1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
Size

1.8MB
MD5

1a6d571f756750a0fdc09b778190894b
SHA1

bd4def4b71af5665ef2cd1e558fe6de10e61ec2e
SHA256

1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23
SHA512

d0142a201610d64bd81b0a8b1b49aa951ab8a6a2af2a54e6e8a26f77f3cc6cc12af07a16a1332d770ee7193bce9554fc880de09789ddffe42715b78c80f77409
SSDEEP

49152:sx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA3aXNQAjMaH7:svbjVkjjCAzJyaN1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3968	alg.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4928	fxssvc.exe
3588	elevation_service.exe
780	elevation_service.exe
2116	maintenanceservice.exe
3396	msdtc.exe
4476	OSE.EXE
1948	PerceptionSimulationService.exe
4372	perfhost.exe
4180	locator.exe
4968	SensorDataService.exe
4356	snmptrap.exe
4524	spectrum.exe
3976	ssh-agent.exe
4848	TieringEngineService.exe
3740	AgentService.exe
836	vds.exe
4196	vssvc.exe
1008	wbengine.exe
1644	WmiApSrv.exe
4896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e91d8e5085ca13a2.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\locator.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\System32\vds.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_mr.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_bg.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_sv.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\GoogleUpdateSetup.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_lt.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_no.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_en.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_hi.dll	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9bde5ecc199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028fe83ecc199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004babd2ecc199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d7aa4edc199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a8e98edc199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001fae0ecc199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aae94ecc199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dd2d9ecc199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71097ecc199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088e8aeecc199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe
4720	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4664	1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
Token: SeAuditPrivilege	4928	fxssvc.exe
Token: SeRestorePrivilege	4848	TieringEngineService.exe
Token: SeManageVolumePrivilege	4848	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3740	AgentService.exe
Token: SeBackupPrivilege	4196	vssvc.exe
Token: SeRestorePrivilege	4196	vssvc.exe
Token: SeAuditPrivilege	4196	vssvc.exe
Token: SeBackupPrivilege	1008	wbengine.exe
Token: SeRestorePrivilege	1008	wbengine.exe
Token: SeSecurityPrivilege	1008	wbengine.exe
Token: 33	4896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	4720	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4896 wrote to memory of 832	4896	SearchIndexer.exe	SearchProtocolHost.exe
PID 4896 wrote to memory of 832	4896	SearchIndexer.exe	SearchProtocolHost.exe
PID 4896 wrote to memory of 2116	4896	SearchIndexer.exe	SearchFilterHost.exe
PID 4896 wrote to memory of 2116	4896	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe
"C:\Users\Admin\AppData\Local\Temp\1d6525ffb2a86c3153fb079bbc263f78131289892b3a9051d50aa3fd06550e23.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3396

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:832

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
66446857b346ed31322b61b09c88987f

SHA1
a08ba30fbf0e4374d4157694ccb867de72e27c81

SHA256
6524e4c534a7ebe215cea03577158494d8afd852cb9e8b8d99ecf70bb297879a

SHA512
6afb3e0e78f8844edd649d130b86c70014894e19a59ada994571ddc4958ac06cb289790396e9d96a0115001f241b5aecd3b3eab46fd2fb64b2c34674f3c901d1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
138670cb4e6b794332dff58c1c81b332

SHA1
53e4c8550809e185944b7f0f287d54c358fb1a69

SHA256
b310420eb0c4ab0760976facc98fc41d4fbedb0695122f2192ae0e54810e4323

SHA512
35ecb8828fc80f2791cd4143b7968dbf4045dc7c0d05c1c7a99637201c9823fa966e3b7a66daeec122e04a1b7127eaf46004df3daeb8387bbfd8e690b5a4cff0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3533ea3c48746083111887a771afe6be

SHA1
f80c12deafc3e115cc3b8c24b0e5a3871cda3b65

SHA256
8631445d82ad6c55fc5b6e8d409a68b2fbfa26ed1c874088ea0d0abb0e8384c1

SHA512
e8ceb15e8dca1846f8f9f2806b5843a7084fa4f75d604db22548809332ef21cdfe62463df74377fe646a79a0e718dbaf624410a0f5b55a939e71164a12bb71e1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2f625972eb14a6a467071856eb20eeed

SHA1
326bc1c36ac9e2044b1a80d761c713a8f635e2a1

SHA256
1d894c08efb11197318249de25e2857fb539303ef7a5c4044fcbb2fc3d57fbd9

SHA512
bb91288d619350c8b6171bbfb14b9c211d4873fdc61125c8ac3f71616719331ce4ec8e8e61ce7678049746c87e2bad3628c9ae116a8f7334baf5bebf45079970

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1e9ca5ad8f8dbc3202c732193e6a53ef

SHA1
f72403ddbe63355ef08608f1de32c582dccd5d68

SHA256
6392b3c68d8e14e0439df36f79c00a71b26475033ba1f33364bf59adc0982f12

SHA512
e60ee5b85b86ddbc149638bc6ae4a2c4d27522fea777d192a7e133739d43267dcbb77b1a27d54be50779f19aa17c84b2a6cbda4ea02175ab2445725093636dfe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9e845c8c3d2c4576d465d20a0deb04a9

SHA1
e2d5ae4cab62d6c8aa9a84b5a754814af3a150b5

SHA256
195ecc73a2dfa36667933aa1dce80120b59b687506db4106e27516cd285ec9bd

SHA512
dd3e0d6b04a308795a3db9c0995a5a5dba92033a830d0f41b59af89df091dc5023e1a4fe8d1e90393305d60aaae41939f395ef4743d0f69245f63afc256a11aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c4bc71c562fd84babf2ee556978f3439

SHA1
6a84a31864577ee4c895d1d0d3335aa9605a0868

SHA256
c494c4454ffabac7d5136667859f2504d87a9dd630375e70132744dbc3a2fa4a

SHA512
d853fe09ebfec220e9ffb806b1cd63222def4ff72a4df6c13aa8f95fb01a087f038f724e7d8cee2c1f13a98d26db58419ea960db815a9b136f8ac4910b49da3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb9f6f88851fb01bfd90c6988bd852e1

SHA1
433921931b0925f3de4ebaea90f48af64a673f2b

SHA256
eade0f13a9e783b395342206a04b355f52d3062435d265a869aec0d875282e74

SHA512
c3ee053ee0f8bfb1cf59c8b64f24e33a37f8a64ab8f2273eb78d8c21bfa1b9d388d158d0b186fc9088929fd72a13194414663dd44aa74324330dbab516cb0970

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
51394d052b8583d08a74eac5bb12e494

SHA1
cdbbd0a1a547d8f2e59bfb62778aabe1f9401e7f

SHA256
abbead9a53fba15bcf346778ea198ece9685facde21a00b9f43d44a773b87c4e

SHA512
452d5871d2f0a9a40d95b160e9040c116e83cd11a0e6baccdb51781a756032ae4fad28062683a87fdff571008e18515f81fe4a1535d70f643fde7a4a42b41d3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de5679f5af5a80fab82983ae373272d3

SHA1
1f45fa21ae62796e12722affe0d12ac4ba522de5

SHA256
73dc6fd26c293f06ce1d64c1dbbad95c53cbfd39cc87a59e85e807c2a803d49f

SHA512
a5e16c7249c88a8b115b610712b77fad6c9a3044c90671e6eddece5190eb938e6b6a678e4727e30bc77255548a29b2be5149ecb7de2e71bc9c1fae8a8b9169fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f5336f1543f0d9ec56916f644023806b

SHA1
fd253ac95b5962c72eb0fcbcfbd405170f6f3590

SHA256
9949433a7378bdc1bea54b128d9db48505c6c11be436918f44fd3f95e7a04d6b

SHA512
8d50f005fac99427e6286f56718621340fa83456eda4f1a9c37744f292767c3fddeddbf9be4803de04c1e32235b6815415ca8e2921766e3dfb5a26a541245ea4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3f1d034c24a2f26b82ece3a55d3c9a88

SHA1
40a05dbf3f9669d78e0d3abb821fa39b3d18d190

SHA256
7245183bb882b2cf1b86ed0f01ddab30a33f1c5a0cc7c43186cc952977ca6de0

SHA512
f0c828cab93f75405ed7271d32b9a0b1e245472a1467b3d2eb50f383fb1ec1dd6418399c73dc2576b0295e0095314bae91fdc8dc7fa149f248a1b08b3a74a09c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
94e042237f50999e637a596b7fd13f8a

SHA1
49478fad78eb6b3f28e297a448c612886d9a7811

SHA256
4db297a063d2ea3a5b09438d396d56a373e7d95137ef16f2dbc9e2d8f46a45b8

SHA512
5863508e6635694829da266e3fc368b0de505f683b44534e4cdec4748b4f8b658b2c92f1d5c931161f7b6c10f6c40b848f14f073d97d9d9d049459f42b233e4b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2b7ae54979825f59419c911c8ba3f792

SHA1
ef27c1d916dc862b164095fb30d69bf8337c5b90

SHA256
a2280cbe7fda659a032cb71c38d75feaecd26f6574cd2af895be009f14824824

SHA512
a11e9e1d71073f1c1d38cf093cceb30a9ad5df0598ead4f00bd57793ef7440d8be3e195af0d591cfbb17fad85ae33d216eb3c70e7d0de01280f9c3a9ccda39a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5217d86db70105c29b3089459faece9e

SHA1
3b9e771c7fe04709be04ea23133b9d568c5b3eac

SHA256
5e0caa85a274483f06b0ec97277800509f0f9e1580ff3354c652c25172b5cc62

SHA512
34edce50dd43fbf6ea6c9d35eacc9a938203b17a9b43a435b5c10789cc842e94dcea5c1be57a66777c55fa9d407ce5d292fdcd08a89b77ae399153f4e37528a3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
9136a7e1ea54485058a637bcef4d07e4

SHA1
da8566f74e4f63402b1e32eeb77f89fcb7c22b10

SHA256
a17fd5123ff688bc2e4c3dc21dd1c2f0e8562598edc6cbe166273dac42f34623

SHA512
5d9c17ea9fc2a68e16f6b5e76aa01f194838878a2df4f0800f0103d078d0da504508745ad0aa342c3dc2c9dbfa26118c8dc94e6b7faf855e3ff9e4620912c5c4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c33286244e865e49605ecee2d36c04c2

SHA1
427a44bc29502b6eec6cfbd0892d1fa590b20ac9

SHA256
f9f76c5839ea357ab9425248fc6bc789ad8b96bf94510fd8bd100ad797447b9a

SHA512
86bf3875b3ba7e40cc50193e136e3808e4ed84dedcf0a8364eda49cac34179b2eddea548f4e148f499e1f6f57a3dcb7fb21249ede13935138f7b81e77c8706ae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
c6a4784cbbc62b91363bb8c98e8713b1

SHA1
628c4e6ba7efa4c0c11b45fa816dbdb6e66894a9

SHA256
ca8d83d0172ef0a8406fed6efb7868201db044e284e778bfc58609cdeda69038

SHA512
4ae440c3e9b2f2cba4af7ca7ca95d8d468ba0a80d4551cb02e27165cf3409305c87e016e92a3f0963e552f9d973b8175171ab3c9aaec3b1742527d3031913e3b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
046f50c91e3e2ceda558cd33b311ae77

SHA1
7ab6d2871b6fb32af124faaa45b74bdc9ccfff15

SHA256
2f513687e68e693810ce31ab086292135cda7c3b9bfd77f82f3722ddb7a0a5ac

SHA512
13f9d6bd8e2c8a7842d687ce463d05cb6d4695be9ba0273127d28780612bb31640e822f10b92aa3ed31be0f404be24bd81e5ff65b6df24a65648785c8a608440

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4e53a6816d63c8c90197580d33b4defe

SHA1
05a7593bec2d853be367b8f022ecf8319ad2c1db

SHA256
eb5cd44af41bb2e2c69edbacea465892a47d0745a821359d88b5cbf3767b6355

SHA512
6c3aa82bd2490c39b87ac1db85fd10a44cf6aec1b2bfc565f0441ae0223275fc8e69d3c5bd3f5e71abbd8188bf2148859d98ae3b710e11a73b438ea7ebab9293

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1093d2129676e939706e6075d3156d48

SHA1
4384c2c235fc3da526a8cf753ab356fb24b6e113

SHA256
167f0702537bc4b94bb2e0a4913d035419f7a6e35afa10e14fcd0914d46a085d

SHA512
13c5f87249734697eb347d7b4ad54c2eb2789e37ef6b9432af46e25281be9926833f9a0db6d97bbabca0e8192d7bd96d2bf224a511719a9fd38255abed877c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2b3fa4e9ba2fa59fe0bda86e64596c51

SHA1
7c309e54c49a49afb3d848f13df5337a5ec3a703

SHA256
1d4bfa6346daf5ba39ddab63a2bd4601571f2ff815a969a8836b3d90232cf35d

SHA512
eb239158e3fda636f7b659f9393b0feb851345e3e5a539cefcc98ddc2f98b8afa4c7aed304244a7190a8766c06c097249e46d642b1eb29ee2cb23899ad2a95a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3df402db499d4e177105d39bbe09f8d2

SHA1
fae766551f634b99d8efa5b34c433b3b2aa3195b

SHA256
c27975b4dd6ebee7d5add0eba3327db97faf74697aa220a100579f029e17c290

SHA512
ffe86b28416c7ae71c9383a2c0401bf1ffae0a182691108a07d5e014b05998ef0d2848dac7c0ae5c9f5709785f93a11e9f4b699c7aa114e0ea3fb048e74c1b48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eea95774f66afae92d4f970494633dd9

SHA1
ec73e64d8ceea8da3c5872c9162545fff1f4a4ac

SHA256
fdbf280cd0975d12e5f6ccfa3e436bed6e7791585a3a1a34ec2d8d6d67e0c3a3

SHA512
c388a6d64febcd3d2fb87d5bbc5ffa49df14b86e2cfcab972fac90979a331e2db1cf5bc39d7d69962fd76c3edfde6c1bbdaefbe4c3b954be7ab3caf9309285f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
dd71433cdda026939f519bb5f9ffe168

SHA1
a58ce6a9f43667a17782ab34731139cd309a749f

SHA256
5bb52c0a7ab59637749cf530fab4e161f7abf8457e9c23279dddbf08de57e642

SHA512
eda0f7af28aec32f407ea01e7083718b745f07326e4d566165cf3733789c9c1436aac4a545cfe0111a00a12e0acccb00a309600a94ee83494b2b5ac296d9ee0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2bb5962724e9e1099b76c758b46521c8

SHA1
594b0bfe1dca845711e0d9a90d3642647558cfdf

SHA256
f0b3b4418b2b8dd4aa68d3bc6f433343787e31f6b1285f7df8ed8a5b73df5d89

SHA512
b996eaaeb74667923c7fd7e8cca95d4d18aa1f047de8782af5602335602b8ba2921aeb2101ee19c365f59de7b5d23821e281168153929bec9bbf6abd0e436529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
32864ef4beaa2076e354745c2e57a279

SHA1
0f4a4181268ee95790716671f796918f8290038b

SHA256
715f4385408403882bf6413116cf6e106a3cbd9e8a1772c850a0bdc89a425598

SHA512
8896a146bfeea1ff0e02763d4154d380d7b73519035043f027de4a373173a8c4b662dc816a3af02e86869039ef5afa1199596e006972b9f1fd67f81ec001844e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4f298647048f37bb0c0de8a493b619c9

SHA1
20563b714a3ce1bb872adb0d216e91fd5036dd8b

SHA256
ac151a0cfee3f4a2c9e2023cbcfee5ccf54ff11efd3c6def3a31d8b7dba33e26

SHA512
dca2411e4f31469aa117451d249ecae3f875f1fbe38317676a8b67085d95fdc6ee915c5f8edf83fc638b279c8a39ef78d3c4c4b2f5ec167dfdb44a915b6d4d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
12d29225947d66937ad066cb2ec7dd25

SHA1
ccd4f97208cc1b3e2efdc508d9a330386e61bb69

SHA256
48f3681779f1489eec0017a712e6b41120fb3bd5ab1dd3bb35e578d3fb5d4f86

SHA512
3ca5573259992349293f9bca025e9074ae817313d6f907f6e50f5d2ff2f6cdb63697a199d46be2790bfec236215d556c222dab5c5cf27da254d56775c74c5ca0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c91c24ad20c8e1f72e9b840b76991d54

SHA1
7d9bd37a655f83ced3c9f2bc9ee3f05c2995ab27

SHA256
565bb826287c0be2d3fc721457d4cf71bc4abbbc36dd11ad78404ccc487d967f

SHA512
353aa878b3a49043550c99cccef09f4668bbe760d2a614295e254e3fa1f29b54db61621039a5cd35833658faf2fb7eeba2e7c7564b54fabe47d7e1758dd0a79d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fd8ad450c380f3d5645a9ae50d67e389

SHA1
8a50013902e824e00d4584554e82dc57a2299815

SHA256
eabffba2d4c2a96062eaa0e7c42cdfbec345f447491f0fa23ffb3841ea7f01e7

SHA512
6dacde08a2175fe11a186f6faa5608a42ce45c8f9290ffc8c20f8d3667ec12adbd93397bb473ca5945498ebeb83cfd87e7d1dfa03f643d0549cc3b8ebda9408f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
985966dad56628bafc596c930552ccc5

SHA1
4186b6bb46818927394134c51d5d8d371adf3736

SHA256
722ab728b4032df6d2141ce8fbc1e56103c3f38315192a0b2d9529b43266aa59

SHA512
28cfb086efec394abe4f93dd4424dff67ed7ec438252fbb8f011f5ed5ddfcd3bf28758c4d2691144759f75f5893215508f008d3386c8f92173b46d316a9be9e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
83e757d45961b7179989785eec931a47

SHA1
f801e91f8057f1c767020ea7bce1eb3561b37d27

SHA256
7128e6bedc3edd70d9c4a541e19911dd28888e724287be8a7c62b5751b84369f

SHA512
96105d6305f61bb0d2210b3077350dfe9713d3028f48ea994491b4b78e9785d95e7a9d3297df99ffbe10ace62ebf0888df1a387820d05675f3a83470e6f91271

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
121a409b57c0432b0b91007831704b72

SHA1
53fc577fbe289b8f8d14a9a7c4b8c1b5a4673a9f

SHA256
89ee23ab50702524ee429978513b32ba7352b293066df655758063dfcc8b23c2

SHA512
247eb25248ad4eda0da2ee45646bc9c8d5bfe0c4f8ed4f59c38f11eb33c12481470fed87ab487546291008a115b5b77d72239d76066103191fb97f5ad5dafe72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5d0298b2ed1937ca1943e9e9ef316129

SHA1
4d5e72cebe06abda24ea2998db6ffee0381f9055

SHA256
c34d92f0bb12a156b63d8be62bd078ae0ea82d8b76c272e53c720f2726618b1c

SHA512
510e8cc23f0d0f7a7925e9c7b0dacd744507201f3511b2b12ac79085578e32c67e60b5c27e25a4575ebe48adde8e6f7ae78aac8b6d33d2fac6d8bd55c94d8c19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0526af6fafbe12cd1516f11e45a19414

SHA1
9be521aef3e32115e792d7a8e00a4a9e59fb0618

SHA256
80ddc3783d276674a3d903f72150af74955cabee1259e18ae821b04279ecd4e8

SHA512
6e9fe0f0158ad0570e82948a90c6a63e40d3f10ef67a1bd995af722596ee86dd55308b420617676fe2d0f9376dfdb79acfe45eb4db14294c29e7cad93166b547

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c31f3b5b688a0369e4da6945d81c595d

SHA1
c9daca2efa3b7e7adf6265513de6e2902652324e

SHA256
f8c8dc9e3f196f3abc18cd31f37ff912faa9f20fcfd54f9005cb637972284333

SHA512
88e03c27f9e17bf28dbc2313f833ea185ca86091f780f97576862dcf14dc1b7ab0ea1c4610941083bed19c3e029f4bb08129a3ca064ffcc507078d054a7ff7e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6d70b074a24371e224a0247ede51e808

SHA1
ee6d86f0c81b916b743c5a165400492c4ab134df

SHA256
97f7009d7ff6004ca6b3ddc30c37a7555a888bf997f5f9aa7d16917ffdaab5e4

SHA512
c674a5373036754101a8163e337f3c6ce6a097fabbb96fe5277b6569867a5463206fdf8ab7a00c183edf0ddfae8831adb774126c9249cf65c5aa80804fde69a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
57fc76ca190ea1e8db96f1f61923cae4

SHA1
20639baeaea057abc75ba6ad7268bc29ca381496

SHA256
57f05f9e03812dc642345c0884552664ced66a514bc04302f63b7349e02130dd

SHA512
a8b95cd5347f4acab5d966e4990eaec4d6d7860d4a0d34b6520232da7a75a732fd9c44c49b345149df1f9b51e32b5396906e43669bf42c10bec46c842ab86738

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ccac490602ef494667009c9f0401d752

SHA1
ce8532e2a142db84776a7c2a18006dd7a843f446

SHA256
8bfefae7194af23cc0b816519ed18d499e4e600d1cf3666d7f262ea0c5fb1bc9

SHA512
441ccd8aee2b2353b1a17715ab02ad7a3806b8ca7db2dab4bcde90c2d0c17df5b75ab5f33ca6428bcd7f52a7f310354bf1fd7d9e98a90649040ac9ad180d37db

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ff0053fd34601ef56d9b2788e46568ce

SHA1
6f61d1be26897f6a14bdff34563aa0cf1ab91885

SHA256
2763e9fd7e128b28bd16607139cdeb45d357691cc73b4cc3f311a34d642e566d

SHA512
486a79daa9ad330f44fce8ed0828b6a40dba6d509ebdd03c179d979a967c8e9eab53a587eaf09d8cd3fb5b69a757b4ea8bf027c202fbd516bc2685d8433b653e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6ed96f5b7dfc6b423d9453ca448a8fd1

SHA1
78c9951a9e0885ed7f1e9601c624f7d8d16fc7f8

SHA256
b468dcc183afb270fc769bee7001b6a4562712f3c040b35a3c6d00b31e46340c

SHA512
6210e904550804af7c78d6ee158015faf0b59fa2a03983a3e617dfec24129a956d60d656be2822f0eb68e225a76eb997346f8384f920ea7991ce418ad27df681

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1c380f48f539de4dabe08a8578150b79

SHA1
e8e8084d9f9dd203a06327714f460a7a52554ae8

SHA256
23bd0f962aed316a09d3deab26d7e46f570b6d9f29bb212036beaae05b891d48

SHA512
a24bce69dff87007417174e945037470d2211ba328c6d464e853967660fded60570339240cd17d960b6b9300188067c55f1fc4413de1cafe2e8c219ff93a44ef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d1faa261ab9a9bd9ba2d7e06eb4976ee

SHA1
9b631a0ccf0ac082386c27cfa2f69c5dae1376e0

SHA256
ac6b5076a932bf6aa03ff62603f35be8c4410de7b27cdf916bb5dde925419e97

SHA512
de851c107225093a2fd19bacf2250996c8266a0c9c54f81554cf1763cf85a303f4b9c19ceb76775c3b89e1a1c2187e521339d0e944f47a423b939aebeac524da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
407708cfa5da903a3c62b0a2e820ddb3

SHA1
62c88a63ca799115943932a969458278245d5bbd

SHA256
b29c3ecc12b267c44dfc5a62477c421fbc133205e8cfd41a927ef13d5f5ae68c

SHA512
aa4527489700776a6fb7b2264aea5758349575ba2e3265721b8d88d68f6b45d9eb7f7235b951deeb514b36c813d771ed921002a181f5c20ffeb9f96711c0544b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
76f54a22fb15dcb8ca7fe23d970e38f3

SHA1
fb4f177bc6a630fe6a024c79dfd333a1322a0af1

SHA256
f0f2c7a1d53c14b60d7e1d65927e552703c1097f650a0174cdf7a6639d586852

SHA512
53531f4c42135bf8f3d1164a214fb54352e9801b105a0fa23c036c5f14ee36b94d48126ecd2143bb91b8fed6bcb524c5bad9055004f7a9e130abe16b870d5059

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d55ac53d3e5d6a33e8c228813a7444c8

SHA1
36f4271ba6d0a7452071f5cc4d72f65ec3e91a3c

SHA256
0f437d53af14508f8a348a70a58da035439bed5182bcbf6f52d8c84bf886cce4

SHA512
d353fed74f42e8ee90dd6b00d373b00ecdaf851b1bc2741b7c331b72fc7df0728be115703b5e075a348ff81c08f8a092c74aa2c8f4ad2adb4e8c9fb572ba0043

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3c923b61c0ddc0905fbdf32f72648897

SHA1
c92f5f855a81b95ca40f2da0299c9da5845f945c

SHA256
94cfe12b0cecc62e2ea29fcd4cf34099e7c741b012d920ed3a3e7194a7b8cc81

SHA512
4bd6fa8792f97dedafbb4e38e06f908a1c9a0bdff01a3ad9a5916ec0acf848486bad4ae8735b4118ed0f9d47fe106d310a9c09df741d4285b68f6163e546894a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e2f2efb1296c91d2415503dd672aa0e

SHA1
710ce55c7feed31fbeeec6459a149f6b2b92589e

SHA256
7f52b0452edd08eb36103e7ce146394d674dc9757bd8dbeb1fb3dd9439de9655

SHA512
277cc4aef34e56bce3535fb634f5a5fe54230a9b5d31ea06f94e366b51b78447b3add6f14adbf8501d90487d087479432b8f8a5f4532b668292e3f3e738eddcb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
200ae98230c1ac0ace1f08d55762d204

SHA1
ea2aab89ec9e665fcabad0aaad7b9c60632e2196

SHA256
130613f5b3ed725ae465936b0ddf710a46d6151490374092f2d48adac7b0a9a5

SHA512
b56ee9708df03a9391b1850c14a7e5bbb8ccafa7200892749d130808a90bd689ea9929fbe10bf3dc9909e7937c9265447a235212e16222f95116c5a1547704ae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
be08cbbd2888c0ace8f0d1d080f7b757

SHA1
db67bdfcd4c7d4c9eeb307759588b3a674981991

SHA256
c64971e7e3fc8a37e7c3fb70e17cb9c7c8f1a975e780715eade87feebcfcf7d7

SHA512
9cfa9b764971713e81a27281aa55af1a003c07430689432917cab55c8f1ecb23653cdab6c1f97ec0cd5a8c8e71c81fcb165440c65625c458e342cf06dfe5f048

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
153f1caaf5bc71a49c1cc45d4206ec3c

SHA1
e6fd676757dff7ad6de01a2693142f5525c59d2c

SHA256
56abcadbf49802a141ea7e2e75e295bfe1b230151c7e6b5e51649a692df7a9d1

SHA512
ab931469d7a52829bc951cdcfce7c13ade03b3bb3c8837789c90e7983e1e71501d9ff26a092fe9841665b05411b9fc16acc5a12a134f7c80fc1c4503cac7f4ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b2b3dd43967347710b81bea310c6136c

SHA1
45cc156b53900c440713c5bfc664b03c159a0046

SHA256
39361bc2f01234988e19b44e979cf9bf1cd724b7e1e05bb17d1de0ae56e4c3fe

SHA512
0ca9e24ca907b9af2ad93984516bc5696c0549efb907e250e26b3921a66c872492ea2eddcb05b95e1bd7d8012798ad6a9a842b43721b903a4c3e3cb6d2bc597a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
036e45f059f8b89ae1fcdc323f882198

SHA1
6a637fa2370984da9960da8eea23c5d7fe38288a

SHA256
0c68d6f249150eecb2b024653fb18fbdac1a1d7ed54d98b09ecd05d9fa10abbb

SHA512
f41e073759d4d01160e8379a559849a6e408e32b67144e502d9ca94332314b74388e75622c696d195d8d411074c9503de5dfc1097b82860b6305751c0e919d88

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5134527c7655bf25eb36ceb48dde64ff

SHA1
8c8591e6b4b43fb81bcccb4f2215d3e975758b1b

SHA256
2522b23295feebf4121aff733049bc184ee9bab0a4eb2fa8ce6548f76dd4aa8e

SHA512
724d0b3d3d40ca0c08253be769898aa8d319fc6d2d5f63e187c70368d86142b3f23f7ff7ff63dc25c6ee51b0d6c560820537e0a4410b88d2398294493ee20acc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
112227f18db7dc18d46a71ab202ccbbe

SHA1
4d8fa1eea0259f517c2a4a006140d24cca758114

SHA256
c6f9b36a9d4802ae84baaa5a430dece748c14887316c5ff40fe53e038d25588c

SHA512
48c6131a3188c3923baa81d69e558d26b28fb23b5686ac3a5493bfe30d99fad9816c6e3cdc1f3928f13deb8d705c19fd8fcb4eff2876f0f89534b4c80e58503d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2227780b6928114af85e3d9dc6ac72d7

SHA1
2a24ea1d4e4498dfbe58918f058bdfb2c24dcb47

SHA256
5f01cbe9d9b7dcef709b24ec011140b53278239e9298961a91868fda2558524e

SHA512
f0ccb6177e81cb74f55f39fde90bac71630421c371eeb4ed72687e2a0b0603d0a0d850260af95115547a74a3cfc27038907ffe5813ac5afe6d6776b5ee707ce8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fcf1108eba9331f1d185b156785c0206

SHA1
11c2b20874e02dad087ffb31ba7caafa4c021b85

SHA256
49f5cdb6fe3d744744031ec1c1c06788c202c79e093ba473e1b7d5dd3ca0e9c3

SHA512
46524779e17225c6b2d47817b6701abc4fc97dfdc1ea2ccb8e81e35f3c7769f9ee0d0dd7522b63eb57c699f985c8ce79503ec6735bdac9671d507275ac567020

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2756554d6902fcfdd73e40d1df23f153

SHA1
c92a5416c5dac7e2cd1ff47e55384e1e53e41f10

SHA256
6a97b76ce8596fe8c8b3bad302af53a0cd39383540e5ac3caf8f96166cfc1d3d

SHA512
f72605ec4e5680c29f52bb3db027c087316e1a5e2e157b20edf79d70da2b21b872423d8298c102308d9c1a00ca64863b2d1204b8d8b0e89e9b8de43aac2c86df

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
72e0bb4eaeefe609cfc59dc4385d49f0

SHA1
0eef5971d5550765da11ab6427abe0626d295e2b

SHA256
87d4ce8d1e475a1f3953cb27cace357814555193ec4a08f54aa2d053b7ed84c5

SHA512
42f7b0aae1f1cfef059ad6dd2c35553f5c2d4f16dbef05097025d59ddfcc2eb67605ad2e8189a787703d2656e3b878312fa0b4c13ba740efac13d1cc0518a94b

Download Submit
memory/780-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/780-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/780-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/780-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/836-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/836-707-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1008-711-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1008-319-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1644-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1644-712-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1948-297-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1948-182-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2116-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2116-150-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2116-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2116-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2116-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3396-160-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3396-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3396-159-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3588-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3588-122-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3588-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3588-128-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3740-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3740-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3968-196-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3968-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3968-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3976-705-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3976-248-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4180-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4180-330-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4196-708-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4196-306-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4356-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4356-506-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4372-318-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4372-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4476-179-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4476-293-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4524-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4524-699-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-158-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4664-0-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/4664-593-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4664-7-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4664-8-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/4720-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4720-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4720-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4848-259-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4848-706-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4896-713-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4896-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4928-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4928-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4928-50-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4928-119-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4928-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-703-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download