1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
Size

1.8MB
MD5

54d6e3b30ee1503a75ef652f8b2bf373
SHA1

dcb71ea861a56fae18869ef4f392b6d8992aaddf
SHA256

1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab
SHA512

035a1da28382d32198171742d6a4c349ef191c264aa5695ea96a3858eb8e9439e149c283d0ba393ce4702a2f76d4a38180ea469975003c25e5269879d9b0ccb8
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WATaB0zj0yjoB2:/vbjVkjjCAzJ/B2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3716	alg.exe
988	DiagnosticsHub.StandardCollector.Service.exe
1236	fxssvc.exe
3244	elevation_service.exe
2572	elevation_service.exe
2168	maintenanceservice.exe
4472	msdtc.exe
1756	OSE.EXE
3504	PerceptionSimulationService.exe
3956	perfhost.exe
4064	locator.exe
3204	SensorDataService.exe
5040	snmptrap.exe
3316	spectrum.exe
4912	ssh-agent.exe
4528	TieringEngineService.exe
2064	AgentService.exe
3440	vds.exe
468	vssvc.exe
4592	wbengine.exe
1160	WmiApSrv.exe
5064	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\locator.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\System32\vds.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\System32\alg.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f7e8b1c4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\goopdateres_uk.dll	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\GoogleUpdateSetup.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\GoogleUpdateOnDemand.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\goopdateres_fi.dll	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\GoogleUpdateBroker.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\GoogleUpdateCore.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\goopdateres_sl.dll	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM349D.tmp\goopdateres_hi.dll	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b2e74ad2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000246445ac2299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f90c97ae2299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c797dbac2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000941375ac2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009da72cad2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e28025ad2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e64973ae2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe
988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3976	1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
Token: SeAuditPrivilege	1236	fxssvc.exe
Token: SeRestorePrivilege	4528	TieringEngineService.exe
Token: SeManageVolumePrivilege	4528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2064	AgentService.exe
Token: SeBackupPrivilege	468	vssvc.exe
Token: SeRestorePrivilege	468	vssvc.exe
Token: SeAuditPrivilege	468	vssvc.exe
Token: SeBackupPrivilege	4592	wbengine.exe
Token: SeRestorePrivilege	4592	wbengine.exe
Token: SeSecurityPrivilege	4592	wbengine.exe
Token: 33	5064	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5064	SearchIndexer.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5064 wrote to memory of 1580	5064	SearchIndexer.exe	SearchProtocolHost.exe
PID 5064 wrote to memory of 1580	5064	SearchIndexer.exe	SearchProtocolHost.exe
PID 5064 wrote to memory of 2656	5064	SearchIndexer.exe	SearchFilterHost.exe
PID 5064 wrote to memory of 2656	5064	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe
"C:\Users\Admin\AppData\Local\Temp\1846b3d9f391953dd33edafdc29375e7560acca81048c70fc949bdd8f1a65bab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3316

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1580

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5bf61ead8f04eef5e6a604b7d3fdd597

SHA1
da02c67ee5a6df62caab01ea3764cc105963e208

SHA256
7988bdd76051a1fe453fecc4f913563bbd67962675978c58c9022146ee29faa1

SHA512
54a7cfde0bf4ed2b160e3e3f964e9c2da47c1f100cce2afd046cf3d628d9d688facd9477d086a5940cd9f88b34b199f383175e2e9a4817fa63f9fbf44cc51872

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
23b95eba17e1341b57f59650a25669d3

SHA1
906e0a29899a7b7e9f2f478c8fe88dc3b650d778

SHA256
6287c6366424675c850081b50ad5b6fde1563c56b156fe80fc238481eaf0c725

SHA512
284143b1320d578b50a8d0ed8c594122fd20317a90421d2a77b9b4e9c16015f99d7cd728a2092931302605a0fd709476300418c83af09ac2aea34bb4371618b2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
debd7fb9b94e0b1823b623212faf5759

SHA1
bd533bd13f9129f1a944c4632d2fe22ec8ab2b0e

SHA256
698723da3c1572f6ed7a8436761d3b68393066b96e4d341c0c04554cce016f36

SHA512
07adf82265d1cba760cf874c2dd68efc673f9398e40f04dc1d60736979f904c772b24410079c902f109f5ea71f725745c823f0494a4bbad2d25ae64c4c78d57a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c23e41158bd332f517600dcbd55ea7fc

SHA1
4d12b6162895177035d2de2b44207dc27b9668e0

SHA256
7861cea3aea06a37c016ad4bb55a81af94e6ee69dfb1f2ea2deac95c852f02f4

SHA512
0818a09b4470faa2c99d413451fb2b4deb54d75b0e14c62f9e46da8bb287aaf395091b8941c4cb8dfc27023c2f5f8c0ba85f2f865c89315cfda316c6681aced1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c2da83d67b710909b31bf48494a35cff

SHA1
e5c0f1da4da3dfd7161b55f9a47ebbfc558247f5

SHA256
6901e68bbbba93edcbaab9580d91b019ae7bbee04d366251fa4811ccf1b5f8d3

SHA512
8433184c5b311a1f9ba65e3a5e24787c3218964e74e2545ad6e5ad07ff2840e74935e88787ba76b8164c85e454a66483edaa5994ab4088143605596af45d8940

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
ecfd89f8b9ef8e7b97c58700187c634a

SHA1
9aadd24c09af376ebf7fe13cb8c907f804bd82fd

SHA256
6a2ddabd6612a9cf1b5082619bb606e76ac8c9079edc901c5d50ee4e79ac7174

SHA512
1b5b18a5f12b4c56c2eb1a61225a79c21e6f14862499571df6e35b60b2c0d20e1b515c331383c9ec4c86b1fdbab789f288f2ce89238461f2c48804c788050c00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
fb6c9505645759d488f52699b781c4b8

SHA1
18b68bca33f962361ab29c0d595f0ce71a9cc184

SHA256
4879d46ba3c26c55f84a95af873a51e7db292cf7e00da15058d57650acbe8008

SHA512
68d02c8a2b90bc408f8e5cf94679110bf63f9a9ab47bd90051536ff942dbc59ea8b513b390264cb117de19ea8b150dcc60fc666c696f5cf4dd98b07858d4b285

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d9e7d2edb516e3a76a9813e77253a682

SHA1
16bc97a5de7f2920ae08f90a2b516daa7bfa5e24

SHA256
3c3bae20d7512e240385a84fcb4b41914a82cd3f62cde5d880c7c1f798f03f27

SHA512
f34c79d67e1bfcc830a6c8a9aa003a12e6a066107f22d48ecfa0ef7d8db893fca1f71248ac23a20a67829b9b72fe32181f4dd9e584511e0ffad52566cb41a0bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
5117272cff7fea386020188c2663ea83

SHA1
e046577a6cc41490003d8633eb97f85ae36137fc

SHA256
16e9cf93fa064eb3c484cbb42880e8422430f7aae81781beaf6ce0a94a37838c

SHA512
ff50c0002f6083928b0a85166c40ed7777c4959ccfe687a365f13f5f6f49eb8e59e46bdaf4285dccaa13a9875e9ba893ba2f327617dc3ba8b54084a6ba6523d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9c45a1439de717bbf56d9f59b1f7e8df

SHA1
c1519faa19e5b74c052658cb9a7a9323cee83dd7

SHA256
9779f27ca8c9a68dc3b5a7e58fece242ea44c878599a26248304f914c84bba0b

SHA512
75cdee32a1d13541351f5d4df10063397bb73cecb13a63fcdab07a7271d01ab27c865d746f403fa5960f425d435057956a0c75d72b5926b5927685ba7151bc43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
232530411554adbeaf6bcf6b6cf1b88b

SHA1
3c06279aa497b5f173a36da64384d8d3cb10ee9f

SHA256
9e0f555d608456ff226d31a19f3ab70e5271ccfbdaa3bf27b4d9a93ae3519e1d

SHA512
f3264d2a61ac90fc065e44627811ed647971104e687fd297e2627758a0434b34e394d8fdafeaa0d17f2df76d73fc209367267a207e5e5a7e820658b505813016

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c87fced5676c43c22ae75900723fc734

SHA1
1572dfe44af98af5abdd76edf178f7452d87b1ce

SHA256
8ae8fe898a8495c46876ce2b130aad626d91a59ebf80c30d4004658799b487f7

SHA512
c29b313e7f746160b642c7c9d6c42c050fdf5d6f3b5c08e35cb838cbf299fdef504a7f0802b4b5e553668db8a0e60820279aade12e7ae8487a0f9c8efb53d96b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
c56cf62afacc678add869f512cea2c77

SHA1
ddeedb5e8477dd82af04a38e5fb24484e3d42d58

SHA256
87289bde4fa626503a3f40d74f92d9fd7f8a829d5fe3f8af571c9ca0a361eeb2

SHA512
5e871ea578db799d166b5e9749a07e323dd6f21ee7f605d80e79c4b96584cfe807ef94ecdbb65895629a590acbeaa39867353135a217004cab8217b501fc0e06

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
c914cdd89660000ffea2a825366ebf29

SHA1
88aabad9552fecb08d7fda1268b695fd112cf09e

SHA256
abe96c6f1715485771d213de7aacf213dc5702fa3f55e307e9a2f335bd0c521c

SHA512
4e83b77635430646940cd3be603e38eec41cc84e40b4f0a8e02f47e0e69b459fa5166632f823fa64a542f6e04d053b92ce316873d3acd3a91065af6769de4a70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
aaf779bfd238c9eb2f60be87e42e4226

SHA1
3925a3e848e165e87216b9363e93e6e8446177d3

SHA256
6ed9271b498aeb32e0c2e98a84fb6a20f55c071d6ccc4fe903d1ec6b4404172e

SHA512
f14faf152d6cd8c9f904dbbddf78f523dbc9a37af50cee7259fb8092159c141c3f7530110aaa615e4e867eed902d2e5f538075157a26bcaec5e48804c362ff8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
2f8fc062ed7cd36a12f0a4d99604e664

SHA1
60058d798127b67b2a0c9919c80da970d365b10f

SHA256
cb54f6f1280a884bdac72dbf9e862af4ad56bb06bb6f61917341ff8d250e90da

SHA512
dbe2776735ae7778eb52f5de1c1b5e6e0218e9f7bc06520b451e12ad20a0c459956c545bbf42f79c446738ff364ad41a5ff60b714b30a5dff870cfb3096aa7f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4683e8b44de05077b9bbad6601fcd7e4

SHA1
15f08a6a1063b12eb36de82900b7f90b00e96fd3

SHA256
eca2918022ad3d7726743e16d4876adc74985efe6e3523807aff5730d6408d3d

SHA512
6e6ef325236fdde349ed3afbdf7671f78c60cf046df4358ba867843ba67a33272333fe25ac7b2223044abe8fb1afe06eaafd4447740b4fba54494da65a8a895c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
563173d51354aa27ab3213c2077b8e15

SHA1
dc5cc62bf7fe6a33b896242528e6b569f12d674e

SHA256
20ffec67bded753d102b13fe42ecec6b9e6fbe5f70f3e9ee1b944a340170a9b7

SHA512
92567a361dea84b401b3e65aef9f419008c9ba79936e04283dc124f9f18963d621723e2ab521c2ad5771ab1e0547c235a2f8cc5b527a77e267146cd1f1183ef0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
724ae57277d7401b78b3be32e747315c

SHA1
191a6f08614230846059b885c47b4653a004d08d

SHA256
112b54256efb070cb92cdcf59835a3935360a70a216569687fae5c5d07efcd2f

SHA512
2ea2f28cfb421f7b7510412ee023a612f4903d6a2906703c60e3acbf2f3a45100d9fdfd549b76e09da34974d6403f97a15ab6103403cd9912296c6f257409f15

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
43f325429323b68a2dac25becd5e4303

SHA1
d896625fbed6d3bdcba0cf550e45eae76e4874f6

SHA256
558b213995bac86bb6f00825258e4754bcd6a3e02987113f1fa3bdd25d80566d

SHA512
c0a6570a491489a4b1062140cebf1985ce27c04cbff055f7e2a5a7df6d14206e5ebaffc720f65f7abe19c04d0a4649e58879a10c42ace5625450b8d3fd415e4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
f6e119b3f246039e006c2e592d1e970d

SHA1
8ed21bbba847686d394d18e598f48b15cba6d0cf

SHA256
980a52f0c543b144370a1c377c954074d27af0766bdfc33db7eca98395e695cb

SHA512
deaea1609e3b53b4dcd2077136ff937d3164c67c88bc9e1f5c07e4cffd8e5354f9ac20c409adaf54168117d73462b48d572fb88cd5b48053c91744167a5c09da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
1d80ec9973790500c3103af47bf12352

SHA1
44d262aa534f15325ef222f1b6f8e02c867c01ae

SHA256
b9f69e7f203c2a7520a4c6da56df8a9ce134be91ad298d6064d57950f2844427

SHA512
395c31f9508b6f3cf8b14c4a856572c86341d8f1eae8341c2c97223f3ff8e712d4cef0d24902bf47da4aa60147114202431e972fba58e17cd93c788f9e8a2771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f917b452cedfbca8d6a79564a940d15e

SHA1
3373648a5474830e01f8f268d933a1b979f97fce

SHA256
5ed270fee8fb6ef6883debec1d13a26e598b6cb3d540c93168fde09cb71f9d86

SHA512
b1c395a899e97c2baee15e2e7bd3367d75d8e72133dac3e15c8c93e52160de58084a1518a3a6d4f4cd32787e4e6eb33f6960e569e9fedb70f7d75830b01d51ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
00a02d6816f16ca9035edfa4799e57d0

SHA1
b1c3c277bd580849f375141ee28b481470bdb455

SHA256
361a1341785c413a17f24ed30c266bbcaa49d173d68c640fd9fa414f086f3a9f

SHA512
b8e918f3b77473ae6c9b0b140bfaa854d5f10774ee5e33814fd6a570011364a288c3fbb3f06223828a31f4d43121e8173222bb1a28e4f524eb017c068d21c715

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
64319f0b1819dc80bab8b94de7863ff4

SHA1
5f80beced6c79ee8761d6d4dc4cc4f7e93b6472b

SHA256
e27974865eee70682078f539766d1006a8cdbdb4cc62c59258554ae64fe3cae8

SHA512
3624792415d664ba7d22317fa8e0703cee0fb409a5a832386034784296ef8d24cc12fe69635bb8ecd80aef7bb524d06104160a766d588836137dce9bfe58e6a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
9c3c232b5cfac774feb5259c4b527b4a

SHA1
60c77012f155cdb5bca61f2c4af6ece152ea58fa

SHA256
82cf185902710687a3a76b16e589a0e2ac589f8d8314c8f900067afff3b5b0ae

SHA512
98511594595b44e8eb6e98023de0a7ae1210f54eafd48c35a2e5b0df828ada807f593c9c7f552f92e042eec8e68b20f904a7aaf0252c3dbd369dbe1451420df8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
8b49b8f7205ddd073605e2a437d5e122

SHA1
5e83e880d22ef97d5e32edf41173e9f89e7c8553

SHA256
63c768c7cf84a060bfae93464598e2389fe7060860dc8449b9568974caafb391

SHA512
7289a74694c3b011fb936d4f9caad6c18ee3a3db8087adbd4bc3d90aad4f7c3b63bff490aa31ff540449be8280ae79c6d98c91f7f69c7d6eef9f061855d1385b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
b669a8b5b4c8f67b5ea63f1ef182ae39

SHA1
ed842a5e8f26a3c11f504fc46b8886d3b8b2c341

SHA256
2510ba07e958e17f91b01497314cfbea8bda185a98781ddda19f0d9de18aaf8f

SHA512
063e64edcd831cf54a6ba334995323f9f1fbc69b4bb69e9fbf7145814e2de2e0bf994cad107c20c9d34fe9760f3d58a0821960b7411e9ea45d092cb25d0eab19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
ee9344d438d9e9b27377411a6782f64a

SHA1
f928d809a0d5e32d78d5cff1983c7198cb88b1e9

SHA256
2fd99c2cf1abae31902c4e57c6b1bcf4a77de0cacf58e7dbed3a7a62e331e0be

SHA512
0d09e4a407ccdc1cc6135e39753bdcc56f0e63830c5bce2fba4f4517a8ed8b1122d48d20d59c6a410cbe59d3cc4adb89abaada99605fd91690f99f6d17578068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
5bc83eb3019c2b8537a6bd32f15497c6

SHA1
62ffb46c7ec9467c4bdcbb6254fa5a192b2e8fdd

SHA256
27b8cf8fdf9399dc3c44c03cb7290a0665722527f9fd807b6d55e9d4e523c86d

SHA512
34dad25ba7aeff80dba3081fbfdd17b95603a40e90ffcc9fb1b1f57ba5559cdaf8733c642d181eed977a9ae130bb9bc085a3822b669858651c0ff942ef769373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1259be13ddbad7420b7051726fba8e64

SHA1
28b1323efa193cece7a281bd08d4cf7c01f25587

SHA256
33cb5b2cd91b1a085e56336bfdaa231829a948545a0f31b872eb890f24d64fb0

SHA512
639bc95bc7ff482fe492b2f3bd4f554a895a8fc0cc4387ffe1111e9a465e116b6bb9b824845d08d16d73a0eb595fbff1c972533d1fe88d0e7f9e007759faa502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
925464f7ce2285e0beff7b3f487c67a7

SHA1
d40d860b46871e90a06255a7decdbcd98a41bd21

SHA256
bfb8ef33c1fae8370331f4d4ce287659d7ec82bf6e2ff85e64f01c343a14055d

SHA512
5e3e75c823cdf6a825d5c91477ea6a3042b54531748eb980eda5566e271cff197fcff93d80b6de3b2c652ff787197d8965d78aacfaa93f5004c1c55212660af9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
f8eafe5f6bb139d88f81fdc2d8cb4c80

SHA1
41d3c67dc8f35b5405ee88787beb4b3054e94448

SHA256
da45aca54dc08dc6f418ee50c437287f20df70bf02ab7c73a8c359d2ba355654

SHA512
35617b5f0db7de034d8f7936da053016bc791d1e16b5f3f18dfc978e49429a3bfa8a6ea581fac85cf473dbbd6210d720424ec1792b647313cd97de88de0d197e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e851b377225bfcfa9065f053f1dd3a9c

SHA1
bc7fb3e03aa428245ae71efeacd4bcd1b46cb875

SHA256
774a276a6e5dd8b655d9bd6ca416852285da776230d5a3be4ebcb04c785d9aaa

SHA512
54c16d3e1a010246f3a54b62a3226e95c716b55799a5a17642c315627ffb282b8e285d4c1f94e869cdd93ab754bcdc123c4513be87ae162758463eabf33b62f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
caf1138b44f9fc771fa91c9915c008a1

SHA1
20759617e9ace15f7d949824efc3d067eb09ea1e

SHA256
99cc57fdbe9282e3636da488e929929356c9455d8f576d982ddec2b98764abf5

SHA512
65cd28c572cbafdd037f6044ca1213601965ca580a0e372ef76ec57a36bb017ec25a81ec3dcaf5504dfc2a23873f9def0d00684bae990a75f89d5450f3c8e37b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
d372bd108c8d5bc5d916a7517dda84c9

SHA1
b95fe0589de0896f3666ba4c446df40a5800ba90

SHA256
4db4698dfaf761e7e7e81b55683b5e8b3360a5f149f17995fd6515d53f0cf442

SHA512
40f2005bf3d625f7e30754b87ade62477d768becccf6e753543c139dd5be7936ef47589bc3fdee50f2fd5ef97cec7a25e613bfbd55bddcd737ef217cd658e65c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
8dfa15f8172829041de86eee190e4d2a

SHA1
1a959122cf8ca8e5656ece2544b06ea9f6f4289e

SHA256
daddb2bf5fa8e9e31516c4c7e4b62aaf62ebdc9e9580c4736168583f3d67275e

SHA512
0900f059bbd8d3f27c2e19df6b6d879a7c368e48bb718ba5a457a712b04a99626794ada60478c18d1b7ff350e59b03d3fbd5a36f9a28db29010118fab818a0ca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
db1b4e30b9e849d81fddec67b6052507

SHA1
6e6bb7c74008c8686eb95b842bdac5892344a07b

SHA256
161db172347231fab4a50825d70366ce732889188ee492339ee2481c0511ffaa

SHA512
fefb851f3d4ac0632694ea9013fbe16633caa1cf737e260f05afc4e73b3bfb4dd61b27418aace5ca504e2c852ac03f08e4d181435ea27dd6533eb7880b6febdf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
de72a50c8f4b66526a9fdc1b714f6f59

SHA1
6c27231a6cb347d713286ee9d93b0c7a40e38d31

SHA256
7d569648de6af321a11e6ce84ff9b2a9e9d82b5481b9b08254f0037d92771373

SHA512
e59baf01fc0e2b4ddb39e44cc54973bf65000bb62abfd580da202bb677a05cb580b1521db08bd273333d4e5e7dab0c3b041731c20d967727da4bb038484fae15

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
79e7497b540f4c25f1985e1e1952ba56

SHA1
b6a960de8066923c47d9c6ec24baba260a98abca

SHA256
4baab993a781460555ccb28d1f8b942a154411952b9f4fa6ebc906f70d2c495f

SHA512
d59a5cbc195bc224fdbacaf733a67e86c6ac01ea948ef7d8595d81acd69e7085e3fdc1fab92e7542f57628115dfb54d14f7d80f15625e622eaabf5adeb92c2b4

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f8733e020cf92be248dcc5ffad865887

SHA1
d3483ea9944db67704292bdc5562112a7fcb3949

SHA256
3536fe6a526dc2bacf22f3216df60f7edf372b514c431832bfcace0bad280b2f

SHA512
7463c1e31563ef76bd7ed85a5dee5b78be0ecc0faf51e48e99a613389de31ed3dca889c7ed192ffbb866c1927904e94805e37e15b9333f71353d55bcc52e582c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e92b532232d76fd0912815329b8d993c

SHA1
db42ff42c21fa756477b4cdc4339501ffb8b761a

SHA256
e9550606536d83f12ccf02b1b5349e02b20a85ee65b853b3b20541ef36b7b640

SHA512
89512749b28ad0945a6bc25ae3b76ac23b9d269ab21a2d5df8063d4c5cdb230a9818341d635df04be39e1eb76fc5395cc2437a6c3ca789e9103ce230544beea6

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
75e7aaf465ea478d0b22f3be17365a8a

SHA1
c2d276b97091975d5ba48f4769916b09af1eeb9e

SHA256
30e0f2b0bb9c9970a596bfbf15e73a703825385d60ea7fad222c2d592aa077ab

SHA512
9a6dbf8d1f1fef9901b156c8b852b77cda005cdcee62e691995ac53656262af6fef219d1df20141936647138f83cbd5046ea3a6112d2714ebfe3b3f8f0058d80

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
53d39bf91bc1290de59274d16a3f3d1a

SHA1
f4effc19d31411ec2fda756e8e56ab57559fcc10

SHA256
e37987a8f4b32505ef01018f64f3c93bf804caa4aabb61004d77028b815e9d52

SHA512
8453032d4c51494b1c790c01114b245e8bc64d5c7f7051d0b673e308e27b6849263a909622bc8f37a039314c902f18131cdad3e18fef7f9fc99029cf58b36353

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
63f2d28d3907a31940646ab605b91436

SHA1
40202e2a78a3e25c89326c823f8c80f6da364afc

SHA256
97d3d9b6b02e1f3709b18736017d747172b04a9aa472a3bc697a0c6fddaa8c0a

SHA512
fa7eed0103054163095613ce233c23795b95cfc1416385160ec68365841751ce3660b88a9b1d4e882a0104fc006f5aa682e81b7bab429971000053b55f61cc3f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
67f734068d99f4b27d86bddbf7824546

SHA1
62dcdd6cd91b3f4e58c741a1ee6517eccd9988b3

SHA256
9a177526be6dab185d22aec104a9535aee7335dac9a4fab08e194866375acb87

SHA512
3af00d79170de33b9fb73a666742c55a198e8ea921d93f4e14c9708746696c56630456aab3eafc2ac9f14dc7823a40294a2bae5d4537c1feff59bdd4b17ebe85

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
32962149d19bf33261502ce2c225b1b5

SHA1
1001d7a636c5184f0c8526965b468daf6fe8a1c6

SHA256
77ddcce2a24119a17643acea5c7349833b1ebf8e475f5e25dc8da8c5e98d96b6

SHA512
761eee685b6cbbf8bc666d6be176643a0505044adfd86f93d6b70adb02641563580084fff7d7aa9993cd5714de19778146511e27f16542ebd1cde89f53e3ba2e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ad4c7bca97b097f018f2b774a7cd1049

SHA1
e6256b10aaf9738a4ffcb725f3e9e1e72d3fb813

SHA256
35b329de5ac4c776cd25ae8b1a46446e8d158f44f319edc5e771f40bf4603ccf

SHA512
3b60a3732dfe40b7dc6b27c9770c660155eed05b79ffb3d817ac8f5ecb4a39c7d86e848b616062af8cd39ad1376745be7f7742b2f3eac952d047d64eabe3f591

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1bc2f6d2146ac79cc70f84fb84814feb

SHA1
20de3888e4d20340010e565b5bf9f7fee228c356

SHA256
490ecd9b17b8e8d17dffe244b9e50084f6ff687dbed82c5c45493e03c5fa18e8

SHA512
e4a5ecf603d8f221e6aba7ef7c629cb07c2549c0e0416c26ecd98610dc36e4057d43852e30fbdcd6a2077ddd39e4dc287614d3d54620f7cdf6e8ab8a4cd596c2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
03fd250f7a6e46609f41b5acd29ac7c7

SHA1
97ce4a94ef83799be08d7256e45f5e51cfd45a72

SHA256
08de19783373398294d4ea64db613246d4af0777b311a9e8fee443627cbbb42c

SHA512
3478450c77163e1c6e2272643308288a6fb0e08f5bd59793b8842ff8bbd013710c1269bf41cc630516b574418800523c1fa9710d71406cc74c989b7c4e90d33a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
56ba0eb0b36d2bc5a508a5de7f1cae17

SHA1
370e3bf9361b86fffa5fcfd9cb2891f877300075

SHA256
3ff0cf384fb2ecd91716184ea7267ac14deab67da089995ff2591f24e012817f

SHA512
a90226bb6093fd1d7f58aef72f3495053e9e445276dae78b1e86e67193db08b1a2a81fe0c5abd6d6567bfe0b803840bdea92bdda6480a8855d1874ae8f971931

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f7169fe87c66f1aeae469ec22ebbe100

SHA1
bc366107c4c55d0825cd23aec96f496eb116a908

SHA256
c2a0fda03d573026211aecfbdf98270825db1626e0833e3e801d40725ed68c06

SHA512
70e2b6e545e29738cf072ef923004acba53e7e415120d8c9096cfffc88da77510463352067953ef8bb47b13a7e778cebbf65bc8a70e3123d7fdb872110740c0a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
4f4210225b979f1a6f94c0a6d166a6da

SHA1
8b90ac4cf5fbf21959a71140ec5caf109dcbedaa

SHA256
3bcc605111e1c244f0ffcecf78fa96fad8cef9267190ac602fbcd910df0b6645

SHA512
422217d7cfa2a3aa97556dfe9d8c7a2d5bb497fb96d438ff27e989c92affa4cd456e5132cf51ee7fcbb8680cfe6034417dc71edca483f77c962298a4536da655

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2d904e102bc9d63a26db0fe11294c2b3

SHA1
051b77935bdc771c8d1f79b1bf8d527147acdb77

SHA256
020ab89d5ea2b04c5939fea7c7b77b6c054cc60d5df769b7057b042168fcb85b

SHA512
202d4c6cf8c7d05d93e9a22dbed64b9b14eb3a621ac8a54b194e534544338c66c001d8ede32f9ada39fbe90b5836bb8b1700db1040a95a5c4293d17c639761b7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
09a36307812be9b7f15c6006455bf4eb

SHA1
bfcd060fcd6fa214914bc26bfbbb6cde25420ae7

SHA256
0c11dfb31089718a201b2d4036419c468e7e10ac8f47c08c050837db01a7536d

SHA512
ce9096f9367b0c71c35f8b27f833d36d4908eb3f447a6304e0429e9f36a9ecd2b308c26ace6bb6f901146dbcee3c852426eb5ac80397bef1111c78a66a5ae26e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b7e8e1222e59998b6938e3c7449507f1

SHA1
e5aa3bfdda94804fe2bcb1c0c219dcf8ac4ebfe5

SHA256
6a2c9c00f214bb0c7849298574c97ddb48aebcb31a719f146e41b21f74c135d0

SHA512
b5f2a49c6d70176c07a007bd48dfbfcadbefc0dff2605ea32796371be167816aa7e2b318a690ffa1b56658d47d4aba689d02507f80027b5b8578cf5c92fcaecb

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e7126ec2bc9834e3b5f68d0575269e05

SHA1
57f8259eae8d792959d3ed6a9719cbb73ccf4fa1

SHA256
c6a62285f920b2e038c2076217b84e6432d358259f7ae89ab4c6188395c28576

SHA512
4282fd105c2850b9a6f3ba1ff48b213ce6a6e190a7bb22ea4810f429eb8048205968863b794c1ba1aba878988641a9ce9d57178d83203c78d32b7a6993aafca4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9d5b9243c33d09dfdc901067342dfbd2

SHA1
a5cee8d6a0361014666ac9f103cf8698dbb250cc

SHA256
ed7d753a77b3df9b77e0807f782c1b088270bf8381b656f070bbf617748c3b60

SHA512
0ad1bf35de941063e686161aff0423d58e8aaf7c7f5c81b2c0f360dd3cfa04b9eb5fe91c3e5c0f4535bdbe6b0ab8da72ab7dda269b96406381f3e144703708d4

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
8b90000e12fbe397953f3036b7df533b

SHA1
af0f0997a395d1e6ded1c3aee29a4e25edf830ef

SHA256
8d3bac5a13cdbe96a746ab52f039563323f6545ef5852684b679fbad76c5efed

SHA512
162ffa4e1a721dfb3f5923929c9d941059f887eaca0a69e23eab7e9f9c26c874257b1094d90acc275708e3ce401127620e6141d8457d71c34a464ac6cc757149

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
ce7c7c3f2efdd9efc69971e35b872e07

SHA1
8f6a8e54600f849e20c577569bd24bc274228026

SHA256
a8e425bc913e3be613bfc765bc6bc6b99564ec5f1b96bd2619bff030d44f11d0

SHA512
21f91f7e95efa146ed3b0b2566e38f58599de6b76afe577ba880b7efa0165665b7a1ab854e6e2541849a4742311632173c11c5129dffd23c0da5947ba42d7afa

Download Submit
memory/468-801-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/468-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/988-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/988-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/988-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1160-805-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1160-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1236-43-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1236-37-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1236-137-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1236-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1236-139-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1756-284-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1756-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2064-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2064-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2168-154-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2168-149-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2168-143-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2168-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2572-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2572-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2572-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2572-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3204-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-797-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3244-123-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3244-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3244-116-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3244-117-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3316-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3316-729-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3440-800-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3440-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3504-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3504-296-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3716-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3716-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3716-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3716-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3956-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3956-308-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3976-156-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3976-1-0x0000000002230000-0x0000000002297000-memory.dmp

Filesize
412KB

Download
memory/3976-8-0x0000000002230000-0x0000000002297000-memory.dmp

Filesize
412KB

Download
memory/3976-597-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3976-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4064-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4064-320-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4472-158-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4472-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4472-166-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4528-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4528-799-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4592-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4592-804-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4912-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4912-798-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5040-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5040-512-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5064-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5064-806-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download