a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
Size

1010KB
MD5

0210903aeeea2a78e792874eafc4cec0
SHA1

8f3bdda70aac230e55e2a769a7fd89bb612b081a
SHA256

a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c
SHA512

a1acca46b2a8fd7c4b04ea2af6a61ad52715478eab1ef8c007f692f1b7223a28b40fdc63a48ffa3e9ab7d4fd5141a6c0806eb3b7fc40d6ab044ce7e963eb2c95
SSDEEP

24576:EEpQQJvKPzvYZHTHy7wX7bHsMQ4/O6yMLprOInyT/Swl8Mi9:1KPzvoS7wXvYMLprznyDSga9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4532	alg.exe
540	DiagnosticsHub.StandardCollector.Service.exe
4032	fxssvc.exe
1924	elevation_service.exe
3700	elevation_service.exe
3548	maintenanceservice.exe
4760	msdtc.exe
2664	OSE.EXE
4208	PerceptionSimulationService.exe
3728	perfhost.exe
1692	locator.exe
2620	SensorDataService.exe
4188	snmptrap.exe
2228	spectrum.exe
3360	ssh-agent.exe
2428	TieringEngineService.exe
3440	AgentService.exe
4420	vds.exe
1800	vssvc.exe
532	wbengine.exe
3696	WmiApSrv.exe
4984	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\System32\vds.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1089aeb28beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\locator.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4ee3bf886b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000835b0bf986b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4aa54f786b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b6ab6f786b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbccb8f786b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000734752f786b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024a6b1f786b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c67f4f786b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
540	DiagnosticsHub.StandardCollector.Service.exe
1924	elevation_service.exe
1924	elevation_service.exe
1924	elevation_service.exe
1924	elevation_service.exe
1924	elevation_service.exe
1924	elevation_service.exe
1924	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4108	a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
Token: SeAuditPrivilege	4032	fxssvc.exe
Token: SeRestorePrivilege	2428	TieringEngineService.exe
Token: SeManageVolumePrivilege	2428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3440	AgentService.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeBackupPrivilege	532	wbengine.exe
Token: SeRestorePrivilege	532	wbengine.exe
Token: SeSecurityPrivilege	532	wbengine.exe
Token: 33	4984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeDebugPrivilege	540	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1924	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4592	4984	SearchIndexer.exe	111
PID 4984 wrote to memory of 4592	4984	SearchIndexer.exe	111
PID 4984 wrote to memory of 5020	4984	SearchIndexer.exe	112
PID 4984 wrote to memory of 5020	4984	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe
"C:\Users\Admin\AppData\Local\Temp\a2ac58ea6178c6bfbf2fa5e2bb49ffe7808a33d0e55ba2fa81229eb8d4ecae5c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4372

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3700

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2228

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
425f5ea936d4d40371266e87fc1ca6de

SHA1
ce99a54a17ca0fd211697793794f326adf8185e0

SHA256
36f130074fa1dc36ed9ca4b78b88d0263472fe1716e45d051a788afb480b46c7

SHA512
7ca1f1e4be3f0a64a7b35b564e1f66b872203b1a35a931224e3f64e1a157cadc262baf9b174108e7549c7c9536c194c9c507a7da899ea98b9d5f35c55ea522bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
52e9ba1239dc7a17358d1d2abf1da44a

SHA1
579663513c842e1ce2af4ead413ea7f8234ef3c3

SHA256
112e258af6baab57f6f6b9d792ecd3c21d4f36f3c1d5f73b330875d70904ff1e

SHA512
74496cce87945d909d95a8f217ba7ea634e006832477be8deb831b993b1bcc0252b52aa024128f608fda29fcd270a3c4750c989e9d940105d3212207d54ccfdf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
70d9d556f35a994adec3eceb4a5b1f13

SHA1
bcf5546e21918d5eb79e675bf3c88f578b06f30f

SHA256
8b9676ea7b82f7788ebae9d956e1bb54c68119094cd66954ee1fa0570e8a787d

SHA512
3363e2246452c3d1e3bec9322719918d10266a63fff2b3662da06d42d6ca19877459d134f53e5491643ddfb452a221ad9678d6b6d11e93996978bfe2fb04574b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bc3b1f1d674497d182918f1f36654ac6

SHA1
cfe315ea4f2072fd48c89b11b9f95fdf0e593514

SHA256
cce1f148e9d59d57e8135107a09df3cde59848614bba417ce97b9c5933cd8cfd

SHA512
be38ceef9e401c42956e508120fedff2b9925b8ee62a4a968581b48a1eabad173c62893769d72590cf61e67b024faf44cb9323ff0388ce383e6c489004a9ea61

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d6b1538e92e699bea139af7d24696f12

SHA1
7107d4e327b9136a098a4ab1f40ca1be7831df1b

SHA256
26c8c7380599e1392e59b11c906434fd41118a642f6fee36fcbc58979635bf29

SHA512
9d55da36f87725b4316fb9ae3a03af31771a1e732f0e1cda60e6747ad0117739a69c75ed17d2cb12865e8ad946fdfc65d1da63b8179bd4fe8818f7d01e119cbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ebf33f05c0abb9d6206db65bf0987a34

SHA1
834e517ce599116d9349f37b8aff5e0b021a0c0f

SHA256
6e38b4f02e121ca69f1948287ce76626be8486dd61c19dca174f5115031a6765

SHA512
9910c8b00bdd937862339e12eb46a7cdd79a9e3fb09337720d3a80f2ff8ef16bd45847e6bcf891ec5bb8ad10f565df0c282560fb9bb0739ce09b0c74d47cf7b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1cf4fe2d7a5552789c9a57f6cf9fd1da

SHA1
90ceb265560a84300581c0c4ac2351614f962fa8

SHA256
8e8cd478c2851b524b1f14c3345f21fd1384998d06c49a2e1f5eccdcd6b72d77

SHA512
d761c4ca9b8775297ecc7eb86072c35ed05f30fddba798acc972c6ecacb6e8d66b6c12dc8dfdeb8be9900c824b8122a6a7609998651b555397e0b7d94460ac43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e26883818dd13bafb78d35a5f3f935f6

SHA1
686c823636bea9ddd63eef1289fecc7b713c4785

SHA256
8964ad7ea193776fac73160a66411d5edfe9f0af3c354bfd8455d0160d417305

SHA512
7f02b73929858ec9423ade3bc2c4c5f4836896b43f176757833b18d87f99d2b962bb2b3c03b6567ccb5abebeb307e83f64d72062632daee5632da0f3342c43bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e3fcf4a87a85aa0ed232d91537a59018

SHA1
5e9b369c4ab6a7211da4a58501860ee438fbab8c

SHA256
655d9f34aedbfb3b099749d4772473128f47fd5c60b5c9fd7c01b85b74cf2fe1

SHA512
671472298ab5adcf5f3d04ffe9084f4f5dc54ff4d1718a9ee2a355df46260863314e03c57c4af0a7d5484f921790c6923bb0105bd6d28807e63c1ef31a1b673e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d01de5aab3f5d3c54c17c01c0794945a

SHA1
e6d66877cb9aeb78e66f0c08cf7b5866748c1f21

SHA256
34fb3a61a9e0ec88e6f70502a5a2ed2ea48e6b1ef9e9c9d402b86ac9ef6eeb1b

SHA512
2621da02113bf9e6058101e0b3fdc2c175d22738a4ff46c54b3782a7dd7e4248c2d932b5230198f0c53aa18b62f01be7d8ba3fc3fb89f4824fbb552c9e944813

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c2a1c5d5ea4c0662c92b29672208363d

SHA1
19217053a1a8059203f308c64ea2d51609494c3e

SHA256
25508d807eac87f19bd2da6d15a0cebc0e7d50b4f6da052380cbf4009e119e04

SHA512
197fd654270609cb3eaa59b6b1d27d398e68de5fdf721d8b30981f8b384c7308ad78d82079f721da288aa5dfc53e6457ca4123718c144ac97e3af1dc5390e95b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8128ab80c6f40bde1403cdd9053f6485

SHA1
9695d1c2e14405bfde035593bcf045fd6e9f9eca

SHA256
03c41447e7c9a83a5eb05d525bd2d2752d3b7f25a2867af256ac794f891c8a3d

SHA512
ee6e2bddc5a3abdbe42d66a36dec030fe2000e249282052b1124a6b49933851fe2cbf60a7c3d159f01f72b408a4a0440910d43dc2a4dd402409e6b9d387bcf04

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bf2037ce890ac35f467bf5f04d82aee2

SHA1
52f14273cda5338c1eda3b13f7531232a72d131d

SHA256
3de4e01036f5e39c9344f19187eddcfa367247c22308905f6045638ad14db04e

SHA512
aee1663581a4c45e9b583318f1c8b9ae63904715095b4b4608a91a7a1c39eae2a30d8f7a8f9ab773e20d6e4525e3c1b73c3c64674a8b016f7932cea866e3bf06

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
49e64093c1a04faeb87be71c338b1c3b

SHA1
557baf1a1bf16a379f6f91d98b04068a4ed17612

SHA256
bb0927f4f5975a1d3ee7a1e7732104bcee0d693ec9fbe67981e0343e5335f71a

SHA512
6b159d6c2d5beeb42b18dcbdccbad1c405b0d9f4a7a9a189bd90c35a7b2e8069002896c0bb084f08e69cb28809dd3a0124945e52330615bed2d24126a2aada84

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
43e1f1fc88d8fe1ec0d1d6029111ad96

SHA1
732cb99ef0876d06bbe876ded16fd87f21d85a27

SHA256
85f72be28ecd9e8df91160de9343df218ffe8cf95ae18f179f0a22fad6ca99ad

SHA512
ed50a9dedc148b4f7b0339c02038e02fe196741e9073f1b9cf44b62dd58a027f9960c5a84185ae09bcffdf9907f33018580edd3839b3dd0da869db9373c4774d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b1f6afb4cf68ba704e412495ed903ce8

SHA1
54fc5905beab9ee410a186479c4c8ee97486baf3

SHA256
c6c4ee13c0fc658db9a0f4c58d9c07a5941476cc80a54684af851145f7ad8d59

SHA512
e9abec8c7eb713da2e293ae7ee7721115c006253f2d69c7097d736f1cb2b5cc2ead4540db097cca5933f3f5dcc8cb231591b8671d5ad50d4230e175d3748c945

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7342e9276452a16dfbb00f76e7731a80

SHA1
80668f153430b0d05f7a064eaedd61fcc83ab974

SHA256
910326768b8524e8be933edb68f9c7b4c46872d897653b748dc5fdf8726700d9

SHA512
13f47f595293a025f9b5439183b9b00beda8bf80abc3543335b19a2e5dec2ea15dbd7949100a2ff2cd046d6b2505f5aa28f0f4e9fbb8c5f966177b0ed9c0d7b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c488601b6c9784937cfeb846381acdbf

SHA1
8885ab3aaf6e1e3bc2e8ae8a7bc5565d1cc4ed78

SHA256
e530327eeba9ea3d2636a8e1fee116564310edf9f1e8dc24338f6ae45e232a4e

SHA512
7fb404ef0bd41d9e6cbe3f839cf5f39d8ff2f1971017a3f85680b65be3de51d6e5054b7e0e9f0571f85038a6170fc926c51932806d452ebbd222d423e5030506

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8be16b8aded63cecaae5b63c81b6164e

SHA1
3c0a1370e305dfe66aede9986d0162c2d240a287

SHA256
8df962a391926a0339619d07a4caf7ccf1ee48f0017d9f4e7bd51f5db044add6

SHA512
294caf010cfa78d704562ec217987824d4d1fdbb401933a5a686da42359aef6e7c554dad8c596cd7b5c68f5d5a51089c4711d9c9c756fcfcf527622f391e7208

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
837f4385bdf1453689a6e863afde3846

SHA1
e27e8583dfe8ecdb759fe57f2dbe092621b08410

SHA256
c9b8f002f35b99498c696677dfe2fd9c5649fc91e7724b8866927ff59c03bb97

SHA512
dbe712665efff211e7ad70fc731154c53c98791c90c4397fdc175ee64d254abf222f905fbc5448872d05a38556ebe0d7736c3ce77cf7b988c7b434465f480ed8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ca195390c5e7a6b639f03b4bc93b0d49

SHA1
2f6fc82aa2f42c65eb163b11eca56c9a722f0dc2

SHA256
e8608dfc3294f22eb3820e8aef3f368468d3fab8e0dab9ccae010138879ed9cc

SHA512
38ef85705930ac8d30b0a869783ef4dd205163b32dfb23628956b15e00ec172c42aa1001c07d2ec08efbe76eb80aae4454a25fc469bca1fad6316ab35693c7e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
70403b4a9a8ec3232fe125367da38bed

SHA1
704d622736e1b9f582a6b3fdcbfc4f3b71175d35

SHA256
25539b8c377013de1c4299109803b7c3c75bcbcd6c0c93d783e7cf90dcf1667d

SHA512
0c8482e1598cb5f88e9a5e19d92dd6b1cc107410c89a59d21ede1bfdb177b3cdb64cb8c91101a300418d8a33bef185f64f30002344f5211e0099fbaabbd69154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e4576d1782a3828973ffdf2ad1308c69

SHA1
f56e4c66b2388414e5c66d806999f7f3e3de70d3

SHA256
439a90a0efee2dca4246e2c30f0d56852976e07f9a2aefea84f6f1bc07c61bbd

SHA512
4e2f30fead7d8b8592c39fdb6c3b9b68464021f3d1f8be4afc84cbd4699a9b594349220c95707e980a7c88af237e3003926e4585e9a8dcdf8be948bd905348d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
764d4d0a3a163b50caae9fed736ea5ac

SHA1
090ec9f931bed55fe37fbd4738c54391287390f2

SHA256
970e9382e46e336d15d63400db16cc1433a1d9e1de14d3d299f219f756ce90f9

SHA512
6b5a82c836ebf887a8c8a9f53ad87eaccb26c8e2d3ae96552a2ead93d4b1ce5765a4f8f162a2687d9a4b134b045dc033e8792966b6678f4da3682f1a596572bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
46b481d2b813083003585486a28e487b

SHA1
bbe6726cac4c4f3a103280b6938b50b857727b3b

SHA256
6873a608ee78fe83d4b7fecda57b148cfb8412fd1ad528e1bcae6417e934792f

SHA512
9c746f4db1d735800e91e7c8f21db650c8c58543139e49b4cb213c24ba28d3bc2d7cfe889e7737573ef3d406f0a92ba5f2ac085986538fd8d1b77427f9c535d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d4b7b6446c46fddf5fed6363357410f5

SHA1
ff4a4c20bf94b8eadee897a4ed4560262799f44d

SHA256
049d8c23e524e40750b11819d9d8c349621b1f230bac61d43cc2516ee6c83e2e

SHA512
66d693929d2b3278ffd07f0ec382beeaf007710955e3dd12b64a7fe06327c96f452c948e70929304c866e70d8958f94ea8dc46f4cabb092942498bbbf4beabb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bfb6460dc753755bb5cd946792abdf1a

SHA1
fa8a456e4a882851466acc699d03463376ee2f6a

SHA256
d5e3715be73a7da38bc883db350aeb8c43fa9ec9806142e7b3d9d09acec801e4

SHA512
a14c1ce87a2e7445770cd514c9f4900ab71787fca9374c112a1e33282603801bf17543f7cb1295219b7d5f8fe506cbbc82cc91d165744253790faa6ddb7e73e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7ba528f7382186dcbed03429a38bf6a8

SHA1
647ae4f49a81d5c3979963c6f84f8cf7848b2fa0

SHA256
16ecb8386ae483df3a5832cae8d1afdaee21c6efaff12a1581885a40a805f414

SHA512
fbf8340b40c2a5b3914abb3dd32314d22932d5bd374410004f29b3c82a3dc8b24484b5abee175712b459bbe64bff23b8c8e8095603ec5cce6a1e3b9ecd0ec974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
74e667e2b3a3e91ce342ece7e8aa6c71

SHA1
31f92a9975af9ac128051b208d665f0923192cdd

SHA256
7670b5c0f9f5083a92dbf91717700a1f7af0ffc03e39e051d4aaf27cdeba5767

SHA512
8789e37847e5755792b992c6d82ed2fc902ef04c21b464e1ca448474f50407d55e7b74260bb5cf6594ea9e2665d581f377c334c35f85dc21289a160b15b77991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
800f63f4ca25d13a87f20052b54fb99d

SHA1
95cc0b050f6958958c69942944564aa6891df130

SHA256
10d077f5cb4c43a7a6b5301966bd72eafd37b6b9fc8de4f8f5dabd195dd70755

SHA512
20756073fb8f18e5bc7c660c9122ab71ee63494afca20f61b68de8963f73464de69a9792c92e09901aed3da4e8f552755ab69bbffcdd4aab39063136c0e724c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d04b8b3a7a873af768418c85ad1509d4

SHA1
c876d305ff46e566abcf40676bee13ce43f45ef0

SHA256
0ac8c21c34e12c584b763870535fde693cc84e3a70a92cb71df33aca3b89e165

SHA512
c6555538aca50d1fcd9d457993c60cac849c94208d2b3db7bc08968024140ed72898ed9104a6275c46be3357f52a03e91434acef432532f081b8833aa5cb568d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
36f05cd96415bda4be7a9ffebadf6f56

SHA1
ffc3a09c4d79703b908c991f7be7834ac35bb47f

SHA256
05b1731bb8e4892d4e08a14dfa394e1586da4a9c85cd843397f097d27b000594

SHA512
e6d736e2c6a80a222ed10d747a420f6c9221a3552c5cc8bb1d3f6985e179079432d91263d9a80578a56173ee6d51422cfa7498a5c4e8c9fe3d423c39a64fb0bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b5baa406429909b8832ee377a28b61dc

SHA1
b531b06a28b9fab7cbe8f207d932bc464bb382f6

SHA256
e4573d38bfebf3656f3493d65f32a5be0e30ca43a01177e6110bb4bf4fa38288

SHA512
5675c4d48ce76d963bf9dbdf797deab4c3cc162f48cde9cca285995bc75bd5da37ba36f8ab5f7a4efb9dc4e44afa8516e413724093b672602b776708e4554a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
98bbbf1f496bf1dbbd40e44d51c71609

SHA1
632939e3ce21fab439ec4c14c01ef2eee6968f6e

SHA256
e02c32c561856ee076a75f67cc1014e17b90e2bd7ddc267469b7bcbbfaa8eddf

SHA512
c9394d123c209a499f8a3bef9ea160fdefd03d5dae249126eb6d94f57c3c09b9b60a106c0c8b6f57d0d46f5e02fc94fb931e7b5b944ecfcfb61c71b371b3018d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3de0bc49a96421933b1c1e90ac0052f4

SHA1
d21d87d9bbf687e59dc9e4a00e14572bbf0f8781

SHA256
7a50758b6bf5e74f519e2c6db1ab306f74497cdd0b4075d566fe507baca1e9bf

SHA512
67ff758e12c73ef05fdc33380962e0105f9a86abbd3f3e11472191331f0bb021aec3a87f599d3d89a17b68e4eb1a9dc833835b78ed6b2c5fee6feabe3622ddfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
07f1c21c3d14d81b82d1a31ab4cdd8fa

SHA1
9d233a38d57008dd5849fed33e3f96dce4d301c2

SHA256
3cef2178650705117c137940dc736d2e28985bf71524a1f61a998e43e0665849

SHA512
197dab1acfa3e5f51e51017e5abef704b486b986faf8c214671493d3e41a1ead14b66b883cb6e74a4f0f1bac7b1f872b3a3fa07202e1ca2ecd6905c874da8aa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
dcb55e234991a86b9173c5861e106947

SHA1
d101a6d44d456f819dbcd491f0fcda31270aa483

SHA256
0a27f5a72eef92ffa85b55985aa61e9702c4b15a984363cfeeea7442db6f9fe3

SHA512
7b1268b8f804d2136d2d5fa1725c48c0063b4cc18583db218396edca987097dd2ebbe9812931b69ee6003b1c8ae6ff3cd8f2866ff884dbd3552db6967d64a0cd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
90ec63ee743adc88ee54d7bd8ac62d11

SHA1
7b4a56648f534adb38d220937a58dc4bcacf5906

SHA256
3341ba1a75a648c7743f9061bf490b051203f7ac4315d9320fa47ae6b949c7cb

SHA512
8abb209d9599388f4b72f04db2d5a05f87e88e67ad5c040608c39f0d5290552da287c6b6adf8eb3b1d02907410386cefdfb10fd3e1f8e6c04337a97d1ca65428

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
56a75f1d72641d58d62da4a8855e0ca9

SHA1
033751a7394207372b304c72c60cf747831a09f6

SHA256
464c6e8e89c64c91b60bcfcc1b457b478c36c75947b45e03c1e07c39483a1ef2

SHA512
86598b5c2bcfb0231020e4808f038841c8dd0413374ffa77bb6898f4aaf992556273d83c6bcda464863c7d8533aeb00cf2b54bd70f2eceb365e2f44307a29910

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
74115284516656e373e731bcebad3a24

SHA1
d3ae3867075134e41ea102399c363a9efd5f2787

SHA256
3cb63afeea3802c2e932606933d463ca343a9840fa8bf570110c515db008ace3

SHA512
ed8fa7f2e4a3fc62742690c8f621a1e14fd9a47fefe787d31d375fdda777d2447112df779e46aea67112a2418379f298c8ceda162add8c2c3da158b91c936c31

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
79722943404a23b037c5387960ccd1d9

SHA1
ba6000ec7f4f5d9790e1d90fa662014204aaa448

SHA256
1b9b4f898ac3f709ca948c4170875e3fc74c285785c7142dd2a7f46aaeb4328f

SHA512
4ded3cdd0f18661e654a0457375ef02630e6e755a473eb522b5c470c5f81059b79e6a2f8659e1e8a36799400cac6dbbc32fe7a91ab702d668f6e741edf9d46b0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
434e1f927bc4f76ca64c38a704b943fc

SHA1
fe23d7e804860c7ac1df06a60285d31aacae0d2f

SHA256
1d1cdff91ed220ae4b039577b118552dd7565cd404fe1cd7386d3f1e6300fbcf

SHA512
9abc66ac3f2df714342b98cdff8222e709892c8b07c401a35a0743fddf93a980e6043a3c69b9fecbb37885d7e154ab43fa8e8c4727fed0244442f60652aa75b8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
37fec7fba717fec7348fe555ab2572f0

SHA1
f53f245e7f59d83dd1d1dc64e48b661d906174f6

SHA256
643a8be501554d945bdb4f3c281d281102b73663095ac2ee0ea87d4228dc6285

SHA512
5d3ea0230513ea81347d23a31e035153b78ba4edff37ffc1f9f33e5550a87235d96b7ddf548eedcac6a28704795fc75c1f2b721381303889a66255bcf59f86cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
175fa4dac088ef186d72733db412685e

SHA1
e288d4693b3c5d522bad385641b92e4e1d1559f3

SHA256
34dad1eba23861903cb57ab9a5c1ed0db7b0b484ae9953dd71dc253a3ab29108

SHA512
8685bdc71b06778cd480a4032072695226f4372937edf7d4abd37c754ceeb631810c09c0bfc19f00de44694152d0f22d1fde82d212d9c499952cde0e802c0e1a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e7c34cf9ebbeaeb65fc689f19e02d06b

SHA1
43b267c05e5e52ad7cef931a7cad1f2e1c9f9ae4

SHA256
eebb47ab3ab007b717e015c63831affcfd8210298b63abb6e9b7697e73897472

SHA512
5b43416fad04b01dd4ea4f5db56fdd9cc1cd11ebd8819f8dac4a7bdd52dadd6d8ee67f44773c06cd1bc084bb6743fea8c09823e507feff4fcf942cece9be45b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
af77cbd37e560795f274ac2bd7165611

SHA1
d1498da5c3e75faf3b8046653ddb59edf57e2cca

SHA256
add644d52519b8ee6f27666313468f9036d759e27aecc61d08ccd9e8858c9e25

SHA512
2176d107df25652ce189c53c7194fc056caa31c56b8dad82972e8f691bcb362e3eacd1164305b742700a48625b6063a14dee3caed7b566b278c92a61bc897643

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d92e58efba4deb1c4c17aeb90ef7e08

SHA1
31eb2cf90d303b3c6ac70ed0bd0eb1eab7d2ad02

SHA256
b1b4e7985981c7578fa7d8b56ea3107697879eb9a3df2a60ce6f6d78b27ddb66

SHA512
d7c23ad9547fcb710968bda0945771afdf6a21c32ee0247ed3ff10693f73d04304a62750e3eaaac780db687a3f12c4421660e1247382ac5dc34a37bf84f5b29f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2365102dafbd3b92e3f02a3aef50169c

SHA1
10df70ab983b33f0964ba085288c8bea60635cf6

SHA256
db4726ea71d7c99dc44dd85fe95d5624db6cc0a6560a947d291e522bb8968946

SHA512
e11cc08627c5a0c6621cae5bf03ddba8bed5098931fd918a24ac0dafdc47824fabae734a6bd51de74e605aa16b97b6a7dc621ca05cfbea0c2f56a131581cf1a6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2782101791c6adef3aae78dbb83cc611

SHA1
4764bd64f190bdc9c895783e311ad7947a57516f

SHA256
bb7b7b57bdf83e4135dc04ce86ef093963d70831a8279048da604a7ced3a4b1b

SHA512
3a721d0cd7c77fbbca1e9797c8840377a5bd4b63368763e7e6ab902c43d3f8a62d8ff0254b94dce7cbbab3a9d2ddd2dbc5bca83e5dde00196f19836c8f206e36

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c50a3e05253d3fe13a6ad02a1c90ec77

SHA1
4eb6f93838eed02de812fbe2e6f53c84665148bd

SHA256
f086caf3427a90964e0a1af27a1622dc034d456b2e9653b2e82c98612a7b8935

SHA512
b9650ef5ed7343efe801d403a2284de12662bdbfdf221526d92d1d1a04087bb491dc84e7ec8a72fe5e918c3c048b63d5cd9900b9d7c49da1239682998c04e81f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f770f54555d0568f361b933d45961ad1

SHA1
3549f871030dd0ae14b05f013dac2cd0bef5a55c

SHA256
fdb5ff493cbcc444127d1c110fb207bd156e9e7ac9e4919fae4ed2097b190c01

SHA512
bc34cc95e576ff7afcf6a498f9fff9924321b402c5bb547b643e60378e7652013e95456aa0218379fe923ab98924924dbcf9ed8bf7e6771d284773ab6e4401f0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
92ee23220252a0da7d4adeb0878c778a

SHA1
f9080b153c6e3f28b49e0a618ec8f278c62ef31c

SHA256
88c6c8e192231e1a32e67e1c3a9275984197779b8407b7068f6058eef5547252

SHA512
9d78e2bd9df714339091086f13ca6d55002099556ce760ba0b18f60c1a91085548002f355449febe8983a415f7b6b4e1ce2ef092986758cff30859fc6bf35498

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2c534a37f15d495ae2b66e104c879194

SHA1
8b0b5b81a8e0ba503e2bdc071403d8e0a1dc0729

SHA256
8a60d30534041c9891f8160053bb05c9c1f48d1945afe0613bd3fbaa55cb6f3a

SHA512
2b34fecdb3604c7e9cdf406e3a9e2f5e1b28911de448d7fac7d6d017fbe64417a7e650dcc5f179f98c32b1a80f7626cc97eac20a69401692dc5a5a242e8a45a6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
462fdfc9bab42e3dfdfec8d16caf575e

SHA1
95efbf0e77463ac23887abce943aa9e60b9853ca

SHA256
fa7e0f9fac713ae61784cdb4f9d5114e9aa07a8641c285f3c9ce09918cffdcea

SHA512
d6e3371eba480c95144a347350155525de285f1347d3c6d5d211f80020719ba72118ee6b89c94355e83da765cc6b2f723d1f25ec780893e793549daf568c0823

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6264f1cbf4aede35556e92810cff329b

SHA1
356efc73f291617fd13d1c9206f3a9339504522a

SHA256
084e33c2b928503f592454672adb5de096002c861e94183b7e4864017f516116

SHA512
cf42e1429b06c59d4e4d92517b0a01e0350634f07bf994fea5e41fa19542f8d7de60ba288fdd24980f2dfaec8963a5a58f9812a03699b8b2d69774b0be399a9c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
61cc4c233de1d23309730c4effeb7745

SHA1
f3c1414f1c2c0f8c00e04dcb84783b00b75405ce

SHA256
854d2c787418b8947fae8af38597dcd762b95b14a75dd6f2a9705a14d0ef3cc6

SHA512
c32df5536cfa096a87ddf2b42582eb563195fa43828c06017fdfc2b801bce80ffb951b0745b1ce8cbec860411f5e9c0084b925588fc23bf41b7eac33540e2572

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68723baebfb1ad39065cc9c693d96d82

SHA1
2260b9fa1c5604e5a47f4a222c3334ab5f42cfab

SHA256
d281501e5bcd99b690d72657436c24d91a6094594c76927b281b0a4f296bf33b

SHA512
d3816d0fc755836b0dfab6c40b10920f5d14100ca966de54c79c213d2f644335d2eeb40ecf8089a4c2dff582110958d758e583a421386ccc2acd69682a7c1fc4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
55df9212884f9db7344142bef2a40451

SHA1
d939b6d7455b868e2251700ac43eb1d558249289

SHA256
d6c241470700a42d52a6d8dede2c2efec5f43f1cfcf8de3dfeea257899127eba

SHA512
8c2b76a9f57a3663d296a9fc507dac94ed4bbd7e774796d4bc5b70ed90667404da45c7322b057ec77e9eb34d50bb23c64b6df1e5eaf2c17834505376138d8709

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b7d1ccf13ed402e4a5fcfa559ae7f42f

SHA1
eb6f6fb3cd037111b53cacfb0649662a108b8378

SHA256
ddbbbd4b3b5de3ead2d09f63feb1883018391edd7d7f5eacd6bdd38ecc95a52a

SHA512
38330905748aea4ef8eca1376b463784a2870fa7d5326bfe8b72289cbe4c7f30ea11db680948e47c5cd46f8a8de9c368637bc5b78e514580c40cacbff692fcf7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
52a845be5f645847cd5f9e308c33b613

SHA1
b33488b84008cd5d4d1df016f433c6c1af69edf0

SHA256
c6fa720c55524157bb04aec743ae00ff335960e5777dd5e5c3ed1d65a6407673

SHA512
69cb8701b9388865613463ab7e4fd525d881d55dabea74d713b65dfea000014b8e0a17c5c967a76692f0d92a07e88b07c85c90e65da40ca9b57b371f61b3d07b

Download Submit
memory/532-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/532-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/540-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/540-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/540-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/540-113-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1692-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1692-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1800-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1800-482-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1924-31-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1924-37-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1924-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1924-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2228-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2228-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2428-480-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2428-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2620-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2620-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2620-478-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-79-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2664-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2664-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2664-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3360-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3360-479-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3440-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3440-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3548-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3548-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3548-65-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3548-55-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3548-61-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3696-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3696-486-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3700-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3700-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3700-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3700-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-100-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3728-105-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3728-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3728-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4032-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4032-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4108-87-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/4108-0-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/4108-1-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/4108-6-0x0000000002190000-0x00000000021F7000-memory.dmp

Filesize
412KB

Download
memory/4108-358-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/4188-335-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4188-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4208-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4208-89-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4208-95-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4208-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4420-481-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4420-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4532-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4760-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4760-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4984-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4984-487-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download