59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
Size

1.2MB
MD5

c303731919a193faddbcf385cde9c4a5
SHA1

c4a5f852149b1af6d17d4a38598571238cec997f
SHA256

59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661
SHA512

a83bc20e94bd120aadb0843365cf43278e11c0e21aa4f371fb5cc3b2d878d07e46f9053a67689c33c10cc0d97875631e6baf6148197e3e4fdbb71673d6a7b376
SSDEEP

12288:7dZMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:BCSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3108	alg.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4372	fxssvc.exe
4360	elevation_service.exe
1056	elevation_service.exe
5088	maintenanceservice.exe
2996	msdtc.exe
4728	OSE.EXE
4756	PerceptionSimulationService.exe
3252	perfhost.exe
3648	locator.exe
1948	SensorDataService.exe
3148	snmptrap.exe
1652	spectrum.exe
1236	ssh-agent.exe
4384	TieringEngineService.exe
1636	AgentService.exe
1664	vds.exe
2728	vssvc.exe
4520	wbengine.exe
264	WmiApSrv.exe
4164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\AgentService.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\spectrum.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\locator.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\wbengine.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c20e82efc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000443e3754dcc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f91455dcc8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f91455dcc8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e6b6855dcc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000219d3c56dcc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eca03954dcc8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed68a655dcc8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3984	59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
Token: SeAuditPrivilege	4372	fxssvc.exe
Token: SeRestorePrivilege	4384	TieringEngineService.exe
Token: SeManageVolumePrivilege	4384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1636	AgentService.exe
Token: SeBackupPrivilege	2728	vssvc.exe
Token: SeRestorePrivilege	2728	vssvc.exe
Token: SeAuditPrivilege	2728	vssvc.exe
Token: SeBackupPrivilege	4520	wbengine.exe
Token: SeRestorePrivilege	4520	wbengine.exe
Token: SeSecurityPrivilege	4520	wbengine.exe
Token: 33	4164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 5024	4164	SearchIndexer.exe	118
PID 4164 wrote to memory of 5024	4164	SearchIndexer.exe	118
PID 4164 wrote to memory of 2900	4164	SearchIndexer.exe	119
PID 4164 wrote to memory of 2900	4164	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe
"C:\Users\Admin\AppData\Local\Temp\59cba94456d3e52a5f34cd7ce9d6f8b0886f0961bec8864e7ece1c1945e74661.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3096

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1652

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5024
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
99e68029dbb92d63272b5f4f6d5901ed

SHA1
685b1499765ee6826e63035afc2fb0bdd2dc0a0c

SHA256
15f262e2cae7acf2a9198673df8c12220d333ac01f47e40172fbf9355d656c25

SHA512
f319b49978b3bfb6b3a04e6a3de1e81cf204f6ef3f01a36e8f428cc8d5bd12c5827dc59637bed3a3b29d81e71e1261fbc4933bb9124b93faebdeab00c34f9b1e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fb3765d2bcb49d0c6379660365aa828f

SHA1
ecd8954582d2ae72063a6d01297d1ff9db4f7dc7

SHA256
a382004f2f9c6cdc33667c4cf53cb1d81ab50441206548fb482df96210cffae5

SHA512
6c096b8a067e9b85804facc06414362b75cc42734ab998b127eeb2fdec9cc0b33cb2988783722f441784bcc3fe90ebd59f84225a0403e96a6261a91c4208dc11

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
90f91c18c78f463a8e36337d7830c8e5

SHA1
718f43e11b9f29ceffa84d82477eaaddb0508aef

SHA256
ad4048200b108a6bbcc5e36706026d37d10cb7c4859d64030225ae27a8270d04

SHA512
ca162110fe7999cd4968a3dcc25478b7f5eb31e45be91998f29eab146428b35ea9db119646ab2f15e83655dae50cf079e6b022afd4d2246fc8e53749f4622f0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6906d0e76439d2937e865628405b9c7f

SHA1
24485f9775afe459299b1b955d591b8f8686c8d7

SHA256
8b84a46cb7bf4e26cdee05bc867c534fe1f39842a54334442212e0c72bfd052a

SHA512
160dccb1b619191561d0592fa5ac0c4c8e27fff9e8d2268e488667872ea54a05cd5832f8af8513ffcf6ea6fe53622157a7e15096bfdcd15cc9676bc3925bc616

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e0c9211067a2c85f2d571596f5444e5e

SHA1
b657d0f54d8171599083dbe022be267482cdefa7

SHA256
13278878332c7c2cb2198dd05b2ff5d3ebfb574421da52c2e019cdae04537ed7

SHA512
9e45222e36a33d77188f4b574d0a8937a0ef7231c72e18d08ce930b1ebcd1556f1e35570a74aa6f947d0ee2715b2eb9c63a0813828ad2b84e90cfa63edb7711a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9519397e4a20a44f65915231da091663

SHA1
5788177e51865abc88ce18afa6fa60d66ed03d9b

SHA256
fbe4ee749083d5417f168a7f9b869eaf35aebb98929a10a13e48a2eaac515b29

SHA512
c88de80d6e4ba0e6b0ef67e128b5617326ae539bd3c9737bccf4874bba08c123ed68cda06bb1af518312a8b35b688029bb71a0a4e276dcf8959197e585557f4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bc37f7f2598339fb6ca73faec7d81c6f

SHA1
d8c46f7b224afb2b082741d6f4cce97b768e5c5e

SHA256
455562b8085e7b586823c15cdb1235c31df8e760405dae4f137e17473710c136

SHA512
859e3d4149f95e0ff4ac92ba145a815d251a992d28af50de227fa56cb07614f218afabee335a1aff725d054b10968d096e758ca75756bee143d623b7a312d515

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
00a6624c8bea113ab57d5cbb9f282b7b

SHA1
d162fabf44cc09adb176141a3926a50c530aba7d

SHA256
64686262d8dccbcbf5ddfc3f64ae0c3f80a9cc56fd9d45c98627e70c802bb8ae

SHA512
4707f9f9284cd169f846a1111064963b1d258cbc8af586fe580ecd9496dfe69455d155da54e790e8d6fa9f288c67d6582c00e23c6984276f05564fc99d897f79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
99b9176d810390537a7f139b77daedb1

SHA1
a3f2b0c560b964b26fcfbda0e8c50964a55b1a45

SHA256
c1d90caa948aad25a8dd00bf9d83404bf1f0febeec70e3aad0d35d9c0fc7d0cd

SHA512
4f1f8e4eb2b50613a6757fe4854f0624a200243510705bd8bbdc5ddc25ee19757afe9832a935c13ed41587b29c7de28db81bf87015b4896fa02bef1c956bc0d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1fdf6ea842771788658216af57ed0f82

SHA1
61660d5a18bc7f5717839798085cd7ad4e40e8cb

SHA256
347ae4ae1f92446958a9ef53b699284cc15d0365d4c0e97a15824850b1ed29e2

SHA512
5c712e2072e88c559dd22359854c00b0e146f44fd7adffa01caf46f16f4ed49e9d0c3a67c4ad2c8b69e876708b3bc8f4f52d3f2e301dbffdf9dbd1dc36b80f0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34a8a1eaba6dc3d7a3d7e7ef55dd1e2b

SHA1
64cc6129f93a8d5afcb67910241d59035cb77648

SHA256
73d2cc1c7012fc7cedd37146d24998a39e74a198dc6e59955e543c76311f52d7

SHA512
5693f49685a2a59590ce39046e82be62d69d31717b9daffdcb3d20b7531895530ac3047f7890cbd87415442fd5cadd1fb691f6a0d061e5a1a9a25b51ce90eb30

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
305728d5b79b9cc3b11650b3d3d7812b

SHA1
75a1bc0b4d057c682bd9e1c9f410c3eaeb933edc

SHA256
71d3432c470a827643b6a0995f705efad7da3afa1700dc7a72f4d8ca1a5cde55

SHA512
851d991be7d3dda225e136b444ea21658efab6f2277ac86999e6539caddc35f1f9e9ebf3db495bcb65760a89af5ad50cc297c47d1d29a72e4b8f619fa0a2ca2c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8052193b95af45cdef8dd2a56ff37f88

SHA1
ea514dad600a9fa15b1b2e50254b9a179d56c764

SHA256
18dcf601d014870387aa792fed0c7c3cf9515ca9df6f1d24f3267f99635c63f7

SHA512
eda601b943205555a85df6a4455795b0778495de344f453ed5a330356dd63ab2f2031d0d6d0af31830bf94b083b00b075a7705521decf61aa7286f90f7e4cf54

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
6ca9fb95e9957bebf4c03f280f434937

SHA1
42b8e214cc6f135df063a283290331a3b3912899

SHA256
9b13450082404873570b1c37b7149862ba6a4b87f90f0dab4ab9c3409658f10f

SHA512
4444e71886198878a556269c795c92d58f6fbc2df2a41ddbc4df724aad041b473b44d28a67980418ab3b04111fbbc5f143800f6db9f4e06c0acc296c1ddb9a10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cfd53f219796c9a987e709bf7e896645

SHA1
f47fb9cc99106403a508ccdb3070dc51fad95c7b

SHA256
13e43ed0b812d96a0a41df0f7e8bd8d3ca660c2f2dd87863464cfe925964ed7c

SHA512
b526c160028bbbceb5779d1942e750fb2ab0e486800536c912ac41121f63b1f8717936d9dfa959821a976035304b8299a5a4b89ae0831bf3b3af0a13a7e6d60b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
81ae7fe6c2284409017a4dd47cf0bf40

SHA1
bc8a89d1e119c07cf1b33059fad6a79eaa034bed

SHA256
23b1dd002963bcd2d00dcf11da202558a78ba7ddbbfd796ca9981384db7a26e5

SHA512
b64c40fb6a8fee486ff7e120831d589589346ceb57d55910f62a151a66e15b0880d3a74e54babe9156af36e98f0cd0e2975949d1140c629e2af814ed041786ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
49e5eeaa064a381d03911b8d390344a3

SHA1
f806d1508e4cdbf36d7a965e0208f867a06f0288

SHA256
680dbec0694ae6c14d89ce90447e61c716fb9ca7874cb9443c3d50f25428cb5a

SHA512
d56c91a59e2402f7fddcc55b99a4a2e1a65bf196f6faa4d203cb24d02060efe0e0c356d7e1a9a79fbd0b38ab94f3ac65244dc87eef8ef6878506ca45d625a952

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5c8447748b1a50c63e9c331ca4cae685

SHA1
ed0755adf7c2252914923aa5cf5740814a3e9c75

SHA256
bb1c1a0ae968a0b5db65447da0c1a6dbb54869ffae207c935f9aec471edeebb6

SHA512
c9efbd93606c4d5c8923ef041e1ba93e35a418da185710dbb35a90e071c7cc090dd627a9c5863cfb59cf6327f5c0a04da0bcacac6aa184fb3b2e5bd04c38dd53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
91a186a9350c81e298f263771759cf52

SHA1
1e3c6052c821915c0486744d88544df641f50b8d

SHA256
b97d9cdaa55f6f6314e2f3f346ffb6e51cb3e8e60951b0c8a9590c21ae6c1dad

SHA512
f8001ee91fc44bf777666f3c5343babd132e9080403b7e8186470e5474480599f3792bd43feb8241dfadf83c91d644838839d778d418943ae254f11380d1b153

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dfce6ff6f05547d73c2dd19120050005

SHA1
e21a02281f545a9985415bbdadf5350768c3b515

SHA256
ca992a3264fc06e1af0953767389485b458296eb142ee8f96eed985b1dfbac5a

SHA512
bb739cb2c2be334903fbd52d70aa6994d45d4ac8f4ff3913c8fc704d1a564d2c4fb2a5a2d41b5bc89916145def8cc85faa0431bf291a2b72018f16fe4abeb19b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a9c6895d6e54c613be452a8c0cfb6144

SHA1
9bec8df1efd7ba30fe5f8bc0d4b434728e170806

SHA256
d29f29cc6a9581b110526d57eeaa67a7acb783c75b053e1a883b4f6f9931871b

SHA512
17390c2b998f757e54572534c1f21cf8f3049308120be84aacf96e1107fa0594e3459e828652717564212c18b04d2c06cf9e85902d6219e12fa19348e70fc580

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
196e94d6ea2c279a6cbb92f230064f26

SHA1
29c25c53e30524c5b29fbaaf328dab0c5d01f7b2

SHA256
08a9fee9c47d6a35fba68c6854b3d5362e8d12e39a68e034f1bfe5ba5b05f865

SHA512
5ae2fc6e9efb1510f61398bbb9c7c69179c515bc21053115fc0d34c75ecc50becfb4673806f97c24427252a72110da7dec3267135feeea1ff067db8b20445004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c0c1ed42d0864b2b88b103d413fc0285

SHA1
25026a49d2ca33a79980ef92d5c4f10511e7dcbb

SHA256
3aa0eec86541da0ef07c610356e711a345ffc129a9235a223317a25ef7294b40

SHA512
129760986ad3b292d0f5ea76f96cbb549a4e5c5eb730c21de8ed6348d2d3f4e7a91f139a7d32e52fcb26b8d8c9ae5414894356b98c2f3719be74261b318aa574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0fbcc3eaf81b3ef722cbae1870626a9a

SHA1
47a9ed0f14ceb198792027a1ae63258e4c6225d5

SHA256
54b53b2e30d90ab2035d0d7ef2ba8f3561de68593e239d6a74f1c3544e36978d

SHA512
c813b9380cccbcb5930dcf50a8810e044b32fb80d7d429905b6d29d6a9b11356140b25400ded1329a156869d363a366d13845f2971d425f4fb225f898163aa6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d6b8b52805d7df8d01cda47743371613

SHA1
c28c93b9a92d6d53284e31f50150e7e6cfe4abd0

SHA256
2081b39c7ace4d784818af398b99dc3efe6c8d93826e57c4145ac9d9e8fb06aa

SHA512
fcad2b1d70d8ca9fbbd100ed71b3ad2eed3ecb26bed355ffe74ef83da47e57b2d95a0708a85f6ccb9d66978ba80a2bc63141d69a679e57de742466963298bbf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2f8ee25861d02ab014853e4e1f05bd52

SHA1
0c1079594d0a0b0e48a168cbdf4e8527b503200d

SHA256
bf8042264550f4cfaefd2b79de83ee3f894b304dbe64b02500f45c9818184656

SHA512
b4ddc61fdb6762cad958af9bb528884dc9ce23e6a87fb48c943849dc27075d501f059d1ba573e6c04758e0c4761322fc49f4f243e418bc9081e9be6eef2a67e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
cf296ec228b585d2ce6ad65d5a7771c4

SHA1
4721f0c7826f7a7bd10ed4c097130c063c237f3e

SHA256
59cd5cbf3986417697723c5acccf32defeefdd9a43f8d38ef89a4636d73c30b0

SHA512
fe1b26abbd2fd83c5de5785e41c198b4a54bd59594c6aeabc645148d60cfeee05d6cacb75951975f57aecca2086a6a517149aa417c41159e0d92b7def046933a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
0ea6cd9789b128a3ac140e0c77e0214b

SHA1
7684f987332d57d4e17c8fc3a088e7c26d1f2639

SHA256
263e6501e0456ec39426f4251003e29545e209610f67a17134a005f6e0b465f9

SHA512
addcb6f5fdf50c40d60e3c1bc9a343484f1ed8810dfdae6705a0357888f2c9843cbcd2416b8523bd1ed6b603b21f2066edd3fbad106be9276326c59f363fac62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
74976a2bf7254a863e5a5cecd7aeeac8

SHA1
dcc5bb3bc84a942bbc886a0c2decec8bcf37f6d1

SHA256
b9ba8e3b5ab2108d4a117cdd52a5fa61645c30345f2936891a2cb15109e0c579

SHA512
f98ee31ce185f7557f8eb2d441b4ca8c75b106b05c8fc248aa4ba47a038108a1bf11c6b9905ae7850dccab3a3ab40faafe2aa4886ff68033f91df63de8d06864

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3f8fd90f94845faddd4ba53aa777f2b9

SHA1
33722573b668c6d458b42a47a3c51ac76254f59e

SHA256
ecbe8e6b9591b764a27c0cb583b8530e0b954839eede2fa5a5afa1b71ff57ecb

SHA512
80a984ec79ffe56dc64eac838c55ca23a5765575799fc816172bae5eb0d92f11ceddbd98bf3160526027c47cad7e4bab8965d394da392eb8834941f034817d5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
74e91650a62c55f57801923cd3524b09

SHA1
eea78e63a37443da9e92bc4b4b824dd1c662ff9a

SHA256
41a1a359ef0de411c1ef4f3589bc78023e4b5f8e5803940cbf433b2b4ead33b5

SHA512
7746eea6a475e27c964a848b6eb4ce5251d784770f39d3df514e51e7b3d42dc1dd93fd7099b0a31a54e84971407ad139954e175ae490c975cf3d1aa0fa2b9dfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
aabbf000e71caaaf8eda978c0058edad

SHA1
f40d623860c4bf68cdae0128c983231558394dd6

SHA256
c7f391cc0b7a99608b04c8526b79c8c9593f0b90e7f9104b128fa271a0c47879

SHA512
7bad9d349ac0930cc8fcdf8b5633b0782f943ec10b0fc4c00c312f6c082ee819714101391dca085e0dce8ee12f4b0fcbc5a4c3ae032dbf5b5e0a4d2734f9ed6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c3c48654a89b0ff9414421d3e69d5dcb

SHA1
04e3075427851c92650d7f8f95060d2116643961

SHA256
f149176ebdb648c5bcf251b58d84dd091b09b958dd9ae9009c1dde9c27139564

SHA512
c985eb9a532b8ac9aa8b93849cdd57f1242b81ebafb5fa53a793fecc08e12d3deec4ee3cb1afb8c64a338767bd336a93a2a0b05d971d508e7f5a96b300f6a521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ddf69a97524ec1497b34439e592a0c71

SHA1
64589a95355517399673c33090f060c083f3aa04

SHA256
745806b04409cc0299d7204624ee067d61a1cec6d6a7dadfbad6f7cdd33773c8

SHA512
6e085ad7bd4213e05c4af77b4b1ea4717f2246f5c5712c3dd0ac53324912e8902ef76bca8aac7b827c21a862d854044039887d8985553435a431baebb58d109b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8fba9c35fa0524c155e305ddea00f460

SHA1
1f1570cd7e8f0ce7fd0a9336c888ba5f42daf107

SHA256
56580a05e5a0fa09c13650343ef5336283d2a24bc5865a273f25c274895576e1

SHA512
14b1afd9166650d903d1f08d9432d39268347e5c7e64b5d51734ad1fa30f93703c2d5268dc22c37a7c46100485c13212749275ee401b6508bfd188aa4b30d37c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e31f047e41cf7747f2c22d45ccbb23f3

SHA1
eff6b7b7537aa70a9b09d78addcdc6c6bc0df788

SHA256
bea5b98e22d7260dbdabb9904c958dba41f3e08c7fc8a1fb29b4dd53bb50a0dc

SHA512
479939ff641ff51eb8d27dd26ea50cf18419274a8676e2e091eaf2844ca8f812dedb992f7001fdae8c87a0027446726887ff21cfd023b594198a3fd58fca5db6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
77b8a38ec92a1674343065802d8b8095

SHA1
53057f796d6b797a5f2f4f1be60bb79cc15adc50

SHA256
2436149d20af3c530930d8e388990f14bffc5148e1ec1e8bc6e7fbfa1baea999

SHA512
ffbe84c472baa6d4fa478e7a351128b671d9013d74405a693148f8ee412162d8e66bf505c2f14911981765a7316d55053593176d0dfab232abe0119ed1125f3f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
74f7945287b9ba1bc195db1d74e3105d

SHA1
61271c490e57f34fb247528d4bf759cd9f6ec8c8

SHA256
50078451d5dfc600ea23173338cd503d8791ca204056c8a63df6b9cd34309b85

SHA512
92193a2e51f1ea14813de197425406bc6caa7262e177b77cc600b1c1956ceffb4df7321bc403b4cb0a6ff302fa451f016271e625b14244c87ffcc0f0efe0fff3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
54e95622c732733863c2ef39052ce1fa

SHA1
45bb51544c1082776b70e089a2c5a34527774bf3

SHA256
24e20c1a4ed35c5af9ddcf6b9e3876fd8237ac9b1ef832244a5ab8c054ae9612

SHA512
3c3eaed27bf97116e975a155bedb011a7af15fd9eeb34f6568addedbb84fd2252deaa1afd4e00026cd6cfc1bbfb742a4e039bab68ee215325736c1010a23b1ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c88e3ff806ee4f0378ac69f467e9572b

SHA1
e0f2a33d56ab20ca23fd507671eb0a5f3ac793c8

SHA256
d7421e0e8482804026fc8a687babad29ce7a4fa279f61524b9744d5c1e8ba7bc

SHA512
1623103cfadc2da18639827a3f15c804dc8544f327ec432b7c7ee0d8c8ebf79319be4bbd0ffd485f6ad64985618930b5b0324de8977f34ac24112824ce67f69c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fbec778f5535edce344c0172a56c0cd9

SHA1
4a624e0f627c4d98721a823938fbdb8e40e78405

SHA256
674b78b5ab57a2d1e228188015caafc9204ae7101a1a7cdb8e98664f901b9558

SHA512
6131cff0e1b621bfcb9ee659502290ac84a30bfb69c8fad203babf4ae3139765c08939fe2f5508412e29c2dca48bbd6eaafe2083cfca29f5dfa56efef3e45500

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
7871116c78a1f8febcb6616d2e7cc361

SHA1
65c8baf75db0aff6d13336304ef5755e43633460

SHA256
dd5cd1fa1ab34226bf66cd00bc627105707c0ad4392d662f790f342408ca2358

SHA512
9edaa2e78a1af4749657eee37cbf58ef919c6a68c01a8beef9f116636f454087a7a0d70b97b419a8fe8a04c5f4f0922af80293064dbdd26d3820a0dbd4dec865

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d4e6ca5e07667a52e3a0378625b32645

SHA1
4e687ab07d1cbd6acde4db6bae93ffb90d2279cb

SHA256
0f8e8a20fe4944e8131dd5dafb94c798490828cd0a74e6e79b93fc7ee13ef755

SHA512
a9b57fca132b0f5fa3b0f5b31aded373e94a06d18c10aad93e1e3279f1d33b3c0e57055c4dbc17efd889cd14be7fcdd3032d55f4c47ca06577feaa59f9568a77

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ddbea9776a12623bdff39d226cdb29b7

SHA1
3b4b8727190cfff4af750d52ed1e5a486894bf70

SHA256
1935425f26c43f5f484258c4c234886b09998daa2453967ab33f862f9e20bc44

SHA512
5907ee4d7baef5d9c2b5b1038c6e5da6215082d84b81d1c5993b44b25deb4c1226b3c22259a040fddad3396a9c535da723fbf0532e0844d753d88ad836852041

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2797e68d76463c871788c6b86e068ba1

SHA1
e7003f038ba64099d3c079232ecdd8237985476d

SHA256
faf6477696a245d9bf6509a6f76b4a1d44b5d40e12b4dfd7d45c0d2903f4a499

SHA512
d3d779e76a0db9d35c6970eb00cd171ea6724c5f377a91f608c5c500a50b05dd0c4db260a6d73388fdafd966a1746691d70a65f2fafec01d1f485fb192ad233d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
acee008b18e51d1a55eacb85f670caa8

SHA1
5d7d0e45033954ae6e981124ca6d460c97633ccf

SHA256
b9d643f6f9c8df6048e2a2fd8606ff7363b2e4c6cccb1e60dd448c010702f5f5

SHA512
463b05fcde082342e890c6fe38efc15a1eb4e19823eadaccd9d845d483be14be17d251525ba0936813799f86ca10bd4061a41e31c3c325f26468850e4eb1d6db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3f91e3f0ed7ffcfa37d72acc424630d7

SHA1
d1ec457ab58b57233c7cb3fe777f3b34db960e24

SHA256
8d9bb5ac366ae8e0aae4af5abc7feaeaf6dc5fefad30720e1fc494dfa807aeb1

SHA512
1a27486c2883afc544be085bed654bc84261ebe500f2a3bec7ff80d1c9a377df6ca06a624da5ffb03a056d53c26ceead11d7ed04f7015f50beae14ea4f97aad8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
92193741d4f64dfca49318dddd5be201

SHA1
05948320b8e338db23c1858b30ad57501bc43b9b

SHA256
68870f667507f1cc09fdb0a0155b2eaeab58ba4e8997d33a69dd273e76e1191b

SHA512
98e6f739cda731e25248f2052a3ff5159d473d372c1f8c219878ff5488f8d6d1ed230a8f93a95af40b6719433811a2bdd254af99603b5a43ff98672ff14d409d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9b0119f039561d887c79de0c429ed28b

SHA1
b0528e18a537f44da39fbf5640698d06e79cf258

SHA256
979b89bc31b86fd0aa1d6e3d2e92f69c1c6c4fe76c3583667b4b524d8dff57ef

SHA512
69ad505fa4926c56f402d77c29c10e8595125873710ec8919d6090e5566d93aa98cc830938123ac8b6867d88e0ae959983459f327464184292e5d9490644b26f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
455ce4db70ce8a9275517fa18270cb87

SHA1
8d22d964c08fd7230c9b7a1a050364dfed696a37

SHA256
320921ada67e6a66f09dc67f7c75656da5fb3e32d41868a692442b1cb3fd7841

SHA512
27aafc021964937e279ff34eb15fa6efd17b6ea7a390e093925c65d95879f9219afc862198d6f16493b1d7b4ab565059c19c3557efbd8b2feee4de31a1027986

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc6b216faa6ab2cebd5a998e9daca385

SHA1
bb148835c7d23479c6fbf0af264091adb177971c

SHA256
1af7e20a7129ae7f46d1ecdb50b52a32aa345b78421e703681bf30d95f5c33b1

SHA512
9294afe4a6a60bca85964e35e2500d8c39dd753d6e69ebed2f741d8ce70a138a64e672f886f65672929015a697261db5e5a6b721caa245d20ae8f1583207e4fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
860b0d17b221982c705f1c87d567ab1c

SHA1
785aceb0b7b0d7d04ba92e727a96ac9b390862de

SHA256
93d5499e585bcde8a55e9671863449368c0c3e480e373051ef07786b760c96c7

SHA512
781b0f4516910f88be451a276f100c20024811ef4c3ccea16e996cfdd3c321f125c17f0eb5f705fc643ec56b00c45ee79c9fa823e678678d6fabc2ebf76813cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
53bd3dd6d42a8afa3f79e2a812fe330d

SHA1
deffe75fe468543e8818cbeccbc0cfedf27844a8

SHA256
d2211340fc4058ad7785eda77b03e225fdf350df80b25afc26776feb13ae6370

SHA512
58c5529cff4e160ee5c9c6a2753fa12176033d5db288cbdeeaef11feeb33f61437a1a22065539d27f3ca7dd271568516c482b3197beafc19cb14a505094fa63f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
169a73b0fb455beafcd86a3c122d34cf

SHA1
c7a0ca09358333ceb12d831f8bc0b3dae7ab8f91

SHA256
fd14b26fc9f521c9395462f7e03bf13677072c7c9f7ab51945693b01adf3e0d9

SHA512
45386e143961381d22dee83f884c5c6e7fdf9442ca7ac6362d40422fc28cad50cfc51bab4460d58c55cff780d87a990b4ac09708fe92b25b70ed9edffdcd4c2a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
52842eb7c50227ed4b12d7ed07c5c2d6

SHA1
a91abc60f09cd8309ed30c0ac3e022f3e1c74e25

SHA256
4d2538daf5c49079cbafdb512993f9aa618388220b0dd3a8b9ba5a03d8c5b2ff

SHA512
f9c3aeaa667d222aa3f779e4375bcf43cd62af38fa17e11a417b364e86d188130653e3024fff60c7909f120817f5f8ad4d843b468962a8691930803a1f2f2d1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
cd2998e82136373357b4ee2dc90af820

SHA1
8de63f5e1d033d82eb2bcb25b84928fcbc04a9d3

SHA256
ba8046c6c3a6530f6a1b298d74fd37ffb523d1aace69dabc32c0e370faf3e9b1

SHA512
22163efa7b56badf664ed0987f51bbde3190e0c6e541233bc38290e5da4e35d909ebbb67031e80c72a86d30fb70d753b30863a6b71485e7d469ea8fbcdf0ae6a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
47fd313a1561362110ae84540a7bc62f

SHA1
95ba703dacc6ca9edeac44f50a75951e4c7b84fc

SHA256
dfa8db158e7a0c31ec11f8ca52644434e994397657764b497dd9ebb5d188ee4d

SHA512
e7b0046231be52f17f2ffb3d16583506ae85e5a7e723ea8700735801db6d7102e7ff6496c714c61e9404470358f9d4222fa7c077003c43268791b0f5f6ffe78e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2151b6e82281952d76dd58cc16f6fdcb

SHA1
c07896397c7c5f37b2b1068fe3f2c37d2c831c14

SHA256
ec40b416afbeabac26900b1cdb3ceb5cf5065076df154551a0d9c9bebd72b769

SHA512
23fff73d70158fde37cffce4fe67b0cd4f0dc9a4b327e6b74d9189ebc2a9b01772f64737c4ba59b065252d3f214bd1c0c46ef2cd59b26bf17efc00f7b89413bc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
1bd6286ded380a0ccb726a3d572c74cb

SHA1
9b3e2154f4ba2925dd2c212d4168f8e569f81fdc

SHA256
2ad1947036dcd617a44c6a80108e862548c7c10d1afbf97c17f981496c966352

SHA512
a32e84ecb6dec3e8f833020a54291cdca6afe7ca4904a4b0771a8adcbeb8c65bc44744ca12039f33beb639c9ed0f423e6c5b2bf8836c4d90f0e6352e1479c09b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
4075d5a0ba6b771029eda10d644d83e8

SHA1
f8cdd6fab8f8593e1211ab2b5a3f0564d0a684a6

SHA256
e8154ea57299d47cb13e1169764f52e181689e8f194f60e5ba23743e3d93da59

SHA512
2239e564a91f0a5100d7c0b65817f8e544382e4c8cf46b938bac6831f2b6a3d093cb175be8c143b1534ad39f473fab7c3818593dcb88d6fb75bf6c69277138c3

Download Submit
memory/264-257-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/264-609-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1056-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1056-203-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1056-62-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1056-68-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1236-192-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1236-602-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1636-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1636-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1652-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1652-566-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1664-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1664-604-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1948-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2728-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2728-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-87-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2996-96-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3108-119-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3108-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3108-14-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3108-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3148-168-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3148-469-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3252-134-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3252-244-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3648-256-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3648-137-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3984-95-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3984-7-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/3984-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3984-475-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/3984-2-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/3984-6-0x0000000000C90000-0x0000000000CF6000-memory.dmp

Filesize
408KB

Download
memory/4164-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4360-48-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4360-191-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4360-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4360-54-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4372-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4372-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4372-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4372-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4372-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4384-204-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4384-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4520-608-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4728-221-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4728-109-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4756-120-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4828-34-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4828-126-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4828-31-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4828-25-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5088-73-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5088-79-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/5088-85-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5088-83-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download