a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
Size

1.8MB
MD5

232dff73ac731b528ce9470baae9d2b6
SHA1

5be962e9f21e65415f1b1f4e66303e178282c74e
SHA256

a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf
SHA512

6a2e0001527169c7e5fe21cc592aa8fa52a8fb18074af9764bc54de65968a923cd53282c29cda19275bf7415cb62d1660abd753dd1c730e73c53633081257d6e
SSDEEP

49152:+KJ0WR7AFPyyiSruXKpk3WFDL9zxnS2aNNakJBIs7sH2up:+KlBAFPydSS6W6X9lnPSakJByH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1952	alg.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4560	fxssvc.exe
4480	elevation_service.exe
4488	elevation_service.exe
4640	maintenanceservice.exe
1788	msdtc.exe
3312	OSE.EXE
2336	PerceptionSimulationService.exe
3736	perfhost.exe
3788	locator.exe
2320	SensorDataService.exe
1188	snmptrap.exe
3336	spectrum.exe
4972	ssh-agent.exe
4676	TieringEngineService.exe
4456	AgentService.exe
1608	vds.exe
4124	vssvc.exe
4160	wbengine.exe
3288	WmiApSrv.exe
2112	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exea0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e91c3f9bb4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\System32\vds.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exemaintenanceservice.exea0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_cs.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\psmachine_64.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_ta.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_mr.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_zh-CN.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_uk.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_hr.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_ur.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM59C8.tmp\goopdateres_fr.dll	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe

Drops file in Windows directory 4 IoCs

Processes:

a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7ecbe01c0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc20af00c0acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004fb4d02c0acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058b16903c0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d945d500c0acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2223602c0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000869eb001c0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebed9f01c0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ea35301c0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f78e4ffbfacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4480	elevation_service.exe
4480	elevation_service.exe
4480	elevation_service.exe
4480	elevation_service.exe
4480	elevation_service.exe
4480	elevation_service.exe
4480	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5032	a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
Token: SeAuditPrivilege	4560	fxssvc.exe
Token: SeRestorePrivilege	4676	TieringEngineService.exe
Token: SeManageVolumePrivilege	4676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4456	AgentService.exe
Token: SeBackupPrivilege	4124	vssvc.exe
Token: SeRestorePrivilege	4124	vssvc.exe
Token: SeAuditPrivilege	4124	vssvc.exe
Token: SeBackupPrivilege	4160	wbengine.exe
Token: SeRestorePrivilege	4160	wbengine.exe
Token: SeSecurityPrivilege	4160	wbengine.exe
Token: 33	2112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeDebugPrivilege	4088	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4480	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2112 wrote to memory of 3108	2112	SearchIndexer.exe	SearchProtocolHost.exe
PID 2112 wrote to memory of 3108	2112	SearchIndexer.exe	SearchProtocolHost.exe
PID 2112 wrote to memory of 1516	2112	SearchIndexer.exe	SearchFilterHost.exe
PID 2112 wrote to memory of 1516	2112	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe
"C:\Users\Admin\AppData\Local\Temp\a0a83633cc0f45bbc45526a65d8e3225e44653a9fdb41d7a81f1db402a16edbf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4488

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4640

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1788

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3336

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3108

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
12bde31e3573c41e18af5c8e5c9c7ede

SHA1
b46e6d346a6e8d68a5bb9ba5e4f485e2eae82567

SHA256
01b8c9dcf9f0f5d067a8580708192252407ea9034098ca94c90dbb8466a041c3

SHA512
23436107f0850ce0c44cfbaf1f1b3a087ccfb6fb2b5ea4dd8da266e59167848e57a2fa27db13dfdf56e77f7462c0ff3458f2c4a2ee1d5a77bcdffe298b0644cd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
135415a78e7e00d57786f510312c1b33

SHA1
eae69f535b271571060dccaa483f174847884898

SHA256
9c0ccec8889bc4c7188b4cb98a1c3932e21838a6d9cfa8d5f57cdf091acd6fe3

SHA512
400256d4282c3df36538183fd6ea955c84c965bbc721652e89ff192945ed3c19786d89f4db6b8cc94c62159a37dc5ddc51cc6b9ea4f2664fb6b86fb68df1c2e5

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ee685def56c27a1ad3e03c324331b25e

SHA1
4eac0649b7e378ffc074a4e9cc5828840ebeb31c

SHA256
3297ee4a2948273ffd2b20f81c37c55b25993dc2cf79d4407c59d1137ec8755f

SHA512
303643c5cb32eb65c894cf018ccf8bff15bb5792d2d2609093488a9f9c5cfd5f08a2ccb0cc95f7269c9dee55a4b251a4d2fa05dfdddfff6161d406f80979172e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e33d2e4ea7f4a108a08cc5a71f871fa6

SHA1
d600cbf09f6a93223a851cc161f30f54e4dba6cd

SHA256
737ef689ab624e76f6787ed219693ff7d137057901f15028599803a1cbadbed2

SHA512
4814b354e10f2a30693f6956fc91320055b0db05f8a463b3f4cea98d5bf12abf3afe0d5df815958d1dbf734046f9293de7dba4bf4beb2a468ca0f50e0a1f8787

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
fe9a3f6182b96251c64f1c3717c04862

SHA1
4328c120892734854f721184f8c75bf0e16c9144

SHA256
e7b1c2c0e4c1475daa05b474b7417cb86a187dd54598dc7c75433ac55572294f

SHA512
5dea3c28a06f41f887019f11b54631889eb6c6112450690ce205a9c0c198dc6b6aa94611c63ca5c4c285563f727069d342c2efb4eb5c5c54128b1e3cb5a6bcdf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6a68344e805be564a83659e0e51bf9fd

SHA1
49b9f6306ce7df2b0c2f24930bc14f6c70c0d63b

SHA256
3853a4194560cc730b027496a91d65ae6f68861c4d24ee62c5be2c4d44bb59da

SHA512
7883f4a0a423e2e6030d3bb43cfd9be51570b010c75d42faa850c4143877dfe6637369143ce7b6db9862f4047908d7d9271ffa4bdd2732b1ac81f6e33dc47f81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
31ae2eb2e2bbbc62d56302e80c788de3

SHA1
74f9f66e47f8ec775c3f9941e19cae285356bef7

SHA256
b320b596c40ca5cb4d3969d627e7425707f9bf9a01721a2ddb2880ab4eb1b39c

SHA512
7edf744c9b4cfacd90c27190fa69e16bc01b4e56cb063ffca73195db512f5c7c6865fe76f2edcdfee9a18c86e6482af598ea7a4533ff18bbfef0da821b51022d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
cca754f561af2524ce5ad6fb001f41b6

SHA1
60f97b6602291957874ef3d4e0aaa1d28517f0e6

SHA256
90c166dab457ec68ba64e51a1e2850381282615672f46d931c40658f72ef23d5

SHA512
5339040c987ece5a0bbd50961c92be9c9de59aa53cabe12bd2899cfb833c171c2e2eb30841322261fe45fb9333c353d67e06d7ee3c447021689670919f8b5290

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
57b2bf2d05eb01c0aaecce7549981586

SHA1
2375a8be8ec65bbc87708cac9db9c554dc4acd95

SHA256
cca00edb20e31fa8f1f77714901698864e2254e7ffadf26914124ef5d8f738c2

SHA512
a96906a9b2205a62473c203ea24b106e932196f170a87b627c5fa62a1fa9350e4d0201fbcd9ef5d710710ecf05576d3d18b24fd196342038753bd41517c300d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b6cb856d45b935739e5601ffe90df3a0

SHA1
ba315d735bda1baf23fa48ac36bc02977fe9715b

SHA256
1a593dd83bfe274b02c285fc092a05bbeb74781a29c7837810dfdf7f420ac8ea

SHA512
ebc18a20fffbecc315e183ea4080d11a0b6b9d8df1ea3baf9c95e8a8029f742ff51d1aecc615390b2f8a519b3288da73d24fa8ad40a1c0da7c550e797d37372c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
394f19dc2cd3b51a479aedb9ec7ac377

SHA1
36caaaa6099cd537783d02a4efae227fd0dcebda

SHA256
764d2a760dc132deb0507cfdc027786e94193c351a4ddd15e6078e9c9d923553

SHA512
ee14bff33969271f047d47d8f2cc9c53b37eca2a3659b2725e09e8aff4bf6c64659ea575be7984d2c2bd5b5c57939a2ea05b93be0bc596bc57b0190aa3640bcd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
36fbbb5c2cc8af2db6eee26c9c821ac1

SHA1
0651b6c68140359059d631ca28fb6edf94b8fa48

SHA256
21129aa138c17a917b3a605610eecd392d3652d4a76ee28e644c08d1ece276e0

SHA512
d34c2ec4ebf07e9d88e1ea3442995cbd3267665565165a1f4d2312537d8bfb20b61494b2c63a6044d6447c90ecdf22dc965028d85da3bc6f6c7c138dd73ee739

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9724104d3a276862b6dc4e4cfb518697

SHA1
10caa0cd33a0d47bf83da7f05d0dc0406ebc18d5

SHA256
8c946104a6309d26649ee9e51aa229a23306e0e0290a906ea16459b1773eba3c

SHA512
0cb6d84a224c571c407cd0b3caf9ca0914c7dd9701b5fee7e53855a18681df8b17851883cfa0ad99fa1f840d83f4ad0f9860fcb038bc091f57658861010f9bb7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
0184c0b0b352c378db5b2af530262d46

SHA1
94c34aa6d636db93a103c66487dd430bf6a77a48

SHA256
331aa59640de9bf45055c1810c1b35413ac4c8833a764c07574c9aeb75d672ce

SHA512
af801532120b5bf5ebfa908a2e81814b33e18ee0bce4fb4300c31e6d820e0b3f62ebf47a664ff800f7f91af34fe76fe0eb5380f70e21da1c1f8ee84d041b65ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
54c5ac42a5001333abaa133e93b05a36

SHA1
3047ba2ecc3a4485e9151829b2b8d22448445280

SHA256
8795e0057256cc091cc84c5c973c7f2cd67a588872738bc26a52061f0352d9db

SHA512
2645a8a925e9ed33b2f19800512c7dd2981c9946e2d2cc42ce799758df6720bbd5594f80714fe3e5e9b976d0ef38a7e92394a75b04ae25d6096f3c88d5a75819

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a85e23430947423946d620fa0d5e040e

SHA1
e76b7e441dff0f9f25554b07f6deb17731a6e03e

SHA256
1310be7aa777b2945f2ae3b683731345038896aa6ae9ff6e7e55dd3d7974f018

SHA512
dc5a4d57dcf7b160ba7b0270ecdf6e8a23234b262dd15c13c8a475f19dbe6e98d6292837f909c20ca0783f64ea4de7b7bee2457d432025eddfa6469cb63078d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4d8e57b1149f0c21e961a5f7d0c3d194

SHA1
62d127d609f173377ddd187be916caf3ae5dce8f

SHA256
dbc0249dc156fa343f6a01d436aa1bc4c4566eb28b0990c6a1d000d4b0def76f

SHA512
c228fc6d34845e9a37a3229306d50824dcb3589940951625f8c7e5c2a071695362879c8ff300ed1951c81e6b6344184593c03fc57e585ce18170f72a157c7030

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
82d62341f7021e78d73bde1d5694ade9

SHA1
cbabc68756200a99d14e99f67b2b3f116c67b297

SHA256
82abfe31aacfd4dbb21e1a4247673e38cbc8c8810cafc179b5a6263f8444f7a4

SHA512
9e0e7156241cdc1e44574b3bf09f1ff43818c29b94cf1a1c1954d59ae29531a2fa31274e4d3367e50c4d551c8e1f8fb3ac4a239c4081f8b9e374b5f6ca1cde48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f2d97314ee90c0ab0e4c1bcf9a004b8f

SHA1
51e4fc9839d5fc6975037dfe86b3da77a6a877fe

SHA256
8eeeb218e1436f65cb9d6a8aed1255f9d29c7718d833eb72c628b2961eafd08f

SHA512
70a40213d2f0d850f5a9866537b00f55ee1a5564dca8fc9686efe7a6dfc4065a565fa96b91b7c0a8255c2b88a8a8f4805653f3842f0b1debc438f3b9755a3560

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
ee3f6c0dd0d54f7c6d988a0f034f2b6c

SHA1
3cbcd57b04685e067fb4df501ead0b0bd8677fb4

SHA256
409ce6cd66bdd9c48d050e595b058546a764fdc06f4923c0687426f5a9356067

SHA512
3c40a6616ef479a82b78890990bd536b231dd9c24ad9b7be5f21da0ca04dec8f928b25e89c6baaf5111624b7e1ecd4769bf407994b864893bc8db6c2d293ce08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
a8fcce0812967270a8e7095e865b949d

SHA1
5c7365987b34917214bd3fb42749ddc1e2478b66

SHA256
d10ee88f8909b025b90ce69e7400cd06bd70fe474eb8941609904247248e29e1

SHA512
9bec106b111febcf8f3a315267ea18ceceefffa23973c61d8c14c885398802ee1d7513ccee6b256274242eaec42f6741f91bb5a36b92c918cd9a0b328ba821ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
14c8d409042b96d6d625c169e35b1ac3

SHA1
d68f6faac31d73d17943b28e91e607aba0bcccb6

SHA256
67c0e760e8da3462adc79b7ddd43cbb2742364b7a3168ea9e2b1e1e7d8327f2f

SHA512
7d7dcb2be924d33fce0953f963e750fe0083d36151c019b8e23bdf7d048e8a8dd488ea9137d75f4d47258a011fd4050eff5daabcb2db9370867bba3772143a1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
04aafc3f4712d2b10b8154df4b98b4e8

SHA1
22fb000724c4d676a5f3572d179f62a03975f658

SHA256
94bdc3228965993f2d684f4c6ab7a6ab0d275d149053a25d701be118a90552cb

SHA512
f40e412c0c157894570dc2126ba14084285ea55324d60dc347f2ae642d8bd12dce2e70f04d82360b51b17669b602623458d0dec939df08909a6e1e1a618537e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c78c958066ba782a281a06710cda6204

SHA1
a7a35fdee0a6c0bf0baf5432c632919b25ef68b7

SHA256
c1c0750b7dcb4339665502e8e67559f5c3447e7db8a13ae5d49ae2a56c36dcdc

SHA512
2f3f97e08a9f4103a4109c49f0c25804127ef2ed593034457746287f005c87d404052db584d43c84637b08831aee44f8bbe05b4457996d7050c56aca14cba71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
5287d79ece7977a8bec145953adb6352

SHA1
72f8aba63f75a84ce7de2700eb6be41a855d521d

SHA256
6fb40ee945543c8d2d40f61eb2dfe8318e07fa0af8ccca4b6fc123f8567d067d

SHA512
aca2066b42ff7c5d94df26d81042a19d583f2063c44ef8a7d4dfa1cba5cb89b5594fd9b030798fdd1a9ecc0fd10f0fc3a7842a8d882483cd5673e3a73a2aa3cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1ffb87c9ac91bfa972eaf19d0ab930bf

SHA1
92a5191fc349617b70772c498555d7ceebd66105

SHA256
ca2366d25e833b5ea78160ffc02854ab56c102828f7c80b786cc047d39d123c6

SHA512
4a074a48a797bf33a308bf13bfab9d3546e0079c51284f645b391dc1a6b55dccd55bfbdb9004818c93ecd4640694ae303ec36f858929249350bfb9b35a3ef0a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
6b89f174a32a16fff9bf841f3af1ffa2

SHA1
3498e00550129e4f5b3d8324b130c2e37973ed6f

SHA256
b12015184706f52ffd59d82cd14ae0724caafd171566e8b8abddc52eede9c02d

SHA512
b741d712f20665b3b7e799837c5666eb54f64d48c6363ab91e247b3fbc20c614a113c5fd76102e2aba95a70735665591b7502b47068a188fe57bdd1c1553f140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
490c4da72ef7bfcac58c1f64de27bbdf

SHA1
011dc4b2176439db544d633cc284fa638c6984a6

SHA256
493a1b7bd0c652ebf2e4e2417b566d435a4b53dcca33e0d437c69163b8702f57

SHA512
8227b32d17c06133ba78d3399a1132659f02a326140b62ba88f6299f06ba6efc7caa6b5e7b8783f880502a9a189771aa0a603284b88d0ba65077df3991a2ca18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
10716ca50f310e593627666c4fb6c2dd

SHA1
7278b546145dfc2ec11a0a8b5342b8365680ec75

SHA256
e471610f36f49afb163b267b37bc480b71037afedcfa69373efdea1f75366398

SHA512
eb5876037c40f52d0047ee2ac8568834b3d33cae30a77626a91921a74ee8183a25d8875115a71789fcdee1171a4e9a32544b06686516d142739e57c4fee6fafc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
85a909423130bf1c93c492d93f5fb6c9

SHA1
da9b1cc00cde8d1f5dfda0c6b08b3c4395726f0f

SHA256
03b669e8cbeea7128e05d09cfdc48aeb9203212380019d207ee5723688744036

SHA512
d29d52454f23ea1bc34e4a3884b6ae85de599cd91ee2672ce15656cc0d3d40e3823f8fefa9944aa3767d24429eb7c5e47e0240c15ea06387fff8b2d93026670f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
39600170b03c425c2d2efae4faf9fa9b

SHA1
75bf9b684cf4c1ca8824dcf901aa794c524aa6a9

SHA256
ab36c570f08ed41e02b813f1306d887dad9aa03513d72c51b754b8fa3feac264

SHA512
9cf824e94d73e3a9085ffe21017b3a06a9422bb7d2a41ced751d2233c59e7f1cbe4de24b9296faa4bb81c5f2ae40336e4e84f8b11553b4bc0d4b239410b3cec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5f40db39debbbb5fe4d529fa84912031

SHA1
49b1e3fbce88f11c60f39972a0c8e8e5b2b64474

SHA256
5bfc43ee3cd0177bebcd88876a40d91270b314243ca7a5fa7b5fc4e135386b41

SHA512
a6e9b6074d10246a845a8e473564ceb758113be320beae30174bcd7fe7d1724023736f249cbf138509b13b254dfb39ec8079834179f4056a7d9b968e705dcf15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
26390d44a57bdf630952729a3517474b

SHA1
68a3f12115d6bc2ff818eb6783fdb0d81daff707

SHA256
8fdbe98d46489e0bdc852125da4ef1918ca23284b3331c2e74625af8c9518600

SHA512
a501f9f9225456313ff81206ad3994933d2e9db7c8055956168b1ed464921ad8917aa26cf22607a8c683b7b04615d779bf6546c97146ea77fde9f773efc65c5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
63c59c7f3cd8743ccde1eec300767536

SHA1
3fd600e492d1047830b5ec683bd098839aafae5e

SHA256
7f2659825eed3e778f850c658c2b0489fde80fa74c8ec99d7364cce87b0b4a59

SHA512
efb3eea96ab3bb827b24308a971451c14f8bf4852e801b8f714aa46afa935e38b3d5af24cd9f5eda65ba09f3345414061b6287fe18e274370d6d74e0cc4a772d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
bbb9f0f826d7c4679126eb22a806653b

SHA1
a2ef0efa3718e2e5c07d515552c2a2b157ffa69d

SHA256
cd6981cd109db06237dc30cf1b840967443a3976535ead4e3f04c8e58388586a

SHA512
95b78ae24939091a8a51f1f2340e8f8d91fd45c5ec615d585cf515be6e2bd554e3dec657c9540778fe93131d10a56496576f3efee5d70bb97e07faa918b5f5f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
8af39adc8abc60fe1c8edeca06041b94

SHA1
3791d755c71395799f2a7e0ed15c7a96f66cc4ed

SHA256
9a289a40d3853b96a271d770dac3142b1b9f21d101613d0726bf0f845f663db0

SHA512
ae6894ebb925e06c839df5e3b1afbe8c78c8c978f2f6b57239a9c43f73a13870f10ae32cfa3b08c8848705abc7bd416bb8468bd735e2fcbdbd14b21e8fed91fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
d9100e73f4fa0baf07ac83d9c351cef1

SHA1
2cbd810b30894bae9582d7c2f0610e43b03edc92

SHA256
1cf32af37e9e32085d1cc9c4bfda2e144b41c8add5de7dc54fa6ea0148675f96

SHA512
c5acf81d0ec4783dba6ec5b12505430853a010302353b63adb8d3abe0582e2ea15ec3b9b1ee44c83877f0a1d5ff519547c6b173b73a605d5917499dc1101cfa0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3db09959e727ee9b61bf219c993a455f

SHA1
eb9d4644183ad56161ede56cc85265da0ad75541

SHA256
bb2f24c64abc0ae7a346c7f296378664e0e650cd90ba208547fe5266af85f06a

SHA512
719a2ab28d343e0af209c1389f91c5312ce6cb12766b1417d6cd9158b4e0a3146aeff04532cdbdbe61b83949e8b732fc7739ad5a43dfdae0a5d5f7def6692483

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
7f222a71f5c167a56a6559122aae9b5c

SHA1
36bfc9afd733537dc463c150de07342819401c91

SHA256
e6a8eaa426214292c91fbea9fdf6dc678f65096b6e93406c75355d32e38a520b

SHA512
f73a5ebf4c7add20ae1961138e9017f042f62aa84744b1264fe610059fe57a187bfbbcabd2942a108564b18aa285fc7e311b537383ab4dd07275179ab2949fbb

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
16fb605ead92419d3cf3df35cc5867bc

SHA1
8066028115986e19032883ed65da8fc5eb80634d

SHA256
162ecfa27f2a107569c73d9141ec2269d6fec887f67501a338b4290e72767af7

SHA512
470810ca318da5ded8f54260ccd1e97361bc9a554b674299c2ac70cad053a66be2194500b2edb0fa276dd58c1780d0bb315bfb77a92ce697f27f39f088049112

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7f9fcea84e435c283bb08218edf679be

SHA1
d1d9a6ae370ed32922b24a1096f72716331d7a28

SHA256
07cd8c7ee5296f6bd82dc73789354aebe029d9e54fd72ba871d0e9a28636e699

SHA512
2fd9a07845f6b0c802ea2c161d4bd6422a2974042197d1534758841df94815655ea96344199bc768c7e277924a39a8152525a4dc7b46326526729e5fcd1cdd4a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
eccd7ea7ec0d2d4674e7e7580bce58b9

SHA1
9d6bcecef7c8a3827ccdd4fed5b41630b36ed627

SHA256
30264da47ec363ab2bb5330708017709f8f0d8e6571a6d8c14796602d8be576f

SHA512
17f4cd52885f32dbb47648a6408b34e806c952492afe94101f5f496944af1b277bfd57872ba168d9bee7a676f543dbe06e7518dcb199fe79ac38eefd77acbe85

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fdd30d4be7c773d4875186fd0684686b

SHA1
92c30bfff66cab13bedfa357ddbc358604f8a8c5

SHA256
f2231500662f624d8f0b364fe6359cbeae45af4fa8dd4f4a057c4169ccf989e2

SHA512
6f259c87240ea81823b756fe1497fe720d279cc34d2372cc5c1e13e515453998e3e3a7d4136236b3d95159dd0b68a08619dd3263f038d1447286ff17f2c41d8f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f5759efe166db4b40ca7d28f550649da

SHA1
b3387228ea0eba8112fe763eae7cd05fc3141658

SHA256
daa287e40707dab5c59f6d552c07ce35d7691ed95345bc39f4f3a78d309b0f27

SHA512
fe9c11de6d48de05caba21d084eaf2c2e8671cf3bd5681462777d48e505d0029d1a0b02da1a11ab1a876480d51df39a23b998ed8db4b3f8a29bf077a995d1838

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
09237a832ca33e55b527aea2c9bbf827

SHA1
29cea6592cdaf355c5858e27800fdb0eb22e53f7

SHA256
392dd06c2b386e65fe5ade2ad56d91dfc16b7246f1dadee2109662ae73472d28

SHA512
136a6195322bc423b351d80c6fa1dfe76f6a83d5a7a8753e9b61be4adb727bcc086035ee8d45e0b53127389027683d9f8afdd59c113af38c8ecaf9eb682acafb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
da2833755e1175e7b1a16a0166b5d583

SHA1
a48e7a34b1fd67c59cb61e37fa7ce0661c1c4b78

SHA256
beab8d27521d2006dc3687038f9acfbfca7b4bc65f09d4a25702979b0b9c0dbd

SHA512
8c23c901f8faad434343cbf886ccb76adfa2fbb0f921a0af000582d08ebb9295a7553ef048ddf621ff283471e9f32b2842aba687cb9f765d0e7de26eba1fa585

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d076fac5e7f391692f8fce74038ce6db

SHA1
aaf716f7863589a13bbbfad8413c92738729c1ac

SHA256
f75274e601e67c0d1db858ddf02ebb0eea8a2d97fb9815216a2b3b7a5dc3f9bd

SHA512
5969ad27677fc7c6d908e1e8d5fc0f9ae706aa746e92991bcb4a4de89b82ad7bad331282c74d58d25889c21bd60ccfc049d2a12a395dc64ac180aef4b1221e33

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
703dc182223451f41984525643215ec9

SHA1
f6177388f6ffac5d17f6ed4012b42f2415f96eb6

SHA256
db02bf5bbdc0a3b1139799d19703a99ba078f00a148a137091cf94b89db38379

SHA512
556c86a987a83f13144ad9d91c6c28bab640e117d8452e2aee1f1664966778a10a54e10846bc808a161d50196cfe8109f9b11855c3ab64307acffe39e48dbc1b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
74f0de57485079dcc9a2b87b425bf1cb

SHA1
8294b32809d45931e0146312c90e27fbfd0f9a0f

SHA256
6f466f39332044160230fad6bac595accdcad91e5c664be66d69d8aec66695df

SHA512
b1eeda9f4ee760415963eccacedab7557ab16b589c3caed0f0cadf0d044c5f3e8094ba8c2ed8c4bb928b757c612d5cd762c87ac017cb38459994ea96b72b8f84

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4158764f4a9b01b2b9d78fe7e362f2b8

SHA1
a08e83c6246eab5220baa6b70357781234068d33

SHA256
cec7e4f118dd701142841533b0f57c974ac9e6ab9ee0ae72aab5f0e0fe938ded

SHA512
300299a50d57ce17a3c7e7e3a16cb97499982a04de11177094418452d9738cc261fa15ef3dafcf523cbe2e04a057689bcb9d418765da917e875600fc1b8c0a15

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
dc20a2e8497bc0dde25a17afe7297348

SHA1
9d89b4f1c88f837c7a7dae79c938435c665d8de7

SHA256
2044dcea6974a397ed4b1d252a84ddc3798d8736b92a73b9db326458bdd3aa8d

SHA512
bcbd0d65546cf5b764a25aae6b9747a989d14b740190a360e4549aebd38f0bf4a2e7ad5f6c592a53eea6ca279c3440ae851106e116794f93f75b864adb7c292f

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
efc9025f6b13a3754f27f78c04fb29df

SHA1
bdaab287448472a6d1255d28336e6ec2f2ab93e2

SHA256
59b08531d1b35790b871cc68a0faaab332f327ae6ea6bfd02dd48079aee89a1a

SHA512
de5ff67c75d2c3057b6fc37f7b3c737ea29a22c965398d281e1af232e467f71366626d1dd2680702de7881e5290480ce46845ada30e8b47a076bc47aa0eaa32c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
58ebf602c9d940e3fdb6e88c3c3f4d02

SHA1
6f516b20b6f502693f9a04bb2d384e337ec07ab4

SHA256
75a6d6b0b70956e8bc34af0d872c3bd2000a5ba17e90161d6d2bcd2305210455

SHA512
1ded3dd3f9e94ffbaadfde02017b1da4e98ec44562f7433f9fa0ec13ac9595fb8715a35df46c5ff365e9f905cff0d36f52c9ca46c9e2ae7988c0358e05cfecf5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c00cb877fa61f97c8fd39b7299ce0a1e

SHA1
c1f3cc3a11f3c545961700156e9cb4eff3dfa0de

SHA256
6ba7c61164771bc45e486f115ee9a32b229954e3e701b03c4d618c7221a61441

SHA512
5b3cd51d1f49d06f3967f03be664b9007c00e175c736563cfaca0ae83eb21de33497a9c3845badad4ce0e2c8a365352dc7d01e747020c3f763763be1914c5276

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e772926edd2857285eb5c4f003b715d8

SHA1
4f0d127a80fbda78773b442affa5954a445de262

SHA256
4badd14a355750e831c1e1a105bc3db5ff31f300b050f6e7ab375052872b2765

SHA512
748d3099f2a608f95619ae04fe191366b6633561158acdcba43c191cd8b1847a0ab09820c5c626da59a86dc45c047c890618f29276736cab3dd5a448db3a7c6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
39ec37439be2894bc892d307d6083caa

SHA1
516119287dd46c75e1f0afef35d1df7d966b4a80

SHA256
c1732e7249a8a59be2298f7353d5cada3962f816b62c9871d2974c7ef1ec3618

SHA512
c899efdaddf9e0de0f0d808daa07e807d8d8b6c0b647f786d5d763b65a0ef06fe0d3e4a6bb1bea8a987b087e332687db1ad509ab3a467163172253977a7a6efc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
90d4d912bd71a0dd7c0846a788386eab

SHA1
12f3ae3ebfa0b8002457cd581879703128eeb9be

SHA256
a6ee87e111fc6586d287ffc4ff6d05adda1d57521feb37ce01929acb5d703f44

SHA512
41645db3d3adef06ec8a7d5c2806d339a613763c01e3972a25126d3511e8c78ebda1ad57bcb58cbe82d09d7db3363e7b1b729060e5d47a1f7438930662df3370

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
42adbceb388c3b82cfd9dc53a018779c

SHA1
3b7321d5a60859e6c69c31867e5aee8aee684833

SHA256
ee60ccc8ca2c44ec7fce5fe830658d1f13ce9ff56ac300238eddf29ce19daac1

SHA512
b385d8c917d7b98ded2a82a90e455dd27664b6d12a30a0ed6baa1a3d04ebbff1527d213535600b1757b268eed61579638cd0520b8d765c0a8a907a346982caf5

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
3dbdff441dcf340ddac14a6c07a21ed3

SHA1
3369ba9b758df9f323b5b3504a94b6aeb2380ba3

SHA256
4c09df3def09e5b2625aedc78e3eea0d68e9958d05738c0ee36ac51e5e4f1b33

SHA512
9e9474b195a6e7eb1ed2235b9aa8ab8f82e8c61fc71400b1fac988a6b501c285f8a25210ddb7478dcbbef9ffc2aa3698695dae258e2c74f0febf3c1963121bc9

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b0ae5f0d7be9158143c4da4a2550c848

SHA1
12b8f385d183cb851bd944c459563f19f8dcd2e2

SHA256
06818299a64a37ecf3f81efc10fc3ac33222fb52f1d17ac12ec9239c10816f53

SHA512
b0a752dab6950e4bb813c0c4c7350ec337e291dd83474e1530b8fb2064415d548b1038e88780eda20a9ac70f86a0a6d344ff81a17883ecfe3c43477347bfb3e2

Download Submit
memory/1188-213-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1608-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1788-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1952-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1952-400-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2112-233-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2112-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2320-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2336-151-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2336-157-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2336-209-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3288-684-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3288-232-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3312-208-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3312-141-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3312-147-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3336-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3336-680-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3736-210-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3736-164-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3736-169-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3788-211-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4088-84-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4088-401-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4088-91-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4088-90-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4088-92-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4124-683-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4124-220-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4160-231-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4456-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-101-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4480-109-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4480-107-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4480-678-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4488-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4488-679-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4488-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4488-121-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4560-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-100-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4640-123-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4640-130-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4640-136-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4640-124-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4640-134-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4676-217-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4972-216-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5032-508-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5032-8-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/5032-1-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/5032-219-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/5032-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download