4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
Size

1.8MB
MD5

6341bf66568f521cb9a7ebd4338c1d8e
SHA1

bc4c5d9520609d06883fe9311c280def90e45d9e
SHA256

4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f
SHA512

0334f5b4e9e2b255ab47775d9643230aad2f4595a155d83526720c71daa30de97b26c1d448493adbea0807fd5568ffe4112c0089ad0536b5ce5e01041766a8fe
SSDEEP

49152:NKJ0WR7AFPyyiSruXKpk3WFDL9zxnSx+pFzz+/2fNR:NKlBAFPydSS6W6X9ln0+pFtFR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3908	alg.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
5104	fxssvc.exe
4552	elevation_service.exe
2412	elevation_service.exe
3496	maintenanceservice.exe
5012	msdtc.exe
4232	OSE.EXE
3376	PerceptionSimulationService.exe
3576	perfhost.exe
4640	locator.exe
2792	SensorDataService.exe
4740	snmptrap.exe
4196	spectrum.exe
4440	ssh-agent.exe
4372	TieringEngineService.exe
4844	AgentService.exe
4992	vds.exe
2740	vssvc.exe
1120	wbengine.exe
3216	WmiApSrv.exe
608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\65f6fdc6e703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\System32\vds.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\locator.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4834.tmp\psmachine.dll	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4834.tmp\goopdateres_ca.dll	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4834.tmp\goopdateres_ar.dll	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4834.tmp\goopdateres_zh-CN.dll	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4834.tmp\goopdateres_pt-PT.dll	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008baab96e00aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a27807100aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005221b06e00aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001396117200aeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3756	4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
Token: SeAuditPrivilege	5104	fxssvc.exe
Token: SeRestorePrivilege	4372	TieringEngineService.exe
Token: SeManageVolumePrivilege	4372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4844	AgentService.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeBackupPrivilege	1120	wbengine.exe
Token: SeRestorePrivilege	1120	wbengine.exe
Token: SeSecurityPrivilege	1120	wbengine.exe
Token: 33	608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeDebugPrivilege	3908	alg.exe
Token: SeDebugPrivilege	3908	alg.exe
Token: SeDebugPrivilege	3908	alg.exe
Token: SeDebugPrivilege	3208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 608 wrote to memory of 2748	608	SearchIndexer.exe	SearchProtocolHost.exe
PID 608 wrote to memory of 2748	608	SearchIndexer.exe	SearchProtocolHost.exe
PID 608 wrote to memory of 1700	608	SearchIndexer.exe	SearchFilterHost.exe
PID 608 wrote to memory of 1700	608	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe
"C:\Users\Admin\AppData\Local\Temp\4f71c98b05a21ddd5b055238c4c9e2b071afc58261f8da3640dccc75f7a4ef9f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5012

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4196

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2748
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
07d3b853d1e5a841bafde8372bb6b1ca

SHA1
da97242ed80a49b38785b9fbb40cfd7ac134e32d

SHA256
bc80ef48fd4fa35a73a2ffc88f3b6314bbb34fa15e7de58f9164882738ee3b18

SHA512
0ea7de049d4a1f8e55cf173a85c1aca3d2d5dc842f42c60273f04ab447a8b233866257be3e236ce2374ba62304ed09e721fb30b269d19b1bc8df5ca6cd74ecee

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
56fb124ea28a60b215f45258036c5c98

SHA1
951a1f89d87b48740fc2540cce64ee11131e0966

SHA256
8484a5f667763219267b311fa41836454205299e3c34d2e5dc4f5f904d217e81

SHA512
1062bdbb5349a6ed98010668a2bb1909dccb10114509b2721ae65154130bb3f6ee31e4f32ff342a842d785e1e6bd5cbf67aaea188c7b6518f54948f71c965111

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
61cf0eb8ee82b29addc87ead076fd266

SHA1
6f51a8eeee03cbe15a5f7ee00abeb2a32783b528

SHA256
84de145e7bd12a707b2fc8547d9aea18926c610b2ca36edd25c826040780e21b

SHA512
b707013300a6f50662f6349d0de946e30908a6e194869f016554a3f460353d1f7a4a02206fafaf3e7bedfe108a286f7b783fb509cdb86cb7bfacb061063abe0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9054165ce30ec447c7299474cff65069

SHA1
e09895b218dadaf5cd12604e6a7f92601231b0fc

SHA256
24f0d3e5a5cd2b58a002ab64b192fa23e183967dac60a807b8e16158c08108f1

SHA512
7a8959dd8aaeb97960fbee361fec4b632685066602bfa5da1fe798fa2b51227ba725d5ec045f8ea52da8d3c48dbd1c606a1b68ee13d03cc67f0c5fc7ad4b9c6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
081869369237993c0a4c2d5677859e67

SHA1
f2ed813fc3c494004dd411528e9ee00da18055ab

SHA256
65647819ec518988a0993ee46e9a535557cfd47906423f30ccf91ca893938839

SHA512
8baeea65537995e8364d332b09edd2704f5cf16a8f1408826245b345fb956eb02a1a8666dd7b5ad7041bc6f0b9e10a781f142f554f47a4b88af8e8214ff8dd05

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
de4f69e9e459e1ca1dfb6fc982417947

SHA1
728a83800d947c72fca95c774723266eb42eb87b

SHA256
c846796fa5e96477cbf975b386bc20310fad693a2eb7e8c27fde18a792fffaa6

SHA512
872f6f4b89cbdf1fe70433f3edef8e18389e641679db330479caaa59eea27c6b0addbb28e52655f2ff96bce51532797eb11089db3c654c817779c5e8567acc1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
880c01094d5dcdee53ad4b12f4bccaa3

SHA1
5c463f0a1161687c67f7065cf9b2a31bb5c9f7e1

SHA256
b90b28d323a01a6fd8c6e1fe14bf56cabb36560a4d3103d0239ad8af3a794a99

SHA512
2643b7e4a550dff17d5d278dc200575e8990893d682c80e247601702f044f55fa93803a93ba0d5be3170d2bbbf46d11ef6537c3235fcd76b7c36d2e61eddb661

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
af1ae528af86b4d465c8b6e7446e6e79

SHA1
57742b5b7b4758f0fbc88e588cb02877d3eb2159

SHA256
ffb7c609c537a1d6ee8056d536d6c70a3afd8074f2092752528711c6479e7d80

SHA512
5d8f8bff583d100264b39b211a42f44ddfcd76a950140f90795abea0b8fb006e95076551a32c44980b5388d1745d7685f81b32e069f2ce571d558d8e6f4e7d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8bdb0630d2e8aefa6a22b2baa013f2eb

SHA1
58f81ec4914ce2f0bf3482dc39c7d818ea68963d

SHA256
6321155c8eccfb38fb149cc3673bcc0c4f249424a56f4bc73a43c5acb1b4f7f4

SHA512
32d8c619c944507a821a0b5a1c4f5a17dc60e42ba10d6995835e7d6edfa7e8595a99324709d39bbc46e686683e15909b1fb1608aba549cf672d8cb6ceaccc91a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a3a987ded448758262575a49ed578bf1

SHA1
00cb9b6ae083e9c0de798ba966df23d63fbd2386

SHA256
eacef2aa7dcb2d7a17b37fe8fb2a91a737584f009f8fba1bdabe7490648114bc

SHA512
8682b0f2cdab12a5dafae57f0804af886ff39024b344d7f7143e7d85f273570ce7e66d898c154a06ab6ff4e6ed6998ff0cee3bb5057a5a0492105121bf278e34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a0590bac87dc41c73cac79dc4965caf4

SHA1
e6d8705b804f3a20b312062d51831748333e19ed

SHA256
d5830f01cb3f9d202b5c36dddd708e700243bc40c47e8ab351a0b727dfeac877

SHA512
e146f14b8d76f5271e7c9770256a63d4ef8823c4e571a749e8df994f05657b6f2d0416c0afd1ff06e2669da9ba037f9e735f3492d6bd8a7796d77e6ee4d26c86

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6b65c37fc8448f5ec2fdd470095fb176

SHA1
5401255cc16b82a4355619d4c43108268886b9ef

SHA256
7777b7340a4d4b1cacb4a80a5fa24e21e8c828c276aba90fa89bf694c414b256

SHA512
28644ddee433b05730c6576e396f065f1c5dce78e0875d44b61ac2e43394a13282e8cfbaa5eec11f9b1ce6a9326f0468cc1e6dad5dfcead8aa5f99c86e065a64

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7f66094309e404caacfd63b196d7e1b0

SHA1
f4e71b137aae192a129bda32f5ce8c9fec6ed158

SHA256
506014ca96d456bbb26d68a0a8a5172effb4e9e4a3993ce3db0e7b4e84a04cb9

SHA512
7ee60263c13f226ae5d9cb0923accc5ac313a300b5b604ddffc7a775e4b5c2f415778730a6dc2919318ed4400cbef3d8ce5c53bc74265bb141df1cb48c61b191

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4974ba759af6ffe94aa7cc4656b530b4

SHA1
b8c9e4259179959dc72cf305f4bb7c676c2fdd43

SHA256
05e1b55d524a8e2a8a9cd43ae3a8a27f6b8c44e04838f72ab3a8081ad4610af9

SHA512
391b2eb6dcbe5405aa91ced9407e24be9d7a267c08698b11da4131574cf7a206d221441acebc502214739986351f0f22f1a0b15c8d36f115e5603a99059fce95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d5227edea2591f3543bd575335206d1

SHA1
e452a48fcf7f647f83832d3cc90c809cf4bbe26b

SHA256
154495eca6cc26853edfcf2e198da1999fce4199050e96aa117eae6435807e86

SHA512
12be231c65076cfea459a1ce9a15b4fd053db79e098d2fb41a735794cf3b995b1b298f6ec8f7595f1e995ef3b0cb0de7c1e2f4ee3201d3d7673ec71e9cd018db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
84f2f4a182a618873a1c976ea83f8368

SHA1
4b79e63ad7afed9e9da96ec6d12e8956dbacc2e4

SHA256
a3894045b6e01f9a8e47db57511c54603f36723cc47a0a9cb58dbc686cf72dc4

SHA512
a2513bcb8dc1506866260e362cb0e2b5cb72eb84e54499166b8799bd65782083a6d484a76576de62168bfede1b88daf701833336a7acb4b9d026057e8c1d68ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8a1ee11d9eb64ceef466048f2ee81c07

SHA1
85a797343a11518159aeaf377eceef16f0a22767

SHA256
582c3c2255bb9def4f792b79026241230149313748710d4eab4598c39e8cffb1

SHA512
14de78118cc1ea742e3c65cca58e6fcc6a0dbf67176a1f98461d87233e115d1ba8123c2f7d2f65c75f23616907197b66b268b6d5c38b1e77d47c0fa3c7a9c57b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9f005940eae53acd1233f3f0b080d9f4

SHA1
ef8f0ef8c4209411f0f187e0a2b5a47d41dd1d8d

SHA256
0f7ae3d304440a59c6cca1d1c2674bccce38bc1c6ae3e9e79bcf585282d9ee21

SHA512
2fa9e5de01744050db2bd3b9ba0de189104b290ee12e81a93457ec7e151fc3659c5c60a4df1a0ce77eeadea04045bcf2368c5745fec071fca49859b5043d0d4d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
78552fb5cec81e20fe24e7bc1d091edc

SHA1
6585761d28aeb276a3de957173a9b927595b591b

SHA256
a0141b6cc1ee8b086fd3ef5be9ec6a91702a5528b6644345f76bbb5af1dca684

SHA512
74cf2015b49be5f31733c8db83ba4ea680a5be0c1aaa215a8243d2c0ba55e8c39df00adedfc21289f25b86b02b31b533518652a2b45f146dbac6742ce8f50ba4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a0b43b82ea6529076b24d1182a47426c

SHA1
cbdb23ba68d57669d6b97670d3225c1a593022b6

SHA256
35f3c3b0af461272b2fa1bc78a428f7264a401f987deb2ea12027f98ab8dd48d

SHA512
1efa6807514eefc80d4f21922d28a5fcd97e65082e4c9b66724083a81ec89871d088363b62aff6b4c4124952533ea867c643ab948df871b56c87fb3d3566613c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d9ea8097d9972baa04c9f2dab079a93d

SHA1
77579b8655d5756a1e065ca0a19cb7f06a8dd81a

SHA256
7fe11e61d1a2ad0107e7a61061d6222237ff7b6f31fef48515d8d8cb01421691

SHA512
a466606a1c25c0ffe7b35a35b5eb02104536bd1049cb95263ea35b20c5fd5864fdbc107a42742772c6dcb50e390a023e01e6a8513ae9295962f47a4816de5505

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
61b0b55f41fd0306be2359e92185ef95

SHA1
a495eb7881a37a1832ea9a937dfad29c90f8627f

SHA256
d73f9d79cc7de78778453e56ab697b0dfa5d0a5f90b91ed14c577de00b423a34

SHA512
215736ce7b49f4dedee31c374f5d954c3237a91a167dc99e721c6ba9998754153d0e29a89e09b0ffa9c32fbcc3d87c7c2b97b4790b3d7a1fa57eb6e7a36b766c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5f818ff2a17a7e18f994b749be40557d

SHA1
2ec6dd5755611e68d21af33a8a802dfa39e31a93

SHA256
7e7a521e9bb9bdb289197ecda49d2d9aad71bd02abda1d262ed52ef4f294c9cc

SHA512
7490406f2c89dfbf332ea3a788092f67e7fbfb89547faac41db87cd20c4967a9e97bf84da8583538c2ecc6bc71e9a89a30915a752e8c1e1103a9b3011784ec13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7ef065241f1764028ee38e9e790a5c22

SHA1
e1c5cd32e76e08954b4695cb3fa42aaeb9391e9d

SHA256
1d1f52006e5bc56bdd3ee4300df1e0cf652575b529ff439d0ee7778695ee0469

SHA512
7d6e891b01274cbf825c41bc81e19a2f69ac29c9454d7951f2221d448464dba270ab6bca0ff7e0626ea4c3c1814c2c710d0128e0247c077970019202ea74c84f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a1bc6fdcd1b1b7763dd75dce6df205e2

SHA1
cbede4900bb656240de09c886629e8ebec9244f8

SHA256
be2e258932d6c4a475a51a93b2b63ce11c7368dedba605eac401e78aba6e0396

SHA512
3caa862943c2a3e20caa2da36da6efa68dd5fee6e0203de77d54a21862597ffd5b92cdb8757da8b0fd11549e27e5e58de3d84fe65447fdd2e19b07d657a9d96b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
daebca2cfb3339d5b68259037fff21ee

SHA1
f9272aace123a08070806bb30ed885852af6ed62

SHA256
52b081b8c2986f09b1a52012fd4cf75287353aeb5546c9ed17e6e8f6cb8ea250

SHA512
6a105646a6b2059cdb3d36b271611cae9ab2ee33ea6b815bbda24529abae1ba82935801bd058c28725ee7589b5385ac82d61a45ae29210a61ca7e73c0e8bb451

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
51d23d90770e29cb1c5a5bcc7058f34d

SHA1
d67ce1d44d9b7e33c620d6d57b2408cb3866903d

SHA256
477d46e623bc5c8a72da73a10893d75166b4d3742efce1c0070ad069ed335a3e

SHA512
caeabb39391f885f36a7f366a57ee8e0910a075346e0d1edca9dcdbbea97691a46d81dcf2f36096436c17d75d4e56802229ff4c9929e0bdb4fc15ceebf5da021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e60e3108a8e7542644ee8bfeaae8ea01

SHA1
aeb24cd0c14262f13cb57a54c906d6689f3aae24

SHA256
16f212b61c47b80ca834816fba2617122e5a853dcb1baff7329acc856701d6d5

SHA512
0448c3d062208fe4004750ceb6a3bca0d829f6e684eb57efdbf5a3b7f311f9e8760e1f34dc0bd68956ade486ab7dcc3d0d440fb90eead2ce86d3908a5c638461

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
db25b811915b213ca3c2ae16782a6a60

SHA1
bb8abf82e09599e13ad801b632f225e25ce767d4

SHA256
fe80fa3d20e0f1d703bb10ce177e148d4fd7aa4fd692f94c3bdb79124e3072af

SHA512
51555f061c853f22027238f40d2051e8cf835564a6bb33e14feefc141a5392551d2d7d2d2eabb4f84f2c7963596b07e0a4112bb9bbd0ebd4eae4e211a4f20799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e64ef07d5c7601c90b34c5f9db273850

SHA1
4866ded064f84f0f521fa606886c1b7aba53d76a

SHA256
5cd70fd9b3bae616a05eeb389df118fc6a1c991d0f60e4d7671739839aeaf85f

SHA512
0e567717653fccff689fa79d2a06c676e37e552d3dc35151e1a48e0aad851641ad2d7ac01ecb3d10323c3bd6610ce08f8731dd6d5f358310dc96599aad60793f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2c2a44608a27129f3d3357e23f75f6a1

SHA1
7c673e81b9fd36206d1d5b2330e5601ed4a394d4

SHA256
c58505adf44628cb22499ddfa38bdef97c96d3513cbdbd3da1838f08fd871817

SHA512
18215a25d3e0a14d7ca90717295df14b80c2dd4e660fafef8473e6cc3518bc72c7e7abe40d9d8bc356dfcae5a1808956537bd9c04b827bcc3edfc0f57c07287b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7534715946607521ec4f543568cb0f6e

SHA1
69b7ea175bca1ba7a44fb4a28e1c92e46c6ba08c

SHA256
c614b4cc09c0e1cdb45f4c7a810a62e918a458f85bc19b1aa6896265fda6298e

SHA512
9826b9734abe49626e9e33409d460733e29b4ed95d675355c82f86d26e48bbf1cf73faa54b8e311d6d5b121eacf794a3c4eed5389253ea7a131748b0e0dccaab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
be108ec1209f41eaf2b6169461216d33

SHA1
c97edd99563d43add5fb099efbb407ea94878733

SHA256
7d7ca57accb98055a25259cf15f385e36638902a3d3845b9f28bfa088cb85b3f

SHA512
b86769e37eb3fae237f7970fdf973bc5d5836b2db5526c218f3496f9cae64265ba55bb1a4b58252f5e5ee23900a94f29324572164353c4e7687f4dc0a55eae5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bc792f0fd8d2ec9a5965c1198bf8b075

SHA1
aa4e312653db95fa4bb3228c60f50f4b0943dfff

SHA256
b2e6dad5921a57ea24df4ddf9a1769709c26c75ec9db18a37d9a2bc41f4b25c1

SHA512
c9629e29c548185316946bde807c01927d9189f9945b9f5c18fe11e89aa9d95d087a28f766c4efe4c425fa864b05412db6bdfc68031a4b97967412b840730591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
ac578139b47293c75f034ac728bd8a34

SHA1
8e423bf205905138fc30458d1e7e9a50bf546e2e

SHA256
42b7353577ba026e7499500625b9e87843daf6c231a929b361b44f7f8c9bb783

SHA512
c010b5dd0003ad3cfac53d85a2cda70e67d446b11b519ffcfc97274759c67464d47d6b76ce33502a1ba2f3b396c2107ca1434a464db4039ded1cca67f0982b8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e3450ca79cd4097279cc0f4a358f06b2

SHA1
e8e2f570969bc205f8effe340a5abf5b37e2f26c

SHA256
1ba47aed2c04edbf323c2284b66b0e2688e53ab6767b4eae7952a8613496c93b

SHA512
93d125e93ee36d8a90629bd77fd8d0488b46047144e4f6a62238c7e999dc9a67a7180a24664634184a027d4503a5e73e5ae95f6ee38eaadf48e7d00a547867e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
fa458213542d9a887510e28f52dcbf0d

SHA1
4d2fc6dbc8b866bc9a5b438d508c846e10a4a3d0

SHA256
3cc7bc31f6741451b0bf467f5c2369856cec859ff87558e66ba019d8afd56009

SHA512
8780b0a32190f4e3d5416174d7c4964f2638c9e8cbcba8bb3fe613e39b8d73dc9cbd020b2d8b2e3ed5191b811d3d6272c6b815d4c05cff61099b81933cacd2c8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
23bd36aeaa48706ef12538538a150ce6

SHA1
b83306a862cf3b62697d3afddfccd742db1d137b

SHA256
20e1c14c93c0d4916ce6ec4fd8c33e94c93a1b8ec7c2daf37733ec71937e4174

SHA512
0c04048c34d5b6232ba0f6cf0a19387693b7eb20526e260a97db5586642bb7446168ee610eba8775d6bdddacd1ab41a61dadc8b32ad2f8d3d598e9b11ab345ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d97a7a1644c3af8bee481f4eb2a9c90b

SHA1
a0b0e6fe7aaef6e96fd870c81c1bb19c2f5e0740

SHA256
437b09f18385e57d9053395765f65e77848fea7eb9deea54b33b2c50528b600a

SHA512
4e9f08e5d266a95c59c45f809d7e9a44a617d020e73c8154d9d5699cc67700007544faaeeecfd075c4a9f569e478aa34d71dd7cab0929d27ad2830805c1b7b99

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bf37adc45d9650baa0f62c98e70ac4d9

SHA1
333a19dc746275eeed476df68de322088d7781e3

SHA256
e0a069aff9f31a77c6c30928173c835097a2d236246e684c113c78fe6fa20090

SHA512
fc73c77ad38d38b40fbe5c4ab72a5d783f687e6769ab91268edf154bcc6f8db46049440934547c50f623afc29c8d030434d4de57b97035b7b6929a9eda30faa1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e33c509bc0c1b48b5d15345168574ff5

SHA1
30a6b5a9e1dded33e0338c22b08815a2088bc730

SHA256
d36558c4e1afe73b49c96c7c9ee3ea8b80457d4ffc1c16b3f444842444da9bc5

SHA512
2a835e177a49bb253c8c185a9e0f6a6a1deef95b24503c9ba3487d346b99a4a638a5f64946a1e7ad631c058f2f947e799adde9003209e14931ef4dd2365009c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5b7b8c4719cdaf0b60826ad3713f4168

SHA1
bad3eb06398732c2ff4741491e879485d5050bf9

SHA256
cbd6d901dbaea6a39da909f5192185bcb242f6cdcdb55811f8f87c7b4b8b608c

SHA512
84c9cef5cdc3a818b6a5c2d62648161add1bd821b5db8591979c37200e33541171175c4fd6a55df720d646c8bc6b696f3b0f93b5c6c8ac224fc17e1526e8f931

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b9bdbd612338a1c8846e406ede9b6b3d

SHA1
4a7c570537728ecfe3074121302e08ebab7812c4

SHA256
2aec4b80b30901f72c8534fc5448fb6e9b9119d7486afee3702399a16146d4dd

SHA512
3ca610bd91abf2fc864a7f926f1c913b40f0cbd1d18235101302d742af3638858437417d39229c2c32d367a0ecca3be175c959b4c038ac381dc1efe22cae4b02

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f17371a380d30227bb34955e786308cc

SHA1
c2f3fb90511b06497055b7d5fe8c2fa84e72df16

SHA256
d76ad89f2dcd907199155ce09a14cf6ab575d49c4d38e7508ab6165639ae4f69

SHA512
af6bd391b3296facfaa940828521eea99e0dd7eb2fa309f1e1762167558953b0a6beb715fafada3968b7132e07a1c90f5d8f91121912ee6843eaa02cf550dc4e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d511ce700acce85908b95d5363c0bcfa

SHA1
d52c260710f89d5257a2f3407420bb1290a2d127

SHA256
7e93ff844dd12f5feb7003ba6809158423b7f3b908e3b193b1a62768f139f568

SHA512
d543dc47efbfe181a3d912ecf7b25bbd4a0a2b2ed05b2a083dc1f19abbb6516266c9bfdf50f1117a15e497f4ed3f5e945609e43905db1d4d72efbf9db4ca6823

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8ebc39ca73303e0c7396b2482a7b7308

SHA1
e9a9b37a5da4e5430b57836bd584bf830d0e210d

SHA256
a84ef87882b60b9ef371bf2dd8203cc51de320588a816157f59a4f8a324331c7

SHA512
13557286ced789da551e8942bacca254a029721d4309859aa244973431bea9572c59ac7a5812fbd35fb28fc47180df8c868dc30aacd9f240e6c6bb6f63d697af

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d4a02e65bf4fb254ab6bcc27cd582d2

SHA1
38438a129a20fe97b49eae474d2145c941dee1b0

SHA256
71e659a092b2c36065fa756348840a9b4be2eabcf99dbd139c43d4bc6a94a4a8

SHA512
d6574f54f41a23d3328b0a75de0e31ff5896f2a97b6d0ed4225654b5ff737ff1b85b08f3867286e7f185c616924306f1ba3760613ce308ed927b12acda16217b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b3dd0bbe240c87ed0f4da581505880b1

SHA1
7f11edd75f8caeea7174127b41dcd87d6f284666

SHA256
d259e2be35e5ba41d0db53628107257bb34692009bd742b2e430db0a1c5fa712

SHA512
3ccd90f5e4062e437ab1c798fe5db38aa42744a1f47fa7a49c1876298a5ac14f661e05aafea8f2354649789efbaf16f38206f5690551997f9af7b504a7f1725a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
54724083e6c5c9e96145a9278def53b5

SHA1
0b145a0284b790478104210c40b18297d22b74a4

SHA256
77f247f6c1ce7394901e5d73697f7564ca2a6d93acfa56561e7783ba8f8c2f00

SHA512
47d618776ba635f8e96883a13daf594515b864c232c5680826efeae46847ea7a94f0f2b97d8e93156d146513903e09fc883194d229464cbe88247392ffeb348c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2159e5def45508db8f9762fb9f0e61a4

SHA1
124b058f328db63b05a517352b90a906c555f167

SHA256
82c520bc33bcf706706eb1b62da79b26c5aa4f5300832d5c98a12622d5491f85

SHA512
2387615f96ef0851e499019eb3452e42dc946d333902e82a1a615af5a63c8bbaa4f5f538262799fb94c9488ed34b2cf9cc014354f3f3e9b9a00f68ec852a68eb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2624430c090a37c339504bd596fc9b17

SHA1
91caa5721b5a8b95eb54327b9d8dbb4e96746c20

SHA256
93ebed57ebb8f70d46885277ce6cf861a07fb10cbac4941b44995e49418dbb3f

SHA512
9b4b2f54be8f51c889f1013ac67429176a7b3f9b372b8cd8a7d722cea20abdc9fd985fba8674f18d8eaadb6c45438adc8efa8a1640e7f1f5cd2a70b9b71ce564

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
204117eeff5acea755c7b6c07725ffa0

SHA1
13ade7948533c29b672197d79b8f3e70858363ad

SHA256
7a0c0e61d759868747fe56919450bad481de05ffdc6e8a1c234a10e601020b38

SHA512
a154d5e7575f81ed9b8edcbb729fea0e920e16db7210038bfcf6154aebbcd8394eacc8b58bafddf676a3ec009123681cdcae66ddce10c8db58a8b40591718d1a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e942a00172844f1170ff3738a13722c8

SHA1
d6b5c7e8ecfcd8b5606acc712983112a46ab240c

SHA256
ff0746607d770238664f5fcbc288b79922fa6609696787c9dafbbeea127a7503

SHA512
fa646f8f1a81951a611305fd19377d294ddea2523219de4faa7842706f43d39030f82ee47bc143a7754e0887f1da9787a334dc271ca6faf5de6ed19d95c77810

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ec7b3c1a9077d8c57ba2af2164be4c4d

SHA1
563781f46b9fbcad1f5810b66aeaa2515f40e725

SHA256
afaa08c1f2fee1f51ca3c1903547ffdbc041dd7bc636c1bcc4d3a4d656457c62

SHA512
8ed49ad3d70c10fd12a2a483b9cdf30f4dbfadda161e00c0dc76f80b0d40b0ebde6ed2db45a1e4bf4b972ed0b393ec006ca1c4e035665398de12d1c13f4b4f6f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f9231779c31ed8650e1f96a3d4e3e3c6

SHA1
065d80b28d3a26c0d2e983bdb63d888f0dec5a62

SHA256
0fddb8940263c9b61b90529e47d3e7c00330d653089bb3110cdf1890c1e4cc1a

SHA512
6f79d0b15eec902b63e3a8431c6d47696761c2f54e163107341c4b2af20d2b53f8b35f8d0d66d519d7b5058222cd724e08bb84a73813024883138a845c0799cd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
818e80067d7280658f732346bc4099ae

SHA1
966d5fa983b896197228fd98e010604eefebdbdb

SHA256
7b52a2a2364855e5f161172de0dfe0bd703d259df12f492188e1d01b2f3c98b9

SHA512
5f6ffef9db38b10e1db491e2f63874599bffcab7d6e2003a851ac4828189cd021997103de6245b992b1a0b0549cb4bbf4ee3c3727c7347be04373842ffbe010f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1569d63ff3d15cc1084aa0fee628e9a8

SHA1
345211ac1449d317b055cab51c022df947a870c7

SHA256
faaf0b568d9d02eb5f6c33e22e8cdf697ab1ea258f9997cca11d1c1ea1ebe56d

SHA512
480c588c05ee0cb60ca65587c1e7205d3ed50ac2a2dc818a45ad35a5839068cbd42be5ba2242f9d16ddea285f41903763bddec54f3846f89b8ec1d9621337508

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
835784177c774d35ba0c324fdea17008

SHA1
0da36620a4a93d60e41bd784e62701aaec1c4f25

SHA256
8dbe8437ef48effb51cf7c29d4dcb68ebc0843f5e6128fb64aa4e47b2349f8b0

SHA512
18dbf32b589a6b6290c9ded5641c6ca096ed9ec83ada7ff6a6fefe03a1198898a3d21ee9e3ea67cfb456109e1557afb382457d5a1b7255c095421a52a40baeab

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f5ea09cab22de582bd8f22c800176b75

SHA1
a78e0c95e90d7c3f17add5d81228f709624e3323

SHA256
f8f0f77d952c4e9dc4888c42286e695367181274dfa4e0ff1585eb5d0e9f7c9f

SHA512
76b593d9478c21649e0d9daebb1a3031c602fbac433ba1579deb53edba205e989f4c820ee060d6c1b3f5b3bc5cfcda12d8c2bac21c002f6f43d2050366c7e0de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
beb7325088f174e13e16df10594ef6f9

SHA1
7054c648ccce5e6d0118138866dadcc8e2f9ea7e

SHA256
ff534330714a789add6e8c8e2d28cfaa5af8b1e99f42b3b48219ff0324153d1e

SHA512
413cee072fb0b3bdb5243ad0b0e5da85cffd171a480c049be047d96c5217ccda2591473fd8e13247406a008e8253ebb6cada8c3ef92967d9f860285492f549ff

Download Submit
memory/608-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/608-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1120-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2412-681-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2412-319-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2412-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2412-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2740-682-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2740-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2792-630-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2792-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-103-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3208-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3208-102-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3216-683-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3216-333-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3376-322-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3496-151-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/3496-141-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/3496-147-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/3496-153-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3576-323-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3756-578-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3756-0-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/3756-7-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/3756-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/3756-5-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3908-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3908-55-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3908-676-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3908-30-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4196-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-321-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4372-329-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4440-328-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4552-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4552-126-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4552-120-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4552-680-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4640-324-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4740-326-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4844-264-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5012-155-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5012-320-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5104-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5104-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5104-111-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5104-105-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5104-118-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download