5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
Size

1.8MB
MD5

8cb2cbbcf302c26679fafd1e961eaa70
SHA1

d93f7ab2ff4983a19caa68b1adebd130551570a0
SHA256

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2
SHA512

37fd15d8ca85526408dbacd8db83bf81c454c671341bfd05c414b76b10d027e87427c8c76930a15c3c2851a698257530302ff8813962ba6b4d23d6137166aeae
SSDEEP

49152:vKJ0WR7AFPyyiSruXKpk3WFDL9zxnSAkQ/qoLEw:vKlBAFPydSS6W6X9lnFqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2280	alg.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4544	fxssvc.exe
2156	elevation_service.exe
468	elevation_service.exe
4652	maintenanceservice.exe
2544	msdtc.exe
4184	OSE.EXE
5084	PerceptionSimulationService.exe
3124	perfhost.exe
3144	locator.exe
2796	SensorDataService.exe
760	snmptrap.exe
4680	spectrum.exe
4516	ssh-agent.exe
2188	TieringEngineService.exe
3192	AgentService.exe
1752	vds.exe
512	vssvc.exe
4572	wbengine.exe
4460	WmiApSrv.exe
4004	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\System32\vds.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2d10b79aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\locator.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe

Drops file in Program Files directory 64 IoCs

Processes:

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exealg.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_fa.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT3EFE.tmp	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_bg.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_ko.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_lt.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_en-GB.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_fil.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_is.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_zh-CN.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_ar.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_ru.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_el.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_ja.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3EFD.tmp\goopdateres_ur.dll	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fe73d67f098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffd16867f098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000724ee366f098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075d34967f098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d380e67f098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007039ef66f098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c835a67f098da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4d08767f098da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6c2af6df098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075c4d966f098da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010c21767f098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deeaff66f098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f00d566f098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1020	5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
Token: SeAuditPrivilege	4544	fxssvc.exe
Token: SeRestorePrivilege	2188	TieringEngineService.exe
Token: SeManageVolumePrivilege	2188	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3192	AgentService.exe
Token: SeBackupPrivilege	512	vssvc.exe
Token: SeRestorePrivilege	512	vssvc.exe
Token: SeAuditPrivilege	512	vssvc.exe
Token: SeBackupPrivilege	4572	wbengine.exe
Token: SeRestorePrivilege	4572	wbengine.exe
Token: SeSecurityPrivilege	4572	wbengine.exe
Token: 33	4004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4004	SearchIndexer.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	4832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4004 wrote to memory of 2644	4004	SearchIndexer.exe	SearchProtocolHost.exe
PID 4004 wrote to memory of 2644	4004	SearchIndexer.exe	SearchProtocolHost.exe
PID 4004 wrote to memory of 2052	4004	SearchIndexer.exe	SearchFilterHost.exe
PID 4004 wrote to memory of 2052	4004	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe
"C:\Users\Admin\AppData\Local\Temp\5dc14820741b44dbc310dde581cbd6783d4390da8b8b09467286f21f94287ce2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4652

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2796

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2644

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
10264e016d558b53e1d4a6440d86f851

SHA1
3bd7bad9e0ed27b360edc1d4c5c9f2d3453a50a2

SHA256
596cd9eb77dccce2f3d1bc5a0217769b4c78377df6e93d4891d8c16373a5f005

SHA512
12b1885e2f112474caa6bcabc408647d8d7224fcf7c8389ed2e48bdd9d356dbe83ae02ce81fdc0781ec5745f339099a3da7790a9e987b08d77c099ecdb940760

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
f7c50a0154f87de5bef37f3784876599

SHA1
4af9398a4df6f76df918022842b5d1694c72a627

SHA256
79bf1a81db6ab76846921d8e2124dfc36d5eb6735a3907273e75a23b2cff404d

SHA512
706def0db3b981fb29a50278a11e5f3dba65fc41ea9fc5895f4e1add12ab88f2d4f0cd825d3a11964e294c0ed2c30429086259786e2e355c9dae678b6144b008

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
17613b731cd7edac281d677ecc2e41f2

SHA1
1a066c91950c25dd0803e1f14abd6fa42ee1228e

SHA256
db818eb31d7628cbbc1ca540a1da125799d042b9734f62a97ac68b5ba2561d38

SHA512
60a638c2a0e5c791b69f1887430b77c5e38f1a5c941caf2f611020b946800cf60548d725d4d5f8b8d6bfc012b143693c61f317996b522e991f2ce5cc6039ed33

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b9b0308f2f5a012cd8cebb60c5d401ad

SHA1
07b325772a68d76816a4309fc20ffe116d6a16d7

SHA256
737dd07fc2a2743253377b96edf8210fdbd0e0efbd3dbed3a3a16060aa0ee957

SHA512
4b54da53629a63d2d8ec5e0510b493df57a24163bc4993767a35ba420a52d1ed8684906560facaad12b1c75edd4f30d471a1be5f5828a7e4c0ad42ca0728ed86

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b13ea967ecd4e2f93dbb01f28ecc0639

SHA1
f9632aaecffe0c8153bd0672ef1f704ee783e2de

SHA256
2494a4cf0497529414f034f6d1288cf923e01aa0b22bb422a5bc6f14fd87cde1

SHA512
c4af684d1d775f2fcf0ae22e22df15509c880e22aa3083aac3f8b8632ace89fda97644a85ff6e3bb6e9166395c0c2045ca2d91af7e9b58fc23ad8e173e85bae6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
fdf5da1ff45eb21c0ee4362ed4da1724

SHA1
9239231db9bf26e2decdb96eb1533d3df6f3b27b

SHA256
474c8b49d41730e92aa76a6b41877c0f6bd5cd85bc83161dcefbe93a9cd5f2ef

SHA512
67ff1feaf76bb1bb686e68c12daa767d3735cc0a27d8644f6704993a4da686e2069cdca0305704fffe31686b37e10b29d4e2462109a3b3d310e37abdd211946f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
5a221ca4ca9a96159f38e6c3a99604c4

SHA1
66b86c6a773d97990774cdfc6aafde499888b298

SHA256
b4b5d49ca1d5314c7f3bcd083e0d9cbe964faf8c4a21482cedb189daec259314

SHA512
96e1fcef09947d68fd155ec2970befd25946107969cc22568dff4e72b5188fafc0ba918e73ab2829b1da13f2503135daecddc7abf059f698f8bc31b16b21ff16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
590e8f65bfc23816d7f073807910d9fc

SHA1
8b4a39b363f3bac751640d07c7557599b95c01d3

SHA256
99b4b899e97010c8e370f2d73332471b6e2d1189936550cb1987236cf72516bb

SHA512
cd57a74b0a5accd5039535d2fc9b8957aa2afc3d3e8cd8900aff2fc56465ad99ba527188924127ab7c87c9149b3e30ee4233a62139a0d98abfd030c2c4276b74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
aa1389d89b7bf9494143bfa73331f1e5

SHA1
78c851a87a453db9c49f79bf6d2155c2d6e2a770

SHA256
a2d9521bfed55fe57b28edbb6ebbbfa602df2b8c29818ab6ee6f8fe665422fd6

SHA512
7038397b10693bfebd22d178084a2d792c1cb5baee32de60d59feee08f67f5ba867cab02975101de6e298f7d19da2ffb5e23c8500b4c6ac149e34aedde19f034

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
03b84ee97f93dc555297ca7f1781653c

SHA1
0b4053452acec12556a5f2190e2a94829b82e366

SHA256
15e2b5f51d8ee152958c7ad5b825948ead1c6993385027829876b2ec4e9c9e1f

SHA512
e7c4a73b53d4ec26805a30833a7449dd504dd02b5fcc44c304aeea29625cab0400239a6af96fa7f10ba0aaa14b900d19621034174f212ce7653e51ac3854f67d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
051c7b24ba499e54bc29e0c4b9f88728

SHA1
405183830b8099fe904b8c3b0c619fbb1b47dd5d

SHA256
06bc05c9da9906215665145abd602e5572680f7c28c1c8b69586530a80d600d6

SHA512
cae5c37a9f5668fa98929f63018161698e19b02f5ce2476efd6c58cb5c5bacff7955f27b85725ff9fa80fc92b04aea3c8f8925d49057b19916a643d52bd3dd4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f1cc8f6dc9adaae1b21ce6f516dead4a

SHA1
a4dc3b759a412f98b5fb7c004a596bd1587eb173

SHA256
19cbc5b6310b9b4f2779f6dde1d3f07e10ba79971ee8e49bc5f2a8d336d9dc6c

SHA512
99b9369ca41812496c4c0c166546259381300ebb106df3bfd1c51b1344ed7b825b1ed6b65d341292035f44d098727921a062c7ef9c3245397e952e0d476f5a55

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
4ce9a79d99979154d33d04f8c979bdd8

SHA1
3b82ac30636e9f2ba1681933b8f81d5109ed25c8

SHA256
d76b69c69b71382b8ea26a1be66d7f3cbde21f73f10c3e2d60afc95aa49d262b

SHA512
9f58a0f5e65871bcd212de8010d8993d727ae2a6d468eb8a7a64f15d151e755882b40de4eb08d9392849ae88a7727f5ddc30b03762cb1b65d04703f9e14d2a1a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
099045e778ad791fcb2d8477d93e6290

SHA1
b17c730119dfbaf6447c1a264e5068836c947947

SHA256
57e19d1532d304752614ffde061278bef3e2eb5d483a1d1f41da44315916ff02

SHA512
b82f11ca62f07f11200d253fee538ba08517f78d7eb755fd43509c9d2eede13b07377812404185c31bb0819f4d5c16fbcdb1f7d8a25c5d7d2384141d4e4330c6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
548f251dff94c288d0826a55710be11c

SHA1
84d0a1a69023299280d6004f52f9b162c95a87a5

SHA256
2a30ea61ea326ef14885a47b384debde990c4beea06587813e6ba6625ee24793

SHA512
e23d41abe33444066da517e6d09df0ec80e79aae3f5dc5d89cc3ede1abe8729fe3fa5891b4b4686d4c166e2fb19f7bdfd7686fa8fbd72a8e6af5af4ba9f5db69

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
12c86dfbed66634f73895cd6d660681d

SHA1
e36cc45073f1231fd8a13757c12754f377258526

SHA256
a73a53317ec06479e32c9c6704277ef72c97371e26758c01fcb8c5d188ef0d47

SHA512
a2f44b454830f5f3b40e8f04df250e8b7b25d27e37bc589b0c0bf5598a148e7dee79255d09f1dd61505b8ad7403ecd066ac6edfae588fa135321d0f3050c1509

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
a1ae2fec9210f48a733016ffbfd03c97

SHA1
f6767ca17ec9cdf186de6b29fd704e62845a29ec

SHA256
8d20b6a7f87a7e75e4c092af328f2860913dd44e0fa2086558cbb12ad45cff73

SHA512
efc90e5a3672b865562b321a3f3777c96370833cf32dcb195e6fe3a4bb1a27d2f8185278acf77a1a5c962aabe547541b01d759b11502c6f201d3eeb423d753fa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
fb02d9626b8ddc73b0c7d1b3ae4ab331

SHA1
a3ed83d7ea1e86e84cbe200e94d08e22b33cace2

SHA256
926a36b8bc1a0258664ed2cb6fe3efaf8b428038460ac5ae7f0cef972d8eb260

SHA512
734ad6f910f9527852df2b9b0082749187b14416d01ddca2ef3cd284557fdf1ca26ce44ead58b79b00920f767c648189c5f8622114b9be4f528321fee17dc1dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
7623a4b65752fd02e4b0f45314d98fe1

SHA1
68dbcc122fda4a301dd73288b6d814f98d628b29

SHA256
5c13e48480f9a8d2a40f39b24b958b6a6a3377a9a2b1ba5b5f864f0eaa432f46

SHA512
6ab5c4c0ce8c5ffe348bb687b98fefd0994e716486ab35d64c1fcac6d52243dc4798f3a56e10f1cb704577891cd1867dc57b1166213a468be6c55d6dc1fee4b8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
bc2f253b5560c81a38b324d3b343a58e

SHA1
8ab12be783a2b87eff3fc3d4f51e1667e06590e8

SHA256
8631e6a42501388528105aeaa65124f26644c8f85cc1786b80eda5b4ec4af247

SHA512
ef8bf6e2a3d63fe7221ec6053273cf0af3ab0553e1196acb2ae820acff72b0daa76e556f6dbd17f4b537078e72b96e393321cb4dd0389460f9aadd5d14576c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8e010be3ac5e3ff66bfe307aa18b15bc

SHA1
1dd2016b198fc1d42d62e6a38d43221392165ce4

SHA256
327193adc927e8a063393def47435589217919e73bba6b139ba6050cb8dbe143

SHA512
8542a5097bc55257fb37b4cb674aefb3af1e4565b066ae10d351f2c72aa2fc45983433f00cade5362eaa4a5f69e497fb954e8edc2f701fe4a761e535aee41cc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b9be362cd6a2c0983d42f429adfded88

SHA1
ea198b2f01e5abea9d22c6b395e72e4ac705bff0

SHA256
705cf4be509e2816dd70e0e7791f26a264bccc209b7e300734c4f5bc52afe68e

SHA512
a05a5563095842bdd62c621cce8f83cf37e090da7bf9873fe3a2751a7b9c1ea08ed407e8718f6fb0fc6eaeca6a177664766a33c6e1ec6fad772f54e2701122bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
30394ce6c4218360224e7dfa14d2af8f

SHA1
eea537f959a230579bd9d657727af402a2b71712

SHA256
2cf9ad076360bab238727970a9fa104ad55306846164b050f1ba768e5d09af2d

SHA512
3516657913233e43005738f251ee400ae15f961a16fecc285da3b968f5cf9b41aaf73f86a58ddc4fc634631dec469c03ad7bd4352661e5a5bae13bb351e67455

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
ccf20b38b7a1ae8ff91983d3fb6b17d6

SHA1
851a879825bd3e18b7f18853b6d887b5a453d76d

SHA256
c367ca95c748a65de2f61ad6ac755370eb50a3ff2e27638c76aa49ddd2178b2e

SHA512
95959050cceacae15344f75e170293d9d7c5f81f922c1f9cf4f4332724bbe0c6f5929efe71e035bb4553205bebf0dc1dc126fa47e38c26f6e6217030b98db07c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
aa8e1aaee30f15dd9ca08b4bd3530322

SHA1
d35996220621e01a65b1836a249ea8c845e20278

SHA256
74c84511c4f32a653fa62febdb4bdc4d0e7af55a540e19d9bd18880e38ddfd7e

SHA512
ea8236f0c34d06f5f6d5310849ec1cba34b5b48507e2d02231f15204db678906febc8ce916e5881234c61df8898aa78273183d981bcdf9c783139a68e51301d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
8d33dd9642d46925e04de757664d47d7

SHA1
bccb43754b694ff95a36320831a1485679911617

SHA256
fd04d7e507a34a8e1a1eb1d6701774419f671dcde8a27bd005317badddafcbc5

SHA512
fdc0458c29c24c736a025298e9c0b125a2ddfd705e4f26728cfea1844e617fd5ee06bebf10a47d50f9ee8c8e456e2de355b24929482895d5b2571e63db0586f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
4978a08c76d50939a14450a9f1a9dfdf

SHA1
eef244e061a66080bb68a045bf5818b354fff16a

SHA256
d329cbfe9bf9bf9f04da2fcceda88260185486915fc2abd5f998101c7b6b3b15

SHA512
5d53f83b48158897a93a87f602a96d1565037801f6aa4a3ed99bfbf220a10964bfa7398654a40b828b489a6dba1fbcce6f3c0a60ea3a9205787e851ca5e73285

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
4129bd5825c5cf60084c6c6725277e2d

SHA1
321dd01377f82d7b1e1ea6d2666a6a3e6f193011

SHA256
7ef85e50a3bb749bc64ec69707b0db3613d07ee361d229eb45c772fac39c52bd

SHA512
b948af4ae7737a07b1ebb170fc1977107096bfbc9213fe1adfbfccb781c789aeaa219870978a6b4b8c8e9cdcd82ea208c582a61058ebef13a432ea9c5c7a4d9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
75dd8893c449ba54dca0a7ba8742ebb6

SHA1
db40872f2851cb14b95b556cf1bbac81d31823cd

SHA256
783ce3bab2790a17c7a41f3d10c0ee4134491574d719ba5f3a2cc0028184925d

SHA512
b86b9db65471a024eb2879ae9785aa9e9c5ea4a7fb84565311ba9806965b3abf2578031ea159035ea2618be6594f0cd08da40d41f6b97e145310f0df38e3e622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
372e2fe4bf4b2f12e36f0dfd94859dfe

SHA1
476e90717a06cb74ad293d90d4d78c3508b57bec

SHA256
e81d9a6e20e328bb2c1890d47fda97fc359bb5233bcd0f4a03394156c6732b52

SHA512
7a2c175def9d7e6de662b2536cb5f482d87b8435212e1f7cde47ed125a5e7b71263faa09dfc027fecd181d6ca5f32ca6786bb47b03d4958571cbd2eaf5ed2d76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
660dd7b9531b31743553246d3ac96b3b

SHA1
6e7f9eda2bfded03e936876bfde51d4660156015

SHA256
1e121eea00675333ab0218a3d8c7a4e68570755ffee82a9d14faef4f32f22aec

SHA512
b580144adac390abc0bc32ba9a56e5d35fcccd2d1c521f9f79a4ecc8fc3e2002e5a99071dc27177ec8e22c01d7d50771bd1ad528b0bedb64487c1615eaeb9860

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
953ec95d122232101d99dbf8e62808cc

SHA1
0cc10dd37170c16650270313aa70b33763092e00

SHA256
b316a3a6a7aca7ce8c7b26bd47c3ed35a68da5423b4b3c079f7bd4acc094d0cc

SHA512
d970a7945b6eb08e5d9520f6a3884dbb34061ddb8e99ec94d577ce474899a8531f62f5f943b08054462293e321593e3c7b5d508b53e26080067b85b84ede4a1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
d894747179ef9fde5fab908610863777

SHA1
b8ed9cc47b8ba97c17ef49aecca254e4ba037319

SHA256
2142ea8151f5c8372d9ca86c378c0dfb6dcb9956759feefe0da952bd116dc96f

SHA512
c8bac3e3ecc52e5117aa93128f98f7a7658fac311d160e6be1d2c5e0cc4a63cef5b8add891926739a4f8d90cab4b4f6be1cfe1d20f5b18e281fec945ec9bcdf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
f26c93365c4fb00c6dad608ff9adac89

SHA1
3ee531eb119fcaf0da186240d5412396be77b18f

SHA256
df2928b67bf473d9b04082980fd88776760c7511addadbac10ae0a5c6538f824

SHA512
f3a465141a19bafa424a95d668856f6fdf4b89dc66457d2c52a3e910585bccdf779e13e1a5e0727eaab21693eb14985e2ecc08e743d79528e0faedd556082cce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c7402754547345edcdfefc2625beafcd

SHA1
e362aafa8931f947ffe67224adcbac080b5a12db

SHA256
c3df2626b81eba903883ef0d1656d6c06d9188d7d6983fc8c404943ce98c0d4b

SHA512
51edef50f9a0af671a6375d509dcaf915d4043c963d8f2aca9fdeedc9d2526a9830b314d85af4cef98dd01bf03aa6a9f4637f02c0b03617ad28e1005b34a5b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
04089dfe3e530fe7d493e04fde84c307

SHA1
9cdee70ef562f0730019de20cadaa656d0cccf93

SHA256
88e09c14b801bd80f40e526abea2fae8310b8606992e3451e9af95ff733034f0

SHA512
9484d9ea725d03ff79334b66584d68989f1c7660be1be298202d0b73ae606a495adbb0c47bd7ce057e0b55ca65f92d0286d5e1f0bbb0ef23c0f7a5b280fd59a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
d251c7551f0b227460d1826ee7f6d64c

SHA1
75c009519db1abfeab22cee7e26fbde3a16fc4d6

SHA256
d9850f176cf116823abf953fe32211fcba74c56eb22aee2d694067594925d5a1

SHA512
896517430eae442b7706d16ef949bf94800436e53c4cfc6664c5a6acf6333302be5846808d9613509e3760c1ced92391c3becc46b9d91f4561a6f08c470a0c28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
37df442eeeafb32a147e2fdad16d84ad

SHA1
a7e68bed778c36f4cc56fa362e7262736d326f87

SHA256
409c68cbd81095fd6297a6e9c9f91d96d007b347ec18fa11e91a3a04cadf0ef7

SHA512
75175ea9b11a1a5953489c71ed613293ac7f19a850ebfe14d6b56c22547bcfdbe162a2dc314a2effbfce3a5e14b652db35a901a0635ec47bef55ae0a99d96476

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b8583fffd2803372abe99885bc9b31db

SHA1
92e54d112ee81200850b50e58cf7fe6c1fa1ab43

SHA256
f2841b913882c26c54355f9a2178080bdfa35ab3371041322ca4c88f1856b692

SHA512
51847754aad2b08a1fdb66c09ed65416bf875dcd424f4b70c4c444cfe15a92a694544552134b2a948b468e46815fb246a472fc547ab49c478701ace5cb7ac9c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
57c25362513e51fcbca3d05ffd46ca5c

SHA1
fe00826f622a95e5d2eba0492907bdae9c058f68

SHA256
50242a6052bb79ea2bcfac6c495c03312418491c8ee11c0ee07510146d168242

SHA512
3215fe3c329962ca29012a90d24648d86f9e06b152a554605b8340e3aaedf717fffb07e307c8f8e2ea682bb7b7b603273f28c370c1c589eb4e1d7f8ca7ac10fb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
388ad7e642c4120ff08c820b4299b6c8

SHA1
4531a2e45b14d8648c8ec99fa88751604f006b95

SHA256
9299578f190f2b59f5d71e9c05c9ce7001f1845b18aecc051692e3e7626a5e36

SHA512
dbef090787905d4c67aa2dbfc2031bf971214aaf543e4e88155e55cc52bba21046e97aa9360512438b0130040cdd40fd8c12b0f6d4fab3c434a0d1b6bbd18007

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
a1842e87c0a6b9bb7203148c0f136988

SHA1
644433da3098985b70010566fc67fc64a4ae147e

SHA256
66b4c8ba370a80ea7ecb5d56d532d6e7151fab3d986c2e9867d1b68d03aba33f

SHA512
474d3f264c4b6faf5f789084e760102336e6c0e44a0f32f6c5ad35dfdf1d7a1f814dbf5c83408eaf4d7cfa048791716e3f87bb9d7689899e1e69201001b61256

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2dbb358e77c499c3a2f86b47e5399e97

SHA1
142368bd9706c73b0e33d53f266e304205a6e7ac

SHA256
389aef49c2b8eaf4e0037e4949d50dadc5c53db891d180fa71f22d1f68b957fd

SHA512
47df5d453e32104146a47fd741f1a91b0a69f081017c84888cd5942addc62539c24a4a81245decbc9e67c18946463ecfe61d13f24a0400713eddc81b62875de5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
989f91f1b2632e422afdb324a2ef6a21

SHA1
88519a760f6a5e2eea65235d02ba711266dacf57

SHA256
d352d6a0190305df20dc9d934d51204fbcfbd6e09d2be9123a325183c4a612a7

SHA512
54458e75e9b54797035a9553ecda12cf4dfa624ee47bb0cc66326492cd00ef524ef10a9e98229d0bbb8e34e600be2267f78fc4c6c68ec76fc5ec8df8c5d24e3f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
bcb35fe111e71e2c83cfee3b3bc36959

SHA1
080df5af4b888432f94a4fad657bae49d8a79035

SHA256
af13b83b697d3e00ae9310851683ff943fc32ffa3400794933e12b8595c8332b

SHA512
3dda804b9e955beeed03316d2c3d8d70e84133fd5039ccaa608df3264eecc2babf71d23e2dc4477d8a75c16c7f15e5d08ebd9fc90e07a0f42bc6db44a9a32443

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
73eba17a6bbf5e177de911b7daf90be7

SHA1
33a1e16cb79a56f62d8327453634c8a250d6af5f

SHA256
ee62d145102b027bdf302cfa6cde6cc605b25d69df7ba46c03d15f3130c93665

SHA512
f73f280be1128953b5e37547308cb35cf9dc40da432f0c3b4511ea9a9c26008a55ddf2cd86e96731b41cdac1dfb455fadb495baf1eb6f39e89376d148f56f66a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7fb07fba8f9a197141656e880874940a

SHA1
317192fd60971223662b4e1bde9b3038ac321877

SHA256
928e8c1502c46b830ec2ac028956d3c88687b4b99885241dded5266deac3c600

SHA512
5180e1257abd67b75ef4107d01c1d82e0312d4736be6e0335f60285c121564f2c8167f07683b3fa96bc52bd3399441ce41c60443e2d733605eba2774184a34a5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
36dc0c01b83e057e6e813f145baaf446

SHA1
5313c4103d2b2330cef2da10101a93714b5f3da0

SHA256
c46b76bb573fd829c85fd06d0b53d336db6d318a8b45a5a51d6c2ec4b3f287b9

SHA512
451d42ce1870c9aeed551738123c360286a5dc20315981a7fd5a3a206ab5a5b06f0f9321343c29090634ecefb9f9c1e9dd31bd95c8c96b2d82110c46956b42ec

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e04cea4d011cd095ed7fc3aa7b8ac90f

SHA1
39d316ca81cf0ee29e8edf3921b3f6bff40663f5

SHA256
0acbce74793ac05485d4e1ce8629605e12d320cb81b8fa110e1d2d67e4314895

SHA512
434efbc5f70308a58501f2c37caeb69c6a23f083e4646994bfe0289731af8ef1a3439600ae92dcc1d93298dcabe78c0c38039af55109a767f5c955dd0e103497

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ef1c231b850b3218a6c903f177744dc0

SHA1
e2ae9c330ff6ade3aca3489502661af0136ff288

SHA256
b2a7de8707d7b454cd33c12eea513823beb2f26966e5610671c5f2da507065e7

SHA512
ad0adfa0b85cb7e1f671ba88bf579e99571625a10fa2808aaffba48fdfec62e6ecb89d9e09c1b659e4148568e57a6a1f2009be9f6b818a2b93ce2bc7a4cf8736

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
aa13e0842c2c7912a508fe81c93b617a

SHA1
563f24251f44d0a40b4bee93db4f8f3e1b3a41a3

SHA256
97cb791d7515a4313a85ec83c71c90135d8a19cc021386d302de405c6f7d57f6

SHA512
85efbe264b5ed57b8264892064d7c44e83d32361675b0a1239e28de67bd96fe9cfc6778a72812adfd87a18b31e5f9d2a9fab29877934c85f9f9c8307569be410

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
701cae526bf0635454ca417d9f6f9da9

SHA1
fb9db073238e852bb13a03f93813c94b26860648

SHA256
9ea4c12709d6170e99c8bd7a55ace2a88595945678080e1709c95c47a58ac15b

SHA512
b4614d07f990945e6eeb8ac0682e4d9e8ff5b8443157dd38f11e1a561100021ca5611cee6fc2a8bb917e6128b8a503664104ab09c3cb781e97ac10ae2e98ba4f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
d874ceb3fb4d81575b8b7c25a3f57392

SHA1
4edf08dbfffab256c9f26f440ebdbe3bbe21347d

SHA256
1a66024b80e2f571f99c1821ff675b9dca2282a4fbae4b8028ee4cc29d73be69

SHA512
d8f81bcd74760d5abe5f6a74ecdb2906a7d2c8f5b6c0de6c3df0cd96e35472a45ce7f5ead2a5e52af580ab2e85f8ec0c385f47bd675056548c141245d0f086b8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
117b48e2f0922711c5b6b1550d1dcebe

SHA1
4c7ced6b25de05bbea9c0f6e7b00e44d6c264063

SHA256
93df628b681185d117fac669892fa73fc0925db24a4f47aeea8558a5e81477e4

SHA512
049b53df6f09c039d37329ba810302b84554cc211ae263889d0b374cee148a42dfcc10a01967b05e4e3a49bebd064e5a730bf7996a30b1db7f55416427dda57b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b9e827a05358820b2092b01ca014b62a

SHA1
b5b891ec78edcd9017dc98dd28acea8bd2ccf4c1

SHA256
807cb19cecebee71e2dbf9a3624735317424b294d47a2a98394c9d60bca134b2

SHA512
5a9f97e960d5c40b4321fbcd7b8eac79d70e6074741ddb7bb64278c6d3b7a226f60a7ed969f40e573b40f6d51b989e74c87aee9546803862a2c447a48f57fe82

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
01f78d41b1b35a69fcbe1755139a56a6

SHA1
88789b428ec6101703dbe01a5b291010d06805f8

SHA256
a9fc2ed982a33b9aa1ddf8c87c16ee6a88751e44729342bd0e2470b7dd9aec73

SHA512
96c19a014033a417d73800f3b63b34f8c0fc80386eb20929677e4f74e0a12d1f3989867990d59af5bcc15e5a2466a5e55df9ea016693b11579cf936c92c68eb3

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
53f64b862064024365fc3c74f0ed4b44

SHA1
652e982f482fadaa0e5863564264bb05c5d67c78

SHA256
1efb197c5eee2c24e39727ead1d5ef0f6917195f1910376857f1a9ff0de592f2

SHA512
94ee9613fec6aa8788f6728674f85731244ac16309814fdbeda577607c1f72d3e71bde1bb761d30a57e1065eff67fd467d6e43b53f1fb0a8647b802c9aa84f78

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c260b69d3ab4b8a5d961cdb747bda49c

SHA1
d3452dd53ad49bc70860cb635783644f6bb4076a

SHA256
27038b41e7767fcc5070ecedafc93642a41b5ca7405e557ed70e439c148cb4e2

SHA512
1ad8e5f57c4b3a05289a94bc5742b0bbeedd9391c1436e514f15d67349ffba22ecfbfcbfddca27821ad6bb4ba02a8db969bf746ecd84e3df6f57df1419317ec7

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
4db6f773e30dd583d4f819e4b37ebcea

SHA1
d95d5aabd07e819154290c6bb190b6ac7e5d3877

SHA256
01d89cec4632ca8b250ec14987a96892ccb372360236710beebd7a71e8ef955a

SHA512
cfda3b58e841bcde911951d632a15337654994aa2a29fecff4de39fc0e2fe6b58a67e9741a00628e54b93282a286973b82ad0a068331f0aae9b44b79ee42fd3e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
362a827c8b3f92521a456ca6be1f22c0

SHA1
8805854eb97789a8d56af46d52ab5f5034f9d4a8

SHA256
054c5cb912a8340811d51ba67d5e1b2c1a56aac53ac0751432dea5a448405c1c

SHA512
f421437818a9bb203558dadb654941e58cbac07b541c6e2b2e4394a9f98633aa6cf3c43dda02b05fd27aac351010095af2a4298a50d1f2eab1f4fe672d44ed4d

Download Submit
memory/468-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/468-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/468-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/468-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-723-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/512-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/760-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/760-237-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1020-625-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1020-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1020-6-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/1020-173-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1020-1-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/1752-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1752-720-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2156-248-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2156-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2156-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2156-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2188-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2188-701-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2280-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2280-22-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2280-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2544-284-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2544-158-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2544-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2796-699-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2796-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2796-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3124-315-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3144-206-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3144-327-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3192-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3192-299-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4004-726-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4004-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4184-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4184-300-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4460-725-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4460-328-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4516-700-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4516-262-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4544-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4544-119-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4544-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4544-111-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4544-105-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4572-724-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4572-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4652-152-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4652-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4652-143-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4652-149-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4652-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4680-696-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4832-80-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4832-102-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4832-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5084-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5084-303-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download