76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
129s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
Size

1.3MB
MD5

6769805f4ef66963bcfc14962f883ad9
SHA1

848e0f81396740e052aecdb6c23134872c2d000c
SHA256

592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe
SHA512

cdfbd24d641e986e69849dfc0bdfd7021f4f42aaae110b61add94d90950cc67df3022ba4ffccf333ce0307d83e7431d26fe76eac15780469de561d98e14302b2
SSDEEP

12288:aOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1616	alg.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
2772	fxssvc.exe
4216	elevation_service.exe
1652	elevation_service.exe
4104	maintenanceservice.exe
2012	msdtc.exe
3152	OSE.EXE
1792	PerceptionSimulationService.exe
5080	perfhost.exe
1620	locator.exe
1840	SensorDataService.exe
2724	snmptrap.exe
2692	spectrum.exe
2080	ssh-agent.exe
1556	TieringEngineService.exe
4880	AgentService.exe
5040	vds.exe
448	vssvc.exe
4760	wbengine.exe
4724	WmiApSrv.exe
60	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\msiexec.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8460e90238f5360d.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\vssvc.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\vds.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\wbengine.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\AgentService.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\msdtc.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001411d2a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ae165a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026ee13a56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000953290a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca22e5a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae4684a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003908c7a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca817fa26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0d798a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f9adba36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f65de0a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a4aeca36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe
3812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3044	592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
Token: SeAuditPrivilege	2772	fxssvc.exe
Token: SeRestorePrivilege	1556	TieringEngineService.exe
Token: SeManageVolumePrivilege	1556	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4880	AgentService.exe
Token: SeBackupPrivilege	448	vssvc.exe
Token: SeRestorePrivilege	448	vssvc.exe
Token: SeAuditPrivilege	448	vssvc.exe
Token: SeBackupPrivilege	4760	wbengine.exe
Token: SeRestorePrivilege	4760	wbengine.exe
Token: SeSecurityPrivilege	4760	wbengine.exe
Token: 33	60	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeDebugPrivilege	1616	alg.exe
Token: SeDebugPrivilege	1616	alg.exe
Token: SeDebugPrivilege	1616	alg.exe
Token: SeDebugPrivilege	3812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 5016	60	SearchIndexer.exe	106
PID 60 wrote to memory of 5016	60	SearchIndexer.exe	106
PID 60 wrote to memory of 3676	60	SearchIndexer.exe	109
PID 60 wrote to memory of 3676	60	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe
"C:\Users\Admin\AppData\Local\Temp\592075e1fb5e9c9f82bfb80d4f3af4816737aed1a2ac889cbea2b8e1d08edfbe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4592

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2012

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1840

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ab2ff60342a68a4d8e2d632eed0b9db

SHA1
7ac36b170ba959fb0bf628659241315c361dde80

SHA256
80de3cba0e2135122002e9cc28d38177dcde8cbdb32042409c72d6e9c7b9e4b5

SHA512
485b21e35891f644e51a01aaf054984adb5daec1f61fdc95ee09c92d6ceb441c93dfc36e029d978f29be898f3b139170bdd6d8d2eb71bfd9a2dff6429056e2b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
57b37483f5bfe72830189e6793c352f5

SHA1
7f1daca2f48e8e387aa7f8faf0dbd4c087984aa3

SHA256
36974e40860dc0149d7746618ad74eae0bc5f7520516b1792d0e95f267c43d30

SHA512
d1a24a9b6363e7d521a0cad5b3636df604512d2d49167961f9f8a98466e90fa9be788f1c47953ded6f3d1015310db87b5d2e5be850f397d17247bb6ecd5f0318

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c360b64f0c8c286c70033647fa00d08c

SHA1
deed142b7b791d71071ff2dbc20fc9ae42a0a1c1

SHA256
925148fe1444352ce9d0aca937ad556c6706eac62344365a8f7a9d626f51d7eb

SHA512
2e0e9002a9298d1715031934d0854adc19dcd4e66ed3730ab16801bcc98dfbb2c1c095d9fb62c50678fea6e4e427f18dc70a036e1c79a91941b2ed0625c17d4b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d0db2440cc386f1cc3cf4888d8b86e53

SHA1
e2b91eb9bb313255e158766cec2863d37e955695

SHA256
a6e68996cc328ac990660f595a9cd319f27c7359f0aac179fc61111e5140f65f

SHA512
667fdf5e8fc3478340e7b323c35022d00ee47a0db039491eae04a4278a32f66f302e16ea10c23f3bdbeb0f874743e360dee83f78be80713492f519e971ec4ac7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3599b240d68f90fcf71ebcda30971d48

SHA1
998d42e3c07dfe6ee2ba3d347a461ce128058686

SHA256
4a2fa9ab25eb75f567ac1949684a51fdb89b6a94671c9894bfaeca49a64d4591

SHA512
46d030a10af2efec560fa3f85f235358426e252570b12dc681caf366f6b01c0b4d377b7acf5c61eb5804d8bcc7ed040e0548853cbe41ce8a4dca984f4862373b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
24f4e3c4d3109efc71646419ab7c0d15

SHA1
a64eef9b95e816d997009849964a9aa682de3abf

SHA256
89fd9d195b04186fc422d2ee86da74ac84f4d9459b0b429e6dc28ab6be0531ab

SHA512
6a52db9dce02b96569eedf2e99152567fc9c72e73e572bca296196415f3d3fbcea2692af08d59efb1c2db1e8c984f56f21917961d1f1068f0df3e05417bd6f30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b5950904aa378fc21bf3021edeedab5b

SHA1
8f57a51c09646c84198341a17d92016313d703d9

SHA256
33fbc2cfa0fd95dbe5ba52a747cb4b7edca11a279bae5076fd9e3aebdc834fac

SHA512
f7688babdc2e654120a99c85e7ef7a1ff501a3e999934d38c5adc5042425912fd23008b1739ebfee61fceab5a450c48e23c771867b06e6df3c305ec1d3591a1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
071d2585bccc31e4ad18aff9dad67d08

SHA1
1f2297d147fcbd5dde739de957d711a6912be72a

SHA256
9916a1365dce362ceed740ceb667280c88da63d5ea67c35f7d980426948ebae6

SHA512
31ae879cb831d40e9d50b7399b8a44bf580f3d887074e568d9ed5ec8b55f820da95e84b5f7dcd8526946a9af12810777fa6c96efae1da885463538ba69ff9364

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a028483c4071e75e3cca61c08585b29b

SHA1
ef40f88d7fc29d21fe132535491dc2dc354aa02e

SHA256
0fe2c055e9077502eeb0216974a2ea3c14ba271f4452a18da9d70b87161e37cf

SHA512
8a088fcfb6d399d506571972bf68f339283d68bfd3975e7d9b9786ddd78462b4f81b027587a40bcd9ff6c4d982eb73a60e290ab93b6d4f6d0b42aae50f7ee6f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
69d4919f8b4a1c5325a1d57350e61bb5

SHA1
c99b5abab9246be7648d84fd8f8101a7beb4489c

SHA256
87ffd5c616283fc75e7deda301a6cad4278ff344bd44c144e2bbe093388e72e2

SHA512
fe50bcaa5dfef548a1a9c52fe076b9a94945b6df14c9819307fdc61eb0d4d698d31195c4fceab77f2cc50e1effb89ba09950a632a045a0c9985927b283be9eb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e29c2f4087b34554d6e852737ffaaad3

SHA1
bfd95e616b25454f1edbda02622123061b5d0615

SHA256
24e2a7c0b2d3a86659343445fcdd8dd2e15b80e22fd46be513dc5d76ae9e1666

SHA512
dd64d9e6820b857c6414770d2bb299e00c92148bdfd00dbf04fb513c1f2f7ebc1f4690281a85667b51fbcaa8c4b4458c57ed3bf7f7848e72efd4595ff61fd8f3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6ddf1d182e81a1210c6a93ef5464ae5d

SHA1
7b8e0ee9dff406386477c26ce3cbbb62cdac4e58

SHA256
57f867c5d04f71287c856590bf512bacd7196afbd3ec44a75527350a22259777

SHA512
67e47c05d08a63b8570f60ba04620abe889bd674b105c5cd1fab1a32b68da1fcc63b36b413e8e288f5f29e75ed13d6588686e7cc625554c2684283bec49f0ece

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
09c9c93a7978e2fba6a4d7e2367d3369

SHA1
bba2fa27dde019e3c42a774194eb1d60f53bd3d6

SHA256
ffb1d7944b5f111de544c93d5bcbc218ff1127952cb20563eb21b19b0496f48e

SHA512
07a9fc5de65167ad19b037137f1d1fdd97f97d4ac22bf4f84143ebb5d70d4a12dd01f199f378e0d113bdbe5798b66801d4e98535c96c90fe01c0b1d00d2ac289

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2f6c29367a2edca2da57812bb415e804

SHA1
5ac8c95d7a2613f282602f529c96c298e0ab0457

SHA256
6ebb59568e62cbea6daa6c61c255fdd04fceabbc174335f0c4e486c8c73b361e

SHA512
1003ec8111b33179f199d627d8ce29f99c2256ea0bff4e4e8c0567e5bf3637e00d1c1920e07f8c24a77ddfab1639e6823e80808b42ecdb044929935aa6d2f39f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f0b21a671358dc1a65ff021c19eaf172

SHA1
7b505ad648d68afbdceef3778442b2f325dc8205

SHA256
2a506ad8ed10820da1f1397b996b0942f957a2cb6785bc43e15403e73ea632a4

SHA512
9f2d7cbd06c99352eaa22f09e31504da90437943a4262143b3875744ea92b4d1aa76b335acdcebf678f8961f98a8a459e6fa906bc7456122e018e8c2bb6c5dfe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
235febb89b93c4e0fa7dd2f64199d70f

SHA1
e93cc410656fa5379536c6467798e1546ac3667d

SHA256
d545413485ab142714d3e65da98e8741048526cd812b79da248788fbce2b833e

SHA512
6cffef8a21adda505414462550b47456bbd5541ce4599e5d53c7f888925353d6a8737b90213770d8d62ec522fefba608b51615270bba77e222044d86aa0a781d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f98ad67f884fd454a5940ae2995c5336

SHA1
3d3cc5f85657ef64e32eb6fa98782a81a0d1bb11

SHA256
1a6ca89b11e73c1754360e8d7337814a53ed2cd8b0d41b01f0650946ff9547f0

SHA512
5e69497633e939b8c4ceb3e1ce12b922b5f8624a9ec4d859948dd2538f33e3dd47f0a88560ba7f7db32bd22ecd42a3383b95248129ba5b40ccc5889df551735f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
27ed4f7c4eed7e6cbd68d05d9ade4242

SHA1
c15aa92cba8bd4ab3c084290de3ab5753d2fc6e6

SHA256
a538ee7e3c437a271bbe091c555ccda3d0412bd25b3ab38af732c368844b2b29

SHA512
b1584e847d925cd4036c9c6dd4821323d3dd753b234147c1517182e1bf0b0ee3c73ee95aabd11e00ec7da3cc8f6995b2535c11587b4959561c1a65da50d17a17

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9a64e0f9ba2d4bf88ef6c6a0d4ae8ef4

SHA1
a50d17c6690ff29b1f013fc4d259cd7c0c9d533d

SHA256
0402f70766c9824b5059f012eb5f2c0bf9b2e379f866d151ce0104ed96c92cbd

SHA512
2c4423c7b325e47eec29d2d4c6935a3cce227b85bb3e608a0ebce0630943dffafd49076d83b11695d2c14c6169cd1e3dc726e2d6d2d711c353c7f71609212da8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
570433869eaf9dba7b6c6b41c8223475

SHA1
2e5c3e702731cb90f08c55a2124eb404b39d4264

SHA256
cc04decc1a87b236fdb8fbd291a85ecaef3fb5b2afc9ce93c46f6647e948b411

SHA512
40adf05f8bc1a5035d16df6770dd35965352c40bc0f45753849054dcf75f92b9e1898c2d8e8dd506cb155ef5670ea938dda1680c89b5d551650ffe25c86440cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4ee7bd09386b574848c86e2070c6fde7

SHA1
7bf7f8ba23dc5b70cf36c3a41aec54b0f5c3ca5c

SHA256
cdd9cb03fa43926c9e2993e1066e257cd8206d922c8ae43709b5703f45db8465

SHA512
98662b9f5f5840f35f4512aaedf7b2b2e9d730b8ecc3ec3fd6dc020e28a2874591c0527e35207e5806fd9daf847094e301e4240c488fc793101d78e9f7995c7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9ce75e66e1b8b8a1c056ff4e0e0cf4df

SHA1
2b3e5f3d5aad75cca0d0d01f31706accbf66a9ce

SHA256
399c05a411ad51ea2b1e5ca63e13e00f497b5fb04f61ea881a44e1dbaae1a13b

SHA512
cfb23b3cdbfb074447bf6e29b248114d5345cc23b3a100e5780d9b1c3f8214379d168a42f98b7721e43f1ee25fb0140b49a49e68b519aeeb8f8e2045b26c8c2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
87f936eb020b5e2f667cd2188c323654

SHA1
dc7758eb232077a206f114e343072fefdacf7551

SHA256
c6c0073d4fb034366d83e94f3d10487c326e1399de805c8dbd967afdddbc687c

SHA512
f2f125ecb07106f5f7fa66bba39847a24eaf85e835e2079bee0f48b3ce93e524561db31d907b47c42c04e646b63dd4f58b1cd5bd773d51b76ec2172c24ab18c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5ebcb9cb3310eab22e9dfc774b0cbcf4

SHA1
86452148f0cf890a04f115dc50311c4f1257105d

SHA256
34d999a493342107d7965f1fffa743f3646bcedb7e91cd5f7144fb373192bb47

SHA512
1c785f48e4959409374eae7613fdc3101de34b32b908b46b53e80e1ef35730b4e40ce041f57d7619b37d77338b92cdaf8b10287275d92130b6a0117a4ecc11a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0f6c343c6ba52e9488ee23b4afbe33cc

SHA1
00729e6801d5ef7a7be7d6b528b76f42eaf694c2

SHA256
90f86a32175c1e05b82b17735bfda45ae4f23917fbdf212137f2129415b18239

SHA512
8e01e50c0aa9a1dbd7515589c7a962a36b7476fd5d28fac5aceb8d9e1bb2dd5a8d532b32e3035055a43b9d06d47ec4c29a2048f0fa3d4fe0078885518b189393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
01ec5f3ef3454fd23b29ab1b66fcef1b

SHA1
56357222d148f2480294eccc69c10f03edf118f3

SHA256
8191bcc1d12f9e1b0841cca06afa5a935dc2dbc7a0a9d10214e81b964fda4424

SHA512
4c209b3524e681b877aa9aa4d4ba38fc44a41de2cca9424770d0278c38e2cc765001e00fc8922c064c6fdf359e8f0be5fb8ebcad6b9b272aa832bec737e5eeeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ed506351adcbd7c43426e906b56af87a

SHA1
e0ea931c316ec1d59f4998210c24289a5917eeb6

SHA256
58db9541e9c017cfc506e55332527bf0b7766ebd27c81242ecedef6f493918b7

SHA512
0db4e01b15b66323ca43389d332859b9c7fb17e7a7d59d66e78d69f6e3e40a99a6fb11e6f09ee02255509acbaa337dab273dbcaf76f52899657d88336761e2cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
46a1082101302f03d18a4134468cba16

SHA1
df0d8b1f3ce619571b5b8bcf9bf523659718b7c0

SHA256
199dff7e945cfa5a796c0890ee1f4b3174e7ec78b63e117374b1b9890221b1ff

SHA512
63f29daedfeb5e420796806e4a2a97d02a2008a7f1169a670c90c6a9be50f10b5b84a4cba6251197577125cab0ab2576ca4edfcd6ef704754bc04f51d2c1bb83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
2a65bc914814af3466393e78b40d0d2a

SHA1
ad14058fb55311424ac1f370370338e8fbc5e9a4

SHA256
a7c5fc95d95eb4a596ee1d1d6f66da5ac04d3aaa95678ee4ed4bb27c95e09ade

SHA512
e9d2b0ff2172d997baa38bf4c425fe732ecfacf8479fccdf4c7dd59c3c49e689e9a0174341218ff2d20c58bb613ce8731b56158eb8a0dc68ed57caab448c357a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f06955c4d584e4fc1ae05a27d8a74a67

SHA1
450b09ac4e61ed9c7aeab523fb73fb5eb5603cc3

SHA256
4aebe033be8666231da66ac5dcab8788c8822a5302c2c437e4d7869b5fbec6fe

SHA512
ba87cb323dae5e5d08aac7e0cad8783022a6b8e25a192388581846cb8b1369c850a491878dbd862a965451d0731ae451e15541a68d28845fe1a4bcc32473e074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
db8797ee3008153c30d0426cfd8eb4c2

SHA1
a6d3e67341d9ec374a369cf5a76b6aa449157a74

SHA256
41e89bab18cbd8f2a69826861ac46952b49961e492a53864ffc67dd007bbab07

SHA512
c0e509027d51fea501137cbd5e6b981f4fdef6cca3938f4754d5b6651ea6b9a45204e4af7dcfa1c32a3c035c869726de99d3f48dfc3f2fd3d40160cf0ed4dce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d05a3c01e57c55cf9d57a4448f17be5b

SHA1
5140adc3c7467952a82e6fd7d947605004a07a7d

SHA256
e83302f028476eda8e87b96e905cdc1a8eb230c1056a12b963bee38d03ca7f28

SHA512
1ff4cf12ebaaf043120a2ab9b70aa235e229f97f7f121de4224a42d857ebe8f38f0a362c10673f2f76fd731e454a6dd2b10c460173e403c1e3be95a1b9c6b5b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b5138ee51dae8756fa74ec9320da886a

SHA1
3d56fe24cb9f31328c9528bee1a3783cdc8a33c3

SHA256
cf9318d28ef5e9150717c102bbef8bc3a8134e913cf1a4be33499f18bc3d263a

SHA512
1d7c2ccdae8c7efb249f168f0452604da96c51288507fcef6e31d08ccd1a29247a0f53ae8fbeb89e9fe90b19c5546bb50f21dbeab7d776e8205557b1bbbea770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
cb162f0a75a842e0ba8939eb1309bc68

SHA1
5b0668a67c053d7fbcc898f4779384a79e3a6efb

SHA256
8f081d9163972abfa0c6f2d9ef202e03c7ecf73c3eb0366f1b2e7ab36ef19537

SHA512
9d2ccbed99c339922de27d48f8e343837a4096df549deec5fb58b7bdfca97cb61b051739b9fb593c904cf3f8e7d9383a24839726453fb863703863d32feace3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
225e0dfeb79ff4d260c9ebebf1bd3c6d

SHA1
658ec7153154dd64251abf44f814748519735e75

SHA256
86fc858a12cbed2eff5fd1cccfb3188529aa56202b284b1aba0842f5f0535ca9

SHA512
325d0dc24507338db1bdc39a274e443f1709753113c487909e736b641c2709dfdd3b4040002acc0e7b2cffe41084a18e0af4d151ae849672515f697a509047e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9a3bb8cc1eab92d92e9d1e4824187042

SHA1
9b49e534ce5340ea2cb46f5ecda32f3d62ac3c51

SHA256
784efe6b669d7d889c0399bd47f1145aa5ca219b1757d94d58bbf8988b77e8cd

SHA512
b02573c48ae1bf8777f3111f51f02cd0fd9b705f9b69f785859918c852667fca6c9d850c0aa9e74d73fc7413127d366ccb28691fa203ec6a6691b719b66566c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a1642b2f77b6f8725e7e47f3ee3f9b09

SHA1
7102b7241a817cb226c238fbf65d43d9cc7ae767

SHA256
79c2c6a755663391de09e34977536cebde959111459b72a4a4b01e5d21404e63

SHA512
7527542d32077844dd279040d0552d158c943c69040297b860f9f7d29905155e6e5a9d4823805a69e77ccf3e50777dd83fe188ab5d1aae553cc15c872c47141b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4ce3b4d739f55602c765399889d2f5b0

SHA1
a6dca45cb50ff8385231a3b4793703ced2f08216

SHA256
1d8dbe2d095ae28c9734a17d2a4001d072be815dbf8e8f15eccc63fccbb6bd8b

SHA512
cb7b8338542c5ad206c46df79799008b5604eb94e9f902a0cef3e95f267993f7192caa36797ecb35e4b2b00882ed5b72ff9339a7bcbc53419ab9a935f3aade07

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
733f4964c3e0ccd7cfe7d68edcc00ff4

SHA1
0dc7665af63777cb5bc029afeb342897f589d3bb

SHA256
5fe0dd2e451a208ef18d8d5efe00e63014cea68bbf8a1b6984cf91de3b63e738

SHA512
5383a8aaa7d45d0956c4778f7b39761b88b12f474229e718dd7cca5183c95b3e54341c8d3e4c925b131381efcd1271181910279bbc1d57d98b96e87e7e3f3281

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0990ec755235006ae81a6edbd9709b9f

SHA1
4295eace451d8ff2797d24c39149ae20fbe72971

SHA256
4684ac18e8307585f6325e2792e2575f7691099bdf85b0ce2bccb3b6f3111c32

SHA512
defe11b7a1e345d4f13f50328af50cc31cfa056ea357596899091e44ffee843933a9002954f0b64de4a6338ce8f3db52e10ee9ca1d7c63d974b113d1cf9d1e98

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7056a7dccb57545c1958b4ee0fad7eee

SHA1
76eac53e1a93efae3c6c6c2c6f567d4f5213a337

SHA256
aec05fb686e562d2ee5be11320dcc4df24aae9400ac1609a984ea8853de22901

SHA512
1977be8665bd3b629fbf9eb2a3f210b67068dec5edb6c6692173e92deeba1ee07f08e48050332eaafa10d1264cadde1a951c2c8230884377779a068fb6247a52

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0e88a146863f949ccfa090ab0600205e

SHA1
a3df2775235935a9c0f0300481b01412836cee92

SHA256
8779d5ae47f95fe7a3beaccbeec0329f6bbec48eaff7c106b11d8ea4f43daa68

SHA512
cf3b6ed3e7042d6baab1c1a20a880a24689276d21bd13de43be46a8105c4940b4fe2e257bc728deee4f2241d8a3ae6ab79c8b78351e8ac2f25772dd60c0c60c3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d6720ba6f191ee3535ea048c9cf0ef0

SHA1
97a860a66f0e6d57cb6c5aa8ba50806be62fc2a1

SHA256
e1de77dd5300e4b63832069e2cc757cff2165ebdc76754739ca8ee39decfbcba

SHA512
ddc81a998757682da5fa346e780aa975dd107d94ecdff7263717657c777e4d5271488ff0b83632f33678df0e0e3cddc5a47cdf8fbd68f05bb4327480d7a60442

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
286d7620526c84a9e0a24a3248aaf2a6

SHA1
f7beab53fbc3b370bd120bb9e55417dcba7c73af

SHA256
febc6058d9bb12d0489e96795d47c523ae8c247d0de5c911de802059d30d0c23

SHA512
4f883e0b0c3250e509a84ec3e5b12cc5faa55725449a1d6a36c9c7d2833deffb30c8dabf2cbaa55bde232c60fd9c8e334e1317b8bf1b73f065abbe5d93b2e8d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d4f298d0dc8627051917bd7e92a5fa4e

SHA1
4e6f5454ba42849f77290208254016873bf35d94

SHA256
6270952c3e1cb69c3fd18a4c62ca0158fd4a1eb280317e78f39281164a358f88

SHA512
a63b075a859e28d151734dc4951f2e00258448244fb06a26ebef8b32d780039a60edc12df3e93d42d1afa2cd5e78dc518b44c4945f07e46da8f54e39fcea3319

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
69b06e1b65a173f5e36bee6a41d7838d

SHA1
76dbbfd7b10d33b59edf13469a74a9b7d7ce059e

SHA256
be846ae3cfddf7e9a23e28a5df2fb0a6b40057b1d115e4878122b17ca9e2d8e2

SHA512
222174ad7ca4e368df65a56cb8e560f7223f986da6e1b57ce7dab6d7b4930afbe0526e493f6855773b97d8eb57f78af02a109ef68f0172d3b77fb157f2fae62e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9bf14a1e98ae3f78fa821ab57a20b069

SHA1
a9a6b0fa58a2e41326ca9fad041eae388c7e6be3

SHA256
c3ea303f5a22c411791f2df7f4365ce83efbf87bfe98222ce02cd4bcd9383096

SHA512
b03944de6fab138793b7a3aac91ce9a032d9ac44bda52b007d6405e9b5cc98b2caa01abb79128feddd870dc4429a19ce70049761b08524eb98052ade3c016b08

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
65e313f4201dc6cb15ca6e55f78c026c

SHA1
37b2f1072c8912f5259391e40e68145616da4998

SHA256
9b8febf8efb0cc86ff754157dacadaf0f085cd6ec3428a3235083fd5576e036b

SHA512
c43c90a2d8f45839b498642e0cd318b76ada68160d3c7ccf2d77aece3746a2c45be3707a420d85ceb4f3c514fa23b717df2d59971faa39ff42d94e2bd8807157

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8855e702cc30a89dfbdc9ab1a81d2a4f

SHA1
b01a86c840f126a633d5d14c1a1728c64d601daa

SHA256
8ff2b2b03a31e75980f0a45c51b577ab0a583b92e1ab8f674e329abd3dff84fc

SHA512
e7b2e824961af4868054ec88685b602ed5b2251d7baca084ef80d193443ed4832406d31f720824beb7f2bba0ae7635d14f48d174e06dc7c8b15631e32803ed72

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7fd53273b43d13b97aae1192765364c5

SHA1
8d27ad66fdd14a9dd6bb5d0ab581d29a3455b021

SHA256
79411355ed6226650a074985f5b5c7117f0400ab1551726223d80e065a5afd12

SHA512
ecb2026d558cf83c3036c8b03f9b1c7d7f166fd3673ceec2a7083c9dd28655e672e4bd96d191299d022944aba5dd443f4e26d6bf165db020bbb21fc00402f2b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
45618b72dec1b53c3edd00c1b658fef0

SHA1
b2b5ec31f3991bc0060088bd30d3d338fa020c27

SHA256
a79b56603af1b1f882fe5a34eeefd24162632fedec4165163210b77bb5bc16c6

SHA512
252a8b26b702df22a51f8342be084c7eddfc4fb71a6a6da90ba0ba58b3bc76203b7f72d8ff37acbcc35653264943f3683784fa42066ce6dd62638a2e0549435a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
07ec19f0f96e04adc4a00a4f6e5f8c99

SHA1
cb3e0076c005b382af7e22b1c93d0cff260385fa

SHA256
63725da6f50954c4274e7fbf15cb7c1022eb7b123744373a24da77463ccf53e0

SHA512
3d1978c012a5fe6be742b6f52d1299f69879912281b64a9b2e8dc2305485d1bfafd0422435f62f813fe9cfee259cc9e2daee5f9b7bf9a4e062daa73f58c84acc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
99d7b0293a31de8d2eb1ac5c8e2cf28d

SHA1
c606a1777558e98f02beb0d388e0437b2f6553cf

SHA256
795274827f8073ac08df4ad2f2abeea4ced99f83c852ce7750661e5efd087125

SHA512
e47dbff2b6e0f0cb2adb71c2f9d980bcfbc7f94859484522e3c213ed0c04e460c8bc92679056f12a1557ac2043e3a708468b8bc3e49fad15b2c108a1532f2be2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2627ed75fb43613c83aa4d7c27543e5f

SHA1
314028725ae1c531a7cd441eeae15574e4f81a7d

SHA256
c8032ed64a12517dca577d5325d1047806318b223f1a62861afc34e888f630d4

SHA512
0821f9abe7a803bbb00056eca70b93e064bf6873d6989999ad0d23d9b0a04f3db8f089412f6a6abef629bcf0e436633d5d1c0842d91c94981f881651971a1c5a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2b5facbaa2e7643b6cba0cb0556c2bf2

SHA1
e435af400079958059ecafe73b731a07bffc8351

SHA256
a3ca1d19e898d2dc309b030e81ebd93082201285fcf685caf28a52dbf094cad3

SHA512
468a85db428fb65d2e6cd225f25550b0acd27a4ca24abe79eb8b4af262fdf598979a85a91ecd42034e1253fc58f316c64885ae02d2fb620033650b708a202210

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ba8547bede6f63910990e52518cd3d28

SHA1
dcd5e6f6b0c7fa08ab014c0c0404572340a750d8

SHA256
a26e64f2b7764ac95993e9a166ff4c09873419dc6a59b1c152cc2364bf61d7cf

SHA512
38a24194d1077db52cfcd46c6458b92fd53507d6ad669706e8b5837683109168cb1cc8810adf3f50e7cd74ab764fbe2aae8b233e009bc9176aabf715ef014742

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
546eda8f6530da4a21c9d2af31ee8229

SHA1
e967a776ff79c19e814512481da4567b32665366

SHA256
ad63af79e5cb48af971881f8d97e29fd36afbef58d8dff89b0229393b8660022

SHA512
e2ca1e498502ac86ce12f59d041621e1b2b45633fa24df37698895cd9b55d64fcf27b42566e544fd75661ef6fe4a53546502f45b3d96befc60e2ff3eed98f03c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a63da6301691eda38934576de72ef1a4

SHA1
4ef5f9ba4472193b621733f167846740554500fd

SHA256
790a568e46ad2dcb692ea919e3642f010bf6b980505faec16c885bfd778e243f

SHA512
17f3622b73c3ff91f9ca7d1054ab6a102263b2739535171cae8ee6146cfa95ac03ed37492ad2b8da8e8cd23107a5bad7bc7f1fe93cb1a6bcdaf09f8e2a07661f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
758eb514cf976602a89896945c387592

SHA1
77081421969c2f17aabbefcc5548059c7626a38f

SHA256
cf1dc208ef58e317369f644871a1f47cc69845cc93278db3f6560ad91b0a1108

SHA512
16bf430fa017fa24c59c999203e3bef382b0ca3986bf71d9c32d428eb4cda70b973c33b57d29391648ca19f45df9bc3b289e108bbb1c43a8d8ee39c730a58d41

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
86280a7e7eef0ec66578d8f6abc5fd32

SHA1
598b85a78fe3510ababb1e3c5748a32e1c945263

SHA256
3be8cf332b49b9d9748bc47fc5f5febaee58bcaf1c17875ed74bc2596d8ca9f0

SHA512
230ed434f293a37d85ada6ad86309c38016cbc86c2963c4491c938ed7296cecc9087dc6932cafa9e25b7b8ebc31ae6a632f0ee71f61c8ea1f01b16caaf2315ff

Download Submit
memory/60-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/60-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/448-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/448-594-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-505-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1556-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1616-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1616-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1616-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1616-109-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1620-131-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1620-251-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1652-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1652-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1652-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1652-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1792-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1792-121-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1840-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1840-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1840-597-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2012-90-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2012-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2012-201-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2080-475-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2080-179-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2692-387-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2692-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2724-154-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2724-334-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2772-44-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2772-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2772-38-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2772-57-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2772-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3044-88-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/3044-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/3044-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/3044-7-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/3044-6-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/3152-216-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3152-110-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3812-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3812-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3812-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3812-127-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4104-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4104-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4104-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4104-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4104-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4216-48-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4216-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4216-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4216-165-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4724-252-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4724-599-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4760-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4760-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4880-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5040-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5080-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download