0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
Size

1.8MB
MD5

c89da1c73c256a84140a865ce470d6ef
SHA1

07370c2777eb958b11271439aa6261971aa3089b
SHA256

0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc
SHA512

7a3deda487f191795bea283585db416013a5b407352cfc4bffd0cd3ed2c88505ad3a9db8f7521fb9a4c887e40c38787170ac2c9ddc9b1a7eeeec404567dcb998
SSDEEP

49152:gKJ0WR7AFPyyiSruXKpk3WFDL9zxnSlgFIDRRAubt5M:gKlBAFPydSS6W6X9lnJUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3084	alg.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4356	fxssvc.exe
4344	elevation_service.exe
756	elevation_service.exe
2684	maintenanceservice.exe
2760	msdtc.exe
3892	OSE.EXE
872	PerceptionSimulationService.exe
3828	perfhost.exe
3916	locator.exe
652	SensorDataService.exe
2936	snmptrap.exe
3588	spectrum.exe
4688	ssh-agent.exe
4188	TieringEngineService.exe
1208	AgentService.exe
4456	vds.exe
2320	vssvc.exe
4092	wbengine.exe
4536	WmiApSrv.exe
3004	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\System32\alg.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\locator.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\System32\vds.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\413bd62d234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8AF88020-77AD-4F36-932C-90EB553F7474}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\GoogleUpdate.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\goopdateres_et.dll	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\goopdateres_sv.dll	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\GoogleUpdateCore.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\psuser_64.dll	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3E61.tmp\GoogleUpdateComRegisterShell64.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004718448eb999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d635590b999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ceacc090b999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd3ff18fb999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000698eff8fb999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009256018eb999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a29d6f90b999da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e900078db999da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4444	DiagnosticsHub.StandardCollector.Service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

644
644

pid	process
644
644

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1360	0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
Token: SeAuditPrivilege	4356	fxssvc.exe
Token: SeRestorePrivilege	4188	TieringEngineService.exe
Token: SeManageVolumePrivilege	4188	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1208	AgentService.exe
Token: SeBackupPrivilege	2320	vssvc.exe
Token: SeRestorePrivilege	2320	vssvc.exe
Token: SeAuditPrivilege	2320	vssvc.exe
Token: SeBackupPrivilege	4092	wbengine.exe
Token: SeRestorePrivilege	4092	wbengine.exe
Token: SeSecurityPrivilege	4092	wbengine.exe
Token: 33	3004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeDebugPrivilege	4444	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4344	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3004 wrote to memory of 2516	3004	SearchIndexer.exe	SearchProtocolHost.exe
PID 3004 wrote to memory of 2516	3004	SearchIndexer.exe	SearchProtocolHost.exe
PID 3004 wrote to memory of 4744	3004	SearchIndexer.exe	SearchFilterHost.exe
PID 3004 wrote to memory of 4744	3004	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe
"C:\Users\Admin\AppData\Local\Temp\0e45c8ba5b9a217d6f95d67a738754432c9c6fdd580ccaf97e769fbc18d070fc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2516

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
819f12b9f56572e05b9ea9e6c6a078e1

SHA1
e2961e71bf61002ada3493853f9d442bf72f0bb3

SHA256
ba546d088ecaf0f0a8a92c8b94bb9170d49f14623206822f6582b5fa2e07bfd3

SHA512
beb18e7e1a9ba6251fd11deabb4581f0019bcb13426426e3e34560c3a9fde0851b577307d36f67bae2ef1646b97515b4fff34aea2a5ca23525c3512f0d544302

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
7a37df96a31d995773df002b0cc6fc95

SHA1
eefe6350208651a1b3ca912d1a046e7855d70c96

SHA256
11939e1329ab743bec0f37c4c299ea999f875c144c9fe3380dcb064ac504aa4d

SHA512
20c1dacf3845e09d951b99805c104a19341ccd024e1e6babb1b1da9618a7ec2b7c42c88467b9f4a448d4fe5750f36c846928214d4b22ee78ad2e5ff99517927d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e64c11a211622481ba26aea781e726a5

SHA1
1a1357f98d438d55bdb574a1a8ac76d4b6798082

SHA256
454c6dc7b2e390f2e86d27b2059b8154e11a71e01f20c3b7fd520b5388320007

SHA512
3c0bf21b33a27889799509e9fc97770a3d5b72841d685453853bcbdf7d4f1ef42aa18136d6f30ffe2d7da327176d893cd55d95acd0507bf419638285285d7417

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
70be049ca4d8efce087f81cf803d89fc

SHA1
46efabfd50c40d58f101befd459c1f04c2ec5055

SHA256
aa864e982ccf414d7e2ac1a7df4944fa3ee3a5e407811c264724126f39a4794d

SHA512
4c2754d675e090b6a63f68deec61e6f5561b2c37101309502a8c9f5a74bc6988b02cde42c978f55e0abf8a54eabbfc210c7ede13e6064366c86ce05561c36d9c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e2997a4b76bc1e94cc31ed2a06bebace

SHA1
8aefc85b82056a124f436122a69c3d7f536e7fe1

SHA256
3a4a46ba83a510da6e268b9fecd7bf2fb85564e0f59acb2fbea47a4ac4527404

SHA512
e672fabc4fcc383d000749887e3feda66442c704e3b9b198e9a9e74c193b3e14d6d1cdb36aed9a57c8eea3f67211d5ed8c89bb6e106acb36d1d3b10e5357a35d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
3283cd43671b86ff323718d5f54660ae

SHA1
8d8cd5b4705a6c6a4f812a4c23edf047fe9985b0

SHA256
4d8c8b00f3ff690de8b25f9e155a2c79825947e14e99155a59def3a643f9d8e4

SHA512
b05574ec65a56270e79e89df8cc0c6e1ece674d41c58c056259785bddc0c4182883310c14ea81f7019cc6860952b320e985f80d6118aea149af2d6a32f1d9f97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
93f7b3ecda5dfc6f31eef3fe2a8aeb5d

SHA1
205d38a27022af89aefa4cb3771305f1964f09f0

SHA256
84cbd0ff4322010ffeda922a15e48b1c53bfe7c96d381880847b3410cede7358

SHA512
e1317f854a0ab92cced0b1e4c665901d0c306eaaa7791a357e4c632b45f70fec4a29fe2eb3e565cfda76d18397043f776f868121efc8b0d54cb36d179fa88c6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
75db81a5064c3ac778c498bff9a56203

SHA1
52cc20b809f5a11abdbf63ca02d5bc726e6f0555

SHA256
6dc15cd793e1f4ef8f9bbf225f75587b964eaf0b129201e495223a9c8d84a74a

SHA512
93256292b5a171bcb6e327deabceafa3064a005fe09f32c8bc2996b6980d6e6980dad4db24d938b53aa2da0b4202939bf0c164580dbde29bbcbc46bb9d51d284

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
3bf90418fadcc1358e6a3186f18bafe1

SHA1
578838b39bee6f63e6c4a88dd047f13fa10fa788

SHA256
d46dc098130569abb9289719899bdc4b1de3a626ebc0e316892bbc8ed430da5e

SHA512
d57246e07bf89d5f5db8409eb1234f1e594400acb9da35d443215d9f41d709ae78e457d41026a50d7f33084015514c241a78cb65601326d229051c253e2b7eee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
6ebd0fa8dd96208e552c19790359892f

SHA1
9aed1978d931dab2252d7591fb264f0274dfb5e1

SHA256
dfc3dc145eee8e366a03ad5782a100f13bc37d6a6192ce138083938cf57bdfcc

SHA512
3c2782f2234b854587e2663fb9106ab733e4ffe69af30c4dd622c27bebf77b7e39cbc105b8b29950237753309cfe4bf2ea8c26c9548810c8337e9c01190649f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
12f329ab1cde81531f435ae200494c69

SHA1
dbf2753b4b8c8dafd36004f1c4ac26bee9a14dbc

SHA256
2d10038bc2cc70900b82cd13f37fa793352a670b4525febc1f92df6afc3ad070

SHA512
4833eb538bcdce81bbaf46473d09beb7124fcb70afdc006c8c7b288622e721ed73f1b663565ad227ce37ddcf0893ac02ea46101f586ef06ab85a381bc334fdc4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
980dcf49fca39a0e628c9c65704edea5

SHA1
6f7b8c6ba6726f2d72e72437333791813b4aa1bb

SHA256
80716ef3fdacc06d406992421f69a0a6613f8ddc9c0731743dcf6133cd4c85a0

SHA512
1361f967f7823a697e774c03a27f0ab7a0f6ac8a396f86c37aeb7d1fc5ddb281b5c661cefece1bb8e326c47bf7a67d0a09cd9f12236960711f8a5002bee03cdc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b9ec8a4b3c6b62ffe73671d53f16c6ab

SHA1
b2c31898d799ef07c2e44a971a80a0f2330c7833

SHA256
9f83aedadf9d922980bbed26703d0b031e5f385d0705ee0909805a210610048c

SHA512
d59150ab738b1658129591147f80e295d6a0fd88cc6796b8aa90a243fb9cac316dd8716343bb6a3e96eb0a83394fd0424aa741694c6ea922abd8471ca893db08

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
0a01469bbb3637051338947a4b1d3fad

SHA1
0c390c7e0c7f89909ad455d812eab67a8be7c349

SHA256
f9365bc467e1c645fe8cd15f847ffb98c41e0787a05d2d1b808d692966577c6d

SHA512
cec5ff9958045657aec909bcaf0f459628b071886a850491185cb27637c5e1e23a6be7935a79718a5018e10ae0765a05aa00642b7d1246bb9a6e0ef4adea2984

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
66ebeeeb4f90b7efb925350ec7a15e2f

SHA1
262a3c37cc943bba10ce1c089b9aef430877e6e8

SHA256
509a204ef02c2ff15738418701b1df44d0aae75c1d2b373ad1b3cbe1e9d523a2

SHA512
b7df016609e796606c4adc3e2130e56865c73f3f48865fd0351ea0be26e41fbf94e0c37d80957d01b99b843455361b21ab23de181317c311af861e8c5356eca8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
8a589d3b43d00782c88da88c81c87541

SHA1
9aebfb18cae46db479364b36cf42810902b5e1cc

SHA256
ea8f37b09e7d74e796aa0900462bb7cd65f0922fdbd04c1a2516e931da2aadf8

SHA512
6c6abd9a043a5ae583a72f1e5c8cb3fd3c28799002d32aedbb590e5e21d2e61f312a59d02a33d4aec5478f6cbe8f1dd3f83d2f18c5dcc10068dabe8678ce4392

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
dd959fe46d65128ad85324a6b697f014

SHA1
28471a355cdd3f75d6fbfcdca1254aa3215d3168

SHA256
46c377fd31a14bbfd75d3921b2857b8d136d93b1d195ff45c196ce7cba5bb6d5

SHA512
9d0fbfb557cae1cdceae73449e29941c677cb76520994659bd43328986f43869a126eebe26768425f92e6d60105b20a57271821db59203a4a8bfd1594f85bcce

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
f84dd552d9f1c607e42ad2311fceba7a

SHA1
cd51b94f75a4601d99cc39d06bf895a36e0d3a91

SHA256
0f921872388cff1dd54ae4694a8cdbb9d68ec34ba3d65e01f3a4493fc82a9ecc

SHA512
ea714c3745c95005c0ec735741cd167629fb850c1238956e4a9082e1e7ef21df69b6fa9a5637ab24d2065eeeb6d456f87b7e88b389c17cf94c188221053b738c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
e12310deea4005ba8ecbb3677e84886f

SHA1
41627a90e5e6eda9adbeb439fc8fe3c6a11488b9

SHA256
77e3cf601c36861d8d36dd544701dc971bf177d7632cf87fcdd3405b9ed210d6

SHA512
e2573d2c8652affd883a2ad5dad1df5ead47a0554fd0f680677b71fbb615ee57e1d0684a0b80801e3aece9e18c5fc48ea46fe04e7ba1ad48e69b780d1399cbd8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
dc1a56f3179a1043c55f56695d399921

SHA1
0b37a7871e789bc95ab40c31466ccb03c2d5f25c

SHA256
29c1226cec4348163c84744b6365ad0cd279031a603da0ec86d4175cf3221d7d

SHA512
8504d6e701eeb66176edddddf14eba05bee7c688eb433cbe925545593a8a6d3c9cf0c2ccc4a2d6c2f424405a64c903f5c929c135d448e6735d1d9cb6103649ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
5ab5105dc4ed1c875036a4114a27723b

SHA1
c31fbe53db0522b2ad1aac5db9dd94c2143f57b4

SHA256
4e97d51fc600df013b7e5b13e008c8b3023d056539e10d6bb1b04a1a2c35767e

SHA512
1c574f5787bdc3db2f75cd2f236eca23c5ce1a053f9af12e1b6eaf653f379b881022c851ca18e81a2e2b0c1814b190ab8112ea9a826d174f9a832e108df00027

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b5e021b12dcb581a8592d26ecd24445d

SHA1
613b3b0acba8dd9fa4ef480e79aed2550d4a7995

SHA256
c92eef4fb7ab1a6582848234d432755fde0b734b6491e70ef7ff63925c71de0c

SHA512
2d7f8cea135b1c86fc10d3113b798a9fc14495032936996012e434dd09bf90c5a7e227d3babcaf13a2002df925215e9b7955093e78c1c20c9e19b913e04bf8a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
fbd462457ee9c047dfbf278e669be9b3

SHA1
d8a3b6e25b9a8807992a9d8b20763ef1a969bba5

SHA256
ce4ab06186136eadf7fc82353d995fa74b298065ecc8424cdf5fd808a563b4bb

SHA512
1967ee70e24cc46f7eef75d99cdef5c68763b7851036724c04b2d926e2be698004fc984f72bb55c31847ad559c5860397246cec26bdb13af890044bfcd9300a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
8acc49b5321e7b5aa397705d9e30885c

SHA1
c8577de3a8be273d9b72757889855be34c7c42f0

SHA256
f189451675a365c01a0f26de933322af62ba5f302983145f9192681ebbd92349

SHA512
bec28009e26a9c757d9e8ef65276764557c9f22b1c68104392446b88d035108ba0649055ad7141e1b9cfbd8a15dc5515a3844f6ecd08db4d81933583fd114f6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
02e4dce3615f7bf78db0db4536fafb2c

SHA1
90aae766235da10c546ac0126504d31ccddaf55c

SHA256
b9ba47492c058638fd3d94762a1a3ef61815dafbf3411bc78b81485ed49ebb6d

SHA512
29c2a3f6fb67434c3279b7789cdb096af39bf4aeea6d446131f7e35c4a8e729de94597ecbfff900cef810135fd974e91b15248a80814a50974a60d77713f6b24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
fe2e09d6e5b55406ed6bf583c3f58baa

SHA1
eb131304c225905019480b47989d7ee0f4101ac6

SHA256
a620d5974271dda39113c74a1bf4c34cd832639068e0eae3326d8924b289b247

SHA512
84a1b9c7b9f49652543b287df1a714ce38521871753a3dff8252d8df544480a1f92b1a761a723ca83458f4eedcef5dded6faee1e8ac055f570b9e6e80b740beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
544437e08c3328ade338b98d63c5b225

SHA1
997025b1989c079271470d0ebf6e3f04d79179fd

SHA256
eaf8274547160aa24fd9ad220f6e048c0c81336411d3dc33d77b3dd1d6fac709

SHA512
9c4a23202c6eb3bf0fcf69dca4bfbf3561e6dda3ff4f1468378f9e754fb705b5ce85d1bde7941c3b6ca4b1588466cb6fcabf80b5a55a19abc6f9b50a4320d92a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c710b63e6aeb93e6c5925acc8a7c8147

SHA1
242ee3935d78a52ed69c664a5f613dc9f648f766

SHA256
7787da1305d122eaaf32cf9c48fcf2ef288294b8a09862e607d3df6da5e2fec2

SHA512
518f6e3355ab31596f1d9215bb89b211317e1e9493b543aff3f0fed9fd235e48eb829d5de043f55435cd681ec53fac6437750ac9f1bc6ffbc2a58aa0b95678b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f93e9e2c0384b05926cc09505db2ac7a

SHA1
cc7ac60e872824b7a9d5af577ed349a1be846ede

SHA256
c534d63880e76e4c6c7cada39726bc017dc6e3b49b398183110b7bc2de6cd16d

SHA512
7ac0895c7ff9dcd4b2894d8c88f08282b9e84566db13fd71700d84ec7dfdb8a26dcc890cfb4a2e30c82a28d286d6229fde9c8e64a47a5ce67aa3d474e5bcbef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
65c1fa6b48e732edc8e86e773a3be8c1

SHA1
36f9b308c365ba8a787891edb786d58b1d229cdf

SHA256
fe20c09924997760939159ba8adacf973c4ac91c138cf844c2290524da6f22bc

SHA512
13f9b460c979879e3925ec7b22de5336fc0e35f009304fae9a5608e584066fa45ee25c338476076f472c897199538c882aacb17dffa5eef31c949eba9c116495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
a5971720abe5f15c1e7f66ab4dd942fc

SHA1
1aa4db26220e9162d57e2eed68d43128336c679e

SHA256
35f54d4c6e15762834727379c7d83a9b1e411f8c39e6e156b407025b5d77de9b

SHA512
e6ce7b75312bb451b0ae92bab2808cc06d3a2e98ae18f5f64c8fb94df99ed82be09e71db68536f9ab7cacf60b19b942dd575952062863763377c8ad9c2ac97eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
83676cf0966dc0e254542556e3563209

SHA1
676ab2645f02b2d0e28c8de912a3180f4826aff0

SHA256
b33a4e41a9e315c3392d1579e971c6fa85948cf93f267b929a79f58458546d35

SHA512
bfc67ee7604c627b0cb21894ea09d674731d765234e9b93051d885ba148a22e21cffc0fa36ff9ca1dd7f27ad253a947eae9d54f7908e47ec1c983350c6478c0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
ee7d8714973edc0b605eacc30e4252e1

SHA1
1220b4c748089d9031de7983dba21b4772d52c42

SHA256
77fe5b71ac82bb25c77d426d0bd18c73755c3463b0e111f4ef1899c6c71a09a2

SHA512
2359435075aadc76fb29b94d68d2cb81e3f4898cbebf42bdcebfac89c10f26a1d59e798c98c80f601e24159b50cd6a72bd84cda530a5a1f7824a0b28a5c35770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e94282cb1aa901bbd913c6846506d32c

SHA1
a7cca36ece04206bab39f31c43ad1f2466ed6155

SHA256
c38c2d571879b4114a4e7505fc63d9ab69b92caa481378599363350ac2c5d636

SHA512
ffe85447830c6cea8ae7e64ed8593d6f0d23f82bf59a668f35dde677568c1c1ee2b69e84cdcb8457ce1625e38078f231e3d0ae045ef003bb438b48b0741dc8bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
2869eb9e39f6ecc9ac85209ee623b3ed

SHA1
1eb90ee31790d32004781f4631b63e1662dfac3e

SHA256
f3a43c99a2840074bd8a0c6c2b3ae1f0bad6b456f789bffde3835d0cc5434a2d

SHA512
e5268ad5e930d2e6ba457906155b5ea498ca314f6bd5813b3bc1f3198aa78968b428b065ed590c698f216fb33ca63036d0781032816adf4bdee71226a6e5e854

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
20092094f51a150b10a43db4f1a775c2

SHA1
49b9150e89d9ed33b0dadf5c446adb79a60fc946

SHA256
ef7e33ba0e57ae83ccdc3d40ae329ef741dd162c4736564a3a1476397fff7837

SHA512
97ced3b5c671b65cfc8585b389297e719fb88c4845eca4ad31c8dfa706f8d7effb6674faa4581f7bc3b30ecee26c84aeb654c19c7cac64bef3551c300783e6b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
40d74b2b274a4d5ea7148a3068859e29

SHA1
ebf35081cca04b6019677c7ebd72ba5ac2dfdf6d

SHA256
37fe8e37a47896c794e6e991966fe402d2505472c8ef8a459ba23a4daae6d61f

SHA512
d1f4b5bbbb7290f146e99b77d45b53c67bcdf776729071a2013f11d0d503d3ce52a6bf96c35a15602c22be1ffed96431fbd6662e0dfd5af71df51c336399accb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
09e78ac496616547c71acbba0fb8bdb5

SHA1
7adc7dbc1fe4897dd1e77bf15677684664ecf234

SHA256
960d46662f53e8dae641e973f12491ff485f85d7460c9dfba7cc6c8c83203b87

SHA512
e99c0058006224e0502a936abf001fe0b1a38890736d1e3eeb2d31b19ee758d0ff1e3e3c232cf3e4d08750c243291c1bd542838bf5970f279678c7cecc900272

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
ec5ec886d0743ab50302d10e6ae5c177

SHA1
fa1c51ce3d700dbced50c58c18581cf2bc105f9b

SHA256
6aca560fd921e91b7a00c02674ef1b4d9c80a8cd64a7f6e9a00bc8177ee13878

SHA512
b79cdcb08f157dca83f3034ff8826abcedadd259f88aa97f51573d1c5f767619687e3c14d48f3303634af7aa74a95a66bc400511b7b649c8c8c2e4fdbce525c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
33393401a3203ee1af13d54ffe0193c4

SHA1
3df805f90998938263b6eca85aa57272fb6f5c32

SHA256
0ad3759cb70c9bde7902e65a2e0a8ef647dd5e013ebf28ab231d71611ad2a86a

SHA512
77ba7fe4e2417042bfa72aef3c6be22b9ceb91d3db8e86854d43718fe17d2795d9a580107e379c173bce55ec1d8e72332bd3336de5b1f851575b6688185ee4bc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
47b9aaa0c82a82e7ede6543e437c40d8

SHA1
c0efe7a075ab315da87dac08a8ac9a923e5b19b5

SHA256
f4d3310b456dc95560e80cdcc00ed84f8c651b247a4651ef6e87992e6447a4ad

SHA512
048f5d87a43ab41aed3e84ab8d386f760ef6393cdebb44dd3216b8f5d9b8fcc04f3e33e34c5be756fb1bf79477c9e6aac2ee6bf72e76d511a18cd0cbadfc3e4e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
b9338a7c7c0007f7d7d7cdcdd4469daa

SHA1
9b474b0d7ceed03ef4f78781ce11925fc99f26fb

SHA256
8c573e1fbc72dd99ba023d523deec366992d7c42a23aa5ad296ddc4a321119f2

SHA512
cd4b09a36a8d6b03e4f9f617838f506057bca7ddd4a76a2e90456e2ce3d9ff37042bd76d82a62c5895411655fcb73ae14da9b52b83d8f8cf3dc86f9f5d1290a2

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fd462a585c8dd9760fabeba06ee1c391

SHA1
6f45a626f511ba1886ffb13aaa7dba7b269416e7

SHA256
70156180a22c5a0ca61ad75f579923a379df7521bb368adc328563a374d67d23

SHA512
b6f45d49edf6264e56eb392e15f2fae60f48f181469d82bcbdf735111b0584534bc0fa80a036542d38321960cf81de71e6d93d86541db904819d70d712350850

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
0665e0e8edc5048908f1836769178b97

SHA1
5f8811c494c453da0c5e9acdd080c20d6d45c01b

SHA256
043f7e0b94952f7750fecb54b1b9855697994a066ed768ca32874ca821c6f1b8

SHA512
645630c6d7777b32edda8cb745fd18439ffffad57200beb751128d077cfa5e77dd9c4761e202fbc0d178ac054e32ee3a44398f85f9bb0116e70804baa6c636cb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b096761a359eb517ea060934b6c61e2a

SHA1
bc40d52855703dcf4e704c611e3cf4f31ed7ceea

SHA256
772239a2a460aa3cf605b295eca61cdd15f771e095fc692063825465569042a5

SHA512
5bf6e71d75af294fc63172e88e225d5a10aef8cdb72c2d9b8c982177dd9c6b3f83b72964f2f1b2c904ef1694ba73a3e0b670a0a0f96fad29b983a5d654725a46

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5e929bbfa06c0af21b2a1551cd5b597c

SHA1
dd20d459977ad5f4297c2618e3a7a9146876dd4e

SHA256
32ecdd317162de09d3ecb74aff90487d1e83a1f3bdba31d1e8db8d07802f7985

SHA512
fb9d8efb2ce0ee29a69768f728e86a1d19fd8a7d3132521b5d03f204f79e5d40dbd2ca0e6710e2ba224d85adcb69d2ecb49354592c6423c83a194ad4bdab65a4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
55abf6864c5c290c7c33258ce8117b28

SHA1
10be779ef34beed087d3bb7e038658dd2ae6f1f3

SHA256
c2169f8801ead5c8802baffd589b4ce1e40d591b8b29dd707203fed5ce87ca81

SHA512
ed6fd02fd4eb1ae362456a124f5bcee5495cdcef6a540d25d9354cf93789e20d243a82121fe2944b3b64bf1b21f812c21185ecb1c35705306db0fd809b37db00

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7ad186a35b637c5e805b353fedf0d3b7

SHA1
cd6e6a02a8aefa3a3858fbddde76ee62535729f8

SHA256
8fd9fec0e7da7ff4785eb4588453f5a813224aa75b78ebf69cdbb64f070858e0

SHA512
8f168e3c10ff3b1c0ff8cf1f0448bdd39992c599e18e3bf97e25163b1275721b80595ccaabeb06746760e092aaa9f509feec155d3d348b27aadbbb5933dda02f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
12831deee2985a1b812499402e1f1f21

SHA1
64a0bb21e486106e5ef0899ec745a1ce58a049ec

SHA256
f710846b4285ed216853139cc1e5c083908bcf899e1e7902736dac6c90ce9129

SHA512
c4a001c2b9fa718cbdf29ea35ef27da28a61eb8fac9adc01946cd5a0ba4aefdeb0603531884be03c1ada76232a8cdb27dfa596ca504d8389e50d6e0dc5ac023e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
0faabd1a9b906b473a25e478e9fedceb

SHA1
fb0e72227ca07be12e794cfc367dcb83d3d149c5

SHA256
ddbda8695fc7e4be3b1522b4b2dc399ef2104e651d3c524b0ae94b96678028e6

SHA512
828733cf05b81f8bfbcbbcd0c9c1388fc5ad1edaf5539968d9ec59db73dc522d074ed0469779898e1a17dc6c39f64e3239800da54f51f9274120261c81570fb0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
afa588bf4636c561e25e2b7bc5ef9da6

SHA1
5dfaafbda104eb5289ef73885c4627f13c59e09c

SHA256
e359bbe44e2ed24ebe60a8cd35ad1f10d37ffd6b84990c124a4e18d0c19f89a6

SHA512
dc85b2422ef3d3c65059b8d19471c0d225616035a3dc5aa9a251b30f7a609fca7d58dd786d63895afef6320f9c564bde06253e126655828de295ab0f4507bff5

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
972a83920b2959ebd695bcc65974180f

SHA1
dd79dcdd6b89c48f858834547584033dc503b4ab

SHA256
0935c426f0e8f6a32917eea9d139dc798f5287b3b0676576fc78c270142ce18d

SHA512
a87d6b18875c8058e2292806c88d61cc8803331af0bca333b6d6a73094bcf1bae1b39b5e725f78bfd03e34bfa06d5cd7d0f3f6646718c5524b9ee4112b62b042

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
0d6730131ac2bd32bc8b1df26d6d4589

SHA1
99a560a097a46c9d186316d7eb4a9460f2ee7d0e

SHA256
86596b431c487f8a5aa1e007271108e9c18ba7225ce0b8315acd982d8e7cc29f

SHA512
965dbc9e2c900787c820df3245f6ecd81041acc1a66d786dfaf3212c1cbd3e64d521bac9ee5a561e18fd847777fa9c88daaf6a7de1c6ba6c4591ed3113befda3

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
6faf9cd3548d810c76b566b2fe6bc6e7

SHA1
14449f64da47ee09a6b5b9181c5923e33636a6f3

SHA256
56dd5d26de0356aa98e95c87d48d6c05b343185ce61f5f1b48cc72dabc31d2d0

SHA512
b2fccfebc35e26adf9a1f5ece8e7e3d20b15298f5f1df15aa0e7db93e96b96ea8dfd42c0a054145b76047fa8d10fdbc39ea4d6dd5b7279f26581e1b76481d0cd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c5cbe937610fa0462450df3cd34a4cb6

SHA1
bc04ee2ee80a1bb6ed39bf49a3a089e2c684545d

SHA256
5a000189ac20753f53dc0a263e5ab22a2053a7c5d18dacf78ccbef1f53cc5b52

SHA512
e44026175a2f62cd1f9cee9cc108baadd6d2262199bc558502f292e3be0dcb801d2c862e0dd4bff47a29f166d7da770072503717f5f7d16204373adcfd8663d6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b6926b321afe5f603fe5571d61de68cc

SHA1
297ab8ebe0adf210dbe1f2d37696801f658fae10

SHA256
1599f397e1c259bef13548a51bd0ebc11facf2464fdf0da9e99814dfa5661eed

SHA512
af454962ebe3bfaff172a3f16352e4897f532ba1496ac90db902fa1a3332406b4974e2e2055f7068c7488c83c823debb637a9c0ea30bc636ac54210933d0772d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b5b54ff84f8da1800d91307f33985b52

SHA1
4852bfc4cd1b2eed7becdb8b5baa9988ee218593

SHA256
4b3912ea841d4f2958594e386ab59edc826c0baba87ea847250a135585298414

SHA512
4b53cfa043a9fa88d8d5504f1d61594137466809d082a74967e8214c184705b0f79d49241bbc4137638eaf316282ea49871294beedc2db21ddf527c1c80d708d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a0012cea0e94fa354428a066091a26a7

SHA1
7a405cf28c7830877e39bd93b77407b1d96286aa

SHA256
98f9e53d16690facaa4edace733c8793610b552ea868d97f4b3beeccb4b1c4d7

SHA512
b54a4656eff758a0e68e3e26b46972ce741ca41da52b4a91fcc18075983f3f098556e5ec844057436e0033df8a418dd04f8a898aa2706c1bcc1aa7bbc44672f8

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
c921683bd120251fb50aaee8481e8eef

SHA1
76c089ca0d29cde4586dd016d6189d9ae405c1d1

SHA256
768dfd8817840271c256a1785ecae1c2ca94cfdc19da7e35384244129fc3e431

SHA512
235d4cc8e98c78bbfdd075f2f24bc9aeda40558a44eadcf890c9411bc74b48a259fad94be60af2187c5c889b5128501eb4956f9b747931d285a2d3fef10c251b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
48d27a39a2ac1b905e95cc2a2d97b981

SHA1
7d6a9cc32af39c3b4ba3ddc1415afc42ad082b7f

SHA256
d185ea7ad5a57bddb3e941a47f75269641b290a6fd7ae6cb600c3c335627f026

SHA512
a4f599525deeb71c0ce3b27556cf880b81da0451e50e622846d9234e1145fdeb6fa39460617e8320c34bcc45ba6c868463be2eaa4d10d7c8d2805e752561b360

Download Submit
memory/652-595-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/652-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/756-117-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/756-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/756-387-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/756-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/872-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/872-615-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/872-163-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/872-157-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1208-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1360-509-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-155-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-6-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1360-1-0x0000000000A50000-0x0000000000AB7000-memory.dmp

Filesize
412KB

Download
memory/1360-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2320-621-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2320-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2684-133-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2684-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2684-122-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2684-123-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2684-129-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2760-137-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2760-613-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2936-207-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3004-237-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3004-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3084-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3084-192-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3588-617-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3828-616-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3828-167-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3828-175-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3828-173-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3892-614-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3892-148-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3892-142-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3892-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3916-193-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4092-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4188-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4188-620-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4344-100-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4344-108-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4344-230-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4344-106-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4356-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4356-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4444-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4444-92-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4444-83-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4456-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-236-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4688-211-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download