9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
Size

1.8MB
MD5

a1867d388869588739ad81fa687a17b3
SHA1

564967e84c73fbade568238ec0c6f56cab256f5f
SHA256

9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a
SHA512

744858b0eb838738563ffc09081023170833ff0e0c0d836e1ea4d5c72d66198947b90de0f3612b49744f7989ef70445bb89f619f88d631b5a116b04f1bd2680f
SSDEEP

49152:mKJ0WR7AFPyyiSruXKpk3WFDL9zxnSkCCAcKV/NmLvTd:mKlBAFPydSS6W6X9lnlCCMlwLv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4300	alg.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
4772	fxssvc.exe
4196	elevation_service.exe
1468	elevation_service.exe
3700	maintenanceservice.exe
1292	msdtc.exe
1636	OSE.EXE
4152	PerceptionSimulationService.exe
2252	perfhost.exe
3408	locator.exe
4564	SensorDataService.exe
4344	snmptrap.exe
4224	spectrum.exe
1888	ssh-agent.exe
3388	TieringEngineService.exe
2508	AgentService.exe
3068	vds.exe
5100	vssvc.exe
4772	wbengine.exe
3644	WmiApSrv.exe
1596	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

elevation_service.exe9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\locator.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d4f5fed6234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\System32\vds.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_mr.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_bn.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_en-GB.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\GoogleUpdateOnDemand.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_sk.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_te.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\GoogleCrashHandler.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D28.tmp\goopdateres_am.dll	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe

Drops file in Windows directory 4 IoCs

Processes:

9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dcd07ec7699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7027fec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091920cec7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fb651ec7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0f40eec7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
4196	elevation_service.exe
4196	elevation_service.exe
4196	elevation_service.exe
4196	elevation_service.exe
4196	elevation_service.exe
4196	elevation_service.exe
4196	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4496	9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
Token: SeAuditPrivilege	4772	fxssvc.exe
Token: SeRestorePrivilege	3388	TieringEngineService.exe
Token: SeManageVolumePrivilege	3388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2508	AgentService.exe
Token: SeBackupPrivilege	5100	vssvc.exe
Token: SeRestorePrivilege	5100	vssvc.exe
Token: SeAuditPrivilege	5100	vssvc.exe
Token: SeBackupPrivilege	4772	wbengine.exe
Token: SeRestorePrivilege	4772	wbengine.exe
Token: SeSecurityPrivilege	4772	wbengine.exe
Token: 33	1596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeDebugPrivilege	3164	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4196	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1596 wrote to memory of 4724	1596	SearchIndexer.exe	SearchProtocolHost.exe
PID 1596 wrote to memory of 4724	1596	SearchIndexer.exe	SearchProtocolHost.exe
PID 1596 wrote to memory of 3628	1596	SearchIndexer.exe	SearchFilterHost.exe
PID 1596 wrote to memory of 3628	1596	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe
"C:\Users\Admin\AppData\Local\Temp\9eea915361b3a1ffab6bb437c7aee5d1194bb947a5a3b1e7a32f94779f28998a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2280

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4724
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
469903bada0e43e5db7ca3ec02b54594

SHA1
f4e4ed97fa4da5f1bc116a138be7c4b15da6173a

SHA256
015626acbc7c7c49b63c3b7c2032b01a688049d15926e0de441318e20c0a7064

SHA512
491024975e194ba967af3c0243439e1ce0d728e80837a7a612a06508d5eba7773a1dac98506ce9e21bbe7bb6f735e4d85a57137d428a8e804fcb7c03526f6d03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
0376817e9eb653f41d884184a15f7031

SHA1
c75215ec6c70f9b68ea270161367e6e2cdc02a2a

SHA256
a0110576817c198fc1d444b65a35dfee1b86392abfd4dbec68aad03c397964d1

SHA512
64560f9b424b0bca00a89b7b6018a862ff54ee7ad11465c1d70cfaaf14e66e68959d98b0a185e5cf1a48c1245731cd9a94029b43d55b42f40cd8f14123a81e9f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4cd9573e029957596d6b083f10328b72

SHA1
a6529898842d47d5dfe42cf363952ee44bf75d0e

SHA256
4e7953b6494c6caef6575b95d9dbaab1221920b76de7b3917078f87d41d1d083

SHA512
60c96940d3009da1831b7efcff4af7b1b1ea3c6bcb1d8e4ae4415f2f10fb12ce6f1e6a9e49d1f856260460ad33b418d8c893a1c0f4535b4e67b9d3a2b733085a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
675200b6170e4c45cb69bd5d71fafad6

SHA1
5630dd7cc476fe4481315bbae3963b4979aecbf8

SHA256
29c88947ae499d674a74b4ffb25ff49b918120722b9543a4cd73f0dd6707ec0c

SHA512
237de9b5446a3ec47858a89ef29cf5d9d7dface25e85b2bcecc5444cd133d652962b9cfa4b771c017a46936a99ec8d2232520c1d31c4cd4842926535b37dfc86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c3ad354812c8d1fada91fba9d1fa3597

SHA1
9873b975743b4727684e1a45d4d443076a9c986d

SHA256
046a17c81debefe1fb2d236f3f87ca92a2fdc51cf63fe33401ab66ea503880b6

SHA512
b2f71ed1d13ccfbf3f480dbe95a50300060345fa6d5e3ef2d6510c6518f3be8bb274c430a246a84dc157ac71695e1bd6239ff163ac3362c23692fcdbcbf5ab8c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
84f59631c9e8d60e1b49d474a889e1d8

SHA1
85029962e1552bc72bb54d969929075ffd693ff7

SHA256
ad8ca2f5799828ccfa93117ce27e3411009684e25473dbb466a4d49c9e1b6932

SHA512
620aaf90e2b693470e387ccb07ce677905de8dc8590d8a971689e087f7a18f5c7dbeadffe5e12d0fd3392d4adf314e55328151f0088c004579df740955a153e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9fbe7cbde528f9da06573b451e284de2

SHA1
171066fed1b3462d6692f13ccbb2edbd3c83f18f

SHA256
b2f95e82775c9855b92a0812c60cf2fd22073da3fcbdcf5306758b2eeb1f2553

SHA512
2180a0e8d1f1f7da705e52e1c4064bfb8c873d9d3df0173003c318d506106db99aa753a75b5611b89cad05ccda179cc610ef523088ef9e7479352ec43b0c04db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
39dd831fb11673d5a8c112d95a5ab9e1

SHA1
f65bc353ed5fc57ba8e809508863a0389cdf4a23

SHA256
d1fb2c596233a4f0ca5d44143d0c4e5bf79229ce8e100f740b17de3b13dab1ec

SHA512
a4196a07774c08b3a9189dfe1e29ded6eb89ff12b7cda1368bf6051856ad86f173390633ebd3de2cb52bab28c5f010e9506b309ef7585af5f3d1b3224db4b6ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b90dd88253fb50a5192101c2795b0803

SHA1
0ef7133a4256c121ad6300bbbd629c3d12cb4805

SHA256
bb14fdf3822cfcdc41e134df7f11f410e729b3ff109cf50221c3192111f7424d

SHA512
5d039c083239761a7b83057a40ef13ff27ab043b11b2375e7e13a9099796730f13e9acee78487997537b2f6e1d9fd1cd6dd50e1f485420b0d5a00a1af6a8fc48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e166bf28c61d4fe89b463c098b4376ce

SHA1
ce8f581d24047fb6c8f48955b4cca9967e3162d5

SHA256
d727519f2295520d5606918724e95ec25b74dc32e310e37fd3434fd60b589774

SHA512
f5b10529fa2fbb4868154ab0094d306583bd026793e21416add122e810e6b34c9e015bb8a7ad7442625c7e56d2b0433f4cd3860c78357e773c55a9de52e5d18e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
93477e811878f39f998890b2cdf8d856

SHA1
3a6cc1518a7b3a7237799cf9975e17f8d9a5f60e

SHA256
c3b15de1c3809d5448e894c20623ca334556edb88f7b996f51cc00341915f9ad

SHA512
16fb7355bef2fccb2a2ae8542c6294ed5d9ea4995ffdd3396f6536228398dd7d6363a0a207ab6523060d898c6d1ba31ae33ce1decae89322d1946d74669d9b68

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9961d1eacf289b47398695f6507689c0

SHA1
61df3449ca6a69f365aeb74d0e72d123a58d7588

SHA256
90fa979d61b27d9426d42357af628b8036746af93ef188bfc1b6244688296a41

SHA512
7f7a4d505f3e7f52d32da3cb99fee676491ae385d99fcb22251982c5b385df1fc07e3189d84becc652d0d36f51897cf55b48cb539a8d2e532592b405c23f3927

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c5b8879f2139c8264539bb5c9accc77c

SHA1
71fd99c85d816c39c85deb0fcb26f5006449cb4b

SHA256
143037b22c6272722af0825b474918e518502c1cc7f05be241f986fe2ac196e2

SHA512
192ad624b033ba150ad96bf78c2e7590d7ac2348241e1eec07e555a6cb8be794bf23a0a2d3598111e84c0defc6382bd658b3e66b2873dc6264881ddd7057ee00

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6509ad3df94334b9b7bab538e9850340

SHA1
042fcabeffde5ca6b39c113181b4b57447d551d0

SHA256
d736c39f701dadfd574b30cf7fb116e07bb670cde266a0efa033c94373df4bea

SHA512
1359ddcbd0449495f05ce1a7e2993e2e1b632bd5cf582723d4aa9038dd612f292b494b2d1be8d00425c2c87e67cdbdfcbf0b1fa64d805b286a81fcc00b43d2e8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e9ab11d798aa77bae9ad49328914a69d

SHA1
cc69e05105588bfb299c3184d6680ad237ae1a5e

SHA256
988d1bbe44103f42ab7227c417b0e8bc2db86fdd0c2aa9d34dd6671c71f7f813

SHA512
e9d051bb14ae2effe5c1b03ee2857f58be7a4f3bb097a2157cdcfded965a0c188370c676195bdd4f9a2077c48a20a97f3396173ba5308ac98723933dd1e98735

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d09013a600a45a54e69fe6cc00f178c6

SHA1
7d1ba9eaa6a0d5a3528e9aa51247cc380aef50a2

SHA256
bfb6b6d0fda6790b5c3e2f7ab86971cbf2753b783ae58c5b6d7970ed2e51d6db

SHA512
9c40aad4e42c84758d1a39077c7c59e68cb07586a4f388c6f09dac5f640a1640a0a8544271756f7fb89a5491471ff93af9008fcad1e949474ad327b074202a51

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9494218d56f36378c0499d5b41d7b76e

SHA1
5ef92a78a759e39fc95cb7820c35c8185897cb5f

SHA256
91cb3bb7d05f1b00c8ca13793aa914dab63c01269ad1e6a3b401facaa72cb302

SHA512
63d562fe157a7d678487593bb74b91a20de3ac18c5884b24ed59ab87f757bac945c331a2234cabf5adf661b76425219147af71ae7d0fb9ed81927dbaac2e5c6b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
578a102112782dbc88b2f7eb634a9498

SHA1
d79c93140187c76e565eba1d4105685bb90b49fb

SHA256
03e13c2bdae5d3fc876b3ad9d2ee2bf0ef844aed95909ccfadf786c5ac6a54bf

SHA512
472f0c495e61fffce15c15b36ec71489716d128f6fff9b09cfb7b0d2711b09c41202ac036a737d61bb096a665cd80acb9d37f8845bcc72ca46a2ed758bcac940

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c9cad57b4843dd2957deb8406efae984

SHA1
93a81d857ac7dfc4f21635ecd18bf6df12ac4c53

SHA256
3e1866bf880922626f04753a93ead76bd2334babda8fb6334c93bccf0f76d5b1

SHA512
b048828ebdec2a1d5f6297779a00da492202546f980dd40f505bf23d916e546d1c77b939c20dbe3a1ff06f2c6f4e247c78d0a5529d9d755b0d4dbd47684a31be

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
00d37a067b527a1007e508ebfbf4671b

SHA1
3cec7e07a9cad1418adb2e644c027d3a4adaf402

SHA256
ee9084bfe9aecb00c07761a941709202013edb2b18b2d4904ee8bbd706b2ec6a

SHA512
a90cc313e2d13875e3888cd8e420e0f9973e9210ac5050cc9fc22d69f6fefcc3ce56fa783ed72964ec2ee6ca1265701079214a52a41353c5b0f39420750777ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e15748f566f8cf88337c932feec07da4

SHA1
a0a58fe3021e3932261e5a7562af6d3bfc34b60c

SHA256
37af3f58f5351d68804b7b3fe2063965809a15c7357d3335322e5e2e63880719

SHA512
6e3845acc5d6a6c14fd7acf687e4ab9ad97992541b0d7cb42a244b4d7316375b3602d8a7956bfa472000e0932a77e2b44686b95e1fb36572b85abfed70384b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
da51c3e0aae068ada0e2beb6a2566837

SHA1
f8aa127ff8046c1bc358b8172e360bab353e67ce

SHA256
09256d99d9c8888c972643f46c0b6b8b346ee46132d44bca79f8ecad42db8d40

SHA512
254cca6b7d111759927fe5f19cbc97086679a4cbeb5f29112a5cffee07d0b1c3c6ff36a036336251924288d3faca5d8e9ed6f8037b04f3fc028791252cc05d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d9406d521f0b050afd09e5dde071d561

SHA1
6677f162a7b6aea5a3443f578d606a0c321ee906

SHA256
082caed62948ee8c2551d712a63c3525abf5d7bf40e9248d3c8415fbf35194a0

SHA512
7b7a7d123a30b16934b9d347a9ec16bbd3511e967e14f8e3ec39a5fc6ddc018d53c84cbee484b7cab47e8a2b6c75e5e4b83c306b95c4834274916426efd476d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
126afef8dc908c71485fce55448155e9

SHA1
5936b1065c99b80e914ba4ef71a857d356a4ad68

SHA256
b56d52f061de66b3dfa51dc9025ad3a40b96282098fe16d33fbee1c6d4c25760

SHA512
bbcd222ae82fac8e40d0c6859b29adfcfc04d6bf68aa4f4a4afd962b570ab6375b4682d0d1281ed0ba4783db32eda305b063410f079b19ca01ea6265bd99677a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0b9739a267fa1f8e92c2f97a82e66208

SHA1
6c464462eee6fd46e57ee4b3ccc77c1ea151d0a9

SHA256
7e4522b6c3392bd52ada69c482b9849cd0f65dad280793417d51a9353cf7ab6d

SHA512
3a9bb79bd7c27b3337ad30ddbfcca948aa048ff7e195c8eb071d6a1dec2a63c553655c83f8cf8ca5ff44da18aff5e3c036bb1d8ae84e268f60755259f19f6499

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f433d861bc1c510edf3c2c3d7bfb80a6

SHA1
5b538d4dee5e2be8037d599112e2ced56bbaee6c

SHA256
0ed7ecaa5c63052a1856d49fa2dc542ee08566b35f490f6ed12e038def315240

SHA512
025b154405df97f09d074ae9485084515ddfa98d995628d32581951be776dda3032afde2d88601453299dcd5cf15597e5bab344a1c1fe1fc68431597abb74334

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a38cf3f5f8dcb03b962a71905b818806

SHA1
a9119e67d48e44cb405109b6bea463ebf5416641

SHA256
ecd52650ba0da3df321a7d95e75144ef7429a19f25e3c3682803d401146300bb

SHA512
a199635054c01e9d568f8577248252e312ffa471ccdb853a31e1f357672e7e2dc44ff7c143030f0f3cbb9bd85b1a52ed45b2da076e45b3fb44f44611c8dfe19a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a0672f326a03ff8ed070ef727eb40d7

SHA1
a6f816062fe75f10dd8aff2c95bdd8664d604ded

SHA256
69c4ebb6b7317a7ca5845d21c55f768186c51bb09ebd56823a8dd136fe9e91f8

SHA512
bc7f6a0b30d4f2c36c388fa6480bd662ec8212a71a0cf53fc3f4f2e20e363478f1f05c4388ed78aa8fffbc4bdebdc38d445810ecc8dcac3a4839eb0c09622bab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8721ef9fd86ca3933c798f45f53f5774

SHA1
13c955b757373b254b46e120e9237f056b72ad36

SHA256
64d7996cf20c49a2c77b460ae79c0a50a8c325f20ff8dba1b4ccc1bcf68a3428

SHA512
6fdfeb7870cdf568c351ca9d95a0682ce6242e55264f860a03a69273414fa4228ef69450feaa7913d4cc9b3a5cda3813790c3bedf7c9d293f04574e3b348a083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c502afb2c1bcdcbb48d64b2cc8ad5742

SHA1
026558e57b601b12870236cc5378a86b89622269

SHA256
66ae6cdf15ea31a797071ce630387ef48e587112c874c87d3e1d537b67c29e1f

SHA512
3c99e0f2331d17387989c6bc9fae60979306f99e5691a24dcc4ffecececabaa840132055da102d477a40ba2e0319e0a1da4921291c060b0fa5ba0ba9b5690421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
49a31d876aae80c4e99c3858f2a13356

SHA1
ee942de3be9d877fb370495366392adf95853a0e

SHA256
5130948d5f0dcc787b7b29809a09bdbd35c09711568e769b0ff9faacfb32044f

SHA512
64a9a4fb48eb76aa7aef014cdbccddf854690ba85a670af9a8238e7f8969dd0d4f25ae7b51970c4ac90d027fbb262661d2584646fec0a016ba740e49535e082c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0c3c1af4b4b7e0a0d87d0faf584f4252

SHA1
ca10f9ba0c9bf4c089e1bdab28145074bbd70199

SHA256
212efaeadd8388b3d715a61065322627812be226eb15dda58ff3d9090b9ccbb2

SHA512
73eb1488dbef7e08891de7e5767f8ce796e12da90eae04600c4650f670bc870580728197fbdeb94ecd9caae0ad8dbc24e106311f8271242ce8f96f14e1943f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
304f830d851424f9854018eb6608f12d

SHA1
ede31c90fb47865abb80da0dc90b902da6e94ef2

SHA256
c06bb17b3574d1ca5f5d7180e0ab810cc1213dc58511f2546b16d05b7ac5b0fa

SHA512
d5ef45144d4dfef512e707fa55e2e215e55d8fc2803e8bd1550020f6f4c5fd56effd173ef1ced24eed9e0d4a4d90e7e0a855b2034220f993744e567186651f80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c899ec3cb982123369c1aac09e09ea8d

SHA1
468215b6c8b538094d7135e5079d9275ab8d7a2b

SHA256
ecbd7e097bfabcf64e31310f36996a8086f82d2966e5320636896caa9baceea0

SHA512
67d64db97cb5ee8538c583d6952a852144994a313ebf3b6827ecaf20dc69a5c1af31856a64e4e0a4a99955e91c63eb251e23941a237f23b2706a178d62774acf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9dab958826953aac3856e6005c716f32

SHA1
d7634e0e622260ea77308fa30ee0607b8527ac2f

SHA256
f52ea5e82778f9de5f8adf9d63f383891d32e9b210689b833b35ecd4faddb771

SHA512
1882f476681b12db023159eec18685483685302e560a43ed52ad97c3f4e08157397915aceb91097a7d2871e97ccb07781859a76bd1b257a2035d78e57f21ba56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
73023fc5a532c2b65bdda42773a43bb3

SHA1
515f60f40335ab31645cfb3987dfe9891d94acd8

SHA256
ed03b160d1b1e2804b247a119a0b0a9ef317e1080a79c7f5ba2d36eae1af44e1

SHA512
595aa1e61600fc17c23ed1e137656f12f0462dbc9d65ab0c6d36caac46d8ba2ee3d4bac3f354e3bc88bb74cde95ea3bb7bb07e8d9ad4d2eaf62b22ea1549d89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8e193fd70e4382b9743430e34616a136

SHA1
10a425eedf989d41ad2950a50c7223337270ac7e

SHA256
8ffb5fbb227739bfb48ec130391ee117c354afc66ddfcf5f392c71d6f205c352

SHA512
4e70049dbf1e4bc8db24e5770259af1a21a5d2a8761a511f05677320f02a215232b23cb13bdc3fa449a5f3e666af12b3e1b88462392d01d2e100e8ea9a75ca6f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
087eead354ddffaae880f8a9eed81fc9

SHA1
7bbb6771ebb13c5c4a1eda875a3f080036697fab

SHA256
23b1259e0a2aec5b252e9dd643ae913321fac5ad55ffcd1ec7d2845312572e98

SHA512
f97128d86ab481660b41fae2107a9131d005616a107d88cd32da2f91b781026ecce1faee0cf36f13b39dadf51c0a8f9356a13cf6252789bcbf850922378a531a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
33c4fd441ba5638b7132650d2ac47e50

SHA1
3d22819aa7de4c0f238fd8919be2261f473a87eb

SHA256
267c215ab0a0e04f098f8186a268cbcb70b2f0564c9f7c3910d8be89afabf95a

SHA512
d884b7f7b40491510dfdc99b997996872fdb19f773af73a8a67f118bcc9e52d83da939b441644047e2667fe2185249f2ce47fb9cbc096fc02de4a4ebc3087499

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
42df92564d8f2cedb38af48213a95588

SHA1
95ac9ce811802677516ae5fb62daddce434ad621

SHA256
2d6f2630462f4f40deb5338ca0c6e2ea20990bac1ff260126d8e04291fec3dfe

SHA512
4889d6ca1fc8641a08c48a1978b04523458034c4cfd47681acf50c64a4fceee8bf3bfb552bf53ed5668000168f5342baac3f513d74cc4da38b8d9ae330e127a6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
794aa51cd5efa177e4633fd82b0ee48a

SHA1
99e42b4d6419857cb7a78aceb44d162d169f14de

SHA256
b2085e5efcdd0b7f9294ec16929b988877477dfe203374964208a4382480bb3b

SHA512
f37fb6ca84591efb71ffc39939ddffb992bff6edb4f95c1173f821b3eba2b00d3e2ee9a523e3bd67e313097f3b5c8e5ef546532e913927ccf54bf4d0dd5545fe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4df528480ecda45dcf82af4afd2ee5b8

SHA1
7a3d58d21eca2f944834b2095824f71029d881e8

SHA256
cb6140202afadd0677a33be0c52f038f11f2b15ca85370e45aa002c63db5d358

SHA512
399e93035967b04b0d3bb1789abdf1f8d422a3940bb498858f3bfb52ee1ba1e77da20f2e3158dc6b82fed4ffee5b6a78fbe7594e7a07cb2543fcd52d8b05d94d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
56c42abd1327c4bc30068c1aa0ceb9b9

SHA1
cf6e1ea02e2f577cd4986497a930afb53e6990d0

SHA256
f17c4d2c8dac92f42f62067d4d2049336f0dccd02f302f30494193bc6adf25b5

SHA512
4887cb363265eb22372d0008bc4f84a1c42c0a6e335c51ef135b8219c8fd37ffb2c65aaf47fad0fa1003ad0e02c278df66c5476da9b96777d9a66ba20eeb40ba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
488797170c257b262342f4db5c0bf438

SHA1
425d7a51dffd8c5f710ae45d6a8e9a94a27e12f4

SHA256
4dc67dca515cd7d6a55d180aefb40afaad221c0822c6136281cc5cc932d21638

SHA512
82122f98d1fd02bef2242240f999df8838f22089586d33db6bfd2ae215a055145cf062c30e57ca12660e34201bfb12a3ab83f3f99aca2409341e349114c8c5f6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ac9dcded7c0bd0203524efbc7ef3b8a1

SHA1
b9027d219caf4f9b91c81229322a94604e41410e

SHA256
5daf64ed067cc8ccf73ee3e1fd223399c523cf65abf6e484a3642e0e1f0983bb

SHA512
74edc456e81c7c045bd529e425f6e506494d6bd8ff4a325236da055a00fecb4030fb61755947af0effc158eeeec91a55f1370faf53c7b2f3f150bbf19fc28187

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5eaa1bc847ee8fa0eb61f5f60b0a69cd

SHA1
e2c3c7eefb43850cfdd8b654babd8691f98a59ec

SHA256
75d7e2cdf1297b09ba44a9ecc096efb3d8d7965854841b1aeb2477a6ae0adada

SHA512
e2f059244cb33373b3dd87ab2d9d5ce4ccd7968309b03d4d1ff9c95c6291a3f4117e958c78d8682ef83b275c523cbda2be23bbc1611a173b4323e8260097c3df

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
47c7fc9ee493f6dad9d6911d7ae4e39c

SHA1
334e0302b8e0b98e43e369b0a2125d1fef1b285d

SHA256
cfdef83b6c92eb3357a9ba6a3acaeecf39c90a8bed79a220653c9a2680c331c9

SHA512
57a1f5ef4266ee8050c92e9a792d5f2d43948224ec5ffb5844bedb0d34abfcfe2c3776278e6cc3971330566a1c1ded60d1471f88b0245e237e13107f3bb6bb2e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c16a3e98ee16c6441423a45b97712a5f

SHA1
e44faa900df84161a12f1c88fa661a3362ebccac

SHA256
348705da5af8aa5b17245dea579fc22fb41156b772217a435cba257b9c9a4780

SHA512
963b90e0df1aba7ac4f524135f06a9469da42c903c3d0af036296f446e9c43062d8bc3f5244c8726d1e87f241409a4dbc2ce47b6e8b4acfee2cc1f4d398f44b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e50174c74617d3c6d3065ba6c2caeed

SHA1
25fa5d636c159ed9588fd012ea4b5e9ebe2c95ab

SHA256
870774027ec9269ca6d68765c0a0d272b2b8d03bd85aa18291bae581fea91153

SHA512
6d3f0b45f1a03afef00f4481b77739804d58b455b255387714920f08e1e8ed5cf617bf07957a3e40f55ed197dfd56f1f56741cc8da79279565ef3252b982be0a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
138bb50a4a066f25a821f3e42dac082f

SHA1
8686d5584c5e78e07667edb10bf1a1fb88fc3aac

SHA256
1c3c3668bfed6c0a242028e36ee2e84dc61f409c8daf07367a8adb6e9111ec65

SHA512
4372c3b69592e4d44a150e5419ea739e74b1c21c19cfae90530dea95220d9cd1595610b469517ffc329b352b85f7ef6841164788b5b7dfcfc3567f2b17627e52

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
78f7f99fc1a29b73b04e33fe40599c08

SHA1
28d487ab0bd694514fc515826161a3252b46d9b9

SHA256
58b1404c8b9717aecadbc926a28d7a19890a009b9b14c4a973b27f78bdf997f8

SHA512
354f756e51287fe96190f331d292952687cea71325fada48502699434cc849f6d9c12aa4fb6e01e0d2a69bfe3e7c7950d0a44744c33151b764de48fd0d46a7e0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
76c2c1dd847f1d7f71bf52d53c2aedef

SHA1
c8e00ae51cabcc91d339b978b221d02d1b0e1dab

SHA256
901cc982a7e708e1a53917ba620b8c18a2d9567d6473080b50cc9c4a9e3d824d

SHA512
46c91f9b13a7744430e3003c4977f2ed836922d3f54b24853db809d19520c571a2c4695dee062dce734656e7ed30088fd2306f3c5c187394f1d4255a9d990be2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5b40c0c1fe4eb87193b65972c210138f

SHA1
5aca70f363da987c4238d42a47faad1f9f785340

SHA256
7811fb675d38eb783af04ca67bb06fb857751addb47c204bc52c506b3ebec6f2

SHA512
d300e1a74f520a917782607d8639e456b61acf42ea49fa065218ce560e9231c1297235fb2da7b2aaa77c058c44e872435c61daa40c479a2f0e9c064e4ebab4f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9d34dbbd71ef1023f27ebdd40f46caa5

SHA1
51e76264c1ee1c139acf3cff12fed11a0cd063b3

SHA256
8da447448f3b2dad3130e380581ba5f9beecab0e2327bfea56f8732e85f49e83

SHA512
9cd83591e3f8bb50ebe004c73a921de279651835ecc3ceabf1d24cb8112d5fce27cf35de9c1eaeb84b25641731d5720cc54db69a05d4c74b71868b9f179cf24e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ca43dd96b4b0f37a1c33c4cfe5ba8f06

SHA1
acfd2516b2147eb6d5320aa467bf3d237a27a5d1

SHA256
40b661a7847fff0a01c65ae613052ea1e614ff099d40c55fc5f4a87a1db01927

SHA512
5f44ad139370fa2324b6c662222447fc6441894dc0de258286f92bc1862a324ab2c6212dd718193351732e19766bae5d5bcc2f50be6e144dfbf3071fdeea35dc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
088ce63846fc24584d7aba2206b737b6

SHA1
45d23cb9e5bd410e7b5c31cc9a9b4660de70fcca

SHA256
9659d774cb082c2fee94fd53a518e7dff0eb8af4ad05cda9b897d2c5f4171b4c

SHA512
93d15f81cf4f31296588c28d2a2e9420ff2d5d27861e743613e5bc80a79dc86c91a757fb45b8e8eba8f8187ed09aae5eecf35a4c53f84d409eda4100f468994a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
991ce7d907325f453c86c10fc87fa485

SHA1
a924192d683abbedf22af87e072db24382113ae4

SHA256
9692000c34252bd86e04cf06a89ba9ecb11ee20632a9ce0e2415f7ed9c91e4c3

SHA512
b8d1798aadbcb6499565a228a13ec906e8e5ad4f6955e180dbf52e18cf7f41d93d080eea09809fca4f1e0f0e593014447e14eb9356de722bb3c485ba2af7c2bf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7c846f44b752204355e2734759bc3a35

SHA1
cf9117e13374d23066ceed9bc16dd35d995daa85

SHA256
437a542fe7da169d189bdb0bb3c69a78cd895fb9b3f3a0b4fec3c61273131f0a

SHA512
2606a2f44f3e8ddb33c233e683e5c2c5b2549f972d4d912dafd220412bad8f87b8c02c242df6097619e2427c5b08dcff10fe0860086484c891ddcce723e3267e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
61c78345d0e8470dda1c2881dccc7e32

SHA1
6adcee6aff8fdcba228ae6b27abd11e58a443ac2

SHA256
4d27c56ff31f3ac141cf50dfd622664901e94f476202bf72799fcd191626ddbe

SHA512
ee620fdc909677419c23344ce5b19f4635aa3eff4e66cf49e730924cd9fbc00692d2fb42927fb1604272372de1fdebbce040b66c0c0a0d1551bd090f79663c46

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5cb971672322d9b03b0caa39aae24445

SHA1
4bb1f5ccf3baa2efb81bd105224c97ca68218546

SHA256
b9f6a894743bea57db40349b6c36d84c2669d94b5f46501c018d24930ac83c0f

SHA512
1a4dd02e554b06c19813b74f162e5a5db42207d025903946413b2fb50860310c8792c044932257ec1d55b3bca1dd3e67b5f6602a90c5ed28e5ef6b4e6b1e74ca

Download Submit
memory/1292-227-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1292-137-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1468-220-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-119-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1468-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1596-238-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1596-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1636-232-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-150-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1636-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-142-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1888-210-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1888-661-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2252-395-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2252-177-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2252-172-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2252-167-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2508-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2508-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3068-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3068-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3164-91-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3164-51-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3164-176-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-73-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-75-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3388-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3388-662-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3408-195-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3644-233-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3644-668-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3700-134-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3700-132-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3700-122-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3700-128-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3700-129-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4152-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4152-153-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4152-157-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4152-163-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4196-215-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4196-100-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4196-108-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4196-106-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4224-657-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4224-208-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4300-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4300-175-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4344-207-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4496-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4496-488-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4496-6-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/4496-1-0x0000000000950000-0x00000000009B7000-memory.dmp

Filesize
412KB

Download
memory/4496-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4564-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4772-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4772-229-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4772-667-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5100-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5100-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download