5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
Size

625KB
MD5

d1cb7e79e26185047827632480e6800d
SHA1

1af3451e7a9ae88e7f36beb5be8a72e5744e2870
SHA256

5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb
SHA512

af0da317106e11cf5831505796c82b7afeb71507556c3070934a8fec44b14fbe3f70204697e7dfd77f694cb58ec00c2ad61d7588035c9b86c138cb3b67899814
SSDEEP

12288:gJK4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:yK4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2880	alg.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
1644	fxssvc.exe
4064	elevation_service.exe
3936	elevation_service.exe
4100	maintenanceservice.exe
1648	msdtc.exe
3088	OSE.EXE
1584	PerceptionSimulationService.exe
1780	perfhost.exe
3740	locator.exe
3652	SensorDataService.exe
1140	snmptrap.exe
1068	spectrum.exe
744	ssh-agent.exe
1924	TieringEngineService.exe
1792	AgentService.exe
3196	vds.exe
4572	vssvc.exe
2892	wbengine.exe
3964	WmiApSrv.exe
2980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\System32\alg.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1bb2eb0b85ca13a2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\System32\vds.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe

Drops file in Windows directory 4 IoCs

Processes:

5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d93d879cb399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a15f99ab399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b15e649bb399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df21889bb399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fab1bb9cb399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029498f9bb399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4228	DiagnosticsHub.StandardCollector.Service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe
4064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4660	5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
Token: SeAuditPrivilege	1644	fxssvc.exe
Token: SeRestorePrivilege	1924	TieringEngineService.exe
Token: SeManageVolumePrivilege	1924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1792	AgentService.exe
Token: SeBackupPrivilege	4572	vssvc.exe
Token: SeRestorePrivilege	4572	vssvc.exe
Token: SeAuditPrivilege	4572	vssvc.exe
Token: SeBackupPrivilege	2892	wbengine.exe
Token: SeRestorePrivilege	2892	wbengine.exe
Token: SeSecurityPrivilege	2892	wbengine.exe
Token: 33	2980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeDebugPrivilege	4228	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2980 wrote to memory of 2116	2980	SearchIndexer.exe	SearchProtocolHost.exe
PID 2980 wrote to memory of 2116	2980	SearchIndexer.exe	SearchProtocolHost.exe
PID 2980 wrote to memory of 2300	2980	SearchIndexer.exe	SearchFilterHost.exe
PID 2980 wrote to memory of 2300	2980	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe
"C:\Users\Admin\AppData\Local\Temp\5af62a91a027af7a7caef44554b79e75bb8e89469e53ced4cdcd9b0eb777d9cb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2116

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
87bad2a4f156f5c3a73b2622170f7117

SHA1
1f7a3c19fda75f33691cee4486448a73c3480e23

SHA256
a8e8e41ff81881ec91fe3c553ac045de19791d4319a568edfcb61cc0ee82a149

SHA512
93630da80535b959cb05e0f7a7e4e14a583e90da67e8a00e329791a2e25dacbaf6e74ea0662ec26fbeafe3279e18584a437728a2a0fcbb51bc088f811ecbadb1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
7ffb142bb30a569c218c25e98096789f

SHA1
6b294e859b0e38283fe44eb63ed387e4f65a442b

SHA256
7d51382b6756b1092bbe56106970bab731c2efb72c392cbc6c0397ec6a759a84

SHA512
b31157b1f0fd6e98ac20643084ab9ee0e965d9540ce26d2aa673f4acf1e228c282b3302140add262ee171c9726ce94642af270451350da6af9c01b909ce0e1d7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
142a480ee7d81ffce1625e7ade599bd1

SHA1
1e56aab3b1dd5d93acab6a189e421310192cc910

SHA256
502b6ba6038e2de80f55c644c5dda9ef4d0041b462e4eead47efb1c391901bea

SHA512
a34e97ddc56dc8a21d41939b5d8039611a747d8597577c68e8ee856c4277e015892873c3b952ed2a3f87cf1f18e79abfc860c070ba5468df21ca9fe18c84a4bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bf8eedd4ee1df1a61958f51ed25630ed

SHA1
2edddd687a4337660349b2996c0d445e1ad72f5a

SHA256
cd7f4fe880b589ac95c6858211d3640d2fd8ce023c0cb4bfb154b7117ed733af

SHA512
6e39925db03fd85a14509dcd53089b5ef9971ee2c2d27a1ceccb85336ee30eb209518e3811377abcfeb978c3412f664f0a0d9a9e0d1c2be6788b03855320d071

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d1bfedce951091826b2fcdb8232b027c

SHA1
2c2706103678cee29de5264333642fb99a9a9959

SHA256
76c0d65ab4481ea8ee482a18369b350a5c1267eda98935fcd6458c8195a9926b

SHA512
737f0334b617eebe7898f8987edca210711456166c557492775b1ec132af2b58cfad9ab9e46da4308221d5809655945e2d44ecd193cb187554b6779b9b14c54a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
63dbe3a5abb4d9dea2489e5893386a40

SHA1
b8073325de55ffd95d09d4c49e083e77280c3dcd

SHA256
caa3e07f77b13d88b09ef04a42033cfdc9483ecb06f1d95aee5e315137528d36

SHA512
92c046e9f43adac0600bc27ca29551a100422ac72456e8bf6b9e8cefd40277d1c6c76069f35ddc38de6be1f5ff578eb7eb51d5668f868f0e88ff7f40d4e811c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
9604ec82e3b2a8dfd5dc32b1e91f62c1

SHA1
42cb7c01838c8bf44ebfaca1591d0378ea416b77

SHA256
d0a220d9bf0d99304305c15bacbdd6374e9ec47e0b992af0ad379ec592aad35d

SHA512
1526deb71e6682835d49ac0b96bd820b0841adecdcda412f12c1053a5397cc963e527a14f83202425d11823a4036b8fb30d90bb2859b48ff30abdb1170630008

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4cdbe73c32ef1294cc278deef28dce14

SHA1
3f986bcbf26ae150866abf5841ace633736fba20

SHA256
f370a2427520a91a099da5f2e1c2761bac18a8251efa09607c9ec0878eb61cf7

SHA512
3a73a80d6e41c607e46c7fe1d49e1b5436bb04f5a85da06c8dfcd502a9202c2c72d0fa0d270f218ff6500e1217eabafa5280f5f9b37486cbe50936a2ac5cec1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
297091caab3a7cf61c3d417ca9b74891

SHA1
9b8b673d4b76c682af2937bae14ac02d55b53d4d

SHA256
970af9de6b14ff1d7da686a69ff9b65ba8fdd9b3dfca23252060c76e5ef669eb

SHA512
9f961efae42963e0db13735d3e7afb44f6253fd6516da451dd4d1d1ff8e23d2ccde35f4c48ecc6337ffd3ba107e25fdf0e94c9d2dc797a48c207ed57aa1fcae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
05e3a3380a6667588e108d6a60891022

SHA1
a3c3442ab5f8a4c86ee6d51186d04a96098e9e8c

SHA256
3001856da6cfc2dd7985af597dee771a00dafe19faaad6b9068f3033d1e9d7bc

SHA512
cd91b2bddbb93446dbb8ef6feacd0d1fa0021fa071bb1af05c9cc4da45afc1b0a50e01f2b0a25d001f0666b0390e343629bcf3c19063349bb3ce88a0a799b068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ac28e44102a0f725f2770f0394af3131

SHA1
ea7a94387e58d57007f2e788cca782dbd5dcce01

SHA256
cd8857447d62495c1261a9900e967721aaa18e917c335325bc592918a4f08abf

SHA512
b8a921c984b8cc63090427a1bdaf441807b4d08e0b35d48c6541fc7064d5035082187f389bda60382e8fd77eb0b7abeb92999a5eb08a8bd63627a79b19200588

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c1ddb0d8d551dbd18a58c27423f431ad

SHA1
c15ab5c4edc58e4237611492496e1c45cc32ebf2

SHA256
2a3ac4e13c13d6bb93dd0f7ae00cd671875c933499def56518dc9e08d40f1259

SHA512
5e9febf3907aecfe48c291b2c7d0926ddbb138b2d33662cf19699f4a7f82650a379c54a3d9651e64f004afe4bdff6c305f6f905f2f831446db1ca010af277954

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
ea310d52179bae124aa584862d4d6a74

SHA1
a6a1d1f1d1a635791127b51944bbb1a133a63b71

SHA256
8cb8a4797a51bea7297748c95c880abf86318f0a0e35c110bac2088eba200a69

SHA512
b40f271781d78bbf31401a356955914a749fb14e95893dfd22fb38e62d1451e301d2e84aff1d5cf006a1034a7d847dbbb3bf1aa12e38c27eab265acfa1d34bf3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b18afd79c38b50b7ebbb03d01e5e76ef

SHA1
b94845c5baaeee95ccbffb4e2b71f99df1b0c9ee

SHA256
e79bc1aa5a0949f3852d730bba59b464041533b6a5504a9ebe4b8becffd5bbd0

SHA512
2ba69a5756f0e7cacaeeb3d6d26585d2b546e453c47dbe14abd9f6217558644724fa39e627dfec59f09881735d48144791ad34425a15b0b85528c4c9f51849dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a23413a1f9d0d09f47965e0feeff5893

SHA1
83a955575ba52c12c006344e7ad257d20a02e38a

SHA256
dc7cc126a23dd162d7b2f54d340faba3609b116b69d99aa5e7a556973a065fb2

SHA512
ffe37b15b610a8f13be053a86542a90dffc7bcd6feed9b77ba244bdddfdb4b543197f12c25690d6fdee309f51e67da833a67f31ebc3af6cfab9d9dd79859de11

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
a52c01588f8f9f2caedda2a6adc03621

SHA1
89acde2c26d1a4a5bbd64a8c63a3304aed55caf1

SHA256
e44024df5de75576923b08a0a19c2ec50149c7db70dee4028854c86daad3ec8d

SHA512
fed4eeeeed59305c7fd5dc3529d40be92c29d3881bc9f9e4fb53cc55f563adad0f3e38bec624f8422853cf0124b95f6d5a2b4c9a292838155c8730b3708f7786

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
89420b3ce364c63645731cfe3a030fbd

SHA1
96ab90ee70072b801a598a3e0caf50017ff8e287

SHA256
9b0abe0aa32b4128e6495231a9914ebe2f2120d04b9bd3c30f0c552a0cf905ef

SHA512
77c5d3b395947152b957e20c76cac0015f1007f9cc97d418f647544b843f70f5345f0817f7888e5e6293b6eca5c78c5eec3bcab200210fa8580d81a99b4922f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
78ad6e7e146795e5bd13048c4eca28d0

SHA1
7ea7804b1dfa1cabb3522d81abd3fadd8ff91e12

SHA256
1b8233aaddc3333d4fff3807f94a668ee6ba0efbb13986a72db2ddc7e79cb6cd

SHA512
8304c4f073013ed072a778a8432bdc3da744ce751e4b93031fcf46ebd86f1854236725bf63d765be045e199704374c466f33a3bbe54fdb1b6ee33bee6c682dff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
30188350967ca7fda9d12a9c3c47ae28

SHA1
8f15ffd1546f5f94ac2cc14c4258d408127c6fdb

SHA256
22ac4e242a4595e661e973cb2cecffc2f01dc75e9dd2991530e4a860c16206a7

SHA512
ed547efa85d6c8d785700c4cbae05ba2a07f2a66d841bb91913833b4162415f83ee68956a3e12aa8d6fb1decb2a28da93f376bc742f0b02883c58b50d34b9254

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
289b8fb8c14e7ad88b971c8d75a2d0e4

SHA1
b84dca5594378432c5cd1d6e77140fd53b9bb038

SHA256
f0c5f05956c537407538e34a59dfeff08de8c18da8f0adaab7e5b2801dffda6b

SHA512
cbbdbed3eed5cffa5e271488b7b9fa100948824e63111e8da3ad19fcea3c08809192e45bc1e18d8698601af87e1b7ff92b6103f5beea96437f06e4a7ff9c193d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
f88b42e0228f28469f5b6d4c60cc0845

SHA1
10f664ab846b97f843a55aa8bf8415d3a449317c

SHA256
254e33e4cfd643ada2ab20d3a90202f14c31ad16d988b6cfa351457b5bb15963

SHA512
431f8ce90e5daf4a02db132e4012d66be1ffc623de4b1862d6e818837da28ca485d31e38b7e9302499e1c9a5a3c0a2a39af2af3c031b448789f07daada24797f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
5a6a94d82218dbceb32a7e8b1912882d

SHA1
ee2a3864dfed9a71e1a4073d91467cf260ccf222

SHA256
db59302c925401feba8fa89f8d9cc9cd30452977fc9bbb71a7e627a3e1041a68

SHA512
4b31193be97593e63d97fa97ee4319d970149a19956fe57dd286589a10307ad80507d8070c49acc56e8335cb00b3aa4645382d848743fab9e2520e25302d1eb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
3383bfad0d53063f9ad32929ec802014

SHA1
b93318b52d02c23abfc64b45c0dbe3eb5db61986

SHA256
8a1070ffa1faab58c7cf01889acea88ad32512bbe71b35e6527703ca11e09474

SHA512
5191dcdd17463544a5803b9665045c7b3964ef8153cb5150133b48c6ad7bf56b86d9c5f8b3dc627295b299c41049a991fb5829fe36ebb15b1eab34b10cb9051a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
7c2307c4096b762ebc64fa73c0b72e7c

SHA1
dc242fea9de7fd10ab0b30e961410e21b4827ada

SHA256
9826a7a0f5df63f0b7a37fb20ea5b9ccd92cf86eb864b72da7d062458d9c3e06

SHA512
7b4a92d61fc775f9e1257efe09df7d8f4bc0619fc47e21f2d5c8d5dfdc154c79d33b23ebc668930112a752a45a27db5837ed3473a7100303ef833e24685faa65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a2aa78f1f61e015099737acf8673a0e7

SHA1
4b7f5c220d9d8af3e96c5d5980e067f603b6be28

SHA256
13e0dc0543c5c75b47deb9aca03113de845a0e9ff0c2084e32242946239e7f5d

SHA512
cd48a52ce707a74f5c68d0e30a75a10f5729a5d2b3d931c08d9bfead046ec2df9785254b4cd3f71fb910a5657a35f0d9769e14e483ac7c564cebb836ec360ecd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
31578d2deb1065f72eeac8cf0a2963ea

SHA1
8bc73d041819c18581f7fd04955dac4b6ed37c9d

SHA256
3e53c35152bf2a0ddc866565140501883144e02cde6a513bae4e6aee9e82f733

SHA512
aa506eece4dcf982ab5247308874efc3c7c598bc84ef74d15f51f88067fac7a5f3f2c520b886fc18d57f5e7091b0107c84b8bb0d78559152defed91715730fa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
b84a360a8005e750de0d7e39e79234ff

SHA1
6b6db92a670b11abdd7a2f34862546375670df0b

SHA256
e951ac77564e970c98469800434ce2bd0f5436ea2cce9c0945920ee6a1a3559d

SHA512
5a6df9a77cfbfd0adb9dde2a4993c5837d166c0eb7b81d35ef7d8d4338f4697e1bc3005ab3e014ca7c936e9a01ccedca78eacbe91e6286cc726a4cd7ad65a60a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
896ddf0ca8f3f19580a79aec2a74fb0f

SHA1
b34bd1a22b362a05d933142bcb3c1d04bacd1af6

SHA256
696f49826266ab586a98819c51ad4f87e678b377c2dc6b08800e6a5ce8b2f68d

SHA512
70bfa150674e6727344be38bde4b67019ffde5efe3238e0586ad2c4ce9c044dbf1446f6ef8a344f4b5f5f0c70b89e82d6b5f9d551d3bf94b82456ce42a87e7d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
693f28d94597c224f2a4b691ec5e8866

SHA1
c2d4f69327723003286c2dd99656a1750263596f

SHA256
227f1c65f2c2be6ea2eaa6cfb6194f8977c46ecd6d25d8197b85260827256871

SHA512
77bc1063b45c430ecba158be81975a5a07c82a50b9cba248ad20b1ff11ea192ae691e9dc90f97d170f76741c1b86c3ec684e1f60433d366432ff9c4a0f89a1c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
5de8563272ee08974a0618b570131a82

SHA1
2161f1f2489f2c3c861c025a71f9f7c7e74fa6bf

SHA256
3513f26e85b777e2a4d23b0131ff3a50b319412c3f0dc8ffa610e4c18ad15bde

SHA512
8f48036abb288338617ec691943f8c89c9877954a4f425cb497a1640839671ee9712725305678ca3dfdac5ca1c8539ff68d5cb36b00cfd60108adc843f76b17b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ae62212d9553bd2c1fd9a3ce519efa88

SHA1
fd832429dcbd51f5626ce65f7842148118e9c82d

SHA256
66ef13b98a31b0cf15ba893d2be9e95e56527990d1a3b4e40d58dd4705545fd4

SHA512
5dc12fc4e1f9fc66261e24f18c41608459ef4f22c41ecaf6d1c4deca23af121e5294c5d0d8d1a20f305515b6e465d1271477c3901330d65a4cf62ccf249d5232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
2c1c263b02d3b903564e7d630459f371

SHA1
d0a31cd7a75f05c07483bae88abda71c7702472a

SHA256
548a9d9457945d1788c6c837cc4f9389807dd085864a58c42bae3aa0203c7865

SHA512
afcb2df8cef5e324a8b557099e5f9324d42d18696a48186f67159fc079df48c9e3253cd8af4eedc71c936e65645a1673e975b4fdd17cf81d971a98afb16d5caf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
227d6bc29dbe0d232abdd78cd204e5e0

SHA1
2164ca7cb9b4dce5a130cbc96bbd8ed33fc075a1

SHA256
79ceca8cd8b1752aac6cd9f36011240d8d8b786d5b64dbd8591fa06791d20fe6

SHA512
fd3b97e6fe71748f027737fa3487ddee4c5420a3bab9822f89fc3756422348b78da897a81e9788456e0234394c36b85a51ef0289c4556d58a8da75febd0fa456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
cd2a0b13a558255a6d61f32268443e37

SHA1
9870cfbbb63c4acbc52a766b9ae56f136b4efe24

SHA256
1c38632cee2e500191377aa564e15af75845611eaff69e42698ff06e7380973d

SHA512
753eeb6832f94806f6d00d85ecf7c6e2ce70b25fd97c6cff91238389842b215f0d5904ed89102701d36e0b86d765dabb22e1c02dbeff39170daa67c682fb8dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
57dd4afaa3b885c34929aefbb2dc8500

SHA1
1655782e918518757e47c47f6c3fb378037c63b1

SHA256
0d7ee841e55d06be55cf5100cff3f5ed13d9686a8406b6dd26891c95081cd1db

SHA512
b94a38e10e107612ed6cfb8fc5cf9b97695624bfdff6c0057fe82055975c7a4fdc2b95bf0c920ebbbf203b5ca23edcb894e3581e00d9fd525ce40a5f15ed66c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
1e4249da9549785987421a27aa8d2467

SHA1
df1014d291066c1fc84ab59a7ce5758ecc4dbd51

SHA256
cb5f28a42a9e808e3559386af8cf1e179dd5b29028ba20e244d82501fc3163ed

SHA512
b86c24e64408c4a204eae0bfe44b84536f9de8b8d78b15925b61577d994bcd470ad0cee0351a5fa7ca28277e2aec5ff338d1c42fe403aae8fe13dbc43e6d176e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
c9b493a44dd61875ecab54c9ce25b6e2

SHA1
2d5481ab032df2bdc558a5276d71579115a0797b

SHA256
d48b9eb7776363e319b48a6866863c5549aa2810f7eb28409cb6ea6ae248f371

SHA512
5ef690b4ff21cd041522fc69e988fa518334631a39a457d48195f5ed0adc08f0f4b224e9f8b20ac1c4994b708f1bc96665b701572866d65527263c5e03db71f8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8c136a35b1207e15b698859af4fcc69d

SHA1
7111eac8b129be6a2e501ebfc0da2d62e4df127d

SHA256
a94ad8e640b92afcee6b95782ea34abfc02a8d9670f4b76edc6d9f366b5600c4

SHA512
21fe24276326284330873635f8c47e17fe3db1c4f04f59db04b45b0b26502534e4952ef6df72ad9986cc9a74f147f6c65ba2730efe48858d93abfebaabc7c2ba

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a24e0710807ec4051c20aa7458b3bc24

SHA1
9481feb31caa41bb79c3f8329ca3d83556756b0e

SHA256
60dea8edb391edb1449fee316598d011e202d19db524c39e53310764e1185916

SHA512
e6ccf981b010e06e786421fa2b1ec8913024c12701f83c58b62e69d47467c6a3b809e6fa0e8a947fe62a6f5062f6f04c9ca712c8487fb31cac7c97255814fb55

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
6d436a1d40076af3393256aea26b08a2

SHA1
36e284bbf3ab14e59214d0cd951fac78fab33cae

SHA256
8bdbde0004ab8bdd1f939751213e6bb2764c24a35838c1a397aec495e0baf252

SHA512
72172573518f579735caa3a7481d2f80a51d58733cb4a7775eb6d179eabba9a5ccc634b9c19c8142900b90b10728b02ebb808873096d009435f037bc9e4c6bec

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
fb316f46890e483773356923acb34ee2

SHA1
57e3a6ea4150a9a0c219d86cbde50c8e85d8071e

SHA256
f8471494bf223ff744d6b1492af8c503e8ba1e88da372865b1b7977222a35d1a

SHA512
5b1563320dbeefa1b4430716d68ca94bfd82f3a8d0db3f8868ccbea045489aafdb435420aee901060aed3315097a44bcd27e5e724a61c32511299a5a50bdd2ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
416e96b6ee77b902353b71b4d8577305

SHA1
ae347f1e19b2c1005c25685611f292b1fd091e3b

SHA256
a3976b5619d10d19f4a2f22a440c6ef0e0df72fc2787ca8386b75e01be877d7a

SHA512
a91acb1857b6cbb568cc90af75d6a9411fc78ee00f061ae3a244fd3b76038cb4cf9b9b8fbcdd2bc1130e6f8f4181becec96cf63bab3dbb9b2d6a1d106011000f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
62121d6918e60ed472375140f5270bcb

SHA1
935f7ebc6f4e8dee7b5f3e905a818272c55ae041

SHA256
f9c9ff2ad71c83e8324cfea1e58b004c7adae50a277755855577533dcd7419fc

SHA512
91688e5f85751035fd52106cd751d7b4a09b3bc3faba8778c855053384411ba5991b08eb7917a5425855d142c8021df787fd2f0d1db5adfae680ab2ffccf5174

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
9eeda25f6ed3da5a688f1fa7db3f6cc1

SHA1
412b1fb359d5f83637b5887ea01dbc4c2ed13f73

SHA256
8f3274eb1c983036efe5ee9e1a4efb825872db214082f613f4dc7818e9d77e17

SHA512
b6e3c9db1768d149a218a7997557b6c22c2fd66f2e19ae00c985d34ab1fd7e76c0b35f0044ffe7d91e587a93ad29e1a50885b92e671bc0c28f0aee08d0bd8671

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
6541bad5bfd5e7345b7d830a9c71b36b

SHA1
c78656f0d1cf1333094c66a2d5ad515d414a16dd

SHA256
47bd705d98cdd5aa484ee9624044da6670d55da72b5a671fd980cc032600e2cd

SHA512
d471be6b720d5088aec3e16ff94de27a1e77254c52c52882b4d27ca9d2908a264bc79eed6f62645f14cb32635000b70b31b155500cace59b761b225fce321a9b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
879ba91b742944aefa600c561d4f142c

SHA1
c424325c843fe4ceeb7041c15c109d5f04d0d2b7

SHA256
05dad9645d3476fc1f8f00bdb605d7c5565818ec24377882292712485780ceda

SHA512
bb14d5c10ffb2a4131f748eebf4ef83a4c74ad7535a2b66eb01c828ee8c5ebf1be78efa1433ce252262c91a8f5187eea87557c0d47f4f78d0c1ea76a44202e9a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a077d7f9c447aa0fc61f258048316e83

SHA1
c74514298dde1951a855869fefc6a2fda5141953

SHA256
7a81097bf521cca344305c1478b7c80a30fb22a6c506fea8fa27b5d3335417f0

SHA512
882604a803675ed8111f63a8f73815f5a7b3b9ca61a71f9559f97aeb11a40a7fa24a00463bacb7084881605a74f4b0444921d79c9d795dd8b1b03e8a99bf1392

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6eaffb57ab344e565916fc24fcdf9402

SHA1
334c42be86176886e8fa14f30468056eea729f84

SHA256
81a20021c958bb75b16b465d067d4c3f2cc82986962de64b443b727375f87c04

SHA512
4419beebd9db608531d3e68fccf5473b1c2dc30eeaa117a8e4a7618ec484125719803800bc9c6afb18bfd0398e4f73ab61f9b504ea2c954d27fd02d3972d6b30

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b875ca0dd949458908d4ac1bcd0148f0

SHA1
67c1cc6be309b86c2c9acb7fba106a2df4b703b4

SHA256
4e22bcaf4b7056c5601795a78a1799960e2e7f8a96216f8d1ee998ff0bc2dc68

SHA512
f5074ea4f12c7b34b6f5f915dbf5bb17c2009436304d50a5b956700128b5566bec40ecb905874ffb176093b1b2934a70242b6cd7f0db925a748b044f7c063e03

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
818d57f042f3508ff162dc5d24117afe

SHA1
8d0e4d9847be33891ffa73e69877a1a76654dc41

SHA256
47fc9121e12f81c33cc44ee9a3a905fac9d79ce7e90d94815e9b13b881c087ce

SHA512
b6c3e4fbb4da94b19e1b23e721e723a6e5ced11b05782d65b026acc64557c4006474548e23a6eb6e69c6c05cdac3829684420807da2e52e4b15bc745d2b56a5d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8ff87a2f974d4f858b965818f05c0af1

SHA1
d86c1c9e9ecf15871707509c402fd82790f41bba

SHA256
3f892bae99278b8ec5d0f70be24f0f62922aa8149e967316df82105abb7dff2b

SHA512
2e671c35d5821d155ea123d056e5f9606329224dc358d50a79cd543f394a25dd52f007578135e87bdfde07bfc4f50db85ac0192229f091c8696f46a91954f81b

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
6ac90a6a70f114fe5e289a16afc10517

SHA1
b02d4141e29ee2fa166e6b470b7cb66c74deca03

SHA256
f3e9e3c47c83f14a46958d93c2ac601dee755190aeca46598da05fa72c4303cb

SHA512
c9faad45475d98de9d95380fc2b5816732afc289ed680b7d4408eb70d7ef1826cf2cc6e12e09fd2e4ae7ff3fc4d0a9c3c6c067fe0672de19c60f57e1827ff59d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
2003ec5e48467397f06fdb99ebff4ef7

SHA1
87e45afeb329f92f77617e5e037cdadc3c4d8f20

SHA256
cfc8805fea4246ee8c5cb0893c90b02a3f80343a10d8feb5e8c27d91cf07aed6

SHA512
9ac0aa39c2df414cdeccb077d63f2645c8077253855aa8981980097b7c4c47c7bb9020b839c48a4b63f8394d5b6713bff82336dc36f1c43e4448921d3667cf39

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2fbaf8dcfb83e61833b024dbc493c5eb

SHA1
061081d54107e24e214e07b4cce645e24b7f14d1

SHA256
0b76d612294ca02f30e06e1dde5c358f6aa1a35df758db30069f98b62dd97460

SHA512
8dedc89921221a7f77700228269e6189b1a8187fc4dbefda65482515261a71682cfcdbeb0007aee0fc7a7103f01c6149acfa9b09073c38372aa39e05fb4b3b92

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8cb51be2a803104d718e5e2b3996c9e6

SHA1
49b321e9756ebe2a959c71479014e8c55b290de5

SHA256
3e0e4568f97518f4099e58edb762bd4b4aef888bd80606394d266025853862cf

SHA512
1a63111272196c8d69dbb00528cd171ed6bbcbc253356ef6149f2e2a9310b3f4165b798b31891a2e51a82f11d7f22eb8d90adc98e7e8037acfe64be0c7e6e186

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
e0ac130731bf7ee1f164b106f2fbc06e

SHA1
28998074cecc8aeda2cbf2e8fe1a64c8a68fbb20

SHA256
62021b866ffe403252ef76f60983c19746560d4bcf8e3aea386837089f8247fc

SHA512
fccb772bdf0fddbdcc9bcadbe0f64d675465a637bff2b79429cc28e469b758a59ec0ed0c71638f87669a6f188ad9234a2066ebad7e66818a84ed988c4370aea6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3bd371c58ede929afd1de784e070931e

SHA1
bfbbcb42eb82dbf42e8da32a8f972bc03710a97e

SHA256
d9878c029eb3c92d1d488698c3e5f4e8d702f2b71c434eab829f86dcfb9b9491

SHA512
066b67c2ff7b703e06b323556e793eebb4c2a41917c838dbeeb3b37cac3a5158048ede417d8c020bab012c41a2cb02a31d3d2659c35082a1eaab8a6f73e4d7c8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9ffbe822de3a9d9e6420a5dfe5b2fd41

SHA1
e380c0f3e0e573e1b5df98ac7034352334a013b7

SHA256
923c6665cdfda36f64b63105a7d2927d141eaf0fcbc25a07955a146bd50d94d6

SHA512
15d43ec3b2da89a91d1ba7e90e2983a6bc8cebf13f83eb80d9bc042fd8f438a8cdee4470387c425b2faf7b7b0178a803b3399608c981b5b7be5400f80e2811b7

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
88257cb377ca6a8d1c3f135b2bae47e6

SHA1
5c8512249d73fe0ef82ba34634eb8141a31f6f6c

SHA256
82823ec7e2e23c995427d54354d444e42098935948996e7a93edbed5ff23f38c

SHA512
385c3040ba45fc9cce65a1895f6fb4aab97cd195cf40f11628fa9751c3acbb7ceb44e0ba72236f18bfc397c0f3b3abfa3cb918d75e37359ad8e4d45a716a25e7

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
db1df1b37e478de93ea9301479265c31

SHA1
e0b3a0e0d77b05432af8d0235e31dbe8e8154eb7

SHA256
3076d8d7791db9ff5ff63e0b9e50a22a8d9f408214c713658c10d566a454a404

SHA512
4d593c2d06f521c3a68664d52b97f1ed7c90d02df01ed06bfb55c82d390fc7c96636a35b209dac79110e055e9625a32e879699709994bf6a31e8a093412d7782

Download Submit
memory/744-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/744-475-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1068-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1068-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1140-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1584-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1584-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1584-95-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1584-88-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1644-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1644-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1648-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1648-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1780-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1780-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1780-106-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/1780-101-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/1792-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1792-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1924-476-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1924-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2880-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2880-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2892-481-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2892-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2980-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2980-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3088-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3088-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3088-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3088-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3196-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3196-477-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3652-474-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3652-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3652-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3740-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3936-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3936-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3936-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3964-482-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4064-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4064-129-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4064-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4064-32-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4100-61-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4100-65-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4100-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4100-55-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4100-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4228-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4228-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4228-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4228-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4572-480-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4572-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4660-8-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4660-366-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4660-1-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4660-81-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4660-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download