84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
Size

1.8MB
MD5

4dc799d4d6432f24ef2d5ad6663c6009
SHA1

fe5fc88894e999ebc69075de8d02283599cfc27c
SHA256

84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db
SHA512

a54567d3129f2a11907edf69dceb79bc7479b0adda6c87e8a477c2785c8a66d431f2685bbc4ed36fb030c4fd74d30fa41268715fabae6744ac87c02d13a25835
SSDEEP

49152:Ax5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAi/snji6attJM:AvbjVkjjCAzJ7EnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3108	alg.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1560	fxssvc.exe
2880	elevation_service.exe
1292	elevation_service.exe
4412	maintenanceservice.exe
2860	msdtc.exe
1280	OSE.EXE
764	PerceptionSimulationService.exe
4052	perfhost.exe
3256	locator.exe
3552	SensorDataService.exe
4616	snmptrap.exe
2576	spectrum.exe
3580	ssh-agent.exe
4664	TieringEngineService.exe
4180	AgentService.exe
1180	vds.exe
4532	vssvc.exe
4444	wbengine.exe
5104	WmiApSrv.exe
4952	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\vssvc.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\System32\alg.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\dllhost.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\msiexec.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e7eb837385ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\AgentService.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\wbengine.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\locator.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM372D.tmp\goopdateres_vi.dll	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM372D.tmp\GoogleUpdate.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM372D.tmp\psmachine.dll	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM372D.tmp\goopdateres_mr.dll	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad77523368a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003928633368a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005494323468a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d789843368a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7b24d3368a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ece3213468a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad77523368a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040d8733368a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d136d33368a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe
1752	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4848	84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
Token: SeAuditPrivilege	1560	fxssvc.exe
Token: SeRestorePrivilege	4664	TieringEngineService.exe
Token: SeManageVolumePrivilege	4664	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4180	AgentService.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	4444	wbengine.exe
Token: SeRestorePrivilege	4444	wbengine.exe
Token: SeSecurityPrivilege	4444	wbengine.exe
Token: 33	4952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	1752	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2672	4952	SearchIndexer.exe	110
PID 4952 wrote to memory of 2672	4952	SearchIndexer.exe	110
PID 4952 wrote to memory of 4316	4952	SearchIndexer.exe	111
PID 4952 wrote to memory of 4316	4952	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe
"C:\Users\Admin\AppData\Local\Temp\84d2b0ab49bb2657b46fb1d6c996d5fac5cda8a52dd0f680f7f855a50a7a77db.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1292

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2672
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
75362393890b3eec8e7c0f335e683969

SHA1
8e2ab666feb6ce2e7c01916e715d82f5ef107137

SHA256
72a9dba9219727b960a44ef6c003d4ed30dd4726791c178efab4f7816d33cc8c

SHA512
63db6c26e23d579f1213f2acc589b98d92bad9f33a4b9728a0500cd9ede298f98c0c0840b299e89f4f019a8fdff71d6aa4eed3ff5ae94f4251312025c6c9a383

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
736edc25691a9ae924a7515a733d7d47

SHA1
8d566c180130fb47e5db732079d11c7f05d86a5c

SHA256
48e801b986388ba8ee18a8f1751ef3ec6800f55661930fceb7c72b8feee6eeec

SHA512
8e8168c496473b91240ff579514887a79917951d771fabdf26434ae9fc4e5acfbb8f04421a98456748013d0f85a0f4f8ff6a024dcd272801fdd9fd0ef4c061ed

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
55f6ddf9403310ff5574b692fc19f3c5

SHA1
4e1912c5befee3c3918671b5df258e07d70a2cf4

SHA256
08c4160a3dc3e9045e3139da791ee92551bf7db0d4d93533d285d120f0da4018

SHA512
7610f59ae6eecdaf689869659d84c219bb5f918331a81dd94d57b14c3542fd8af267ad9ac7c7ed74229c7fcbcdb7d7f1f2b459847469310947fbe87599ad634a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59dd680d21f3d14e4f9ac14e8268a76f

SHA1
60dce9745bf62d57d2b2e01ddfda936d441384f5

SHA256
46159ddb2e5011f1f44b887327e5db50e5827f908f4a13f775d033b25fbdca4b

SHA512
f76f813e0940b9d8113f79bc0e156ac46cd8e432e5af9cc988a7c1c7a69a98c69777d4c88915070767e733dfe4aee9fa0eebc1a7f95480ffe67f36897b941c93

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eaaf84f2acb934cb12d6cbd5f08fc9c9

SHA1
0b6e6836afde9af6973b91d93cc4188be5fb8257

SHA256
c38404bed0a4a68e88c3afe58962dbeff1e311bfaa1d2c0264515622cd8d9432

SHA512
eb15d39bcc26844258145778d10ce8c655c4b2bf4f57e56079d839deb7361de7caf6e94a85f15bfb1ea9adfc4bd4ee50f4801cbcbf406ca73c590af041df537d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b0481388ad50e5a4f63870c4b109903a

SHA1
bf0aae4d509eee142fe8fdcc369c8e982c0c5a19

SHA256
069f978252d2b4ec31dead3a442a8df67df5ce9fd8dddc05124ed0382618ca98

SHA512
98c442279a57e6284770f84826c0f1eb13779ac05de5eb5c57a6159f72824cd3b6e2e4831b4a03a9c0f9b84248f6f7aa954af2c90f2df790d2572d52ded5205d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3e7458527931e0f0739df98958eb1083

SHA1
51ab9a57bf728bcd5675b607999e2d8ec970cc5f

SHA256
598d0ed1cbc909d4aa3919cf6931d6510e09c16cb03b931fd18ba371f5c1e45c

SHA512
010bbed40f71f966500429b1b57ddb55b231d3e1297d9e323e62383fcd8e7b066cd2f468d880f9d12bf2c2ae3ff5a0def353e06fc64f3492153941d0ef58b67f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
db981c1559aae2765d984c76a62d17de

SHA1
ec71568e4274633197df45aade20ff62531a23f3

SHA256
3150d429c70f158fa336373f17e217eb5da5d8237d835c07fb038cd6cb42bc71

SHA512
814835c417d82b0bb09734d460d85aae4d3c0b7acb63040a90adf72a5f1a2bbf952cc5d8f340a2d91a4a5e9c829b6fe24c4b0e270439434b38e52de8af5bf2b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
14a844a5fd71ca871b2a78d9ccc2039b

SHA1
8b497d2481f9d0532d723fc4f0492015577e1d52

SHA256
066be3608fcd881f71b6f0ce5e85e09f4c37168c5edb220f523b2aa96a287e29

SHA512
11d80c34c59fe5b6299f6db7ae3e091ed2417620141dd32ea40246da78c2c38aa17c1c915ece6c159f61c00b5c30b489741947a6512a5391d2bc3c729aa296d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
33d01e099332398ae9c5ce9a7cb79282

SHA1
87967717aa3f20fa3c3136f33f2c5d4088fb5f71

SHA256
f0f808bc487aff3697de77e3c674d1d7cbdec0c76133a45919a778c2c81a5936

SHA512
76be573377bf232cb633b026dfa311b0224da1ba11053a9e186d75c815f2a48db07779f24b9148d15c6e4af48a7623b4273207639efe91e93bb26ce0691341dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b19e00d05f51ed9a1154aa2967764066

SHA1
c8e7720d04fe7ea1846a208bf481785ccdc64fe2

SHA256
942065739fe6ac8b29ef1000cd7236d8d776d3a532939e61f38c390e991f48a5

SHA512
f3ac3880b7724fc9bf1cf55ab031b98b98c3a20b98e4eb7d45f68aee350a8bab299c315d4bdd6088da88693349d89067f592bf487a5e3d5abf186e2f29616c90

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a3d81b39917eaf82a4bf44dec084fd3e

SHA1
2805401359c19e3f63069ee80f6762eaf79ad894

SHA256
30008b10d3d77542c289d439a3e3a9ce1767cc8d4a9758f380ce498ac40ab109

SHA512
5ce94c5a2e6dbb5c9e767dd4c624df0f7c6511a0f1a369510cc7b6c51587f3acfa8d8c5bc4b365e6a85f9f380ea6f4a35abe189560eb59c8d5a6a310f21592bd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fd668ca1d4407b032e4522a8210bc6d4

SHA1
99ab4e54cb80e21ca31ebf2f87b00c5f12bc0523

SHA256
9ddc7bc0356309cc4c28505088346a316aea5b30b0061c3c2b7169fef48b6be0

SHA512
e7cf5c29e12c538960957fe453751470276ec1fcf59853f84db857e4b9f1eb41af7cd2634e2a441727eb5234a3fd2224ae1ec5cb18c5e602fd62254a27d8b94b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
db003ce79a737f0f887d638559cd2551

SHA1
fa6ea2dec5560ab631a4d185cdb038e0bd66f9ed

SHA256
ed75582637f3ef277f42924f77c85982442fc57846f39b01eb1e49f413742e89

SHA512
fb120ee0cac5e24efc5f03684118e4d70b23498de78910170639b4b1bf9fa587d57f4e7960061e19bde51dd4b0a793951e80d3afed05e51acea6df93fa915a2b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
88e9f80343f485151d094eaa1e240635

SHA1
9fdf9588e427433ccccd78f9305ccbac79d3d916

SHA256
ff2dccd2853616fb474bbe118009eedf43ff9fbf15ed47af49a3f2c1f4ccab87

SHA512
6699ebc16d05504620a2a8f6554fecfc1f57b2a45981b8f23ae266effb3b2388ce4dd8a298c441434d8f5737eb64cc8158cbbcf38d561619ec0cceb0954d30dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
2ac14b90a100c7f14ed268e7be8feb4a

SHA1
cce240abdce74c476746d82f92614e9d2f73e97b

SHA256
31f798d8740a5ce79e6cd5fca0323cab4ab38ed142f1221e3fc9c2768f7a0b3a

SHA512
b7465c0329451194c8fef364e3f63e31a3c3115ac58280b084c06e452ec4cabb2dadf2ba638871468077df7e1426c4b00a971e10c3ab59e55d74f8ef274aa10d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
28b3a83e5f1c4913a8e5b738d7eafb42

SHA1
da05c0175fafa5aec0325be7ec25566c00840331

SHA256
eabc1b27e8015e85c6c71c231ead549f633d14c76d5b570001225d4183f11eb0

SHA512
87ba6437aa16308fc7e9358d70b03073c5810daf81f3bfaceef50e325cae92175d88b2e5293ae94cd569f1094e38d340c37c519d1ae3ba924d65552b41a84f6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
de2c19a67ec0241c9023379b405a69f1

SHA1
fd8cde33ac29064e8ef80647818e31ea2be48267

SHA256
e247dff122a548a28d33e51932e786f649f544b4740f9ba8010ce2e5d48571c2

SHA512
12d2e6753091c9450bb7c1a22a068c596ef8571267acfcc39e98be1e4116521ea0567ef84bdeb984530fd860f95251b37b95678b04ed22a3b0755180e30afacd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
77396f421a7f7925c3dfa6126e2e6f2b

SHA1
c6c4525ce9eb089224dfa096a604503ae10ce7ba

SHA256
7dc533f86da59447180684af80ce8da4fe8b93336c0e46bcab2b203dff1fe5b1

SHA512
6a115a777d3883ffc18b8edd79c3e6d9f2718786301382551a859f71e121515c49723969ab7fdcb4c5fe8fd54cfe9978446ceaa7526ce255a8af2fd8ee55378a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7d191591fad0150fa891aae692c6af8c

SHA1
05212f422f6b7e45fb35394d7b2462f45a500516

SHA256
d75a4e8dd012682b51226cea38afcfe6b53f342dfaa37025c270ef58ca66a2a1

SHA512
48f5492c8951a632f7f7c1f445e566a6dd497d28439dbc21b2507fb1c2a8bc11cb45a699a663584dd9ebbaf2977f1d860bbcb0ee0ea53a5eed67d9ebb88819e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a8c06a51058f658265410b34f123e80f

SHA1
ee128cde2d11fdb63e3caa47bd50d31ed6770756

SHA256
0cf4838ed0d5cbfd88943332e2d05397f17bed93c5c31b19b949c7c9ac74d4dd

SHA512
e1707de077a51a5aa471840c1fcfe028ede8dd7504b4f18268d7617ce0aa7b67e84c3b170ff8c1ac2f1773710f7d06da840c36e59b935f4caff20ccb0f212d66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e95efcff3e7ae194bd0dcb0bff062802

SHA1
f49340a7dd70600e76e5296871c608b54304fadd

SHA256
5d485d82c207faa4e26a521ef29e5280377b1b8a23c421c140566c853e19de59

SHA512
4e9c1ae1d2bbdccd6a2f8bd386d017f23b9c55f94516a1fe577846d8f554e8b5c43fe2b9cdd70dce40cfe3c394287d5f6a5d263e14871b76cc30efe301d338ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
944cd0a9b290f51f1494707c49ca0d05

SHA1
3cc8c6d6c20447ce5e9bdeb9bb8c04796d793233

SHA256
bbeaa265dbb244565d42b332fa0d9d79b26db326f534c2fcd564874d24303d9a

SHA512
beedf0fd3502fe964fb587fbb04e5ce0f93dd551f03dc31715bd1ca21b5a6937a4795d6bd82d6d4a39baeaade67f3d8ff3b2e0f2cb3c90e9e3464e7067bd6fe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
95941b9798d85b112470c2c0f08cfe94

SHA1
5e6d24e5eda137839b732a45c36614c178bf9216

SHA256
3955e6285df05c45fd6a36f65388e2f532fd5764cbd972db3d12c195ac61410e

SHA512
70913323524866877186c4635a9e380818b96cfe866d2eb8c31cfa05b7363e52a5fef5edb608e4374f9378154c89a205f44a3e64d932f282c9ba9af343368591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a5013dc8f7696db7c242f001dc5fe706

SHA1
4fc6d345d9b6bffd02f2dad73014855ca5dcd8e6

SHA256
401a23647854bbcac14aa257dd1d3fba5cd4021faa9666d2e541e89ea1d3fb1b

SHA512
ea4e949881e33d944e4b5c46071752e95cd48f5e4784cb5f2ada4973d37c71e0fe68a7785a3715757e8beab53916e051f8e34b6d2d0cea2f9d25cb13de4dcfe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f13926c4cbc7a0d5e82cd07d3c8c106b

SHA1
0393e52bf484af5dffd001fce64f5be35389cf21

SHA256
bcc60c2d2ea0a9732b51fcacb934b07e1f911bf6836d812b438dbde9ee013fa5

SHA512
7d3981edc76c14086e78f0cfe265fe1c200815817120b93bef8aaf1cb292c70a7bf3d7ed696f61c362534acb27e48a717b0443f40cf72dff4a3ddfdab18ddd5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1e96ebb9770277145bd2e30a85b664f8

SHA1
1a21fb39332aee35bf68f9b865a6d128e937028f

SHA256
2a06c70b4bf4fe717593eb43d029619e726e912ee24effca54d01f73b83d767d

SHA512
172c5740a3e2a7a6b4b5ee8b79f7fb9ee5e36678fd1f7045225b9dace4bfd611627a628b53ce3fb8a8c64b1e4726e51e2d5adfaf6a186f94bb07d4c0b95a1782

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f000e69b3fbd1f40b2cbe09fc9ab4bc4

SHA1
8f295228d0752d6270475b66d2c98902beb58a25

SHA256
bdb3e710811760349fc58a550f807c5705a296c379e47f0fbe1b0982d32d6b98

SHA512
5feb1977d89bee8f6af3c66857279db95328ac3a6b68b5f9f9bf38bf17df02f07e12ac84ec6299badeb999dee2a15668a7f99950fb1016856d9959c5da052d8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e32fc935bfd104c991ff198831454afa

SHA1
5b6f11eaf3799bce465105887b6a9d31e83d9e84

SHA256
967e24407c0f7f07b8e8e513e89756d0165243322bb209afff9f2ea49da36947

SHA512
d0122d83f556112d717cbd1afc582fdad8aefe56e5a4e53e99b55e59193c43ee9f1ae4af684b4900ebd69973aabb40f0ca1f4715970466229f4d30972694a9ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
672e54759175fb743305cce6b127963c

SHA1
10d009f106fa758bc00b2ad9e213c6234ad8529e

SHA256
e45b60ae0a3b741c1899a8830fb33424ae8b060018e578e4a0e7d86d0859b9f3

SHA512
b683624872b10fef662b4bc8c43382df2dedd71b489c349824a4e445703b001e416793c9e03335d1ed9671bf006b9fbcc6e788806ec7dedd103e479ee399da20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2bac82fc9047570d9c9b7a0b53c4be20

SHA1
527be0f16df3d3b0992a443b586ae7168d860bfd

SHA256
1044cfaae56a7c82828493afdbe68a4dac8b671ae98c0ceb17430f7e3e951724

SHA512
bec24152f554e376dfe4615df2f103ae093422f85abae956415e53e7b6170e990c3b5d7d9511ca58c0a017ad57abae86371a5265997b9816ef9a8b418dc711fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
86e383c88ea430f758594bd2df206926

SHA1
20367fc2fa1312f2a6b14c38747a1bf697f841e8

SHA256
a53b70927c073920aebe1fa8311a36083cd7b163ef78763872165ad82042bfcb

SHA512
4675f21b13274193d378db1991dcbfab6c9471a8d0ac90915f4ed40c972f48c80f4538399333dbad7c319bae2e42dc6ee497909554025b1c0b08236283950893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dd316a8388ea0ff5da4e03f246605400

SHA1
dc60902f81444cd1968f55dfda24b344c84921bf

SHA256
4ff887bfd3e9497108eb0a54abc4e559f6b20a96a7816c2ff6cc25a6916a26bd

SHA512
3f5352dd6e3ed0bff741ba29aac16171c7e4394f36ee79fa0dd100342010807faae57488846a35c6cd0b95ca80e5226527c2662da253cac842115c568e77a387

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f59e05aaf63ca3b5b0ab4dfad1fdc55b

SHA1
a28bf78d0808c37509ae7de994c9252d7aa75ef3

SHA256
3a3fda5c0455f5f9fb0c73a05d3e2d889eca5a4c6463ea06158e7f13863fba80

SHA512
9c58511e25cedc689e679f7aa071401026b97d8d3a281efda9c1601a89fba13ff5e28e40687c3ce764f7fde194eb2073213de142c51a9687e1cc25fe72d255f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c4669b9d5d601168ad04b91e4c6eaf8e

SHA1
31356914f24fc2f7a7b318869dd30f6795b0f3d7

SHA256
51edac1765dbc1a3e88b11d12ff5fa981e26a492603141e430a293dd4ac2e53c

SHA512
bfa30c3a3183d16da46a29168d954ff1209d653ac405ddac4eef623ccdfe0a3eee0332eac0f56321b4cbb9093f1e5b566ba1d6d0e50736390fe20a133018fc6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0028703e2ad7f5a8017fe60859244db8

SHA1
1ba3b95f3c9e466b57222e6940f33b0f526c3c6f

SHA256
659c4d4a9995d969601ef7c7fa86399cfd37eb622e1a00331a58d2d1057edf9e

SHA512
72ad12eb6bf4e61632a8c901fb239d0b5c7c33a88a6c84ecf7621915c304e26f9671c89607fe03ab51858a13c2aebe92b0f48358e4bf0edb1ff30dc4e098064a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
80e35becf482d2b3b84b0624965f5f0a

SHA1
731a0d161fcf21c47f15d700dcb7941286c3ce0b

SHA256
6049769cab3f84f673e1c49960be60ffef00f8b211ae141db1f12a7de4a3a9f8

SHA512
fbcc3cce88ec3f896f433afe7fc35d5ce612378340c6323145a4ffa9c63ea561fd499dee8b8bb02e2e7b9f127563ac8996a9c7e2325249607b67d2b0fbd2ff81

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
29a025feff2682c30b021ce9c82761ee

SHA1
d5009a3749d0ed114e99f043abf9e7043e7a2675

SHA256
24b143675d4f76a7428d0216a6a4695218268693815e4f5ac61870aaa41f20f2

SHA512
c6b5d23c5f5bf20619579f9a0d83ee9afdc7482e88d48d6685a076f71f51b0d339049e3c0d45c8279299401b86410fa28cba376a737872569bf333f38e861618

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3788b6bde65aaa96e86482d8110489cb

SHA1
2a3316ac03747ee753855030a65a14231e873c84

SHA256
437d2a1ebfcfd1a064f10b3277c7b0746cfc4a18713190702d509c59c247a88b

SHA512
3191431fa6a1c44bc5089d43b394b8a122ae69442dfab1fa0e47b9da32750704c0ca575b5defdd6323eaddae9be45d1361dbe165f9bae221a52aec848606d203

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
697daa77dc013bfc592bc14e5b5250f8

SHA1
614e26e6fe37270f6c0870e06199e0783bdfb213

SHA256
d46ef1737999944e21bc5c78e44eb5e83a80afc4cce3968b66189be17778e2a9

SHA512
37693b413a9f8fd7ef0b9004343d689050d50ccb9c136875ae05beb711dcb5b08f215d92f7f3ec26f6f5507fe7536d247d691fb8d20668e50b2bcd051860bb2c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3a1c7ea425cd8e584bcb052677b10a65

SHA1
cce50782fc5e43a0f4080c524ceeaac58d89b3e1

SHA256
23765dca12f5e8ff64bc66d846edb7a75996c3dc0bf3ac2844de1511716210f8

SHA512
a3c483a49462550bf12a5a7dc003d91e47694bd9ed3db2e056bcdd2613df2d1fe9538b390cb40916dffc0e28c6b182ce1fdeaec21e08ea9a739207c2e7aaec2d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5939ebddd3763448ad502707664c213e

SHA1
02d299248291b9cfe3b7ea095728fb097935947f

SHA256
28c1d887bc4b14198de5c24a7bc9c35d197d36a6937454afd18073241d273117

SHA512
629532c0355d74cdd3fcf9c0cf1c5d0ccb28761a3717c841574064412ef698e7b7b28e9381746b0eef9c4dbaa97693ca90c049c53ed72734e6a4c11255021877

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5289271f8ac9081272f039a772d12ee1

SHA1
e49b46ee04291010f16c1ee3d677a2564ed08ac2

SHA256
520b904f78477af6b02b241f6879ea0345f5b1344fb38105ee07b95f2162853b

SHA512
e31a4d048e36ad786991b9a9cbf9696870babef1339d3d6082601a6c8b8aa56af26e5f78565f28f7d3c3f3c176e291c24a1fcc01b1fe4d825e92c8cd073c9b32

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6bcfbe0ffa76603ec49a28106d53014e

SHA1
3b6e9f04a8ca0b93b3cc58a3b1d37da3ffd450b5

SHA256
586444d81ff7fc20643a4323f36b0c975f3e38a8570b66246fb4b9c05709bdf2

SHA512
06124501db86b2003240fa4a315ae373d4952272f9980ba930ea9244c62559d14d2e71347f5e50cd752e37658ee38096af1fbcfcf860a403040918221b4d4103

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8041170643a8f8f82685af69f7ad4b8b

SHA1
48f9af98a1a8224e409dff2f2548654bdd26c47d

SHA256
04f3783954b8c179cfaa86d49e25ad3f6e7af2631663464e36f4ec07c861d86b

SHA512
aaf83dc3bff080e2366a3b529c78bef02ed480153b1cd9ec89e82e24e5f6fd8ad898eb013f3e2b7bea7fa11733aa024e6dd13dbaa65de3ed394766c69f938ab9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
181a145e114ffb13ed1fe221c94cb9f1

SHA1
daa362bac94c04b5ea9bce989c43f35c20063585

SHA256
bb4d1393786f167b5f6ab48a9b33ba0def697f3b607e0887b8d6e78e0ea91828

SHA512
51535b139a4848642c69a39f33434eb941df1e4f064ba2248063fd45ac0268eb1ed859cdacc79486e9dbd4129aac66a0a966741550e1f02a891a5f0c0f53770e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7947613b1a897c291b8306cba2bd8703

SHA1
99e97e83883696aa5b204dba5c3fc346617ce6fe

SHA256
a6fed59473ac3697c9bc142bd4d8ae61f2d6c658109b0bb8566f509a09517de6

SHA512
74736ac7d60cd324ba49d8fddf4250a7b3ed725d7cd2ee956f6a32c3402986bce7338582f8212d7706ae2b355ba2fd215a8738abd1731f234835c7f84d9f45de

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2b7ef9cf3f3cf30103f682a709d7ffef

SHA1
90d2efa693f6808632a6a98734c1d0acfb36d5d4

SHA256
4b7964110c876ef1c9716574e4a77eceb5995b009874879874ec8dd1855c598f

SHA512
895dfdc1f6f7a518a32ac7deb76efe467986b6983d79aa15d997dca584621724cfa116cd5a6982d19478987711ff4bd81e56761e89d674cd9d761b05286d0d0f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
75a42be61fce17bac8446282dcd213cc

SHA1
0a9c5a8e2465c70763d43c6cf035e478d17eeeb3

SHA256
09d0aab16a286c939fb9dc1bf611f439afd29c1a660d00939ef0059da7e68fa8

SHA512
d1d8cebd3712b8df95770836d06be527191fc02204d25bc539349a38f5bf250ea533bef36b069186bb162af9485fa9d450750b4934183472da04da7fa6e5e165

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
71c24089f182b0a8b367cd5a873f8293

SHA1
92ad159802b23986374058a59bd6972b4239dae2

SHA256
578eb37d3ef923a12d753396330b9d4cb0349e569df7ef7d1bff282ba24517ca

SHA512
23cd3a51dd3e8c2180dbf046f050c55b2a31c80abe31b9f077055dcbf7b8d92fec306b26182bd91a9c85f56d6acdab350f57e8d52376dc002f6c65b638073f8c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
28ccd8a1f0aed6787a4de262b0e2f0b7

SHA1
d3589496c66fb1333770a7d83d774e748c0328b0

SHA256
581371cdba79b7215ad0b7412d9ce76721f6d445070ebbbff367022983f44933

SHA512
5a8e78535d8c3f19c015dd3f5b6cd8d4f9ff093f6e2dd1843d3e252c961fd9f0ddf5353dc9792653bcb077e84d280a106f9cb597acdd37bd57443d87ff1c3883

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
54d1a2118fc6c00a94abc4a5101aab83

SHA1
e2b85bc49b1ff6a52b7e1246ca677b2c163c8681

SHA256
59fa6cd195ab9e04e512f483bc6f7c9ba76663d3312b01ec64ebddc3e5750cd5

SHA512
857ee1d3b2ea72ecc3756d2f3fdb94ddf004189c2bbd2d0eacb531cd3b6897929ca1a13fde56d4c16ff4ff2ed894d3e6c74e10d9e506a31e1976d29532bb20fd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a7e726117a963b8744b3f204a49dba3f

SHA1
9ca9ddd10c704d04d9b852e167bb77a223197231

SHA256
c56645b0760b2473f1469dad844a309e85b6f02b754a7de2f12c782a2f64b9e7

SHA512
b80abb6e9c33bbbb2724880af1e5b72d23d340c4ca413a1d491e35502843863b6d92a46e7060b7405ba5ef870b9ca9fa2bd2e80644bbe66a6f33c8613573b96c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
57c90c81e08012b9a1e59db764e36e8d

SHA1
5670514ac48a5a4f783d288b699b6171f5eb41be

SHA256
b65e12272d69528ca72fa7cd558ffe663ce5fefefe4711125012fb7adbdd5314

SHA512
4925c0d27dc09d179fe88e12c66d74f8086190eefc1823fb997d7d9b94a4adf298e54c146812cea8d6e7be0c3b69893b27dee80eb45b8e2c0f7c51d098097366

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f210073335b0ef20e408348be771702

SHA1
f7dce1deecee8453622bbb733673c64a7cae4a92

SHA256
dba98f4e8236c9b52c2f06d9a14ca6dc00b70d3ed0299e4b8e680e81bb168a52

SHA512
e93d45b8030a9d2a4284ded39712ef4f623e9e01e3159e329b4302325b99903a8e2a5b5d730e3619c183e81758c2a255f374808462148b56a105b92658c64d57

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d85a2b243f665d32424c5944c2a3db31

SHA1
172bcf09318b29209b2a5addc4ab50d6cf8c913b

SHA256
a64c5992317fe03a56f591ae3707f8ce8b7c3b3f1ac6e14988a0e5a836673075

SHA512
7cbf7d1f87b22297235f52461819848c8a85f9923bb2b1b1e63f4bce04b7219f7a033a9d1fc69f127f8cb56dc7b254b889c44c34bbbd9c7af8db2b5e19dbc0fc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
afb0fc136b364ce8e61e44dc303d30b3

SHA1
789955a086f4bf2c2d0b60b96d22ccf40f368c56

SHA256
2ee1689cf061abe88e3b697a7ad4cfe5ac8f296eee34dcce37f6c1d43923c160

SHA512
1550f580d02cd56f3c21dcd563f7a948977ea6685dbcf0fe68f87a87cc81d97e5f6fb4f10dd3f6993729d35e52097d74ab42055df3e91bb94cc97ad98d007495

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7cfd757369e620c8ff7faa05f256e66a

SHA1
ba8335585e98be5dc24b566ee95585880722b28b

SHA256
d4dc94eacc3211126af23a293d5e483bd748c825fced39efa946b298c4c4d730

SHA512
ac8cf1d81e2ae9a75c342c953a2040dc31ee01b27176f2b7becc6a1a779ca022a555df4e7f951d3e89fb2351434c3d0fd3db7b3819a0fbc20d4e5ceb32e289a8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f92264496af477093c518df07392c5f

SHA1
c5341936346960ae7e3ab944f4eb962c59e01227

SHA256
e85fbfe8e3cae8e6c7f238eb74aea11209d3126fd54c7afd7c65cd61e28921ff

SHA512
b0f535b53f82714786e8ff64fbdec14057883d6f42977dceba4a7c0a09a8e7e881c435203093690f8009de94a9d6ec396e263d951674f8c740a1d0736ae0f898

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7947c1194d832970ca493b0be8675830

SHA1
e11ee07376ae227c1538d8fb9f9f71678e163606

SHA256
cfcf5c2ff919c544b25355a9b91140f382f4f95edb2a3a972df0bb67a5d72306

SHA512
ea539cc340fb1325f1fd656703da444ec15e1fc96e77a67ab41f17db2e1b832fe589548bc8d63002f32afba8498404c6edba764c2115ff0a28a8c8149d2476d7

Download Submit
memory/764-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1180-336-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-780-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1280-167-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1292-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1292-126-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1292-775-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1292-164-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1560-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-146-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1560-97-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1560-149-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-103-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1752-71-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1752-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1752-771-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1752-82-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2576-319-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2860-154-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2860-166-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2880-772-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2880-122-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2880-116-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2880-134-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3108-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3108-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3108-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3108-768-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3256-295-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3552-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3552-765-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3580-334-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4052-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4180-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4412-143-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4412-137-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4412-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4412-150-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4444-376-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4532-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-318-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4664-335-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4848-6-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/4848-618-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4848-1-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/4848-375-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4848-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4952-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4952-782-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5104-374-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5104-781-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download