07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
Size

1.8MB
MD5

42129e5c87497182d2008a70d52b5785
SHA1

83f43728011809fed4a2a96dd741c0fa2b813d51
SHA256

07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d
SHA512

8553febfd54fab0b439cef850299c8cc1927fcd798d1fcf4c7ec3b7927223beefc1d02a0e3e5b16db899f1bd9336e2cd5a9947d6e697892c3e5558c3c5df4df7
SSDEEP

49152:CKJ0WR7AFPyyiSruXKpk3WFDL9zxnSyrfPOkhqvq:CKlBAFPydSS6W6X9ln1Okf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1928	alg.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
1880	fxssvc.exe
2436	elevation_service.exe
1640	elevation_service.exe
1256	maintenanceservice.exe
5036	msdtc.exe
1440	OSE.EXE
4056	PerceptionSimulationService.exe
5084	perfhost.exe
2672	locator.exe
1740	SensorDataService.exe
4636	snmptrap.exe
4260	spectrum.exe
4456	ssh-agent.exe
4572	TieringEngineService.exe
1208	AgentService.exe
384	vds.exe
4592	vssvc.exe
4088	wbengine.exe
880	WmiApSrv.exe
4940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\locator.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f79eb163e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\System32\vds.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\GoogleUpdateCore.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\goopdateres_fi.dll	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\GoogleUpdateComRegisterShell64.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\goopdateres_de.dll	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\GoogleCrashHandler64.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\goopdateres_gu.dll	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM470B.tmp\goopdateres_sl.dll	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c208383212aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c41bd3512aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa37773612aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000606edd3112aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003520ee3112aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b7e2e3212aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006aa0fd3512aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5d1df3112aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cee0303212aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c192223212aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4232	07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
Token: SeAuditPrivilege	1880	fxssvc.exe
Token: SeRestorePrivilege	4572	TieringEngineService.exe
Token: SeManageVolumePrivilege	4572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1208	AgentService.exe
Token: SeBackupPrivilege	4592	vssvc.exe
Token: SeRestorePrivilege	4592	vssvc.exe
Token: SeAuditPrivilege	4592	vssvc.exe
Token: SeBackupPrivilege	4088	wbengine.exe
Token: SeRestorePrivilege	4088	wbengine.exe
Token: SeSecurityPrivilege	4088	wbengine.exe
Token: 33	4940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4940	SearchIndexer.exe
Token: SeDebugPrivilege	1928	alg.exe
Token: SeDebugPrivilege	1928	alg.exe
Token: SeDebugPrivilege	1928	alg.exe
Token: SeDebugPrivilege	4576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4940 wrote to memory of 1460	4940	SearchIndexer.exe	SearchProtocolHost.exe
PID 4940 wrote to memory of 1460	4940	SearchIndexer.exe	SearchProtocolHost.exe
PID 4940 wrote to memory of 4416	4940	SearchIndexer.exe	SearchFilterHost.exe
PID 4940 wrote to memory of 4416	4940	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe
"C:\Users\Admin\AppData\Local\Temp\07d41fa9aa7150646b6dd1ae3073a2886f31bcb3cd85772c48dd9fb16d897c4d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1640

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4260

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1460

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
815d092290c061410a385369e4ce2c46

SHA1
d834d8103261a8d9c787825e4ac1bc64371c847e

SHA256
867f86704daae3814304c827962ef2d5fe9afb864f9a636781a236d52ded2010

SHA512
487144c9505296b94b2775dd6245c74424d9c35beb6df574f6b0732193e719953d4c32a2922dde827335c213b270acd5e938adcf077e944cc3e3d38d521d09fe

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
61473e0662c7b0146b62aca10a1fe05e

SHA1
78a4200e789cd9a0d54da137b9685b85f977d1c5

SHA256
47ec460871a7146c6f5cf9009e64c1ae4aa25561d19020a8214506c167174a12

SHA512
daf5ac3b3bec2f75521a3e753bec1916b3659125efaec053a8c7b6c60d6f18b4c47d4fa578943a92b26726c2ef1844967d1150554a8597eb52258d6676303167

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
75d29fd981bd6d4356c78f3ff5b8310c

SHA1
65146f09810939061e96163b26ca6901b323b944

SHA256
7172c9cf90abfd75d1406c0a9e1771f10487893fdc4653504f5e86a27fa8df81

SHA512
6c2e5aa42260606f7e481f177ef20a91a2eca63a09b17c052d3e171332c482292f57722eb67cbdcd14dcce4257059dce709ebffc1d0846fdac3e836469e403ef

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
65d1cae8de590d993517e56e77380a3a

SHA1
074647c595ea0e0b1e489a7624db7c01057bb1ed

SHA256
f4838243f32bf4037952784085c353c543eed8ffdc8c4402a115afe5d847957d

SHA512
5fb665633850b00a54a3cb0cc87fc45bb63a9fc38060f545ffb7af2284d06f163b228103e2dd626c81a956bcd42f84c389f028c2c62445d5788c063a921da2cb

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
eec2a803154c00b92eeb8e2659eea8af

SHA1
067c4df34c06e50b5a4d024ee217e4ad08429d3c

SHA256
de92849d6bc6711608ccbf1718a733d2de4d81c42f38a732cfc0cc50672c2c54

SHA512
e6aebebe608e6fcc27e62a527284502e74faa1c7c1da73233935d9ca0f375ccb2f1ae275ecd8da5aac3ea40b1bad6245fca465466fcfdb2d72a7eafacbb19f79

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
4f145ae23b46423d26cb8e8095a11870

SHA1
e8f8793b281f0ce45a18f93381b600d18b1aff3b

SHA256
687e9b4b8275910da5e6a48976a292660659947017ef158b6364dc0f9a1b5fd2

SHA512
54af912e0700b746b60411ad5c179940b27a8deac65e860372b1a2abb65086f51ed9d4c8774f0260fcb52c6ef5b19e2be75d9685e5690a763023be63607061fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
669a3e1ed29a6fb33f33d2d7acc9d4a9

SHA1
7286487a5093e34b927bff478931d19e6d063c50

SHA256
6aec470a55cbc0e78867f2ec6f2d45b801c62c4b8530a75c265cc73995fcf7a0

SHA512
15e15f0c007287213a982ee07a62ddc892a87e90b4381e299d7b192c3a19415c2cacadcf3f7aeb5a517ad491297e920d9dce9b1f270257a23a035343bc1c1ca1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
956848a1a452a8404c30e4ec2adb57c5

SHA1
411b492c0808050f3439a2416b618f0af6f46d94

SHA256
90fd26528d73dbe20866d3d20839f68131919cfd690d34094ee3d510a12eb6ce

SHA512
e0d11bccdf544affa08702a7f94921d161ef255cc4dde698ada71527616eb9541de0d58d8ebac712d40fc98babdc7580142ae5ef456faf08d0139f7760e44705

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6e15e95517bd34d427c46e689753153e

SHA1
c9725467dcf78e62bd1200735e56b39ef697e881

SHA256
6e749696668d622d79ccc5895aa5e9468961a2794557f02a127f97f2ca19e905

SHA512
c49d88ffcd1679fdcbfea62c8a1bce3465550da97ad8a11520983fe333f4623879f974e9d30d3489ef447ed49481c1183c39287d37475911a8ef245046686656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
009b3b596ad861449266d27eaba3afcd

SHA1
59dfd1441594194d5ac350f49fca791f39097da8

SHA256
de060b9785919bf01a3d2645d61ee2e896a9b4d9e8674d0a940cdbf1250843da

SHA512
b91a23e2f8c1a31b8f517b3ca0b91c783e922f42ccce4eff27f511fc4e6c7e3bd0dd9279a77f75e7b21ef844d438df6d05058c2484c5162683b7aa09d6f2dd8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
385b97b101dfad6d08390736ff10e449

SHA1
8ae67c7581db415e1ea6f876c60fc857eb3014ca

SHA256
d732655b11e7393eb559c0338b32cea1f3b27a2b7d5a2032b45c1ec3792e3528

SHA512
51f631b68430491fb2fc1a33450992a7e9dd68b923a5725048dc8c6d93e291434121dd488d433a7c07fe8359fa0aabc513c21119fcc6668cd95798aecc5e8af8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9129c536115d203b938a0767afdebd37

SHA1
08dc8a604a16b9fd9680846b96263f764567ab82

SHA256
ae33ec30d2f02b7c05255e44337dccc5a293fdab0b8c4948c1966e557418eec5

SHA512
3bae43b67e5b6ae1ffeaa737dbe56d2970b705a65a2812832a606d5d4842af7cc7e8c772e5ee378ca8dc5544061120bb5808f58527549cf179f4e897848d52b2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
2884b43bda229c5f79700ab4104898d4

SHA1
f22f2df37ba503af9fb1b7ead8d1f6ad19c77c1e

SHA256
9970f91b62b189a0544a002ff4c7b90f4dc4da6f3c07048f61ea5e7b1c30e2bc

SHA512
4bbab83ed35ccaf9c2a214598a893cb9dfdb94f854ec2c23b97db6b82c5bd52f57338dafb1bf5b4108808c6fc15963bc17be985651161cacd4c4748aef6c7ed6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
9ef07ef0b5916f69f47aa332a814d901

SHA1
23af81790d381cbde7636e46aad3d437b55d771d

SHA256
36c541565bb625dab7e783644af7a48ff249b761c87c460401005d39f2c5fb3f

SHA512
b6213a43e92dad117ab14382470384986509a9389cae31d4ed8bff171bf7915a312dba234c028099ba0d0c1b3dfa94a272e743b6cc7cdd6363f133dfb2864b19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
14181fd296eca7e2da17b70f176bf57b

SHA1
c8fa1e0f91ab26350e3317d0ee634370af1275c6

SHA256
1768f69fccd9861329ab995ba757aad1e5844dd1d5aed891ed87cebf5828095b

SHA512
65f7e05dac65129525600c25ee9f9819144e88823b18fa33d3fb751b93dcf7f484b6c886df0124ad331e451b64e3351ff7046276627d431ace8a3c5ab544b9d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ccb299693c3ed21f61495b74bf442191

SHA1
0f9ca24618b5b4693bb35facae7edd16d0904682

SHA256
d625d3167e9b67bcd73e7f66cd068c83c84e7f6886de2f201ebd541f643c192e

SHA512
61bf520a35d0ae092432f29625f6938037d937f66ad6cd3b5a13c308a1b142ad943af5a0df32522b55258d3b4cf69d0942b7d03b7ab90e1f1059153b186042f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0a49ec1f4788858c9d857bae1818b391

SHA1
6979debbf83c089946d01d06e2db1caad37d0578

SHA256
b6d053351d2388f9f644de0c944380f0930330e8ebb7854e52262e7693ba148c

SHA512
7d1f731d1dd76b7a40aeb53276e408a34ee5e2f2b71a5c9d6fd9b5f834c5af3acb48db9adb5cacdb0672bc0c6acd3b5b371c62f6f40e1a4f860717da7abb7dd2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
fab85c63b6ca43595b41aa70c41a7fe5

SHA1
c4e69b7536ec7c0ece4f2b90e8d6fcac58fd81ee

SHA256
e7b827fc062007f0310e6b4591d42224e6b2f631d5efa94c82a665154b65f910

SHA512
5edd3ea169b73cbe61d79918885dbd488aba7977b574a6205a1cc8996e85ccee95d80b25161b4b7c9e714d280f52659ca20e11b3d378b2025e34112cb9e852d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
41a8976541cf57a811b854febabf52b0

SHA1
6f88ee63453a45640c2c277b17acb23dfc16d4b6

SHA256
8115a23b4cb3b842cb119b66bcde7e9b617fb5ef8cbd63a4cbc38f19728f9419

SHA512
e8b1716401b935ecde8cd2af2f48651cb96a30120cc997496b6867eae9c852b077626d3c3735be789f7cb9f563ad0bf01d71eade04a82dadd4ba7e5fa042acd7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
57fa395d28b82e9e8708b20fd3e4117c

SHA1
41b42336961c42674d63582ffea878cc86f85e73

SHA256
597983b055f6710dad412b0b47bfd1dc047ac7137ff821c8c6d94289c7feda94

SHA512
7ecdd75af84e9613d8441f50ffbcf1b5d3a03086ae3c92ee69173430640cd6a8d3d261a87b4dde668532baacdca09ed89c606b8ac4c0ff7f3854e02b98bc5bf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
3e1ddf0f00e2db3b6fb28b093fe7a690

SHA1
3196dced121dcfec95e4cee8881e85fc51734268

SHA256
79b8cd300054887356bc7455cef4f4b781feb230436b3fe5db81d3e854e4305f

SHA512
ca52cd0b3b1b4da7b6f357cd6397060b96aa0cb3182e1591d019b98447aac47f6ae27e3b04c70a50f4a3cfafa8932526305d1e759f58aca2df9012ad7b5028ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
7e31a75dc1db874502bdb433052d0114

SHA1
36319f13e629508b2b20d080c7e97ffdf08a99c8

SHA256
4c459da823e60a6ec31d991e20f3de812c0063cdbb22389fcc98cdf1d63bfdf3

SHA512
ce85303ebe1617ded7d82d932708007e4e312840a6da26d2c74fd06b4a25649909ba8366f88d31f04253c9b9dc863ec9398f30dfae0ca4601633bdf6b44ab3c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
00716ac66b3664f725d956a179faf999

SHA1
8f7c865325f5b523e33340f58042e73db12243a7

SHA256
bb3f96511867c9f644f2c041f35ba1e50330f396ef1a0fc5ea3c656ca19f3fc4

SHA512
f616a261c9bd767256478af9aaf223dd63d56ce9b03ac3ed25a9e281b4d2d914cb52afad804389335e5e310a6655d3494276afb2b8fd7b42a47c65dde274b99b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
7bb22852ffbd05191b2dbceacf8eef44

SHA1
c2370b8262659fc3c15b30c8203fb7b7bd8c9f41

SHA256
e0f3999cc9e877439b6563b458d8679d4aa4200f70fb0ac619c855e350633181

SHA512
f955c6c7b6cb3ba26d6b8034def665294188d8a3c14a2e0082fcf239cb5d61157287860fec2719241cbd865d7398f6da595cf7221ef995f5e216b39727e6bcab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
50a45e76be7743e90a4e1e9bee0c89a6

SHA1
6b27defaf4179c9b62397cca436ce4d7583f2628

SHA256
4db934141cc9fd977e5f0f6bf34fcf15bc815b90a72cfd64f9a0bee840f66d16

SHA512
6a464d3f0f3b3a07fb8842bca16f66b8d1433693b0ba985981bc2b67e0d1d3a31f17fe939f506af50e6bb6685560e9e33045440a6264018ac777b1560079531e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ad89155cb3afc24764e5a70d106a2026

SHA1
731be0a41361ac5e077bdd10470299e41c1d8a2b

SHA256
569591e5a096eefb2060039a68f2d28d8dcb88bc41f553f40821700d32ca2fac

SHA512
ab594440288d6beafa6c594bd0a40e12f2c070828fc4116f449be40d8a40c2cd993b0abd264e58db77834d0b71a1e0296d69b42a22e9cead601a630150d64782

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
d3f9b282b58c3f92ef56aa6477d81f9a

SHA1
7cd2fe6ade8a7e8d7cde95cbeb245d8b2f1d8e1f

SHA256
c68dcd545878968bd6fd387af4223382718dca1d771f10eab9fedcb96f3c6c97

SHA512
ddfc6ed2a4c203ff37ce21ee559d0045e4a75805c635d499237a75755dcb96ed45e9c77a7ef76471055bdc9c785abd3f5328398dac81b0b964d52604dfa13814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
f3776c9491d49668b6684238dc7f09e7

SHA1
7689c96f8a6ae372fa4c536dceb508f04a9c3c50

SHA256
a360cda8a929724c1b6f79884aeaf6cf5911cd3dbfd83a285f82ead01985bb23

SHA512
73d2b25de6b31e5145461c5c650a540cb336117fe5b8f2d62a3eb460e34123de7aa1a94ec78a837b2473624dfc14d3dd2d854c9616548f9b910e6522c9920493

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
e5cadc483655e3d18d11bd546b964abf

SHA1
4147bf5c36f53e650d1e07b9c513c4ca70eef262

SHA256
62264a76f2b2e7bf475f9bbf75434aa7554676299fad6a20e3b67ccc6738b9f2

SHA512
70b3f9f8ea989044a504ccab7132ca1f7037706f9fa0181d4620145b0710f65c554c33522d75d6e8cc762587d40f811655db05ede989f80a8966aa7d035bc93f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
fe0409dfd308f6ab5e2d637b02f89312

SHA1
ec3da2915d10240210434aa34be7e749c5fb5967

SHA256
8b5c9c368fdf637b492e09634f62a03f37d7c51d79600f68f69137673a6751ac

SHA512
ed39a19de3beff7830b33f14123d10ce48d805d590c588e33357f903ef8eece4b7e97c4a54b0025cd20fdfa6abb23375013549a3c4f3e3b326e24353a6b17c68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
63872e984df1dd4a54d0ffe633e17534

SHA1
79852622295254ad7206e3e9ec18bf0dd7dc9e26

SHA256
2d23df7bdb7d2c4189ca25ad2dfe8d66cde0fd1a88ed3708e65140e373f52eea

SHA512
c06db5d98fffe71ee7c5baa8d5bc3fc3d40a85df4b0d429e3cbf47de5e3cb149b81c63854e43b2ed6785eda800933f5f18f7e968cbaf23ad2ccf27cd518cfa6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8ab0e1f34cb8f422eb2b9ab4f664984e

SHA1
330135598827bf9f724e07b1d73d59defc7e2ff7

SHA256
77d416e9795514caf814ccaa58f1061397bdd0ee61f9d30ff1188f39ca77db11

SHA512
c8c6445b3b8d61f41e026ebee2c442c3f6997c94f5010aaf2d65ce9ef71a89603a15595e948e2b708de9bdf277fb152c9ef67362f58792fe6945c0d83ddaa388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
7c5bd1ca844507e2da98c41359cc70c0

SHA1
569f3656284151c55d48d95f16d271eb57e50e74

SHA256
90f5b2351ae3b412da37cfe96ddd3ba8f906b62be65d7e4fcc78c0ec6dbfb3c8

SHA512
c66b9ad4617d998a77c88122d494b64e9b3f2890e53e0e88b5ab0f240028cd5cd4a05f5ddf19bb6bbb1af0f4e5157e757c02c01862cfa4979d747b8bf34e3662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
95e2342ca6c300e7f788f858f9d366e8

SHA1
e4bdd24dd9f6e5435c9fbc98a698fbe25c041005

SHA256
c6fd3b1c4b0ce9eb4439b34fe42361f222e4a3679896454314bfaed50ebd852d

SHA512
f44068238c734074637012096459de0bc161d4e7f0f1c32b4d52495270f8848d3407141e596b49aba0809412836af1a79f453fa2794643ebdb5f93ebc8d40178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
abb8732c4296a6c4d9d7dd3fff140235

SHA1
46e320c20702139d9166a98354f2feae4c5fe2ce

SHA256
4a1376b8638fe1c69c2500c5d9771199e145c60eeddb5acc17db82af352c8ca1

SHA512
512ab113d8ca046914c5caafacb33e4980d588c313bc5527b32e7f1b9062baa5b347a2e81570b483e08379f32301e9df0f646c28c7c622862ea2d35a048c7417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
b242a40655a197a69ca0a4a1139f0a8a

SHA1
f0c8066b5445bcadb8a16308b2a002c520c39c02

SHA256
4ebe77769630c7008885f4b197344d4c4e375dfcf22e5e5488ec71f606d1564c

SHA512
fdc37eee69be76ed2ea25ae57ab9141b07f6204589dd6c839b307b8ecc09c09d3de928f27445e6539349dec47d648310a15ef56e6233e3f450bc116c08ff9ed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
0edbbe326571b9442f608e8185f6863a

SHA1
c7ed7d528bb78a94df2dd7f12ce51f4d020b14d0

SHA256
acc9b85e9191828b3f892c07545356e9dcf69e7329486e9e148c7ae7c7976a81

SHA512
57cec15e9eecb9ddccc90626a9dc1468bbfde825e04577833df4e44c75965d7af657a52dea15a97bb38b1262827bf44aad3ac6c46311ace07d2d220551342320

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f6836af4c00e95e5297ff68c71f0b413

SHA1
63936e16f8382aa208055e0bbd0d6326ab044511

SHA256
0be45170e4fb38a9f7cc3ab0697e0ca5e3addca884a0f29205d42781fc851126

SHA512
8c33d210dc62778f3e7b651b498be3d3c60e06751e2713e5eb23d5db83b03f28305db25f8f97edf2c0e308003d58422fafa0101b1c92c8b5b79f09eb4894a444

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
7e5229cb1c7337d34bef19611692f3ca

SHA1
312f3f18f139954d62e0782c9906428211c71745

SHA256
0b9018d661fba240f4a4a189443c1febf10833b06f449fb31a0a61d856213c6f

SHA512
bd124a2103102c57fe6d59f38f4de64c8fb98fbfa0495e8b5c745cc981407ad3e9455577ed0588c48927ef3b59a60e38bff9798c5ff0c264537720cb57f831df

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d91620b1e5f56729d66f9758bead8c36

SHA1
6b0a7b928fd883e92e99e342fe70f0ddfbbeaa9d

SHA256
394e6053f68d4f2d7961b3be0a139c51d42a460ac52be573577410a029f9c81d

SHA512
73498a00e96d9e45c00af93b3339f4b11346143f62156b5fd2066920ae3c7b4d8face601c86be1e2b1c83066c137f0e04998cf5412308c1acaf7915908f81119

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
8a76149fa6b28f8d5ba4cf3e99667667

SHA1
9cd74d0cde9afedd74ab85e100f3f0864588b06c

SHA256
d01a00ae87211b11bc866cb98e5c6656d4e8200e0d547678362a099c1ad0376b

SHA512
e590c9be3ac350a70bce958daa73874bbd8d7df5d29b0df13f0e04a36f4dbb60038271850cda7c144552858521199fac2e3f202787d9b2b352229637eff4fd04

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e31b83eee3168adbc984d43488a95db1

SHA1
41ff2998d8175e4c6d96960a58e58d89d7488c76

SHA256
86c46049c7707f5d9a11e2db5b181cd129050dc493ed430c1c2ce755a52332bc

SHA512
47e6634075becba2a721e1b1874f0b68866c7040b0db5637d4c72fcdbb95f15ffacc837df1a4cfa210fc4103489b6f7ff940ad846dd0b3d68babd75d8263999f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7fdc3e872e538ef26bac85a04968289f

SHA1
de41b0fa61769ba4b4dbc315701800fe05092a8c

SHA256
e7f9e5480c37a6ef8729b8139c244c9c5ebe59b6005909d0db4bed90945745f2

SHA512
1b892b8089748e626784688daa98cbe1cc744e6d507c07f17214124ef142d6d4a6528c0befe71363c74e1b3c1ff5ba76f8d35928c508ced49cb40312dcd30203

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
67f5ca049bf6591fb7cae4a77a9f94de

SHA1
f36dabd66bc5a507e3361571d1b6eeeefde54024

SHA256
6561905b894f83394682f5a23cd6a496f3d87c80d1478a2dd9fc540ff956b3fa

SHA512
e70fd18a385744dc91f4f4d5deb4dbafc9aaa79903077598dd99a66ec1558c99f54ca1eeb2b89d27f5f39532357047ede3f54ec8db944d10a671306552da61bb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9190944e2c14389d15a60f490bec48a9

SHA1
475aaab5f313efc79036361d483f3b67699f511f

SHA256
5b01506517c7423289f74af30e7ddda2d616e424d1f73ce79eef6c8f6b05bb5f

SHA512
da4c210a35ea797390a3b6fd758775cf65b2df7c829c4307d878f40601a726586a658fa3504ebf278fd25f63a0d4d5b59025608d27e1656173f1e82e195f3f61

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b8f87cfa0280118988941255d867cf96

SHA1
6437a4578690047a457113719d24931cb0a8d18b

SHA256
44a477e35bc1dbd64d2084ba729911aea336ef32d0c3ff826fe2aa4fbec6ce46

SHA512
56687827c54cc5cb369f72c25be7e7b6fbbd329f91928eed3c8cfa3798aba630d551e7941bec802a9575d80d341b36bfa79f1be70a8768070d22a16c96ac258b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e3a54d30778414f43beac7097f1f5612

SHA1
858a849a67a0fb0841cee4b282057d11c317d236

SHA256
8bbc2b90a6930037be40faa5690d70fcf55d8e5c0a3505585ccdee74cec5ea36

SHA512
a529c575d120f9f479f60f2405d8e1b109c245ac67a43b034cfc8eb06c9d2a98f7270d9306152f8921c29b281c28fff4b132640dcc264da97e77e92f1c57f243

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5b2c1ac2e1af21f7ccc88f25f2ed6fb7

SHA1
2a34e5bd8cd398ebfc751b9c0cff64aef75af55c

SHA256
951f462c6004c6aebf7c79ad4d1b64abfa5988c2928910de76ed0cade5cb10c0

SHA512
3d35ccd52a0f43dba62a4e7c225f5f62f9ffc4ef33ad0b51edfdeecbd02c1c967709419cdc6e669a32218d762a2776c97b35721f214b137c4af21e6cfe9fd484

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
246b0d84acc327f5397b984083684bbb

SHA1
1594777871152af35ebed19ac45d1d454aad8059

SHA256
9a0f386a757afe2dbc0be6fcdbfbda1255b9e8a51283baeef0603a7d7991dd6c

SHA512
2e73e0dc547c54c3e606b8f37cbb64f86a7eebfef00e7ea752ec78f446db474d2890339dc49695c4bcfaae8377b9e264845f05bdb550845249bb041ea80643e3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
0c90419beffa116a4f0a6bcbc6af1c30

SHA1
9d1cb9554889fec3f04555874947656da2b75c66

SHA256
e76cedd3df974c2014995997d40ee8a4e021ec1aa2e4b7dcdc11f36e32eb3c51

SHA512
0c891e7907010601b01ca7bdb7cf03042694727890a5daa28cfda18ba8b3aa4cebf9b94e35c9d4e7d688f7b8affe2b10d22ddb5f13b3b888ff3cf149ebc1caaa

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f91faf9ef51bbff66bf52240b7433db6

SHA1
7e1a584bb5106e17b79c928f90e3648c3dffec31

SHA256
43fdcfd11a8d14db8dd8212864ba93dfb1255584f25b0803f08bc0e7ee2ae641

SHA512
6852f335308a4074eb3d36829cd219560649ea53233de647ae06a282a9eb708ffc4ab04195ca11a4667110f3b19c8fbf83c3f6da7b12b6a69c55add259af0748

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
85f52f53d4b08e3a3b67eb6578a188ff

SHA1
2f8fde7fe995086c0c3be56b1a64e0506ab34489

SHA256
7ffc96c7570669988dbfa6610d21fa752911e6087b2a20f92b651b3faf686be8

SHA512
b87e00adcc5af33a52648dff1f177e24f607bd6f0c0d62a1eb7c576ca35f1bfbc40da924a37d28d54cbf12c8f661b815345e9dae1bdba2b15082be16c08530ea

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
ab5ecb93e9c19530f71d9ebd3f4a8a75

SHA1
a080ed0d6cf30961f8e2ce1996c033a6848a9db0

SHA256
16cf983b8e3b3cc09dbd294b5cd0e60e4313e0e8b9096d4eabc409c083fd1781

SHA512
84f6f8a5898613225aac6f9bb27ad65766c016036217a8dae8975a61976067c490b72902a0071c9a79a3de209a31cff1b80cfd0d28a88245eae82e65d3bc5fd1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
cac2f9dde42350ae78ec33c5945a4923

SHA1
1c2bd9204518376199d40d6c73497284860ee52d

SHA256
86461cc8fe260b9ea1aa4b16062aff49206dff53e564228325a33ef331237b75

SHA512
236b35e95dc701559feeaf2fd14e9c656dcbc7b99f1c9c7a1b492eb4f5f98c1b8a86320fd1eebba112c7cb47a3239dd4d0b2961fb4600e36c714d978c39c20a9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2c6f6e1b0d21458ce04e39677979aa7b

SHA1
1bbfb8241bfcaf27aa0e909b043cbd704cd34eaf

SHA256
52868e890beef35691eea534c6162805250ca5e55dfc13c88139ddd6b262b867

SHA512
e6c66e914fe3469ce06e02cc820ff62a20f863c3d476cbcf133833697dbb97442cc4cfbe7b167ec86b711ee0cb59ca7f1e7018d17fc74736fda644b3b9e27df6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
79570cf730dd5ad8f6b14749f50a8398

SHA1
de921c90307e08a014ee0d3a53ed07b448fef7cf

SHA256
219620917b73c149af128ad0555a08b3c65a93cdf1f20da095a076e3ba5c513a

SHA512
46fd3359757fcf29eedeb1721c438cf8a4114fb798dec6b222b7aacf96313baf10bf64e9323920d0a9aca1a764d6823579f397e6c36aa94da7a673ce0f57f4fb

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6618d0fc027da9076e8513b131a1c68b

SHA1
d4f7e2e51801d1077e4d6bb3f4aaddf291c404e2

SHA256
750302a38b6e2fac8e0a26a28f9d2da9892e7bd8f1cc4b095b6f3a3190be1878

SHA512
04d2fbd2ce4944e808674169d9b7762c77bd4bbc381c329edfda842130b3b5f72a8ea68beaa43cae0fa17ba9901665ad8e5d52ffd602d619e9db427d3093b0ec

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3388f827ca309bb990b481390f685b41

SHA1
6f26f270164b755f959caf45522300eaa519850a

SHA256
25dac37281538f56fbda66a392666c415f01530c5a06e63faf1ea6124c87a67b

SHA512
92731b92b09c447594684fad759f117dd41a9e37949d580defb797b44b795f4eb2d0a63d1d286f479f61cf40b051ebcfb258dff3fa8c5588545631471ce2f18d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
702df4264e0eff265c4b7bd7a2bed3af

SHA1
e4bd9e273cc9baf3b1bce47b08b410de6eca4fe6

SHA256
53e3919b4724ff3ce98493d89d038364bb665c5fa9a527e51af6be77b2a1f0b1

SHA512
3e242370431a4bbe7ba07edd0aadbc8a9fb0333b4218fb278a3d02c23af5b924c85b5eedd20f215284882afff9fe796dedbdb3d80697ecbdcd83c860c1b100fa

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
1641b26a098a70a406b46cb01fa3d9a2

SHA1
307ecc8f5ef20f28ed03544c0860036683a0f22d

SHA256
7b96ed165b71fb81f0eadd6949da928210411fe22ce5126de38775135409680b

SHA512
24a691a20f4140bc3e183bb89c685e72818f6cf25763169edf24bc7e4631649e6e6b627f4ca51bc44c6817c72e918f848e2c3d27eae863a0e09dc3c3c3cbbae7

Download Submit
memory/384-340-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/880-338-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/880-783-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1208-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1256-150-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1256-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1256-146-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1256-140-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1440-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1640-135-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1640-779-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1740-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1740-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1880-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1880-114-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1880-111-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1880-105-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1880-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1928-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1928-498-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1928-17-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1928-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2436-118-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2436-778-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2436-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2436-124-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2672-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4056-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4088-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4232-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4232-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4232-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4232-257-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4232-587-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4260-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-334-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4572-335-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4576-100-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4576-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4576-101-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4592-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4592-782-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4636-331-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4940-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4940-784-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-154-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5036-164-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5084-259-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download