57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
Size

1.8MB
MD5

f1e4e256486cf4fecb0b84aad90a03a5
SHA1

d5285314432b399dfcc60f5fd3c2747bac267d9f
SHA256

57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145
SHA512

5e85077616001815a7d8d5a5b7a115045e07981d6e1722a094785ccd697f83096247ead18a85c2452fe7f95d23c1852963acfbde45a0e003db1c4104745ea5ce
SSDEEP

49152:Ix5SUW/cxUitIGLsF0nb+tJVYleAMz77+WASkQ/qoLEw:IvbjVkjjCAzJVqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4696	alg.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
3296	fxssvc.exe
2352	elevation_service.exe
844	elevation_service.exe
4508	maintenanceservice.exe
8	msdtc.exe
3200	OSE.EXE
4336	PerceptionSimulationService.exe
2188	perfhost.exe
4388	locator.exe
2724	SensorDataService.exe
1860	snmptrap.exe
4056	spectrum.exe
3640	ssh-agent.exe
4856	TieringEngineService.exe
1004	AgentService.exe
840	vds.exe
4736	vssvc.exe
5084	wbengine.exe
3220	WmiApSrv.exe
4952	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\spectrum.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\wbengine.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\AgentService.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\System32\vds.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\337860c0234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\System32\msdtc.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\msiexec.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Windows\system32\vssvc.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_bn.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\GoogleUpdateBroker.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_fi.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\psmachine.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_fr.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_lt.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_is.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\goopdateres_no.dll	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File created	C:\Program Files (x86)\Google\Temp\GUM441D.tmp\GoogleUpdateComRegisterShell64.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ffbf3556298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7b088556298da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bbff8556298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009eba2556298da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f67c3566298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da85de556298da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4d3ec556298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c30b26566298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007536ef556298da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe
1908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1716	57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
Token: SeRestorePrivilege	4856	TieringEngineService.exe
Token: SeManageVolumePrivilege	4856	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1004	AgentService.exe
Token: SeBackupPrivilege	4736	vssvc.exe
Token: SeRestorePrivilege	4736	vssvc.exe
Token: SeAuditPrivilege	4736	vssvc.exe
Token: SeBackupPrivilege	5084	wbengine.exe
Token: SeRestorePrivilege	5084	wbengine.exe
Token: SeSecurityPrivilege	5084	wbengine.exe
Token: SeAuditPrivilege	3296	fxssvc.exe
Token: 33	4952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	1908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3816	4952	SearchIndexer.exe	111
PID 4952 wrote to memory of 3816	4952	SearchIndexer.exe	111
PID 4952 wrote to memory of 3860	4952	SearchIndexer.exe	112
PID 4952 wrote to memory of 3860	4952	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe
"C:\Users\Admin\AppData\Local\Temp\57db6e27eec0ac7baa87d89205a7ec03857bbe0b310cd6c5ae1a7cf40ea85145.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:8

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2724

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4368455d103d9c50a7eedd4c193332c8

SHA1
3329eea7a2ccab577dcf89c2a8aa51cd068b8c83

SHA256
02ca5156a3051962762a61f0fcb5309381ef59a17975b2392fb9f2c334014c26

SHA512
5440982a3ebcedda1d868370f31e2223c4f55ec7a05a2f6f57484c24e9e8d48c6d82961cb7cf6c9fba9318c859aad59b47a1595fbd45f85a58eb918541c522c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0c8fd4ae233bd0553013de31f95c8f79

SHA1
c38f310e77a1d6b21c391499ac8916247b61a935

SHA256
d651c91472a2b507daef013eae50c944f1a166b3eb41dfb5c4ccb0344b2df551

SHA512
cdab1a31018205c3f50eea6ff406ae9325eab8c5ff1e8dea4a500f51f8f3772b54e59c6825c4f7179eaecc5a0c32ab3f0e6492f181ba80e8769ef721988af867

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e084c09510eea7733ecb28b883943430

SHA1
af5ec27ff0260174c466b451c8e7182be025cf85

SHA256
24aac535d6d07a583b39a3054796b2c32964e8c7370c3c5a5558526dc4fd7dfd

SHA512
065ebed4fa4644a831f9079bf948f132dc4c8569b16498b21fe6f0b171962c71b4610a19ac92cc8d074dc7ab06bfc8b791ef920162436e900c33bde30a1e8997

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7f8440068edd565ed09ea91a65f03943

SHA1
be998edbb7d3335d13d957dccf5738ec52c05f37

SHA256
d9638f6949f02716e6028823781218891aa1e948e6f7853f07063c7f8e837f9b

SHA512
17390f3f0a06ec9b1a64a9ac2fc2202a9ddf1e9b73db1b1e05b6771150a6cefe43edf15c1b2952bed86d4340c3ef5b959934e2817be44cbced9919fddf7edfd3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
875cc4cb4c9a0b0c381fb54377f58dbf

SHA1
1f6a7630839d5bf3ff25eff8992e69d4b77a9bfb

SHA256
3703fdf3c6cf9ebe8b6397e0331b9a49d9982a93eb14dc48d6d6a7e2f21ce962

SHA512
bf7a7ec644a056628232b8e7ba0161bbee69ea68e9942d3c54286ec9ace5f3f1b2625a6326013a3642aabfe1cdfe06b6e5841869b9e241bfc5bd450c087f1c47

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c73712fd9cd19485efbdb0453894145e

SHA1
c2888e941ffdb4f4133e2bc2bce0ee5c3b28b4d1

SHA256
6bedb58b3d3602bdd9b06f57979a4bacf33a527aea1b39f6a1577e851b432f77

SHA512
0ee403502a2f6cfaa3f00733e89f696015b8a5f8ca5584fd10e6d852f57da08ed3af0a141bae542c4e93e6bf9e799f8c55980755f7c42cfe6a961339da0c845c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9c71632d247aa2366f74b35a898f51aa

SHA1
ff6d6e83d0023c9970e90b82dde30df0a2d3e61b

SHA256
acec94a4d28386fdc6df6e992dcbaea6407d0ded382b6de3d3c54a3d23e2fa65

SHA512
69af66cefc8f279ca9432bb70b7928181f6c616e790a4c49ecf947d829d9214098aa4d156a2943c136f572483f89afc3d324aa22d9947ddedd1d3d9d197db040

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ded7e59312613a8a14cedca57f94901f

SHA1
31e82d4d905999bb4f124d00049b8109a3c3a3db

SHA256
c61befb338fbe87a7f75831b19c5be1689d2014a9937c34c921546e8cf448e0e

SHA512
537a7c7d30de54c95dbc20b7329a6af81c3392fc20464424ca8a6d677a9bdde028b13f61ded1f71d7f3790e9376f3c80c13dbe27bbd4ffe615c25da21af3375e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3dfe9ef09bdbfb824ca445d3f2ddb3fe

SHA1
6a3e8a4375efb3108bbb472075952199fb328b14

SHA256
cb45bb2845af9c35f4b7fc32ad63e8e75968d8153e8214c1968f993edbd28ddf

SHA512
45ba92d69c97b38d01677b18733c110402b6c30ea9f58e225e11e4cd320dbf9fa750bb2d2afac1ecf27bb0e119571aa29abe7a3b0dea7a1d10fc9a4ff5d408d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5f6e11fec8607451c32ca92cfd61dfaf

SHA1
dbe5598dfae08a8570bc2110ac189f109707a918

SHA256
e1b96ae3b49002568b23b4b29a6ce840da4b00ab5bf12d56548e7be66035fc7f

SHA512
9eb2b2c553b724e1d2f996fad712d63e1bd7e7353c49ed14e2086e5c6e66885eef1fa580e500fc1246b7aec79df0d0274c65230b5bfb9331e9c1f85f97821b63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7a3c3018f83fc0d1b9b8cd0bce168912

SHA1
85d30cf12f8c1eff9bb4c77ec3146df3b9a59ba0

SHA256
89c6c104b1360bdc1658dad58c5a12df4d0974b9cd75591a8d449823edfa3102

SHA512
93e4e82ada56ccffd12dae9de42945bab12c428572cc4d6302ebfe83f4329e3fb2d1657021c37ad2c5a3e0edeb9159896c044eb313fb6fb1d2ca1ca992664632

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1436b4936e7f3bd08f77271899386ce7

SHA1
dca87061e861db082a9da7a04d64f4258c211e7e

SHA256
a36445f1ee5be6dbb7b41c9171252dfeb8e232e2d0dc073e8b57d4ea507ecb8a

SHA512
807fc76c3fc018d4f7bf299078911061491bc3cc1cf32c8c3aae588e114b3527961bb48aa82b54309e1cbbb250cd580ec1585fa4c6fd52f889821a0f0dd0bc8c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d1c09aa8e615073360c381b2108a05cd

SHA1
10a16848162f59352aa2aafaa57fd20c06d269e7

SHA256
5c0022e1f3602cfcad70cba469fb3c29fd339ea785cc5b39e72f71df60a01b8e

SHA512
9a58fcac13a37a34a77296ffd2ec68c97577e10ef492ec4558ae5085912f0831e615b129d639e04b6204d78457fbb720737a82caac120cd24eeda3bc7b825e60

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
262c97fb66dfe1a5b263917a79a24ae1

SHA1
c46d8e931e6282b0ae6a637f37472d6fcc55e2b6

SHA256
7d992c5cca88bd49314efde1759291bfd442a979195244211135cf523de3dbdb

SHA512
db54068bb6b56d60f964c4566953d2b88d53dce7e2ac80c62b80196c8d026e9e5f21f8b94f39b48307189e8d53e9ce9c890606d4de63b980d090e76d68b7e9e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8e517f0d8d7698aac1dc5d008bfccd19

SHA1
2e91770236b46370926dda805a6971ea19dfb2b5

SHA256
c6a036dcf921e89cf86596cb43b2be932c3058510184ca258535c199e5436d61

SHA512
72a989c579d97d060203b5c34ce3116adb6ee253fcf82eb5a18d2d90b2e5ab666e9601e2e44534f5600817e27ee77856b4206cc0b2a5b28661c2c0709c19466c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
dacce1a317a3a2084c380e431fbb7adb

SHA1
f954090a17a39156cea0e41de87e12b339c4f29e

SHA256
9cf2ddf689f61e32f33da45a864425f14403085e3da6f78b6ace612aaad5fad4

SHA512
a3284a3884e8c11b86ec7de17490100b20f94edac699e7c44fae2fb1959147ead77af003ee9b600866a42d6d9dc9de391133d9231e825e1d49f6dde6b704f509

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
83792f69ebb172569ef1fddb8ecaf440

SHA1
4008bde3372a872404920c4b73767dad7b01d9d9

SHA256
718d9e9252ff032a06d2d1d4018ce32c9fccd26039f803c8c31a7c58fd0a6977

SHA512
db3a23a77c48fc4cc1a6a06e26a5b93e1956208bdbe740a3ee8e42aa2a62b04dd2bf3e9fad081512a7bf645f4cf6225112be644a9a19b63ce1b0dda6382dbd35

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
acee168c984eded2fe2488cda1daed00

SHA1
45002f48c6731422fc837da332aeab2182af2a3b

SHA256
461514cdacfbcca62f944bd8f1791a813ae13a21b06efaa0f4bcaee03b224d5b

SHA512
d05b3e35b2013c9f4b58ddb318039f16aa57a86dfdca835056b9c3fa3ef1befdbcde0a119867e72e31ec8cd7f5c53d9e6f785fd368517ac6c08fb5f57a8c34d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b4d6b797cf8d12f995a43ded3239c027

SHA1
4f6dfbee7b70e6eafc1841e008ecf1e848b23130

SHA256
a9ebb9feebeb3bf94b3f10777af276746a3d5ceaac280509473567095a1a08c4

SHA512
27214ee68d5e516d77548998407990c755d0601bbe9357b2ae312774aa62dd2337c47db475c357f2dc5962a2a6d647baad42f786ebe1cfed85e4dd29737ab5f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1a6173999a13b9d3d123231adf9fad1f

SHA1
34a3b3b14c8e915f6fda084cb2b9888aefdf3bb5

SHA256
81610bd52ebbbb85573c16c8c02bd2aae06efc349976ffa50592b3da005b7a67

SHA512
8613f5e538397d22e513b4d58b70c4e7b207c93a628372b0bd44f8c7971b6de811ed2531d820e3104c0e6c0e34b39244a2ad1bafea5985b24453125d7949e48b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5d5eadc066a4cd5fdcb4b5b5f3f968be

SHA1
40c257e536699997c3b6ab26a98b9ee914648707

SHA256
1e36c31fbaabd8b41017950f59fd89d2825ae016a764f394d326b4adc1875897

SHA512
130d3ca1c0a38c4ead141058ab496cc2471bad3258c9966b8cf784e74f12d45f05b667ef52fec9919a2c335bd2588ea852ff2f37e16b4b0425e3cf3325b7b644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6203abde32fa260694d7f03a2fe31435

SHA1
d38ed510088fd7930afee8144092afd1906de1d1

SHA256
f71ba2d991a1ae06a268a9b1123734924c782fc9b88d9c2a436b6cfe4f3cd431

SHA512
233e40b6b3d61cf7226773f54621b8dc384ac88b39c3250377f1ae694cd7a8b11573003df56bbaab0d0435dfdd343fcd6d14a8ec1e6a888c1ae74148aca67ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e118a150775dac8d64cf0f7025986299

SHA1
d8ffe3e7f5b26bf8adbca2530b711a6f1622668d

SHA256
9d0f4f21b9b542eb115b81366ba508f4df8a3d6ad73231aa07fd86549fa66a2d

SHA512
243d1c3c056579bad0f3a83aae207bfe026209455c67738b18026c9f91b0ee1c5e0f5c242db49166d46b52b7377a9022cce20812e421ab3b19c34fa119cb65df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
88ee59915b0717a9242403ca15d2fdc0

SHA1
9872cedacfb8e202e3d1738447e11b2ead3200b2

SHA256
8275372dffe84c53eaa86a6930c3a1fa45de3e5a6408d1d115f144e0e35af4de

SHA512
44a1df57e500c0ed6ac0be1fbeac5ddea54faf4c22147a153a3f02a27d034ac53d483e34f16519893203aaf7a8ca4b9adb370c3e2d623e49156cd484ee9031f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e2911c9a1793dbc5df7e96bf700cb754

SHA1
f02858831aa887aba4541d55d8ab11ab0f883e22

SHA256
9252b15407e8b46e4e5001c5864828848170d158600229f47789f5a090985e29

SHA512
d695953e87b861486f0eb83f9ba53815e0fdb4f58ece7e6f4e9c4968efa581a376db0fdc1e7ffca4c7ad60b5156821bd3eb6947d1a563dfc464e79cbac398796

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9cf957ddc8c64eab84f8358e19dfe481

SHA1
58df52e877e881e73d8c7d409143da0dc75a3008

SHA256
21194036f57832cce0a000de247fadb4199cd593fb8f4bbe000f97604eeb9f6c

SHA512
01116cec4bea12b18d032ed6312474fc6430510506a0937973d65bc803fc831fd743342d07711b42a966b60d30cf82d5d44508925ae8642ad08509f8ea9504a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d3b43fe40af261f8b9d6c207ed6365c8

SHA1
ea2c10365ab5facb4c332b547af533e55c9fe4d6

SHA256
ec14e28adc88da4fa74c2ff42f11ab8d7f1560c0a73ad08b3b4b93032a9c5c11

SHA512
86f2cfed55c47150eb69292b62084284d9749b83e3fcf7e42c411377ca67202bb23619524ce3cce111c40ad4876142ad22f83d115105a63f5a804240979fdfcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6d7b8de302e2a212d1386256ed22bbee

SHA1
fe7f1ce452594ab8476189089bdeed906f043fc5

SHA256
448deeb139f4805f036457a6d214bdb52a6fa559e4686771ff649f9f3f8b7507

SHA512
4ae3476518ad3130d9723a0ce8e923ea7a38e2617adc15a5402de0629a377c27141988a427eb8f98cd81f7dce5d8c56c9ae47e023f7a0fd4499ad31b2e0fb076

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
adaebc6e6d33d04eb07c1c65b37a97d0

SHA1
2d02cca14d7cf3d140bf98bd050f7164d5fa022a

SHA256
91099d2a908e454435f90932c7456e64522e6a62ae5246534dac32a3785ba4a6

SHA512
6019336b953b0223cb216548250b7c2427041f30c71da16bda33e0e39c9bcb8d4005b5f1c5cf548edd6e096f01161f3ba9279af79be4fc89093a2239b252bcc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a2199dff8ffbeec3e2d5d2f86f8f6dcc

SHA1
a6ce69bd61a40bfb323e13f7a21647b175195460

SHA256
e1bf629035c82100d928499f58f4049a9cbb12cc9c737c31a88ee9d4e3a1fbcf

SHA512
45d539a037f75d3f9641225da0bb2c45cb9a5308f3653cd9844e006821550b87188fddf7a9078f69b9f0a3fa263ce9f6133eeb387d77eade88389480c80364f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6c8e64f3790e6b98c8f521450c3ed523

SHA1
318b23bb64d38729e0f5acb95e3349b110bda243

SHA256
23925671b6958203f7c5dec90e0329c5a6a0df3c4f3e2ec76c248e9ff5fc27ad

SHA512
cc2e2d3f715978ef8b1b1aeb2894c939ba266f11a93e6fb3af6c8f59ff782565173947afd42eba5e2b7a43a4d7d18d9716c232faa1ae1eebde42f5d874680572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e8906fec278bd0bec5c4270c692e2569

SHA1
d94f527546c75092c6167121f951b8a7a1125655

SHA256
ba330f74fb7e7fecb3db43ba29af151c8b7b1af79226390aa91a2b4527a93078

SHA512
bd0baab57840347bb3ad564faa56caaa14a2c32240fbcfa017b85211c30ba6e87f767f484ffaa629fae9bdb5fc119acc00b15291270a69356d5880e785daab12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
452ae0e608ace5812c57a2915cbc07a8

SHA1
5e0220fc6b81441a8d1ad1020b6b25c1d801ebd4

SHA256
19bc524bed3d501768edc9cc7666021b2068ce528fb002a6e6fbb26e6e0a06c9

SHA512
0b751d1c833c9aacca5baa4faf8a56be4495b369b5308e08e99c4c676c87cda3a0b575a6647f2cf46d30e945b9d5d744bc15eab33fc5dad01c456121127ae6f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bb4b4dc83cf99034c97859213171d795

SHA1
6c335423b027cef8810c7d4af52196cae4a90ef4

SHA256
2f9a46a36a3c2805b44c718c50f075de739becac2177564fdec3ee67c6d65eb6

SHA512
042001405475c98ba0cd756502ab09b401cd8a71e18c02b89a57d357077dd7cf6e0262409c889bf77f5b50388034d45c15d0d75513c6313264bff76418fec029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7782ad6262d4d2e066b92790dbb1269a

SHA1
ca4a85b837a3a5013702f5f5adcb1b8c689c11d1

SHA256
39f913e0ea516a24e09c650eff315b9601938cb6c86aee6c3ae66dc26cf8debd

SHA512
81cf816b316d718c802fff3bf2253f591c7a79897da62cadc72b5e4bfd57bea46048ce4d6e219a4a06cb8e7898ebebecef9bdc0c5a92719b71f4ca3ad037a0cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
810259f1e3084c7c2a3afea60993601d

SHA1
6a3a0288e900ce38fb16581dfa3b993a2b9b3cd7

SHA256
c423c43cd37ebbaedfe1fa2cdf05db2edd617dc677888bbeed6722b1c8af3cf9

SHA512
978bb34b2b955762b33a8112edb3510f5acb8d7a76c34aa2f5e7bc198b9834cb1e905234c4896e0e83778ae4ad928cf29fe8eb2c9fc327641bf10d9d426e4832

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c0239d403a3f59e26764e56a3d5afc36

SHA1
713fbd05315284cd231e0c522ca4adb70ba976b6

SHA256
2d90099dbcf343d822084ded8a63640909188bf8981dd4eaa361ed28ca397bc1

SHA512
d2f7c44890e788a0daa095ab098050606d25c9f0e364af157608d91f7626bc8204ed63ae84e3a9b1a9daf906ba1b6dd81045449b8b3503b47b25e50075767c4d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7ee41118de411cadb153f4472748f608

SHA1
2c3f575c99ea35d04f03fe827cbf1e6ed00b46ff

SHA256
766141ec61f97a3d5ccc44c0f8b11b33a7d44ccea9271fba9467278d497803f2

SHA512
cecc3033aea8f9787e5e39bcfa2fa1fd529c72896982e300633bd1ab4b37bec4588b3bc39628391415122691eb034dc8e4e5fe4cdb51f142642edb1bbc5e4ff7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
442185d9b4b3d916aa28c55a30dac320

SHA1
28dd154d742b665d0f63f9b2adb101bbf092c55b

SHA256
792c39476797f5777be593a9c795bd70f9083a4c74ada5dd6e0667ca5f6e740f

SHA512
260ba5fe528fc81d411d1a4594eb21e57fbfb0ba6da29ce97e3aa31c7d07a8383f5e5f7dbde720e5fd8950372e9c9b91d930e82be205c820a7fe50f810bfe8ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
99003022e8ad76ca9c138f5deef5c27c

SHA1
5d4a6f4ffb63a533f0c6ccad4313678e983576fe

SHA256
8ca92526080e117444e25b16bf52f929a56837f7dbb8eb1d3b22829a436e9220

SHA512
f689ad6b921b5260b1725885538beda3d05711fe438bcb034be4c166b9b7d9bbf245a9c556a96cff35351f4c5b10e2d52023c69ed3e1b63863bb01dfb212fade

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27f21bbb7790c7584787858ef36ae5dc

SHA1
9e55f7e02518e70152380bffeb9e3880cb261483

SHA256
0dc2e7f683dfbe898c224ebf5c977f087740d81bff38afeb5a7c784b9c77a278

SHA512
a397053a6b721c32a83fd6df7e11d3065ca5ea531f93e1019447c145203cea5ca499be3acd63a3e3ff628f3909bd1f9da4df5e77c8f914c40d109b9c52e22a7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2d0622a97e9ca2a6815f23f7f140620b

SHA1
826a44b8033b6b02be018747eab746c4165499ab

SHA256
ff088272fbef488accb223204c94d19079d32197616faee1ef79ffdf35f20d0c

SHA512
680f1c811cbf1b5c7add6b2b23faeba0db0dd7f98d3ce95a4bb2ec0c1805ebe9e26ac156fe3de24f22134ac1e4413f5e58bd38a93bc3627c48492a224839d315

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0938abdee750ceaede53a9bf6eaac3ed

SHA1
6ecc1a19968dc65ab0b2713bb77204023dd9bb67

SHA256
1a8116a5c44f7d26b47d14481efc6ef4a741fd84d593bad66c90b6fe06b2e21c

SHA512
55c7a53c861b395e32bd9c62dda0df0c8fe44b0c717edf79834ce158fc6e9d32c88f17d956681bd4d026b46d6af3f82837603583564d90fc894066b663e809c1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d7f29edafa74a07a0aa1ad844dc29317

SHA1
a3252ce5da1e8d4efb6b8591fcc0ae33ede00f46

SHA256
3eafa78f30a4f3eab5def1c096dc2d727267a4000576c2c16b56ddda6091ba25

SHA512
e307e0a2ac1a4d5723e1588fd17b0d268fab8b1448ff8eb1e48d01beed8658560e3afc532b64b162a1792cb0cd5545465901881b1dd823de5840e1b1cbbaf8ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0357fea1ac42dc75f353f128615207de

SHA1
e946e6176f93f385dd40047a4d0a82e1ca1102e9

SHA256
e0fba066a361735ef0795ad06be25d840063f2aceecc0a683bd0e4e7c55aa04a

SHA512
9ccfd341e9611bbec2ebdd7a22bcbe27eb2d7f4a2729a036178936f9553f3d8f4f228611c1683d073664efa95d979309d7e128b2818a58a37e750043d4be61bb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
832d00dc35f5615737281b61275e190b

SHA1
229d9f6e1c60df3758f04dc345afd35e94df045f

SHA256
edefb703e6c9d022614b29f8481bdbc042cfa9566466a0fb6086ddf61693d7e5

SHA512
99808091040372b76be8f04cc4a43873fbf87024a202d92f333a617575dcc6cdbda4bf55af0a870da6d249f36daf1156327cb8020302f954cd8bcd2998473ec0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ea691b41dc30b0b2b7f4b029de702f8f

SHA1
48a422f20954a99ce7c51dceb79a95f672b624aa

SHA256
ca8a80a0d213b2d92d4fee1b673cbb81f5e13308b59ad10f7b42f121c9536058

SHA512
102affcc3364d344b628ffa3efe859b89970098c5f7472a36656c763b190dc60d6ac41ac79ae2ba4be3c999d7ea149cdb9faf6499ad39a29fea2b8fa93270649

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
be7a9b77f17778c114b27d1bd44635e6

SHA1
a437692772f5275e857361708db5c205f1629a31

SHA256
2509dd356cc20b53be03e4da9622d756cc4c93f2a2a8f2126a7aff59b9909ac8

SHA512
31eb5404a72d7f825987df33b0a8b299adda2c0df0fb0cfa6cbcb4f58f7d57db5aecd68cf36b5588b0c746b414fc583c833379183ada090d5d6268d936794dbd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cfce304c7861c867234239e71440c9d6

SHA1
ecfcee9896787298ade20f84b729353f7a1d786f

SHA256
4f70ea28a24b3ef829c4655dad0eff53f273739ae85993bbb7820dadd0e427b7

SHA512
ace130d9f718f942cb05832e8a2735f0de1b25e642431ac1ef296384586922b157397061c01824bce45ed0308c79a734f05488eb3a2fa66ea222dea9b502a317

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
76fe55f8fa925fbe59a7256002364d0f

SHA1
e5e6032ab1ca685372375ccc3c395d25576dc2e6

SHA256
e27df5d8f7a4ca191dbd9ff0dab637700b4643d2c2509841bb60073fa8bfda35

SHA512
3730218f2bd0cba4a0c54ee6473347f4414c9a617b567a27b11217c23acf8f5671bf65490a5adccd85b82889522a8cfb2a071c3eb30802f727ac247d34346564

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
879112d8535858b57c6e104ae0f016a7

SHA1
d1876ad0064868a7725a7c1c66323192e91dffeb

SHA256
13070b3a4b39717c522f6dd494b06789d1039d4fb07060f0a53cff36e723698c

SHA512
4b4ec9f0eae4039a54ff60441917ee3a27d18439550b4bc178dcf7423a0319a587f358fd60af8d4a2596f144034c8299f6a919c786bea0156b0d6ef39e9e8ea7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
96785a845525ceda2fb373d3be79ba3a

SHA1
6c57f8dda9eff5a103251a7c4aa5d6089f0bcf3f

SHA256
bef01603a9753ab4f905010943320e3435b7a4ae40b43132d4d3aff5bd2f379b

SHA512
8eeb6ca893b6bcb7aa828a7fd11408bb6dabf69f2f0ebf931690b957f478ad53464543f4b92f6c68e9e2430dedfdb2de071fd226f4a15b7ca91f178bce0bff1f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
447f1ea813cdf0458267bf827ce28c17

SHA1
67e5cebf37cd7cc3e3fe3c8f378c2693061105fa

SHA256
6257ed2ec16503031c9c3081094b217173b92fad78b3c860b2f1e3ed5c9c1513

SHA512
bed15f9cf9b1e2b32dd440a8b2db45f1e7e7427d59f60f8a9d72eb95f2ca4eff95ebdf85a5e02ff42c8680cc0bda159146857cc23c385ec113f484cfb1565802

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3a4b87915a7bd386a95ae763895c452e

SHA1
fba98a99eab669e71a178ce7c2559de42ec7ad0e

SHA256
3712b70a913b00496f14ba299f56d0648456d1c0decc4bb5e84c01c8d30d2a45

SHA512
bd31659d439ba54aba604b4ddcfbef337ba72bbaf71119a23cc2eb4a37e6ff298782e582dab4f41dd5bfcd09e45af5764d7084129abf9e8d7f2492d930f3a438

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
56a118bbb2b29fa98a2b91eb6a7a7281

SHA1
d2a319f6b10a8f3ebbd29aa8cfe2ed686249576d

SHA256
57c40daf7341afaf2a8ef47a0c684e6d1320fc23bb7e75c0f4b53691997311fb

SHA512
cb88aa59e432ae61b917947aaa0fc2260c5b99ffda1b11aca8dcbbf1a50613a7f70f2bc2b6640d938b3194960d8b46b3c973d1bae5416ecef84b9c738d39bdad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
fbb8d2a6fa411ea2fbf449775f63406b

SHA1
8594c889556c295aa10345890891b04a81cf8d27

SHA256
c96708a39f6f7c426faddd6123365a146f7c625e324dd92cddeb1966299c0757

SHA512
6f4b2befe572afd44aa2fdcb6a36897f424043d96447b4a63ad0ef41ce59846b96c98200f777a9a2d060019db3022f67c63ea421692391e29f1f5fbcdbc8fdc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
42ef68d820144901da2612104c5790f2

SHA1
c248e5079b2f47afc8a58a1618020fb9227e5362

SHA256
9caf57572703c54fffa1f0241b45f881d1e16b85726a9c0454155b918989900c

SHA512
d646f4dc1264396180cc3bf3d00db2d0554c751735776a90fb7d5f8dbff1f36e7d430375dd1f00a95e94a9bb7fc3a4878b9d5c73ad6477cfa96f33ca2f2ca8bc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fef53df7a5e0a97a7e2d3d5c5b72c1b0

SHA1
e18b5579bc44259d4ee826c557725018e8c7c891

SHA256
2e8472fc55317db5923fdd4266eb119dcab35add5a41c3af77c9cb42d75f876e

SHA512
c405af47f46a1ae3a66787486c56a7111257b17c36093f3e59a978d5ce2814126f109107d9a5dabbcce923d58d52213351801f32a4e8c32213990d3fc81608b8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
44933eaf603c3d4741927f8577e2c62f

SHA1
393b216e9f7e3275f8a610e412e64af94737e9e6

SHA256
362a128b66eb077208cb5da6b9dc49e4234baaa1287c1e851d0a1b9ddc120bbb

SHA512
f2ab4b60439ac47f3c387bdbdd89f09c2bd8557d7af48bdba4489ae9ebb7a7fc233817318ec381a63b7262fb3b5ff5ed3c38052474e3df06d0502f9932ce61b8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
73a4426e3bccfb22a9eb1017140e019c

SHA1
4db0df7b4e1e24833937873fde592a94eb41142c

SHA256
0831d3175d28e87225eaf2c21e7458cf12de86b112f24e28566fce58875e30b7

SHA512
92726e9025816aa30e5b1ff8b828f227f63895d5212a5192637bd01c0883dcdea453510a01e3617bc3cf29feee2cc5212c7e14d02c5a78bc6cceb8e202412f98

Download Submit
memory/8-150-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/8-156-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/8-325-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/840-337-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/844-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/844-708-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/844-126-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/844-324-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1004-266-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-612-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1716-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1716-6-0x00000000021C0000-0x0000000002226000-memory.dmp

Filesize
408KB

Download
memory/1716-1-0x00000000021C0000-0x0000000002226000-memory.dmp

Filesize
408KB

Download
memory/1860-333-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1908-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1908-103-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1908-102-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2188-330-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2352-707-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2352-122-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2352-116-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2352-323-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2724-332-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2724-655-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3200-326-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3220-710-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3220-340-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3296-111-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3296-405-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3296-105-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3296-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3296-404-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3640-335-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4056-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4336-329-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4388-331-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4508-146-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4508-148-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4508-142-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4508-136-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4696-86-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4696-75-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4696-87-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4696-85-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4696-704-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4736-338-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4736-709-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4952-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4952-711-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5084-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download