558dac16f55a644368e49e0545190767e29d242293212a1e

SHA512
2a9a40c580a993d3e6a0a067f50c1b4f20629c9873f6fd79477dc87e370d7aa397ce269e31211cd9c9178d7e2c7261463042e8cbccbf803c310701968532047b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8617d59aefd03003a96d3841a6b9a845

SHA1
fa3374d7c4bef8991d794811d9f673fceba0094b

SHA256
9046e20935e7241cc3add7cb9e19a90d9d2984a357ddaa0b182d9328dd3c8055

SHA512
f8b7510712c736867dc9d2bee79ac29d09c30a2b87bc54353c3ec3cbd0069674a9af0bbbeeccd7995fd19349a67d4767fc9cc8e5e0bad166b57055cd79d40221

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
88eb0c34fdaa60845cf17d38623c5b1b

SHA1
ab25e7dcf8c80b4d79aca1c316a6ab7294edc75d

SHA256
0cc4f3de8ebd02d0cb97d47ab19ac9415e245bd177aaed93d07b520bf3b2d28d

SHA512
8c9f11ac255d58e7e47d8ba8ac025b3dd9f24d924d1e1ac8d2b95be19cc9fd04a0059e46e8abb3a1e6d71f8ffa96b3da6256b6fa33ec0abe0fbe3c87f3af839f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
5b95a47df1f458fd241a986fe6d56633

SHA1
81c0207ead358b8ec8b853aa40879096859c9054

SHA256
5f5c7ad4a9334f3cc92a84ee5a33d1abd305d7ad54a80e596925b0bb61d001c3

SHA512
619a2ff6f03fc94ace07e32de55da5c0594745d68f032fa8f7004705756cb74034655680e223f30ecf789d3cfbb9e542bc6ed99dba8f0eaef74f1f2108189f2e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1f46b4dfc32aaa9cf213740cfcd538f7

SHA1
66dd223b74c35a769a68c4de354f7efb96f57385

SHA256
f444019d033f38a492101d0d9f8b01825b5aaead08dbff35d92ba78b0bd0560a

SHA512
b5226db875778bb651cdc496536ed46b76ad94bc22b859c1e24abfebfa282dabd3c2e9a5a5c7ebcea8e63c5283faad7e61e685e08800b641e8b89879d1eef841

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
175eea8834e8a5063bad7cfc4cad8691

SHA1
b0b420ff4fcf24761e2be196640579960b7e9839

SHA256
9e8230f668ae7accb4840e0adbdea0fee88d95db1e2620863f4906bf4f1432c3

SHA512
244536a51e40d6d9a54e979e34b6c174f847670040ef26ccd0ca29a618ab63de02dc579fd0a7e6a906b1491866ba47ceaf55bbfc8da9658683b21ac50241fc32

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ae27fa33af13f4bf41ca041ef05abb7c

SHA1
cb9bc64c9ae67ae8492488bb2ae9a6ec1de4a30e

SHA256
f4c75dd1fc342d2df4d499e471632676dc072f4393ecc88d2293ae66c4659755

SHA512
77070c9c110b7ea869c0485cb7280929830682a38985364089a1fa8fb860824e3f47cf668101e609db8efdfd8c58e62905b246efff5cf319eacbf13c86925cba

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dc38c25e9ae42c2de01e1a181f8178f9

SHA1
b717e4620b5243a04bc9bf0b656ce6c35a972c29

SHA256
ff5ea1c3de2a1e89a63fc27eae142d2f79805e86a5f4a6ab954e86e4072832a2

SHA512
8b2898a7bf511aa6fea4957a90d487988d92f683623dc43687df40980bf59d97559d3a28e9cbaa2ba7d673d494eb5887532ef77290d5cce5496cb7ff263ebeae

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
a8191e12f086514fb975e671dff5f2b8

SHA1
c0c94add115ffc8085fac0f1fd27417cb6a6ea6c

SHA256
378f02d63f16084306cded0b1df174846b78dfc4a43016c8e4341bee7fae821b

SHA512
dda64fb2392d9d34178384856a833db09b9f578a470aefadffb2f8a4b8796fdce44c066f23bb93292f052c426dba100588e5ea240c7c72300d535d1666415939

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
07d7881e2e924619e54735a68d63c6a8

SHA1
89a61a407e7fadf25eca77cfec2ba5061d0cb7a9

SHA256
f5087492191a26f08009a5736c53b27e63ac4eb674ed7165ac907c9dd4dc8419

SHA512
b3daa862df9ea8e3407b6353356cb5f78905ed61fc79aad8463b0d65e746f2dc9c7e1de24487f3d6a540f81ed9db8e5d3ae9141b5031ea899ca288464f2850e8

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9245ce93f4af07abc81a66d05c81adae

SHA1
0cbc8d2eb004191def06b6d0ee9f04a018de3eea

SHA256
7a48e235d9f6e6a57ce682d7728d6b6f4ca20ab591c866116133d4129a79a0a3

SHA512
12c1e9919d57215b0f1f6e08eb37b581d078bb5c974254500f496a59f76b9d024fe37595388bdcf241b87fe942c75851bb106d73e159a78d8a1efd17c7653f95

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
99c74a3d26bf56ac028245c2b61ece34

SHA1
0f98d3ab42aa05a46a659d4e70ec987895cd7a70

SHA256
40eec15f2e51bad2a7f1a298c4427e28efa960baa9d4e6674f9dc3234142510e

SHA512
0ddbc4705961f3cfb8c5266b0eb497540feb408e5780275dd9b040666a38384cbca5676f5b3f4c01c0bb373d98d78328ae040c5822f314155133b24c43bd5bf8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
d535e6ac61f24c084f22d662a8782ede

SHA1
83c32adc5c791d898b8773296950f0270c30d793

SHA256
6f8b32edfabb143b564df19f173544a3e9632a7becadeddae62ee5e49e105af4

SHA512
788ab9dbe50f9c7426f2d33b9897802f9d247d8faf9b54ce244210a639f8db2b6eca61fe43d93d9f36ba97ee5c90e3b9f2aadd14baa2af3291627fdd3c2b8404

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7bdb58ce29cfefc7e16c8752c5921c53

SHA1
5bc088e5deebaf0aebd8a4104898de18b6ce0481

SHA256
777bc38e8934c2d002d7260da39df6a78ae2cb52e205686df32b22397a436533

SHA512
d854bac57122d248d539964c09240c04358b7e5845d10e7e61586475912b1c787b7d00f22c5f5d474c6d73e972c3b0d22c551e31d8513ad2a1b1cd69fd101c6b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ca1575d144350bc6cd17757714a424ba

SHA1
3efd7bc37295c8b8adbbf6c7a1b5947699ed3b63

SHA256
e8179a417d721179c4d3563bc04a680d001a4e8c322d6b6e75406c0f9c9bd8fb

SHA512
86f2a17d0bc3d34c50fe3ba631041e353603cf136df5d6487a269569dca846bfddf0e32e247a6bab9ddf4c433139276892b93d74913ee3b3730feb2f56f0b2b1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
fbe9e5d2f141904a031823725ef28cb0

SHA1
90e087b8c175fe20adbfcb58d4792cdedae82f23

SHA256
5d62100e9998baff1a0324d0137aae6f4823a54380771c1b0734114689bda126

SHA512
8882ee3a2279bd4cc5a5cf6ccf6e7308f12cd8044beaa2653efa4be29a706dd6d0ac2bb4f97f3eb300e3c40018707f72fb7ee93208a524cbd8ff0250cc8c9c26

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
41dab35237f44f3063833f337ce1d7a6

SHA1
76bb4eb4264f99aad683b4f0ee1e8c3853dd92a1

SHA256
0ee80803bbcbde6914c8f3e8bb1d1b0278a64f94ac0b233db87c7d701f69e298

SHA512
55bb04379857d92f252e271866754fd8bbc337f9f9aada12901547df12eda49afb388be210527943428bfc6ec42b83558e2828be71516b947462881735b067ae

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
99f49934a0e7be18954ffa45bdf9927f

SHA1
f25efa979b7c0385974e40dd3c0310cf82174341

SHA256
30d27cff67e412ac1066547f75bccb30aabb47b97725bf22b7cf5be28ca5cef4

SHA512
e84fb803ff0397277ce7cc4bbc8653dac7d0b85e2eee2b75e2a8e3513875f6ac58b4ec83cdbd50c86dea1f76d5ea704d2b0902961d5062572ce828a38321cadb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e8bfa758e897523e685c2ec3c11e640b

SHA1
1eb0bad035e36a2dcdebd85e07f051b1ff6d365d

SHA256
0ba534a7f6774263a3943f60438487814faca90235f2461faa8a5b35101fee2f

SHA512
df0d4f413627228a5420dc928e28c50c4310d412855d39887ef3e2b8d60af488db27879f8b380c21b301a759d65d3b383cbebf860cc28cf8b62d333266f31a74

Download Submit
memory/112-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1084-148-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1084-142-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1084-152-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/1084-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1584-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1584-703-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1608-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2168-704-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2168-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2188-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2188-107-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2188-115-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2188-116-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2188-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2292-261-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2292-156-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2328-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2480-700-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2480-127-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2480-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2480-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3108-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3108-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3108-649-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3108-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3224-340-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3252-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3252-701-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3252-260-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3252-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-702-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3492-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3764-263-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3800-262-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3824-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3824-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3824-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4032-264-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4044-267-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4156-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4156-705-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4172-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4172-706-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4740-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4824-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4824-8-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/4824-588-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4824-0-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download