586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
Size

1.8MB
MD5

47c4559abdfac7ffb15bebbf39c17bc9
SHA1

2146ad9766a75d7b79781743e3a53539814ac5ed
SHA256

586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0
SHA512

32b68fc115195dc2c6a994a32e00fc062264561a3da3406fe12fa7010eda8d3ed876ba67bd2f7651fa04bee2fed23832e66fc89a03160f5b50d5a7f4e184a42e
SSDEEP

49152:yKJ0WR7AFPyyiSruXKpk3WFDL9zxnSuRVlbnXf9gPTTW7H1GXC:yKlBAFPydSS6W6X9ln7RVlbnP9WXW7H/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3496	alg.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4560	fxssvc.exe
4944	elevation_service.exe
4504	elevation_service.exe
2428	maintenanceservice.exe
3712	msdtc.exe
1956	OSE.EXE
3504	PerceptionSimulationService.exe
3968	perfhost.exe
4404	locator.exe
3772	SensorDataService.exe
3408	snmptrap.exe
3132	spectrum.exe
1508	ssh-agent.exe
4384	TieringEngineService.exe
2612	AgentService.exe
1036	vds.exe
976	vssvc.exe
2016	wbengine.exe
216	WmiApSrv.exe
448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\549a2c6bad45b396.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\System32\alg.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\locator.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\System32\vds.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\GoogleUpdateOnDemand.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\psmachine_64.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_am.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_hi.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\psmachine.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_sl.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_ur.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_ml.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_pt-PT.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_is.dll	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039354f002399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ebc4ff2299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000794b05002399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018a8ddfe2299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000918600002399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005975ceff2299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a5bfc012399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4213c002399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1064	586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
Token: SeAuditPrivilege	4560	fxssvc.exe
Token: SeRestorePrivilege	4384	TieringEngineService.exe
Token: SeManageVolumePrivilege	4384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2612	AgentService.exe
Token: SeBackupPrivilege	976	vssvc.exe
Token: SeRestorePrivilege	976	vssvc.exe
Token: SeAuditPrivilege	976	vssvc.exe
Token: SeBackupPrivilege	2016	wbengine.exe
Token: SeRestorePrivilege	2016	wbengine.exe
Token: SeSecurityPrivilege	2016	wbengine.exe
Token: 33	448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeDebugPrivilege	3496	alg.exe
Token: SeDebugPrivilege	3496	alg.exe
Token: SeDebugPrivilege	3496	alg.exe
Token: SeDebugPrivilege	4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 448 wrote to memory of 5048	448	SearchIndexer.exe	SearchProtocolHost.exe
PID 448 wrote to memory of 5048	448	SearchIndexer.exe	SearchProtocolHost.exe
PID 448 wrote to memory of 3328	448	SearchIndexer.exe	SearchFilterHost.exe
PID 448 wrote to memory of 3328	448	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe
"C:\Users\Admin\AppData\Local\Temp\586e7c0040dc6d3838de11abfdb9ef3face02124775550206dcff670c8cb04e0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3132

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1608

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5048

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
dd45e4cc0b7cf9222486cb85a38e8bd2

SHA1
aee231efccff4792b04aafb48ee3a4d960b8ef0e

SHA256
b45e86806302143f70a12dd2c7b1e143f8e2a1343d462e0ead917709395ed275

SHA512
265840b7cddd703ffe0ce616740048f26b0556163bb59cc3052e3f4b452a8516cd1bcdabb5edf95574b2bb4cba225f9fe94203118b4e21703929e44227ee1915

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
5314f6a36d653afed45367cd7513612d

SHA1
92a32bf5bb2773517c91cc9c7991d519be54911f

SHA256
260020a189023cd0252dfb257d04a8d910250ffac80ae3ce9b48a0f21740d0d4

SHA512
f92c09d807947594cefb1829af4f756d5272e007c4cea79bb34ccefe7f7e3a6549fe4a2abfb852f060f5e9797b1ec4cbd369fa43ead0883b4579e18375cc6102

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
03f7dbdac6a9bd0f70e7b4ebe9ca6454

SHA1
1ee8e37ab144abf184af19ab0bf4f738f49fbda2

SHA256
310c748b7035072debcea881c97bc05d84ed27154e4dac7b1abb3959a04c3e49

SHA512
fbe29ba02548ae35e72391b6d2c6404599fe166c7124667a726eb5436a13b2065dbf816abedd07486760ff72ec738516be834b6e2093d8a28f1350832218a9a5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1baad823c3a56c00a44d7f8638b6ce0e

SHA1
aa47a45ccd54e863a65284d8c83dcebdbaf24328

SHA256
d42d065a92aea74caa2c1bd770c17a50cdac3e6d79b013f55051570e773d55e0

SHA512
abe57c714ce99298b166e4477177871276ad16bc62c58332b017aa6d65b5214eda6b2fe7766ede00e8b485dae300d6ae4128146e54dc44062eb5cc2f8e91fc63

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d57a6f57edf5f150bdb78aafd7522fcb

SHA1
77da322255c1cb6fbfa4b906330aa2357472a4f0

SHA256
0918407a096f4cd801e6ec1750b2be9bada4c6920117cb1abec4946f1c433731

SHA512
9a838113c91256c311aacbc2b20de6e55109c4b82a961c33e357edf542dd41924507e8c701e14bd7b206b92bed3d2b99fbc6f08930afa1052e04ffa118647dcf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
38e99a696c3deeb429550f40305bdd79

SHA1
618f0dd2eaf4d96ce563d20160487d9445c34a00

SHA256
24973a5b4c1e2821cd142699f968f84d09fc5217ad7890788645c377ba42c0fb

SHA512
be13c0b070834c737cbab4d61d828806f96de310b2aa1b179c6d64743585a75ddd739815e37b22fb1c89af80eada5b79d4e20f7b12035ea3bbcfd04a449e61e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
d3c3eeb657965a77429f5e4ba47bf4a2

SHA1
efc020803e17c3dbb4b91ad100af4e743fe94520

SHA256
87423479b83f815ce272ed590d76b23d97fa38edf9f2eb7ba7032f93f53505f5

SHA512
e4cae10766171761e875f57ec62cf3cf5e191e71bf6510ab6ee1d4c69e0b2b62717a7e852c099f9dcf28b653b3428f9692dd6fb6a18c7947fa8b16729da67b12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
17acc0314e6d761188efd2bf17715b8d

SHA1
4f5083bbc00bb4d7c64564e8e4e4d927922508dc

SHA256
926ffd09bce24c42c7639956e07227e5603c6c6d32d153f78c2140a9372ff303

SHA512
af5c55cff8ca2453d9d27ed681c8bbf540c349d82e3013c7f4f01d7b16a99dd6ed688d5080eef1bc236c37abd37f979b7c15cd8854dc0cd794414e0930fd2f95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
396b6d13c1f933d5ade056656693bb3c

SHA1
1b561a16d79efb3bf8dc601c05366a2d674b4d63

SHA256
476d4f045ea7f0187019ae4d25c424186528122b3b1634a53c8c95f10f8e9267

SHA512
66d477daa877474444529248b5c6116ccf0c842b4fe761a5d08a7d39ff31d2739e52a26d484cf1eb75ab4940a89dc43152ab583da9402455283995333f77da7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e12948e9020b431d428eb4917d04df98

SHA1
d82f5414626bbac7710fd08de4e2471deaf33a42

SHA256
401c8dd3721bf74e8b5aedb5464ce110200c64623019bf168fb7e446aeb44117

SHA512
3774145839db7011aa5ab356ba8ab2354d3e35b848567da4bdaa91a6932ae4f0d56b6a30d110d4ca29d159f5cb50e46f6d309ad2557d4d874c89561faa0c50a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5f31af36cfa188116bac20b54320a3dd

SHA1
a2170e3c627005a84588fcea893c8057b4ccb03b

SHA256
9e3d0db1ce180d0745b7d1b9eb4c5dcf9f13b8d22561beb9fca22b485b40e588

SHA512
7b28a1a841cf98da7c7b25d5b7535a7c8dc5c9287a7b5b3c07227528d0260bdf522add4988c056d8b5d3d8aa2d24799b60c5bdbccbf36ad7625749a7ee024f01

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1bc20e02b96bbb5f6211e46cc4cddc86

SHA1
06a07f20c70d62c2bc8bd387c3483d85fc6a2c8b

SHA256
2d1e1a70dc36995916802150c33a67f3be07aaaddf5a3eb78435218feb63d0cc

SHA512
51c24fab0458413182ad342837900c76522a1db89dc6bbbd568d2234fa97d266eda1983f176682a1bb98120f0de26e2f02ed49e635fcb11a46aba749bed82e3b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
055465bd8092961e62c8c35c4b2a562b

SHA1
4e49ebefc5e671c7303a27b02fbfebcec2fe2c90

SHA256
98948710b44ce31ed32db90181d4b57eca23d428c4e60d1c8a5900904194fa3a

SHA512
263776ae63647bda6649b917050d6be9d918cb84e67d6c319e46afa01a2ccc8366d3e22d572a99117df5e46535da8f8de9aea0fefbdba92a603ec68f53353987

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7c9376f2b9f28bbd00cb09ebd3811118

SHA1
9b73f6ced82359b4f2c692e016c9be314c2fc6e8

SHA256
4c190cfcbed25bc62ae1243df5ec359d78641d282cd03b48e60e50b63a1dad25

SHA512
0320ad862d3886ab361b61cf00f3b9c5baef860379a671db13d56fa162efbe7499d85d1368dbd94a3067174f04c0f7e8f10aefcc75cddeefe0d1106e6e612d60

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
245906a3fc1d3cae846851c2d7247c1e

SHA1
91f8918c8d082a08f74e61f66f4b660c9a7fa661

SHA256
654430ac0a6eaa7f86ff7ed2470e9acc568d93bfddfd73f55a050adfc15b83f3

SHA512
4f063bff0abb2b9edb6014aa5f48330bbf6f6521f1fcc33cdf492d14611eac9288c557585aa02ad4b488d7b5a5c13ded6defb196c1545ed7fe8d89115870c0ca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
66effad3b5d23c9ba15b3ec7c50436b5

SHA1
dce3d5524e17c5a36c73a613538d725f5751abfe

SHA256
5d005b37ef2b300293478311f1a318ff393c9d24a05b6b1c5b261f3dcf5adf5c

SHA512
53c2e10ce583f2719310aa2bb2102a8e69b463799792b1f2867f989e00aa4255fea956ac5e72612257fba6953db72a93220289cd20770be04b59248b4715c824

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
5e89e2c752aec0060a00107c6145d326

SHA1
20ecd3c4dbbea1dcd53dc9075b1bac96faeaf9af

SHA256
64581ce31475f44753c7a6f56ac9f0a806849ab9cb1c6d4f43dc5aa092b0d6d8

SHA512
03014e3713df2145a76de24e610c3acff39c080b1859d7b61751c5ba6dc5652d66a0ec2b0c33baa45c5a411b8d7b164bdc3bc12aac960a2d06bf7be2e8647134

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
39996b94fc29166f49210fda836d6ae3

SHA1
cc6f5636661101e4aa7783ad4e4b363f63bea06e

SHA256
bb5546dd408ef916469c42d458def38a7aa4d3ed002951831c254b47af563671

SHA512
4fc84c08e894ff8f9553420c665a6f57c51cc060ec08406c7765859f1084df6622fc5aaf232c4e3314f8915f3bad0cd76df94c3eef201c90e9c5e68d369446d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
53a2d204befd3b32129819101f910edc

SHA1
833eabe874671264cb6042a9355d9063985c1098

SHA256
ab11b3acf969c0648a94bda9abcc52d50e17341a7421c9daabbe6915a06931cb

SHA512
e9074b1209e837eb232907ca2d34e5326703d1a1b19a8e2617e6fa4f34b5fba07a772c912af45380263d01b0ab690028575e92f74f21e12192a244fb256b2fed

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
eb4350ae892ffd559f4bcdb330c3bc77

SHA1
df079314e7f87ad8b2fe18bd611df3978831106e

SHA256
7b058e1ef104090174b4e13756adb6fe3063257b4ecaa46fdd344e624e616d40

SHA512
1d005448716242ec8f377f690adcd0f27051fda89cac168358a4476ddce0f004acc8dc60f563ac8b6827ddc4597c0bfb8c283870f84ee7bd1fa91668125c8ec1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8c523d7d9c464cacacd5e25ccf36789d

SHA1
03151e8ca2384d59a0a637e599e419dcc90a244f

SHA256
5770160ac496328aba8d1114a9529ccbc2d6d73c4efc79a4feecf83847918577

SHA512
ba21e086d69e438bc45e49861e254e3bd075352df44dab7452d74344e3314357e559e37b3f4c97bc49df3cfff2da20cfbe7db96c1db75e0415305e95f44da383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
bdab999b2266881345e4a9a35bf93b80

SHA1
3a05f8d48a7e5052718889a26b4dfb804ee41ff5

SHA256
bae5ef218f359f6342003e66f663ec4c2d56bfe739ecbfe8779a29849d7cd787

SHA512
d81b7e26386e75cd3cff4a5f2bfa7937e2c597ed0cc211ca146b9b4c5d428d22c6a18b0a59c38801326363aff276243cedbb6de9de7840d2748644d836f17d99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
9d71329fe2a727ae0c77de8174fc8b51

SHA1
ba38abe243aaee23ae1811f0116a6a228c9c5795

SHA256
0038301b38dda296d9e5a4bc8de35086f52b202646b17d86c090be987fd3638e

SHA512
4b02f97b09b98570c92684ace57c94d3c0eb6bed366a98e677453b4c040d0cdf99a4dfbc4261ad6b39f9cdeecc618df6743c7abfeb7a1007569f80af20a966ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
e9ebd3ac1ab1fe8ffb48ca36558cf3de

SHA1
dd44f18bc59c5a3c89dfea8e0ada9dac7524d9f2

SHA256
fdc1474445a15ce93deaf55f34a7efc64732153545f8d0c95163add151fa96f0

SHA512
73f4f739c09baf81216824cc650fbadbfd72a083a4b1c76a235134e93e7ad8c3fb14465bd7fe0a978db48cbad012237e3700005bdd3928c8bb0675759827a514

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
5884b1a3ecdb820f676a930cb88780bc

SHA1
2937895784f2f4cffb1ae7f14a9cf28eb3627103

SHA256
50d757034f97ca87e5f62e1884413ed489bc4fa8a08325d864228137a482898a

SHA512
1461e88bb2c471fa1833918611830ffeb144942649436765397642ecc7d6cd547095ccc562c9ead866d8de99a6b4ce33e5376bdba1e160305c73dae68deecc87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
5e66e993f30255f1199225a18b45ab1b

SHA1
4548e7c1fd6f80d09f7cea17a92c30a0bc227de5

SHA256
9729cfa0758806be49719a746fe01e499241f7cd6f494c9b5993d395fd732b54

SHA512
db68dbb30ec358fac7c91bf626c218cc547f5be38898a8074fb4954d393d298bac7851da0148c0a4599f8d8520fa3e8ff65ba1e6bb93593583fa36b6c76a959f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
bc48cdab02c7ff4b01f5961032f2222e

SHA1
cb6e3b93e87335dc356e8d7c7a779f96a33a368a

SHA256
d4d92881ed5ae0056cb3ac7dbff6bd094764d6c3942d0d22d4ca7528c86deca5

SHA512
7eec4c47ee4e61d231acdef820d473569266e80c784ff54c1d0f4d1cd9be9103184a827292e63af70ff97362cff79bd9d9685df9cd6eb2a840efebda184724cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
145f17e8feeb35b4301b2a665505720f

SHA1
a6dd0c6ab735aa6f68b72d306a16e1f69fd53d29

SHA256
01e832b5609eb1efe376d613b5607a8e523fcd8aa35814d6a0e2e820dd210bbe

SHA512
89a8216303799635a49597177d42189d99b88aab35f7e10841766e9ed0ca216846124ba10e0c140fc39e6713a60fc9b6fb54801b52aa6728eb51d7e816d0c1bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
97996de37ee4e990de0bdc08898a9255

SHA1
c18333ce84b73bbe171960689dfb83584272f808

SHA256
0120aa7be92302ae94635b7d11d06cf9a8d8a2689654a57b3a7647cb10b6b7b2

SHA512
5578b393df2bb2deb646336443310443860f15983206000adf82a38485ec2c9dfd6859f0ad9a2a44e48568974fd7db8aac1764a83c7d8bf1677cc38f31d46ad4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
dee1b5764245f85756ba47f9272f8fed

SHA1
d3c8d7b36a20724a0121a1d000846159a42a7d27

SHA256
66abf14072c6f2b12139de6bf04aa2c815f8c104c64aaccbb96dc0865b5d8b6b

SHA512
6a28c886fea223b1178600ead7387a9d3fc072a5ed28bb0d4b65d0359762de2459166dc672613e1085b23084ec196833b9b0c196505e877f6b99bae1ddd6dc02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
dfc07322ad2f250f787fdfef21a55e68

SHA1
9063a05706afaac57625906dcfb9ce725757822f

SHA256
32631cf93aaedca6272608edfb5871bd26ec565a5b145852d403ec3fe6bfc079

SHA512
c5f1d9b12560cee2a3b824ae9910c9987ecd67dfcb1274f44de560031a8b93fc0eed221adebf2a1b2eaa6bc412da44b0600f32d27b93d6cdb95335f925b655f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
75d3d386c0d4fd52551f40b7eee726da

SHA1
1d9b793e52cc9873c05dfb76e30e7128b849a2cb

SHA256
9bcd256a334ceedcdcf86143b5e3b9fa0a2096e5b2e5c03be0b24e65cb223041

SHA512
9ce669b763f179643fcfd920f0cc3d10191fe1a0833ee0440b7998bce2e506cb618f34e606d53640f3537b448559405300f99b8108b7e38ea5a6455b85a87dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
ebe50781fee5be2bac3dd4ceec73c80a

SHA1
01affa0acc7405b380fa6f226a512d46cd4ab03d

SHA256
0416e5bc32be16cb6c42dd6ef48c6f86b643903aab4a69ac06582993c7f7992f

SHA512
30d64dc3fb1984df1045baeb9d20997dc5d36dec90816aae6a5c66f9e0c67e5c84feb8e8d3aa20f61ad4dcbdd5c5901e3492f4a9addf9b45dffa33c350bbdbed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
8223d9e45614fa2cc11c02b6971348ee

SHA1
2c43148d3efca3f6601bd6bccc0cbcd6742982b7

SHA256
053088107addb19a58a6a9b2896cf50ea8c9bb8774f5329a35123097bdaafd58

SHA512
1f4c326677df1c6f9364f810ab5b54f84227936c17cc3f38c910056ff3f721b79965b9facf037a6285e9a0d2f57f7e39b2015b596a8676dda772199674181dde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
8e9ec6660986f7ebed65e9aabf29d600

SHA1
8df383f3312cb697e07101a4d52f999443bc3110

SHA256
58f929ea1e8abf2f79fbdcba761b50e187bd6b35cb716739669b10f107b4eb67

SHA512
4b2f92296fefa7353966f6ac2cba97c74240b8bf20c45d5e7a795500577bec8e09f75714ba0200f6f7ff79f1b600b778b5e7edef8da5a3e69d963ad54f0c2c21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
31dcd2a703119325a08deb32328dcd1a

SHA1
cafec4de052e85e75cbc5828633470a43e5390e9

SHA256
d8c174b7d590db33671b6870eb10f458d739d1c6b46abe55b2592e9b66d60268

SHA512
9d6d5114474f4e2f8de1ad18d553733a545b58f314d3dd43b00729ef98e49253b8239e67cec99e40fd743ff7ed164d245f7f09d513b4f76e456f14f26bb920de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
efead0e22d76e063227277a612b24818

SHA1
d5a5f9c8f5efb9243ab5d95798d4221663aeea13

SHA256
2e30371957989a4f3dcc2b964493c1620b45cf3bd14287fc4adcc8e98f5fca61

SHA512
ed2ff82404308c0c1ab9ad5fd3837c193fd2481b4781dd2f9e0f1e06ec0db715dba1055462c5a43d10f53ec4b2ff50d4b347a6e734cb592ccf4c2b3cda55c7da

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
279d4627b23989ea7c7c33b9ea438f92

SHA1
c4f100ba4b10a9e4c3c28de0c6d18a605c33cd63

SHA256
29687afb83b0aaa0753dd265f01c220b9ceed73a53fbfce1c7c9e3eae0c08923

SHA512
1c42398e9873d3ad5a8b08ec49ac6ccd8ff677c58b3bb4caf3c780dfc9d2e9e354ddfeac0db62a80b0b85f715e63eaa8d85e3eb1770996a5df4a9363db9facca

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
1a747224b3f3b6b831f43e542679e508

SHA1
a1064f62a8d98a792ec124feb281d354a0ecd5b3

SHA256
40df2bfc5d79f06db18ae58d19990bc2abaf3cd545005641b89af009b51834c2

SHA512
aa10fb38cfb38428a23dd57d6c949c9645575789329a40d76e7bf5129bf2c8327d13ad531d0540f014fe9ae0df2d388a7079315e6091d8e2810d3b33985a8f26

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
016d1db4cb51047d6fe7f9006d01ab08

SHA1
0f0a59ca377a5f0fc08d92d0b978f333d4e52f85

SHA256
90f3f184c32dd2728f1ed4bf49c5e55f6d9f6bfc78a8fd3c9aaf86adac69513b

SHA512
735cc786fc18454d252b4c6b07aeeaa376fe3958f7d8ae2ff25bf0b440ad425e04e417e7e6bd9ddf952b0c765f7b89ac7f5c38d6b48e5266d6fb72b2ed48297c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d686bd3077e39c6d3f76640c929af0eb

SHA1
d030bb124889ae30cbfa5fc0c3da8615a33a677c

SHA256
71e0d7bbed4bb5da855b407d42ac5dfd0fe148c577d889e46c66c108af11f232

SHA512
b309e1984d1167e72c2cfd7d9aab970fab395f36e85e794b9cd63bd4ee070a9adbdf7882449dd00c1196b67650a583cb59e8e597624a70e6cd707a61911a7e43

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c95f8d615929999384113eec1bd4f5bd

SHA1
e14ce0319c36a5b7d719d8b15b5b26eea5531f41

SHA256
b6b99cb7e88d8e4f99a7e153e2bf53b0ec76cff65c5526b3f47ae622d9645b94

SHA512
ed075bdf23e97913b2f696ea2f0021f04136048e1a06f517cec4b73d0a97eb39a80e8d40e8491ef75d559a0369518e9eb8a83cc42b366fbc9da5c3de84b82535

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
13ed3d0e71118b13713769c94e96b323

SHA1
3d069c52f6d8bfadc47deefba3e71b2b6d3d6ef5

SHA256
8de27b48ba455b24a84991b20b4129ff2617794dc6d9897ca3c7966e27e148ed

SHA512
42c8b6ea7c83bdf13d2f3925b9c434945e01b918a4144523cddce36e8c54aa841e87d49b5951cc0a28e88bca611eb8f3e1f1fcc906a9642c723ac719852a9041

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
5b5d5ab9ca91bf8a492bdcbf3ce993d0

SHA1
2d1e98864da6cbdeb2235d021dc5dc8bc65fbb90

SHA256
bc93bfb4e5838c45eb976da6a03c4567a608b3d5544d42796616b80eaa5443f3

SHA512
e66d1195b67e17fb07bb730ea4c1569df1de84f829c3934a1c977da584aed0d35c2cc6e4107f17d19698cfeefe280250dc973a5cc3f3e7f131071e9e57400f9b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
609f1e149192b0f922b46d56ea5ddc09

SHA1
08628f0d028d0e99a82e6ef54242cc33e5f3185d

SHA256
f77491c540bec2622f25ccf1aa11635856be0e5f622943e4b4ed72cfb529b793

SHA512
35ffcd412c294c29da2277ec20535f16390ca33528a7b2ec3ebfbf0a3731fff77fddeea57e6cd656959ba250f7a72ccebca90eae82c519e0b51b826ea2dfbc99

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
3226da7c8a1ed22be82c1a92cb93d2a3

SHA1
a7ca8937e87e3f3445fc1822f896f309b8d5172a

SHA256
28b79e9168a7852c667e2cfdeb8ebd8d089760b23dedc28c2331a46cd366d841

SHA512
e99a94760fe62b9748f0feaf1e1267aefc0252f1d07ccdbf64ab1e6e845b923346b07019a4921489020f861de159811d5417141d4375b6a6a85139e4b0b67c92

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f2f8f72b0826cb96f019ebc93b5894b8

SHA1
ca83085f587fe26546d38f29ff03eced1cd60e84

SHA256
a29337e8af829a5fbd380ced98cac250f1523c78bd553de5d2a51ac292df775c

SHA512
d7c2e5e4b642cd667bc8a50e97140ac0c354cfbf885b90a5a1b6e03026c98c56223d73fa4a98df55260ac5914082a685dd87bf614f7a11720150a8e93cb3da0a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c91002e8ff5ba5f53ac7aee96c569bb1

SHA1
9e61a81ef844a3b62937de0e42ef818808d15e33

SHA256
30b2eda1e6fd11c3546c4b3559640fd36581e21d96f025a23c8ea7740d6ff8c5

SHA512
62272ccb78c1df2cfcbfffa6b0c060c44184750093c228cbd558445122436ea42e836fb134257032ca2d4ff5273806707a144307b47bcf604b2fd59773537775

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5bf2ffad40a4035c799152414dd20ceb

SHA1
367f030a38d8ffb563782f6608b2acd762812f78

SHA256
0ccf1397c4a078c2a54f20ee52b56f4a51dfd95ec7f6e6cb4840afae52a4af4b

SHA512
f911043fb7d1975f0cc9a2e451c10530e8e6d6219560786a52cc18fb27c9a5ab4ec8835d3a26e467174ec4c76db71ed7862507650200ba812bcc3766ce37e30d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1d135ee005486b5e4c014690351b8fce

SHA1
7601f0864e6c465ed8ebbe97c0a34c57add6ded8

SHA256
4b49c7688ae94df340e8f635dda97fbdfbc0123e883cdb47c6c30b15d182b6fb

SHA512
d322b11296efea3ffd4989c23817b9b7c6e250c48339b03a6590b3a994a7a2a7b875621aafb73b37071ad97eb60dced6fe0c5cf450d2ef4eacd5965c9616b7bf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5ce85d86f9b6a5f8da7d81a378490356

SHA1
10ca25381004603aa13fd4e2c46cdd5a1baf6add

SHA256
1cdca01d2695b34f7d7c6bcd9b0e26101cc06f8326f58b3e133adfc673708219

SHA512
ac6edaec2a5972107c46aea7d516b20eb1630a8afd85c2d7df47d0a7b7a546a290c0d3c72991ab69c0b286f6652a521c6d8ef63e48203d37c8cba322a0f15c68

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
7a533915a492e537537b8682db4c1c0b

SHA1
827e7464da7d7fb8426c9c22b94396ed17ca086c

SHA256
9cd5193ae8bbf18205e55851658efc0e1a879d4142ccafd62960f93c3ad01a1d

SHA512
3d30eb508f598c2726fcb79b7911004fe4bd4f0cb3f6c6c81c59cf36d4c6fab41dd809ab3f83b2f11cbc10deac18199c669431830c2d39c1d2f089eecdae109a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
e9b05322dad5c01ba568205986893d48

SHA1
412615989cf7027dc426438cdbcc84d530109821

SHA256
2f198a01f699251fd9f40f635dadff9dc7d81a831d55529568550a7b39c1e08c

SHA512
2aaa19fa4c33a9a34e51c4fcdea0068558b9f14a939390c07adbcd5695eb01f35a7d34b78d73b8eb3a78348694a75417c37334542c69d65f01c4f6d0aee63ca7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e866eb94497025f0d5ecdb4ed710e6fb

SHA1
f6a6c19bd228208907d2636115b130ab00d0ae89

SHA256
7747c77d29482dffcfe81829230566b5627fb0700873e2fecbd11d1818272ef3

SHA512
a1abec44946dc96283753de51628c4993f650776bfe1eb36a432b9c288e6d0e0eb50a48b0bb77562bd06ad51d1ac3bf0104e6571a0cc1bb0b5651acbab8d9a72

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f00f680b83b4d1e52d66755c5590182e

SHA1
077c5bd2cd8464605703f7c3ce05dbe2e8b6822d

SHA256
12b9ee6e2d1572e0f187b2c2cb1470d9fe0766db73a7f93ef1e8e8ee4ed030e5

SHA512
d3db3d47871488c9387e1c9dabfc0428c12fcd845ca5cdbc36548bb9b23950fe8f96a7c4057174721187f9ea6dd40fa12eec4249a51af22132ff1283a2ecab5c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d4834dc0082b92061b3791cfccb358f7

SHA1
bc80abe1498f0ee4bc086c3d0ac49f39cf40996e

SHA256
6efad6dfc57e1d4329165c01f37e0b0d7d1755c0da29cefd11c94c7d3e0ecb2a

SHA512
eb587cb1ba758df7cbcb8686180157ed0878a4fe51bce7232020b089788b35663947daf0e7d0cb0ee84d88ec60c629375f5f5a435942b25b836c12655bc5a7b9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f6b5f5b125b62814dfd1298abf60373c

SHA1
25836838f46dbc89d565feb0d84aad00a9f613f0

SHA256
0a9c6d09416d1d20a2ffee24d794395359c52ed9439b68ac97f26abaa8486aca

SHA512
ccbf125dd1ed9ddd6f19a568a3d17b55e4e253cfe1fc23fcd7acb6013407dbaa63da7b0d69660644103293f3bb93021253598f8a4d625b5d909b2479a4f7a36b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
18c5f9f1755d085e94c2ac968699c4ab

SHA1
4d17e64c04cda576f68686c1d1504d8a3327ef8c

SHA256
c3052efd545e0a38421faf757f18b3ebd48712424dd530f64872b402dee4e68e

SHA512
e4c270fc0dadb29b530cff868b7e1a7bea048608874f521c7361c86cf9fd2340e97e8f727862968dc85340e806242f838d2d1ac40dee91c0f0023912902afc6e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
35e3c59760589607326bc9402847b68b

SHA1
89df3e50a564e42a0d0726355b16f28259da7c46

SHA256
d007a6c22b65b35612419ac2d3d5cb02662bc184b2c943a987504606ca8b0e84

SHA512
c7616a9a35100c9315912608af624a2966fa1ec04116aedb9b9806900473b793dae82fbfa08535790fb0296097d16ef46a115482b85b8cda44aadd61af5a08b7

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e16ea6fc1d28a93cc230ae14316327fd

SHA1
adb20294723c2a5f0ccae178b7d42f3b889b8c44

SHA256
79889e6400f69b8cf7cb1097bbae22b33d413b9b268bca324eea42bb022c6088

SHA512
f467f80d6ed4f7b9fa59d078adf680f84f3a8aaeff7cd441cf65872fd93445d29256562829a9fb9a1522697b41b70a13270ba1892fd1135948f69e73303027d5

Download Submit
memory/216-760-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/216-320-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/448-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/448-761-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/976-758-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1036-296-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1036-755-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1064-1-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/1064-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/1064-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1064-590-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1064-219-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1508-267-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1956-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2016-759-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2016-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2428-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2428-152-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2428-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2428-140-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2428-146-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2612-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2612-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3132-753-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3132-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3408-270-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3496-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3496-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3496-269-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3496-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3504-222-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3712-220-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3712-156-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3772-746-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3772-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3968-223-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4384-754-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4384-268-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4404-224-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4408-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4408-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4408-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4504-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4504-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4504-497-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4504-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4560-105-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4560-136-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4560-149-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-113-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4560-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4944-116-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4944-122-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4944-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4944-332-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download