79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
Size

1.8MB
MD5

a363a24ac2fa186d0764a52c3c8f97c6
SHA1

1a2d3435f0d07e99ee4cdad00241685d3bfbb11b
SHA256

79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc
SHA512

53bf02d92eb9789db5d3bbaa5496a3ddf83e3b442b96c04eafd7d315977bb08f9eb13fea0bd51024ad8455f846b4aae1cfa63d77ab4fb9f24c519ae33c44273f
SSDEEP

49152:VKJ0WR7AFPyyiSruXKpk3WFDL9zxnS/cW+S8:VKlBAFPydSS6W6X9ln48

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4592	alg.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
1604	fxssvc.exe
1180	elevation_service.exe
4056	elevation_service.exe
4072	maintenanceservice.exe
3264	msdtc.exe
3656	OSE.EXE
2072	PerceptionSimulationService.exe
4556	perfhost.exe
3704	locator.exe
2252	SensorDataService.exe
5092	snmptrap.exe
3468	spectrum.exe
4028	ssh-agent.exe
4328	TieringEngineService.exe
4744	AgentService.exe
2700	vds.exe
3784	vssvc.exe
3992	wbengine.exe
3540	WmiApSrv.exe
4168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\System32\alg.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\locator.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\840c593ac3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\System32\vds.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_lt.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_sl.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_nl.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_ur.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_sk.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUME9C4.tmp\goopdateres_da.dll	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000196699337dacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc7b33357dacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000413f38357dacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097bbd1347dacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a1ff0327dacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6e032337dacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8f607337dacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac0a1b337dacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a3e57357dacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe
3496	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4576	79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
Token: SeAuditPrivilege	1604	fxssvc.exe
Token: SeRestorePrivilege	4328	TieringEngineService.exe
Token: SeManageVolumePrivilege	4328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4744	AgentService.exe
Token: SeBackupPrivilege	3784	vssvc.exe
Token: SeRestorePrivilege	3784	vssvc.exe
Token: SeAuditPrivilege	3784	vssvc.exe
Token: SeBackupPrivilege	3992	wbengine.exe
Token: SeRestorePrivilege	3992	wbengine.exe
Token: SeSecurityPrivilege	3992	wbengine.exe
Token: 33	4168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeDebugPrivilege	4592	alg.exe
Token: SeDebugPrivilege	4592	alg.exe
Token: SeDebugPrivilege	4592	alg.exe
Token: SeDebugPrivilege	3496	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4168 wrote to memory of 2140	4168	SearchIndexer.exe	SearchProtocolHost.exe
PID 4168 wrote to memory of 2140	4168	SearchIndexer.exe	SearchProtocolHost.exe
PID 4168 wrote to memory of 748	4168	SearchIndexer.exe	SearchFilterHost.exe
PID 4168 wrote to memory of 748	4168	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe
"C:\Users\Admin\AppData\Local\Temp\79d67e15b65b2f54d9c14be6f9110ed4338c5c4a5688ccbe7af88f84b9a7cfdc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
c1af87ccf9b950c4dd29b6f1f806c720

SHA1
32bcfc0acca58d08a6f3627a8645043467edb06a

SHA256
a212dfdbaf5fc421cbf083dc98485cf284ef88ac77c2a1152733954df3614d01

SHA512
d94e9e831f1f04ab68df294e4ad4d6576a5870fd0c5c0de8cc7ffe90fd8b446c991d8593c130ef46614b97cf46b8fbb2e385a919af75275ac614d77f53f4e063

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4cae40a8673eada27437c419936d2e70

SHA1
1c9fac34bd77483f959503a88d559705c5c2fb15

SHA256
a82d9f3212dd4aa2280e9d6fcc151ca76692bbaf9130b92572635435791b8408

SHA512
d19a2fcc531a87bba8be48fcf53cfe04d9d9dac2f6a1712202dccfbe0fae3d00386eac9299c31d78c58078867c82e171ac9bef00797ffcd565d2bd07e16d4ef1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f5f6c922deccd601823835f263186418

SHA1
c97669574fa1f44601dff1f7ae1337a801f87571

SHA256
9393916efb7e84d3cd7ee04842f80be98d3b4c428419ce0f06c3b298b4363127

SHA512
e4b7b101f68bed33b70dd0ef06b25ffd285f26263b23ced4db5b7b7b2be8b6f2461d8128b0b40e69afb267b66aab0ee73fa6b99ce46779ea702a1bd63ad36190

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7853ad49f504ff83ffaa2943d7e4cba0

SHA1
eab350ae9ebd06bbe00dfa66926fd707cc108064

SHA256
5b28cbe426905f9b4de38117c178a7ece44a4e0524509a18e06efba520910fae

SHA512
d9ec99ff8af76d5ebeefcaab366177cf0880f0955854101dfcb5643f02f4d8da4b89f6c91de1d45b1c2733ee05d5caa8ef162ef1baca11ed248432c11bb0ee72

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bddd2eb03adcc4e8e729fefc956856c0

SHA1
c2f6ba786486bf4313e7b0b356495b887786991f

SHA256
279e22f78e14898de481bd5961c24c70aad1577f44153bec0453b24123937fdd

SHA512
49881747baf9a2a906e5c2bb219341648afce891b1579b3426bafb0e96edaaa02b99447c81e82993ab3280c5aa44df47857c9686f62055c492dd6cc2b2cbc5f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4ccced2d146733e5e2ec67c9a472850e

SHA1
2e98a3a6ccb76e63ee1d13a4c27343e7b489d275

SHA256
9852e534a2523c84eccbdc1f4ee38d2994aca8328bb77c6bfe4a79f2f1c049ba

SHA512
c7b9d8e3055f495d674aa4128cfa18905b7bf85057af29df7742a1dfd6f12b4afb82ab88e105942e580dd54a440e1ec2f11dc167c78f07942ef572acedf9fe2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
31e5e577367c5634d6e3a9cf4893cc82

SHA1
4d3003230fbaec56d88c8a85d346c89018733cac

SHA256
e60153287bfc891b2cabf689dfa7337f0fa88201771be0c17ed4a0d8e7d05ea0

SHA512
68d607fd85d9f4a140bd71eccb486eb0e63b6a2b982d3e2c1ba9b91c95ce3fa9154be2eb78054212bb8641674726638e6d5a99922af23431e9b96b389b7e1e36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
51ab35256094d9c6eed95c21083739fe

SHA1
faec577f70eec4fc482c7b71b3ef881441ddb035

SHA256
0098035b2f17659e98058d038874f682705f9fb2c511fca7e07411e90bfb628c

SHA512
76dff4ec7ec3c90ea27c48ee53417c9ff3e4118c732f70a248fea14a73660ecf03056fda234f414121f663c07978aad282fa9cf2eaadcbb22506685d11d0116d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9d818dc7475a5657c6fb4c07a1266980

SHA1
183bbee0f5fc97e7f9bff78dd541d2d93697e8ae

SHA256
ab6a3644be7fcdb98e1a8af584b5179481ffce6ad7a9b1a5d63d50ff81d57744

SHA512
c063932878e511a470657ecf69014591bc206d10cfae142e18a00b8d3301d51c2e4308b9e2e8245b3c7b46b383a8b1e4f1e22225ea330657be1481c6ef2d6e07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b82c4067fe6bd81394ab5955560cfdfc

SHA1
a8da7e6a3a10b69c1a7f55f3da3f3a4b0625c975

SHA256
3c53c62a870deb04c4a0e3158fc7c897650ee944f968a39c67bd9063d5ec96a3

SHA512
e3dcc3398c9b4796f656e4356697ec58021c55ff36f67a58cff5ce5829f9e9a983d04cb57797e303631a12dcc01ade35fb1eec894ed2fe09410a5e5c04cc46c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d752d98fc7b6b6a511249dcd182ff87e

SHA1
3f692a2ed51bdb471e0d9ee411d6c22862f69ba6

SHA256
aa346fb4731b10e90e8f6d2a13e2add0a37d09a3641c14568071d714aa5d1553

SHA512
6bb611a9aeb973d4bd736c3e46c64f7339fa3a22a50e744d195119d184d35efc07c50ec2979f8168a86a07d84e5e723beec6f2d8ec45011e84c292f7e6c87a75

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ba3af49db24c8fca1cec5bbf90259271

SHA1
cd505996a6fe85cd6fc3b813094bf57e5259126e

SHA256
f4a795a523dcc5d5684715cdec4275dbaa84be5803c25fe69bf3b10c3a92209a

SHA512
ed7be8bbf73e26c9d3fac18b938da511e6eb1c2479ee847d7492f9ce3a46370ee3251e5d14abee2d2f24c637b6ecd41dd38474cae25553f2fe82a679c33c50ed

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1959b9d120e4538547dbc91876f8ed7f

SHA1
3cc73ffac445b42808c088da2fb6d8684d03aa62

SHA256
36f1eea528a56085255972d761b3bff79c7c187d6a2b0b53831f0118ea36136a

SHA512
3899ec5c58936144d91b3c521ef71c04ca6fbc2a381b5baafbc40ce1ca3e7d9b679896ca6947b4c26f49ea418bc3f43a5df9db77c020c33c1ca96c452a84b279

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fec35dfd4fecc47944f3eb3f94c83093

SHA1
10efa2f0a0fe250e6568d340db10f829360e9a0e

SHA256
cde8d2a31ff0737ba52b8f206f0503a11a9f413e0a031c86f86710c1af0dcbf9

SHA512
cd93bfce50e595fb46c33656cfcd459c50628cf14a3658cb50d2365c2506951f604216de07a4a80223dbc8f74b7aadd762cc67c21a763e70220bb3de1664f83d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2440447c4fd9dcc5ca176aa7225a3ae2

SHA1
1102affa19951b4f20d6ccdb14302b5807b46494

SHA256
6f27b94d5274c0f77a27c8cc6da481f6012fda111898e57bd59bca3288538bf5

SHA512
d2916b6d60faf9b3d381a5b5c441c5ee39828cff8013bfff35c19753e61a77973834e9436b885b02d7987d77cd169717bc4e95600095a1b37612f5eeaa6312bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2045567d441f7bf2b025db476515f7b4

SHA1
c48155aaeb58f2c8e01cbe6d31af91a8b0df8bbb

SHA256
1b2c17c6ebd7885e43506eda1726b64579654350f6a05c5f3fdea77efc5bf546

SHA512
8f27e649c131725aaf384efe730fd4b01fa339432acf85dd8dfff359f47afaf7dd1be8b137e8a2afb49bc4fb450188bcef35c6dad82ad61132a5468dc7f13988

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6687ec0ec20a0239a84c4e6947b9e890

SHA1
00311c52f7c0e2b5b2216ed3cff338deead9d1b2

SHA256
0307e600aeb71c14e880ba0b9802b896826f6d4c29e069f1c24ab00f1096d1ad

SHA512
0669dd4e316b4c902eff242ca8b185c0ff4345cb0c33a5444d2b2cf04753e30cb7e21401d39a668d519c7753ba99dce0993dc685cf97de27f8c5f6e62838109a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c2d89bcc89cd15a3481a1c62f121dcf3

SHA1
fcb7319daf6ec99ddf99de511181de4fca401305

SHA256
444db95dc5fb339ba3d40d63995a870c511dd8b025128e564082f30c9506e710

SHA512
84ae66115645760352e4b8b4a489c06bf459215d61bc5b5451330da66d51c1b5a71cb1a0eb353ee4daaa690d6adfec03d302f43d4adbb81d8296911e30586331

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e12dbbb612f6cfa34fa37950a901c253

SHA1
480dc62d9f4d47f42c4978ad68611bd723e8df6e

SHA256
367154b8df711f32503036257eda6f993917c740ea46bae76de67d1fcac20ea5

SHA512
a3740dabc9a89f39f8142073bcc1bddb9cc0de721081cead618319b8a864106de3ab4edcbecf7c047955ce761b97b1ae331a4269d4f02d8f528680bbbe2fe632

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
62a6c03f7afa0c11b1d5c37191efb60c

SHA1
935e69b28f4bc84166aa648afce70b79ad709cc0

SHA256
e37ce940dc96ed314640227c0b52d2fcbcfc5c5ebc2274f5ad75343f9cdec532

SHA512
a6b78054385b1cca6137d4e4a3df726466c84b7fc77a017401ad31e98e58908e4f10313abf0c6f7630005e4c9642c2a297029fd7d6c786d468f410cf35692142

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b6db6d4541ea03b6df194366f60bbd51

SHA1
753ed553b5391d2e689de36d50617c638c38762f

SHA256
25aac1b1f2abac8199ad3523bf9df0e5062d30852254c569e4ae64dcd327a08c

SHA512
6fd6b5b48b238208dda0010630c8ecbebf44809982de8f388a1f116a777e0741d9dd5ad7cb64b7457631628252bbf736a4bd2f8cbfa759f541c863130088ef45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d306e4005b1aa6ed9fc64ef5ea140c6d

SHA1
275827328ef79e4243d6d7832b66600f3c095ec3

SHA256
84642bf2b94c8a2234faaba9a414a8deaea612761139c5512384511fb47bb1a2

SHA512
fa71a3c651aa3698832bcd191d7fbd4a78f6da9d16d01b41d217fdc6112e316836c4f6c4be02f38a41a66fcb6e657ff277287d2b3d1f6b12f8ad5f0b17ca86b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0350e28e3f59ec4cab8c3169363086aa

SHA1
273e235d9737f6e7052ccf3c5604b760ea236474

SHA256
d57754fd6d583474bf792d396b3dec070e24f140e1132981024972b826df5f0c

SHA512
132de0e1812f457298bdb81c6626b2927192d874e224c6d1fa620a2c59a9e2f0c1179ae73aad3cb252087b934dad32322ee32b6b959fea6f156756c57e42202f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
aa93ffce3c55c20dccac2e2174d6fe98

SHA1
e37ab97b4308a771b541e31ec859b1d1397d11cb

SHA256
487193e395e93cff4e8ad7659419b9e1b3a3f10d2a915e1d71f84e52e8f58eaf

SHA512
a38eec69327fcf0a8f624c07013b2a34ff41378108e79d7559e9c908034c1ad73abb7b17a71882032645384edcc7982f614976fd6bb4b7535db7a7e4b572bfa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e6531d27d69cad1b997bfd44a57c1711

SHA1
d8d7213ee43cc26c69a361aa1ce82d21644c3af7

SHA256
fb0134d7459861e4b23fef2ad4ab4aed1352e7f3464cd7da9dc5cc1cbc692ddb

SHA512
909b9cda6ce3e37c016809433db1ac557afcf54d568d983de1f4741fe267f88ddbe4066a09b2aa3bfa8afdf7bc4a4e1579c67e32f223a7901974acb561866116

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2d7aeda78ebf5bd283cdcebaa608f822

SHA1
92686308e11bf84559283e03391d0668c7418744

SHA256
cc6cfd4aac9a34b03faa19a7e27a3e5a103367ba018252b2059dcc70a59ee622

SHA512
9229f99e6b8e071dded507da49a6dde132b0b2502e1bd00622f4a0a1aefcfa5bc54bc99e24d329ea71ee69fc7d5abf6c700d8ec456849c59f8e71a6bfa2bd850

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bc06a561a251ed6d841fbfab5f53a4bb

SHA1
ee7a568da001f8b8b4c6479c057d65f543f0abc0

SHA256
1040e1d4404a4491be569ee6c8ea8903a719ec6bfbce732d07d585f9a14dffca

SHA512
c0d2536a0b7a3ed52958664ab0a5459066ff726e1a38f7f445b034482fbbef959db8e30dd53dbd88e34b534542e0775417d49aa45b52c2700a97f85b2a8cf528

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7bece1b9da014d1c1a3ab8873d93e80a

SHA1
f2bb8dc75e274fe01429c5e1937a0e28ed791116

SHA256
adcc1113ffbc0b2a8ce866beb4e2384ef67f6300c1b3d5bf9d2f2c5ce53acf64

SHA512
9a0ee765768d469ab6b5c6a65721bfa0b9ce3adf53279e6b8f37b9fed931229e023afbbc95439ce9ed3fdb31c9669800d42414ae4e01783a56734f7fe24327c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b683203bdef7ad7b8de955c20d2e35f9

SHA1
9549e01171f1e9f3dd077f176807430278d34296

SHA256
ba694701826813581136a3df3b052ebd4277027f9a279d8e93c8d876006911f7

SHA512
a33299661192faf6f47cdeaf1185f8c029125cbc40fce5caba23123c8dbf28a8f1196e2d0666d81a6f5e0ce724b47c13425bd7be2523e2372ded26fb41f4119f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e3e576a2cb809fa27a17d4fd494bc29b

SHA1
5c7d74d7ca1026e1d9b3159a6f8d26555d7349c9

SHA256
62a5afd2b704bf5cdde801112b6eee275a168f6f3153bf8714ac15460db2f96c

SHA512
2f3fb2e4606a655bb6bab20e220871e4e6e1b4e10c3a25139446214a9247ea45b9293535a945db69a03ab93a13d641115b86bc885022095d967ade0f4b01c332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
931a63b46f7aadd6d0664205b5a946e6

SHA1
0ec0813435f7c577adc22a72db84d574099ead58

SHA256
616128ee784c4b1af2e3d3c18ce21b77b057029ea6a00c317e83377f8efcb549

SHA512
da857275a2a8e2db29a595c93a8c93723137815894254b29461713d22571296e6d10451116f86809d46ef615a7b8a8c2f63b7102844ece82deb79fc1efe8bd87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0cf8eafa274973ab87ece863ab6e89fd

SHA1
fc177dab194dc0021f5c895634f63fe6c7bdf37b

SHA256
68bfcebce2173ce9cf4cae872376d5622931d63ab283b47b964ea559f4d77f81

SHA512
777601f35bf39d9fb5e4f17146a18f0ccc1e711e8c777a2a3de8c88f61b8710aa442cf5864fc7187ed852f50c3bb0719b412743c48b3c9706ae2d98c868bde5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3af15f08e4a8db463bca29324d07b3e1

SHA1
da56a2562669b9b05e30c6e820e58cfde0dd2599

SHA256
a24945e20413628be5bf303cda65c200b2bb082d9536183c3e278149a0627886

SHA512
0c18b6d918fd5d9f63783615055d2ff55f6ba54c100fd657f66c7748711a027b8572066ff9684ebc099866461c8c3d4ed22d27d1c21c988e2213da479616fb92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8db8dbc422cc844ed3fd5bbca7e2eea6

SHA1
35d795766091ee71a2c3798f2f0c0e43dfc4836e

SHA256
f7fd74fae5b195040d21518fc9e2c6506e35fbe38eb1eaaf0a8d3f8debfe781d

SHA512
9e0530d52c82dc4d7cd58626d988aae3dfb9a51c3c4efefcfd24b4714b7d4166912a60ce4cd87b30a78a73f3e0230ecdfc4a31cfe8b9036bcbba9613f99228b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0bc8ffbb2a47c56c0114d5b3e92a91a3

SHA1
35f8d032dc8e7962d11448d9005ceeb397c3a105

SHA256
f3cf8fce8bc7c949869e560fdd7ed4589f6e1f91361d4af140b854958722b6ff

SHA512
d08c2541b892eaac2586c11ef812ce8f88d1101c00864fa458eab038be6e516e27c1d9a200c6a35cf6cde0c73bf878c19c54e99b8196d955d74c2d36a14ff797

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5b473612892b1b44e6b8920c96077c94

SHA1
efb62649c10dcd4db4c48273793039940629530d

SHA256
3797cac11676feef346017a4b663d3124c273482b329499d9d94d3ec1d5bba91

SHA512
d1004a2e0cd4d318998bacb6105076936876d430a8ddb12cbb0ffb0f31b9d955255790c16fd2543fa0119eea413a24572527cfc0c6bfc964ce4cbcfca6eb2ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f0a4eb2a5e748c315c52e53a26c8413c

SHA1
898d30dd4f9872f44899c6809b9d5270503c4b7d

SHA256
91d746573f40659264ae26fbd14d6af3dd4628601d50215ca6c9dd3368bede33

SHA512
27618292aa1debc4b565a7cc9fffb49bf4271786443111d06f0874f7390e7f8b27108cc1e178009645eaa77b96724816a3266ae880a9a5a120893cc634cc8567

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e5fabda58fa5890f57ec936001f3ec5f

SHA1
c852dd5417230ccd59e8505e2820c60e83dc2489

SHA256
d81608da3af20129b72d97638aee7ac4431ec0e58fb6bd5653db390f4fe40de2

SHA512
a0cbe65e4154a4b8fb678e4a774733d20db9671d7af2f07477d5be74e1414331ae527d8b3e0976656c22ff57207d291fe395630e274b85d935b5eae3092c1eaf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f7921a3d8bea3890f7eafd1abc094126

SHA1
ef86fb7f9f28c921e2919007c8b0add4604b1be3

SHA256
f06cb48345c91bb80b174f5adfddf8dfbb46fc66730903e1af61376d7c8c8f63

SHA512
c4f920bf1737802613579f16aa7dfe5d8a12c7e0c1624e80f0f122d4a35267ba71a3ae32ee1a8a83fa51576abceb192ad30941a5b0ea98499c63407c184d8d2c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a1723591d3acf7758bbce3c0cb1f85fd

SHA1
bdfd96b4bf9b6a7ca6769ec4928066a734196a9e

SHA256
d5bdbf7dfc5aaf3f095ec2258d961f494d63800eafde8bcc039392c914dbb5af

SHA512
6781357601d5fabfaeaaa6b16bc8f46875dae2748195b88e8eb63537735cb249bb634879262b299a8a3c51c24f344136b128929ab83a1db1522ad899288808ba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
747e3d7c5f1c2765e5c3f2d04497de3d

SHA1
a7176449e0363baf07f56d35e7590a8448a52374

SHA256
3755619d404cb17de6c02e9afd841b3976c5f4ca2e0bfc1e78756a02d5791fd9

SHA512
55903876687bf83b9788fc456ce1217705de89d2e2590016eca37ac7a2e6ac3a142a0220ca59493bda64e319688e951b46c395f8a40303cf0771176cef6d83fa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ffc6e19f849e01a0afdece2adf248c08

SHA1
48e4ee778f1152ce3042bf49c8cb5128d16c49d9

SHA256
12cc0e15bcda73ce3b8455b6fe263cfd8aa846e3f7682504d02d47ddde557264

SHA512
28f39a973c3cf8bb1c46c75a201733c9c3975572402c54e1023625123d9b07c7f3120d97dc654e0dfb3cf757780435c1f09029434089afb19a93df65e0137ac6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
58ff1e9af27129ca20af8a3e43a14372

SHA1
55bf82a0ba10b9fe93a683ff4e32a52d3ce38ff4

SHA256
18d776e617da727b5defb389ca051ef9d48022e3e5cd1d70da7cc80aa5ea507f

SHA512
e9309ccea73ccd8e59e4bbb227d324c8814bec0f37f56761684c905e1c97df132ff02bbabeda6158cc66861077526949b811cdc84d2516aae5e84a8af90338af

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6d5224b32e6a077e70d395609b01d250

SHA1
e6f07cf677bc252137bbc86187024a0fb18d04c3

SHA256
dd24ed8a2e9ad9e3ce0c6dc12d4e34d939fee10c2e896dd15180a7f04afd88ef

SHA512
576c1d05a6aae50dedc6c68b14d2d2d957b435ad485938bb1510b99a5b3eeb787a47f2d6239dd44a9e15ce789a0e7b59305e56d9d1ae1e8c16756e0f0d0e8f1d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ce810d4a3de49ab4b1886f7d600fa9e1

SHA1
5ca03a1706dbe063106258ec2b6372fd0c6e9985

SHA256
ca570b64e60d8b6b9205ad63d350a03d170b2976ca435185a7f8250d2812dae1

SHA512
a33b3716a96dddc0fdfb076534d5e1f57f80cde44306a182929141c20add8b85ea616f2ee70ae1249c23385af3681076cf482da5494413a254cf0ae02847175d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
06c5c7143d6c3e07cdce6d892d6857c0

SHA1
3588f9571f8c43d61226dc3f9b8c672297770ce3

SHA256
dfe7314701f1907f34a57eea4aa98373e6eb0890d47b6c7cd2733f7a2c7fcee3

SHA512
8c4bc59c23f394b24d3007b25aea4d4a6d8bf8affbc3e86b96b643a990ef179382a94b058f25ccc25d410c012507e313519582519d117f4aca0e954fd8f7e3ee

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
08de2c90cf655407970dd7a14d72aa0f

SHA1
90dffd078187164063a1711d436307ee72d96dd3

SHA256
e0dcf374996fc47a43bb39c114acb43c09c1a6b3d68e8d226e10db3f7b33147a

SHA512
2fd6bf210d2f823fdf6402e7ebb28868702553330d3391ed2249f1e47b2255d73a62c0551e17a0f2bc43abbce3387b1853a6f65e6545f9b1f5b5472ff23a4573

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
55752be67e14ce772be34977e747434b

SHA1
4beae526589fcec1cec5d5b9a0c4c81a1e34b881

SHA256
7135101b807f35c3d3ab9da341a59592c5a36f7bb22d37f09cb6605e084af477

SHA512
be9b28a465d0d9d8a80a80c1e944cf2cc7e549f95d025e67846a7fc507c037544745341746ee016bc65e60506746277b1a206358c628edc4033c33daaf9f6275

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
323689c3995b498390b130fb20601da2

SHA1
d6dc6668fefb2230af3ab582bb9dce91a704a93a

SHA256
cc103dc48b0f77b11f8492ba004f36219504f93a9fb368a221ccd52a80b89c71

SHA512
052d9ef5f9d7a982adcf0132bf509ee1922318975f6804ebe3973a87e4c7ab58b782571de6733bf7e15a323c66213b7d8bbf80d664545064aafdd3c568c5b354

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
637c1a379d82c2b8b26a19a2f471205f

SHA1
49801c9a158b30efa672098d5aff0049a9c932e0

SHA256
9111c4a66593157b6b45efdde6d4a3d027518ca6d0fccab4fa5260c853119414

SHA512
bd842f075b9b5d86a9b37632b3fdad0c2f14e69c63a03fe3249539bbd1d25b20fe607a71cdaa8e9996567eec6f3fc56e65000963cbc93cb343c317e574b24467

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a35c7c06121b80503e2129489d309214

SHA1
68a7da87970b5f28a97539e8d0b0535dc80894f6

SHA256
fdac4a81fd9173a746cb68a207917965f1250741915ca8d7487eff974902379d

SHA512
8e2eed3cf3e6705f50f530aaf0aa0ee5cc128e2ca3839c2e96cabc6f141a652648b60ce635d9daaa302e83040d7d8c1a9a3589fc116d8510b6e25eaa5994ea06

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a32d572d95dfe25d897c64ebe6358243

SHA1
a5ec1f00407e022c3bf73e1ee4470c436ba4cef8

SHA256
42ee90c6d20e235ff1e8201721e6932e671eabff650de75ac0ebcdc25be8c204

SHA512
1add188620fbe271405dacfeadf687d96503fad1eeb86db917ace6637281a22730be6ace20e77d531df7b1e8120219d8fd425464a471c9a6f7560e9418458858

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5f270d4c783cb4315ae6db2429f4bedd

SHA1
6d448ce02d8fa1f18d083c88d5823371eb2d514d

SHA256
f356d26deca18caa3b672885f4550850aa76b7223f842d21d14646805134bfb8

SHA512
235db32994f1eb1408d77073070e4ead4fa127f1d82560e3568bdd504c2d9f713f7f67bbe8039911ca235fd899d0551401aa92c90e08c1a9617da282648d6990

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
64dc072c381dc7675918d3d9da21bcc3

SHA1
a263f72ff044f4bd7e7d89b876342455ff7a006b

SHA256
52f569fbcdca3dfa792f368ef7a65da577d7a3fdcc71b41e7b48451105e0f244

SHA512
241927fd42cd2a204f34d0a26fd332524cb16b8645a26ecc7dfc81164b4c1eafa356035ecad862b00ec417799edfc23c9c7d1069f243320348567b5a4501221d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4d28c002bdbbda4b113ab79a86aef72

SHA1
f27cee51311da7ceaf39b263dbd749323ddef0ff

SHA256
b402f6c6d6e1580c29cd1f9b8686a0690f7ad00de7d72ce638c51e272324c773

SHA512
45d912ea908bf6f970a8906433355514a035f442585563878f4c37a80b7ca7a73e1024dc7d562582e135da348321993888bdbbaeeae984699a9b365f3ffee251

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
89695b96376e564eba5b64c817699df6

SHA1
4125c55925b74027f676695ba6f6abdff4c4dd01

SHA256
988f3d68e09eb5d6bcb9d6639fc4c2d14ebe3d3290a2f42756e923828530d400

SHA512
4b7eaa662bd87579eeb95630a52dae44a4059dbc340fcca61ea7dacc7c51a810004b02c728e7994e37fc4cdb4155d5b7c2d0bddad145486e6da5fd69c9c3f183

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f720cefdbc0f39e0b2436faa790070e5

SHA1
78934f76c5695ffbc3fad536d6fbdd0c5efa2bcb

SHA256
cf52531952d1785dff835b6131f19ee56cf520ec48ac76fc44d8c0e41b09007c

SHA512
c34b0ef3d365fe70f25e432e5bffab68d1ccdc3483a7b31489babe7092b5faef6d68750c85cca04f39bacba7d73263deb16d7555bf94541bfb9f69a635a33781

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ae538fb2de7be6fed41fd5929f7adacf

SHA1
de61b2f5ed02f5876cb93c0f38f4d020ded9632d

SHA256
f22c2a90597dbdef832a7605209cfedb5f0ab4cdb3257b795390cbaac1ac9d73

SHA512
b992386c5a08123917bda759137eeb0f4268926e34cb8d53f2470637150fffcf3a8554e8b436b5eb05a6a3e480fcd9b2d2373daeae1f643bbd5cc4b37a4ee084

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
37abe22756465d13141bd858663ad1ed

SHA1
8e700a76c7d9a8b6206b3ddc8b80c43db5def76f

SHA256
6965491916d89a5fc1b0d705dd6e3442363d71c3a5c56652aabf55f81f09a86f

SHA512
0d42cc9e4088dc78bb2ddaf9d952c6286db97f2362c4cd4fbca38571dc4bd6426dc82c1c11dba03951932e62acae888aca25c2bf0a3473ade102b08118f2f4ce

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1d858a9d0ac9b49f6ce00588f7812460

SHA1
1e3b978c71c334de03c766de434f9803d295bc46

SHA256
b56b9e30830c78506211e1738a4df9ea322c7f11835706655a3c0320d32a829b

SHA512
0cd0b58b141a125e99269778185d675f218857b3344cdfd356b8fb04156d4591624280cdd219569b582950a1448825449d27b25169203765c2612a5486e211b8

Download Submit
memory/1180-84-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1180-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1180-719-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1180-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1604-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1604-127-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1604-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1604-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1604-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2072-277-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2252-663-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2252-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2700-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2700-721-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3264-275-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3264-157-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3468-282-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3496-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3496-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3496-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3540-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3540-728-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3656-276-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3704-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3784-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3784-722-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3992-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3992-727-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4028-283-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4056-720-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4056-137-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4056-131-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4056-141-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4072-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4072-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4072-143-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4072-153-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4072-149-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4168-729-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4556-278-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4576-8-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4576-315-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4576-7-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4576-0-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/4576-592-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4592-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4592-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4592-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4592-509-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4744-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5092-281-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download