c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
Size

1.8MB
MD5

9257bcf53d15f3ec9a68bdc6654643f9
SHA1

f868624af82bf81f710f9c2c4068dd575700b576
SHA256

c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb
SHA512

f3449ae697d509beed34465f54ccc662ce9b6d539fe50f89f3d35884d0648a877a145eb37f08c26196d3bedf425566096ba5186055ebfd0a8c90c21fd26ab5e3
SSDEEP

49152:nM9QPdxwfE7WlFwKAfzuTiDFUFk7aB0zj0yjoB2:n1PdVQFwKZCFgjB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1256	alg.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
2676	elevation_service.exe
1836	elevation_service.exe
3136	maintenanceservice.exe
1028	msdtc.exe
364	OSE.EXE
4492	PerceptionSimulationService.exe
4112	perfhost.exe
2024	locator.exe
4180	SensorDataService.exe
3144	snmptrap.exe
4916	spectrum.exe
3264	ssh-agent.exe
2160	TieringEngineService.exe
2968	AgentService.exe
4936	vds.exe
1916	vssvc.exe
4892	wbengine.exe
3464	WmiApSrv.exe
1976	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\System32\vds.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\df01de5485ca13a2.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_lt.dll	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_vi.dll	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\goopdateres_id.dll	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\GoogleUpdateSetup.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\psmachine.dll	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3DC4.tmp\GoogleUpdate.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e8166ef098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053430e6df098da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b7fea6cf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb60ee6df098da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f09f46cf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b1de86cf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1cdf86cf098da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe
2060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4568	c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	2160	TieringEngineService.exe
Token: SeManageVolumePrivilege	2160	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2968	AgentService.exe
Token: SeBackupPrivilege	1916	vssvc.exe
Token: SeRestorePrivilege	1916	vssvc.exe
Token: SeAuditPrivilege	1916	vssvc.exe
Token: SeBackupPrivilege	4892	wbengine.exe
Token: SeRestorePrivilege	4892	wbengine.exe
Token: SeSecurityPrivilege	4892	wbengine.exe
Token: 33	1976	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1976	SearchIndexer.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	2060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1976 wrote to memory of 4172	1976	SearchIndexer.exe	SearchProtocolHost.exe
PID 1976 wrote to memory of 4172	1976	SearchIndexer.exe	SearchProtocolHost.exe
PID 1976 wrote to memory of 2080	1976	SearchIndexer.exe	SearchFilterHost.exe
PID 1976 wrote to memory of 2080	1976	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe
"C:\Users\Admin\AppData\Local\Temp\c087f72c68f1ae7fcef6fdf6c91ecd7c7b06d568a431b0bb71aac21ae978c8bb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:364

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2372

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2dae7399ef1fe1eaeb015d00753a0d86

SHA1
4a1857b55076eeb30305e027ee4bd5a5a26c767c

SHA256
2e6aab702660098b429b1f3439973614f0586b00fdb556a13a77da1f798c298b

SHA512
38bae7635442ee47622baac7d018a56967aea4284fc8382183123d4983fcd55d65243d568d885be07e9044c2a016eeccc512995f510ab182028ab961a8975a43

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
ac70d35eec531694abd46660b46ce4f5

SHA1
764a9e7db9bb1458b9cff0cfe7253f079fb8b826

SHA256
46b247b472e4ed3644f651409ab48dad7b6b87c4213e50caa1a02634210820a2

SHA512
9cd54f29ccd0c351a2e3d56551db60d7e2d5c7760878736497656b2b50e4cc693bf026c1dac44546c3d582965a01650910c2fffc3e1fcc1d22ace8422c21f2d8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b8c180f9e800daa1d6bf5210fed8e969

SHA1
7b27d20b8ad6c5b6f7275a31362b332f49516915

SHA256
42debfc6f6c968df9b0fed827d19fde68842724c1ed0fe503399321756639977

SHA512
1a199334aa674a6d2021d1617dafacdbc706cf60e6aa1162b71a8798d5e839982a5cdb376f85f060be13d3fdaa5f4ee749452de49b2167fadef9b10b22c33747

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f5f3658605be653e06e1143c84025545

SHA1
65c92226034fae945386d87377a18a2263abf9aa

SHA256
c7e6673a25084008b1395e470ca49fde9c39fe5bd64bc6f57747831e95dee876

SHA512
494784a474fdef21161981cceae3c0b618744f750847238d97ac7dcb752f8bcb902144b3beae55ed9a78cf518ce4b25ccd2e8b3ffb7c7046e53d5f997b7be153

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4d93c76ab69be3a93f5b394df4d80b8b

SHA1
8d8893140558f30fd36e63202329cfd275d23873

SHA256
8c3a578f7f6734425697ab6a0ca3c40b490fcb8dd197805652ed2242c67b9578

SHA512
65f28bf31918585de625ffdc5dd6dcf98499461a56e4cbe1a8135086bbbd36931d14507fda2b1d9508fd1caf7cee64425547576a56b79dceee171d166d2d839d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
9761f3d9bfbbbe57fd59131db2ad6731

SHA1
93fd7fb5ce5624074f9fe6fef45adc739270977f

SHA256
b6c30e03ff6bb0e4988da19b143d63eb4132574cb0fee5ef30a1f497e1f53a84

SHA512
5507acf36756a2f4ff27a27fae114216d75626bf4a6d2967ffd9f8582012edcc8aaf5c7e52c7484f1ceaa5b078c925569db73028bbb77c3dc71730dac25b872e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
19ded5763eb1df0ba050687de0e6729c

SHA1
6fc1e86afa8ecf20fc58f7787c7c7443a1df7cab

SHA256
fef14e63c57c921aaf285b62a15c2bb6275cabd83f2130166b0db58f6c272fb1

SHA512
60644a475db3dba0393c71db9ee516da5e50416cabbcca5a0f99cb4f5433f846611a87530ca3ee8967437f3bee878fca596f0dd961b966b0a0cad668095a7731

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
142b588cd88e9c4b21e497590ac77688

SHA1
47148256191dec47f4aec15186816be1eda1fa69

SHA256
c9ea3125884eddecb1d504fd5d43264f5dfd2230fc9d4f6436e25a2952c72cb6

SHA512
7e2a00c64d843218e1b99c49c159b8bce2f16d7276de66e565617e784ba02fefa43e0495ae468fd5dc10097b0ba3106a05daed9eaa6bdbfe2654b9c792f4b46b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
33219a3897fbd06d962b27b846bea4b4

SHA1
b33dcb7c4b6cd0ca9fd8666ef24e0989be6e8595

SHA256
842304aab5d03df97ee0e0e184d7c7dedcc551254236a7aae4055dad174c10f2

SHA512
47a6627dd40d1039d2145ce12d40951f9163590ca33ef7c0f0361121035924e45edf2893530166b5079c90720eea7c3da3316725feb5d7bd594cabcfbf7b7315

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7ac74dcb694673dca3bdf577f9983389

SHA1
d4b4ca75a7850ffcf286cd73b5f90e15377415a0

SHA256
fb306175b38c79ed0b8fc58ac73243687e20055cda7e52c78df2618f541030d2

SHA512
7b675965edb80266eb6285141a7e0f6e34bf4a4ae04dfeffba731627c8e28a4d73b3da2b00d2a9dfede88acbf4a1f82f70b754f8416cf6287af117dbe7148528

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a9670bdfa21389e42766e4e6adea01c6

SHA1
43196b8b885a7474b7c7d67ce5f6a38ebe97f0ba

SHA256
54de70f0ab98c6057fca061730813dcca3d10a164b5493df4cd12078609e9da1

SHA512
042324ebbb6873ec61ca355644d9f5af0ce5499116cbb2714d6fb605dd9766c0ecacfc5c4e77a1d386c2ae1cdd3c7e42aabd4a0e6acae331cb5c99dbde56f598

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2360466bf8f92607c1adee2a7f72271d

SHA1
1b67b206476e4f89168540127c47d7a09b4206b7

SHA256
9ec22a1504ef6e87cbc10092ef0187f8e1596deb7fe40bf2775f928c4c43c61f

SHA512
7f493501e1222f9bace5e80bc90bdff4eca320e093f30f76bb46627ca118a4efdf45f452e5078410b3a1d40599501f868330d0dd180e733379629fe608b68978

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
366fc347b411a4e34537e2a6406fbf77

SHA1
4774b70baf71a2b0fae0d87eda10272ae79fbbdb

SHA256
978f9c442d42401e5a2248fdfd622973d8dbdb0de59a338d6dc45c612a306518

SHA512
57403d8a46b64b409417acffb36a809a462409b1daa939b95d1c1f01f0108b0d06d7b24d3449338c2a090c1804bed7b7f8eb99600f34e7b8dd895e7063411b07

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d52cc60b9501a863307291333dcb99e6

SHA1
dd05713bec3621323b411448cffbd7588919a09b

SHA256
f213358df96af0cc6a98f755f0ae6074f649333355bd1bfc15328d6ab779229d

SHA512
99181c62aa7a07e7484844682fd120f3a5b86819b42311195f67c2d28d5051e52353cd9c1fc2a2842ac58821052c18694a95507a05039c008364ad00e9a2bb48

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
ebaf29146a4823fbe91d79863a227408

SHA1
56551f40699d1ad07aca0e8e32e2166d7f479cfc

SHA256
9b69e0b1be4aec315e513067fff27922981d1186f881d4a2717d3350fc190301

SHA512
cab2ee2273a5c55d1e5895f2b4bb9a247743b3162531bca382cb42f1a143d510f644b0bea61a5f6cf6139b5ebcb38f7981c7f732b25d37d8a51d7b0a074c087f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
48298181fd3427964336aac8b6482bf7

SHA1
6ce155fccaaa8f342e65070e5f8df5d3a9d08823

SHA256
ba26e2bc4746032d7ead6abd6b66373357af2dd9f6c00ab272823a4de775661d

SHA512
7a5293eeb3320348205c136fa7ab2bbcd1e05e70a4726ddfd0946c5978c8398a202603332fa3594ec6315e03786c07f53da4e3d825d0c742d3e0efdd8a88fde3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
af26444229c9b493a3084fa864cde568

SHA1
94853c1dd3aaa48a08be77798b602c9dcf29e321

SHA256
6adc28adf501d770e70f82425c482b0eb1292b241d0238face9379521bbfcf30

SHA512
828e3460d93fbe807bc2e80808cd97dd4e21bf0e8c9b81fb5ed58655f4e1ede4647368f89060a83a40ce48e2721c6655d5bc78185bb28371e0a30d349688bc7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
bafa3e2a8872b5e12921e351d63f43f3

SHA1
21edd43b6bc23d69d1f36e5cc53070837683e1a7

SHA256
37b379c3dfc9892aa055a3a53d36ea0b563d6ac9a9cf1ec67ccbef5bd4a581a1

SHA512
6ed79cb401d4935d04439fcc2445a90f87c67e6fb2f074d907516a2cfe2673abfcee7e714d8f06e8f120a7173ee39aed764f49dea64c0655d3f521fcc5334656

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
a540f6bf1675f27138af9e21d7669020

SHA1
45d9bd2cc515bc2f15ca3ad52a2d79234e293552

SHA256
65c95d042f86be0942d8fcb79fea5d8205889aaa2e9634743cb7484347edbea3

SHA512
9f3bdc07873e8639e3320d24661e6d50f131e654ad3c223fa93fac1914e2c25532b12c21e3051a765348e209e9ef6f33d6dec4b50bff60838d8782dfbca70bd6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
2d483be3b1db13c580ac082d77a97b0a

SHA1
a4f9dc09635aa6586d8599bb3755bcbace7c3ab1

SHA256
c457c973c3a00a95126454e5d19b0306173f5f5b775f53588db4ddd119bd774f

SHA512
37b18cf1fb1f4f1c304db35650ce89b786c347f72bcd2d5b729540f3e1ffb6c9e021442e100f858a5d1e898225fdcc7061051d4044b49efa2c9556997fc0bad2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
593bdaa3a2c9ceb3efd6b22c010f1e72

SHA1
b2d1761a715312c878c2363fbdf1a10b3032073a

SHA256
5772d68ceebd09cce22d11134c168d67a0ac72594fc2183153d442c93f36d9f1

SHA512
13aaf9f4a01eb7be88f2789fc8610ef34bed8444fbf76bd63d30cdb3b094eacd57e2c2786b8c440a991c5e39fd9b95e449d5b69a947b447c9a1efcf6b8a4a609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
75f38817dd7670160b576613a7ed9b5b

SHA1
68f52e4d4e8d20a7f17053c55e59ae37974d3b32

SHA256
1c22db06422c2552d49d983b1a51b8501468939bf35fd8775c02b70cab552e1d

SHA512
35e6f2dafe63c2bdafb1d038ede477a29dcfc7264d94fc23c24b0465aabda4ce97ddb3accdc4f06567f13fa9aef8b758add7363803f035ec0d4aa7a613817dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
fc68774f51eb62117e9aeb7fba831c83

SHA1
d6a91a89b0847f6c6b838ec18ed2c9c867df05f5

SHA256
f68ec12b4e6022df5d6e463ca286acf257a1dd7801abf1347613cdcb10b39252

SHA512
3063d83a97d8477fd474f978b740f1250b2bbc2651388e2dcf5481c0121fcb2f5e759dd1c42543a4e80869e7618dd554995124b003eef4a6e1ebcb285ad5b067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
eef846ea4642d0345e10ccdf4ae2fd21

SHA1
249fcb2c16c0d802c5d6541a936c5817268bf9f2

SHA256
35c1cb075a3e6ec353d1ac1288b2eed6efe99a5faefdedefa2af2cd44f8ce4c2

SHA512
bc9c76488d1b41ce18d1f027c2e64e9493b7280926ea8cb88c49f9e176d6f990da265fe9b286c9fa99886c3fec19c8853b2c4d283b96448057b703ae51a9fd5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
1b4501fdb90a8739aa802a33a7d71e70

SHA1
ee834aa9034fb1af1ae5957daf117b520899e348

SHA256
81875a29969a9406d720a9d84a99c57241159fb3858b3e2d6cf20034940e242a

SHA512
892880de114c9296abd271b70134fa556cfc6e622de314d734f3f4ee46bdc0a6464f960780676e9b939341eff850bdb30cfdbaf91364b980c5748a0cfe8042a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
de1cc7c5993931aa566080781a76c065

SHA1
f5b7fd7c2602b93cec9bdf54752e8fafdb1c65c5

SHA256
22faae9b67cc5d41adb4d3d977d811a6f2c6413cce67c26f389e7ea93f52f5ed

SHA512
b428779a697bafef2110923de652b152d7960ea818410ed141b47ed0a8903fa7c80a655e98487629dee945a4b3257fcdb1c8ffd213a8f60465fb717f3c83d722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
04e71b50102d576d7db5862e50d87601

SHA1
c51b3faf3d16764e29cee26eab981fea28b0a4fb

SHA256
ad140b15821c4b2127297656b1ad39865b64c1ba3867a2a09465468dd2c239cd

SHA512
ba12438f271c00e6c6a2016eaccddf9749730d6c92a326a2059e5abf70432c965f89249cd087a89847ce3917f621a6191e717b8df1638497a6063758b4111eb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
20177d27df7b09e94508deca788089e4

SHA1
ec07d2c9da9fb4806092bea88d561c8872702de7

SHA256
a850eba81ca7391dd846b53f2121a09d40d04ebd76f2d13edd9cfea16260ff24

SHA512
43cbfb1a7cbaa81444e8f92d564913638a0eaea6321ec3154fbe482da27675cf6022b4424358c39a57bd306871e7b9b1d474bf66d3f8c9fa02eef9cfc96f42c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
4f188b275bfb079212f6793fcce8add9

SHA1
fae33965d41a72085309d81e5b513caca61207b3

SHA256
da00486f564037971273c3a69720b5b99eb26a44787a93847a63068e2bafd062

SHA512
c44d6107f4bee12f0ad6bd73cb54411e1a14c7cd9ba880cca44ada28046b71be532ac1b7b167197ec5952117e7eebec81ca20d81ea0108064559761effb65b38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
62e4b68e482bc9c89f3c9bc2e9ef2a4c

SHA1
6f97ffb19f0ba9e061fcf5d323b3292fbaf2bdc6

SHA256
db84604b53e5fec579d28715c17b38b41826f5b5b8f19cfc5c77d47a9a608867

SHA512
8e0fe5c28a65f41dbdceff5fec7655a7d96ccb47de2b6c391cebb9efdc535b9e2f7b6168b4dfe9c7519543fdb3cb1ecb0cf15d455dce577035beb0447007cc5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
4cda68d6909d56cd68745ade6bdf2b78

SHA1
d06c196a5d0d7ba98ebee0a537411c5998886033

SHA256
d1323cc4d58544ce84f5ae177a315cc27b374a0e54cccf2e0fa9da6c2eb6dd7b

SHA512
ce34619b839985ddf20cc1b71aa0a1325885f85d9a2b3399fd8d240f22ed86994d9a28d868088728ae17f8500426a40a327fb4f2666e8b1c1ccdce9fc0b0fab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
72568d1e2f04f3c52399d062bec7932d

SHA1
f1a6303959748f4fde66718e6f5b4007e42fa04d

SHA256
f63e495d566d1d666047e263a5a116a7b299e54bc0ed7eb7b22d7e0cab903b09

SHA512
8f885c47e75bbf83faff03d65aecaaf2e50c55875d6854b72c958528a6e2cb8e85ce020c4278f915ce951f7d3d0c1d618baa2610bafbf59efc3d64ad990dc7ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
98458d0d51243a65d576fa1714292918

SHA1
3a43c89fc8fb1eeb067959a07eb2e596c79003cb

SHA256
3171652cfda19a75f6db17b32ef3a1e1f76bcaf6f5625c3a5ef49e21122164c2

SHA512
f5eb0f8396cefdb0a3dc1a809b686d07a81b11a71b8fcc9fabe0e5691ff11c07a6bbfed073ddee7bc8e393f214b53af88a5ffd32e732f8a20ec581de593afdfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e283beefbc826d2e3f1abd42b1dab774

SHA1
b6e766ad4f8535ae0667e3f1f9ae85bc145f5462

SHA256
b768b57482ac902759ad19549c609718d471f721185c299ca7993572ff900c3d

SHA512
3e8feb63adf74318e3d9b6defed61a71bc28c6f8794c65f5bafbc88baed63cbbbc389d46f5c63e7702f930d0323fee211790707573536f7145060f2fab023a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
326fe168028191b74b85cee3da0ddf11

SHA1
36710be819a58384a5080e00c162c49dd0263692

SHA256
733313965cd948bba33e587bc2c76b32481fc3d25fa70c2dd69ad650e59a4a5e

SHA512
6948d0a80961d0cd1b4c48001d27f575e835c9272d0d80166a0d3aa295906ae4234aa9b28fe6393df1539c387bc49345ccbb95c7b41a07e383aac44e28d4a7fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
4013cd8b33cca0e9e8198cd28e443282

SHA1
731c306a55f4198d64eeaf820bd527650b21f31b

SHA256
701c340a6dcbc520003300ac75611fa80a093fa17830305e272cdc3d6bc39bee

SHA512
0b8fc17898eb33e1e4b858da2ecceec93ecdcc6b2dd0c4f514b03e2fdf73b13536de970e6b9d0a5df274d4b9cd448c441970293cb9708d3e7c5fe133b107d79d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
d9623b36f235d65214ffcba75f076e52

SHA1
de2bd699b96854f6f75223f6ed1952880db9defd

SHA256
b3da6c9cf5d9e63fc2a70c08fa724ad74f3294b3209876444cc9b77e7a6a19c8

SHA512
292bceb967c6d7f7e503dc5c52873401a963472cb49093db808045f72bc3cf603794a9c97cb281e3e55092da46ff598d7070a44b68cc41e295ee8e8f1d40239a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0f0ed558800ae6bdfcf6243fbd0e4ce5

SHA1
bf72ede204724630097289aa29e51acd33b4efec

SHA256
962e1e3ea2db14564477a83c27d339af5dc1fd74c3ac1ce20bc841c38052cee1

SHA512
cae0ed4ca084970b7e0fc730bc76435c98c724b47c7078384647c944560e07ae07f71a8d83ad0f841de181c01a0b419a96bc2c70d9bffcbed8f234083a3779bc

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
e53d66b4db550e1750e11b693f1e1110

SHA1
cd1812345d9670949fc20435baca10a32583003d

SHA256
a49cdcf3da26f5eb924d0a1de410dca0f14ccfe92ae9d153df57888c60c928ef

SHA512
623d9797098f140ae0abccfe1e113a46ab0ca1622f059bacf12570ad5add13d4f9979735b5c7efc0dea48e20a5e2f3b75e21e39570f27a4d5786d9a4a02ba655

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
a0cf626c53014f3f4a55a8f987f733cf

SHA1
9002ceef1f94deda105f42c77a760670c1f63b67

SHA256
635b57a62c31315cd27430aef4d349f768ecd63d8057ec6c5b0b6fd34fd22c54

SHA512
db4a5632f58b14e2bff4a470ed43b6743fd450c9d6a499ee4ccd1d2fdd860754c2fb56f3c61d536581f07eb2ca54ab88f3b0634e6ec208162c87c1b77580d9bc

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
906824e03642ce045e771c2d5691334d

SHA1
a93c56cce4037b831095765de5539c4bcd6fbc03

SHA256
d4c6a960fb511c5fffbea3ae20ddb3181c43a2677dcc6d0b9bf9a5d32e62b099

SHA512
8f048e4cf5ad036ebc217ced52321e7145738c8e2e7ca49306df43148a4b58d769694557f3d2e5b167fe75dfb9db86cffc90fee8da430fc699578076486d552d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
96bc433daea69153efa225bfe601b8ef

SHA1
7d4f26d2473950a96e66daa61738199f30923d66

SHA256
0afa43e1a7b04cd79fab7b64fb1bf37d90e59fcc34d9e6f032fd7799a140809e

SHA512
3ff2dff9cf3d92ab0d775e2a5b980c844c91bf12464d6b7cf1c710fef350d8228af311e3055d0c2c39db6ce95b9e346517ff39b3e21bc0b5f1e960031221d54e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4b3176cc4ed5361aab5249f17f7fd667

SHA1
6edd5cb5fcb0e1e9c992745c78f4dfaddfb68d53

SHA256
5ebecc59bb0bf5619da3e93de35a3015a506e5615b31ba2d7f5884f0a3316296

SHA512
9089a0ecc0758f6404a5b409fef175c599fdc7d2c8464a9df973e497dd6e23034be31980f9770b42768d5648e3431cfb3dcdea8d421fa4c0888ec71bd85bd1ce

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1547cf7d5b53d36942c530d211ec70a9

SHA1
d5fd5538e5dde397fba44975d15caf55ac92ad96

SHA256
840e1791e892b5e08a264c2192057825e5680282f7dfb128054e13127df69469

SHA512
8c755bcf9a983ac10fc88810c1c6aa9ff811355fb55341468863e9c34bdcc11d86593561a814fdb18dd27ba272c2948d311b61d089d469f089ff916fcef217fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1cd5ad1da14bfc8e06d8cac3a315b1c7

SHA1
a0e14b907a5b962850e1052bdf88edc1ed968ed1

SHA256
f013f7d489f4319db97bb987f32443abe3392da15b586bc7ae1352ab215a14b0

SHA512
5efbfbb559122e35d4b0a1efe0436223c0f94e9cd884aa3f9d6cf2595795a2639f2aa9b00b78944db0fe566cc62510e5896ccc1424d3370604eebdb025f7cb4a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ea87f2f0e15f977cf026b3e0a92e21c2

SHA1
c4666772e72784f769276d7becd40554d9c9ce65

SHA256
5ee7bfb135197334744d1e4226fb831ae3d2a366a4612f5f5e2a335cc943faa9

SHA512
310bc32d911e66c5ffd9b111eb8510c071907cd8ee040a53bd51ddc6cf4a7d6e138e41b07025289eacbca6a1ba2c3d483b7717b3e19c0e7bed66febcb10f9067

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
379a4c743200675933ce2f542f647ae1

SHA1
875c5169a0a6a92950f2a14127c31f9a6cbfb11e

SHA256
e3590648f9deeecd8382bae68d9f8c17dee44c0ca7cce31e96f8ab501c48b6ef

SHA512
3fd474791cdb7afaa5355fd4c95f30093b7e7362c3c905bbf453e6dd9c3aedb13c5d353f0e4b2f37e47dd979fb8040c6d541f1d12c64b2245cdc5ea4fae0eb7a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fa78d2ae5aa67112bb3a6dceffbb0086

SHA1
161540f6570d58909440c81eaf1c9a482d622bf8

SHA256
08c05463f6c08bbb83f1ca7d226ad2f39885f50e81c88531be28fa1a8472919e

SHA512
5ccc71f095ab3610b6d02c69b1b2192eb6f4db24bc71e8e7137ca0064f14a06804b7c9ac175e87d1943da91ce0b34efc647ff705a76e2f5f514df77d73457d4a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1510c772642b1229f4029b68a6f06576

SHA1
7356ae51916a34eb09bcbce231bc3b5e5625121b

SHA256
c108cb331e887f422792e7c340232244b7f6d5861711272becb19d6862e15442

SHA512
9be88a88363c26e2bc67f494e8d7de8e9049d6c28c76fc8dbb77b23596358119a820528f8066f9fba7555177f432cddc84423c45ee8e60b7c22edf7da78f40aa

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1d6ffaeb2d07e3a51b2760b95cbd3713

SHA1
621bca820aa009001bed4e780c7f76693c9e7bc5

SHA256
e62001e9b2bd3ae7e040abc674cb8618758fd2f39199e69275e21729dd7d76f7

SHA512
1bb7ff56d4e88e1550c1f496cd54f8c925bbc80e6d6069fde1d822d7f2a3360e2bb250510ebf79926541907fce3d016b22da2b454cdb398abcbed148940dfd11

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
95f7987c13fdc268af8a8be38d2234a2

SHA1
666b46fc802fcd34c0342e0e2676703813bdedfe

SHA256
367cb7996bdd0379bc7b48ce76617bb9bc90a4b59d4ead4ee9d5ad31f5e7e196

SHA512
a0172fe066e58f42287625ba48d798cf4c31a7d3fa3f82c094151488632ad20e7c8bdd2fd4e60ceafa5d160cb8f9e1952407f55bc2889eafa8f90662380c6b41

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
1e3420645bba45851e15aa7fdd0ac009

SHA1
fc71c27929100fc1d4694986059e6f7618573343

SHA256
bd280e604072aeb78f31818a98747237814d5381f823f1eb959b500f49840d4d

SHA512
f3c3e3ce947a42cc662eabf99dfdc994e96bc7db0c5a6420814de75a8081eb0fdc7ed465cb197f3c99cf8883875a595c8e1e26e81096643769cf5ee75e6bfb2e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
66f59586db430c6b5fda844ac641fb51

SHA1
7688ae18b8f486ac416f073be01346ed8195457e

SHA256
51381c36199d4cc8278fc7d90e5e5540b2416bcdd7202c4e0912e8346274ee0c

SHA512
c87a907c199bdd5edea13a0a3ba37d79e8d00cc9d21754be071511ef7c5ffa28d9563bd71e1a81d66b9743180a755902de6c6e678bd3c0bcbabb5ca2bbef0cb8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
4e517c569777b5d9bdae14f381eee99c

SHA1
aab6bb5ddb081566f5843f685b6e06c438da8586

SHA256
e745d9b25b984b897530e702ab7892559e9ed1e67f41e2159a009d72072009d0

SHA512
2221ca4f080cf0e8e3bbbeb438f6abf716620a4d9299de532c82398504cc12bf93cb7990993d6371498a012ae18e25144c2279a092121f84bb1a6def02a929de

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9e26ddf1a11ef24361779d885a1ed8da

SHA1
e86e007e6a076a2f7d988bb9cf614ef19ab52ef8

SHA256
4632c6105d692d8cfab3658bfebcdbbbed3298f6a865db56f4ce36498bda9bac

SHA512
91d9812b7a17c48d1bfeff54b8b0741046862061e22d685f29ef08a1ae4ea14fcfd79fd18cb7cf97240acb6961aafd0a99624d98afd7f29cddedd3188429f2b3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
1510b26c88f5a2502d3af78e6746ded7

SHA1
efcd8c26f452ee48e502bce3eb2bd782c0599e9b

SHA256
60dbbb4ea1b106828addd57f3089d7c82e2fae997e71246b7658400b11674339

SHA512
7b891909c5f19a1c744de0c534b5172b1b6c5da784a0f5d04fbeadcefb48983b843ceb8aa16f44423aa523fbd61d24b6e1ca490a69c996d9e6222a83be0f0fe9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9aa8289116ce860ed5918bd19394aba8

SHA1
ebc51191cb97964bf3fb78892fff716b1fd4d4a4

SHA256
1386dfec82f50ce9e1a2f3f6f763a8df25e83060718484b087425f501f6476ad

SHA512
0a73997d205cd0946b0c680e9dea4c693708813c169d5d46fedf5583aa4d6e402d2f3fd65819da09375a10f22ceb131d1cb38dda31e22f707b7433f2821d007b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
beca525ac83e3024276c31d469e2c699

SHA1
adaf4f40a6c5175446d148fc5f81351548da2070

SHA256
afdd23f37049b7e43b7aafc1fe1debc83c71d9267bd73886de17afb7a4cfe2e2

SHA512
6d28dbec99073beae527e23647eb51f362755a644538f264b8a5a6b6c66872859f25da5dd99c5031c5a3d88769d473ec513b13b9ccfb3059652355611796f320

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
5c55e1c7669f17313741c2d65e64193d

SHA1
604d5f43ea0f19557ee0e87452ffb615b1f3ffd3

SHA256
99b802cc342eb13da1403df396014fbadfda5ef5c1722f94713efe3f2c1d6f77

SHA512
05ec1cd7da6f28fcbfae223dd1a18d0c8da477846adc155ff2a57488831624601642fd986e578665a1ed13d23555a11801cbff48bfd8d83fe208a2de5e6416e3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
6333329338fd745b60e5e7747ca234cb

SHA1
0301c9db9a193b2e94802653bebd8affbcce0c17

SHA256
32106556ce37c979494c65c934f56c47198ac8cf1a0d468a5f32aeb75a155792

SHA512
67b9e42867584a7539a0e9b666f0c8502c18647c859a7045e3b61e75f633b7448008ce9721a07ceac2356f854c0b57e8d7afec73b2027000ea7d8fd8e69d2957

Download Submit
memory/364-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1028-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1028-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1028-158-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1256-183-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1256-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1256-18-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1256-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1836-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1836-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1836-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1836-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1916-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1916-896-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1976-332-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1976-901-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2024-318-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2024-199-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2060-94-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2060-196-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2060-100-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2060-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2160-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2160-894-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2676-121-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2676-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2676-115-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2676-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2728-105-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2728-128-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2728-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-111-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2728-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2968-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2968-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-148-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3136-152-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3136-142-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3136-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3136-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3144-500-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3144-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3264-893-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3264-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3464-900-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3464-319-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4112-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4180-890-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4492-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4492-295-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4568-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4568-156-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4568-579-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4568-6-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4568-8-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4568-1-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4892-899-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4892-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4916-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4916-892-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4936-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-895-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download