7fe0c72ee4b60ed21f976dd7e3fab94ef1291079ede600588c186bc5b6e10c67

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Size

3.9MB
MD5

c0d99d4a56cb376fec16b93018f8bc90
SHA1

89ca8261089e81347e778bf0209e5bb91182049a
SHA256

7fe0c72ee4b60ed21f976dd7e3fab94ef1291079ede600588c186bc5b6e10c67
SHA512

599c2facc757e77acbf62cd4115c1954fe0f4c864ac7efe6071d0cab8eab1f0bed9a2299dbcb4f0480995a123a33c6ff47b5aef76e6955b0f98b5580d5e30f20
SSDEEP

49152:UKCOkTfkuFOGwtf3b8OsRTaFwI/iluG2ned5cFSixAa70u/rfz85WK+CksDM2jhN:FkTfu6MMQS7kGLws

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
216	alg.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
1936	fxssvc.exe
2564	elevation_service.exe
1020	elevation_service.exe
4692	maintenanceservice.exe
4664	msdtc.exe
8	OSE.EXE
928	PerceptionSimulationService.exe
3116	perfhost.exe
2028	locator.exe
4056	SensorDataService.exe
3340	snmptrap.exe
2892	spectrum.exe
1192	ssh-agent.exe
2888	TieringEngineService.exe
4680	AgentService.exe
4388	vds.exe
2096	vssvc.exe
3268	wbengine.exe
2064	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\msiexec.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\vssvc.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\dllhost.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\spectrum.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8f767b22e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\AgentService.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\System32\vds.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\system32\wbengine.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d345972225b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bc91c2325b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc0a152125b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce941e2125b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e08182b25b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a380922225b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeAuditPrivilege	1936	fxssvc.exe
Token: SeRestorePrivilege	2888	TieringEngineService.exe
Token: SeManageVolumePrivilege	2888	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4680	AgentService.exe
Token: SeBackupPrivilege	2096	vssvc.exe
Token: SeRestorePrivilege	2096	vssvc.exe
Token: SeAuditPrivilege	2096	vssvc.exe
Token: SeBackupPrivilege	3268	wbengine.exe
Token: SeRestorePrivilege	3268	wbengine.exe
Token: SeSecurityPrivilege	3268	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeDebugPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeDebugPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeDebugPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeDebugPrivilege	1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
Token: SeDebugPrivilege	4412	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
1032	virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4864	4540	SearchIndexer.exe	109
PID 4540 wrote to memory of 4864	4540	SearchIndexer.exe	109
PID 4540 wrote to memory of 1160	4540	SearchIndexer.exe	110
PID 4540 wrote to memory of 1160	4540	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_c0d99d4a56cb376fec16b93018f8bc90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1892

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25811cf5542878311a5a9b98187a6b30

SHA1
2d98643672b8b1dadf1a02143973c10ec039f29b

SHA256
46ed3149dfd43b826c5e801f9a2adb9c309a69fb3369f51e34e4a873f00bfd9c

SHA512
811e1f082ec751f75e2bc832ed1aa1194340a7dc6024a193a9d50929edcdec3c1182d9477f5d68b84700ee94d49598a1b86031eabaeefe6c59c2f3297bed5958

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
84ad22db9f4d4410e7083f4a076ea7fb

SHA1
4532a1cc0b9283e5361601439c029add4c8c8b5f

SHA256
02e45ecdee3d12a88d0b52f42cecda3080b4683bda1d7736493721b26f7b3361

SHA512
6c7767fbeba6c729f18178da3efc7fc24263c651e4bec0892525368ce7576fc4b1f7c707d01f691a8bbffe89db28470dd02e3e1f9339b3b401615caea31cc178

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b8b6d85920a8cfe3d826190ca9961254

SHA1
32629943043e963b5426f56d340d62e0da692e43

SHA256
0248d925f3f5da7f25336a6cda9560cae626f13311e7e2688c8037939d5e34a6

SHA512
e2eb651ada51cea6cdc3b96a944408da089a1f502905beb1f3dbb18ea1574024b81f5896d1df1ad2ceaf20c7446422608b3887eeae9b4e9742fcb130c35a3610

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
93230e336a8b31c4713d93f7e6cf1f30

SHA1
967cc9b59da3eb0adfe7200740b0f32511ed6b73

SHA256
68f3746a77dd6dc2aa898c563fa9aa2c9ad22fc23c127dda3686cb5cd36409c7

SHA512
fd67c33641947659a29ffe76c0721229d50f25e37b858cac22d02305caa4cdc1b831079189ed2b8dfb1f373d056ccd66d205f82a93f2ecdc7e1886e0fc236a22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fc9bd4a52a74d48a004bb79e0472ae4b

SHA1
cbe4931cd3bcbd8c08158afc3376e3a498d9dfc6

SHA256
51986f69e00e90043dde7ac96415ad6f0d70d82826d949f46368e9fcacb62045

SHA512
edb38b779aaf89877d673ae6bc163fdda2c1fbac3c3927fb12893d9555e5cd21002801780fdf0fbb5c5f8240430d0a2112996802d1a943ac8e937aea9f06ba1d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
baf610d3ad22f841c566916b5bed6f7b

SHA1
c66cd47a74f2f30c924a4470d1414ff36552bad3

SHA256
fb813a09daf8a6504e08d3efc2687d5bfa021d20dbd16fed14fe2694dc75d98b

SHA512
224f01253d3de831fab3c1b38dc4e736ff0c92b4c2a012c5965d0196e3186bf19001e9b0b67d4c5a400fdf5728d6226796e8fb037e08a67a88ee5a88449098ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0b2e4dd8e7b269cab543c38d25fa7c18

SHA1
4c4c3e7d9cd093409436b7553b31094b58d280af

SHA256
a09e7e4e476d2154d923764f06f87208c4aeae8774f2fe9b880d4d5892064ce0

SHA512
28e314ae734fcb8bf4b9fa262ed1baef847add1d7ce1244d10829c09122df82980e6fb401c02d0bb4dfa0b495333e9bc8f8d5e8d97336d7d7aa3f7762e1962f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4aa7c84e85204288e7656d24c79e9a92

SHA1
10aabecccfc91845f92c4445601ed242e260f31c

SHA256
0dd96059b76365f683ac623039b7eca4ddd4d322d8588102c91923d8d26665cb

SHA512
c333288b2e42ca1a90737c690f3ced1bccd25edc9bf4c38a15eeff692607bd6a5abc25e1236a87ba2ba2e5ffbff85b6df3e6e836276836a187afeebb0ec37c3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6988ace5a36ddd97e86faeb34715e32f

SHA1
ee4ae35e687351e63441f8e6492e7a814fbdd91c

SHA256
0e9c4d368895c0cb9f5c286719a0a7439c58b48198df2b3c0ac0ed945d6017b1

SHA512
b21a7d6fea2fe17e92781fc0f7969f15bf81de0144029533dd3ffa769842f29c647ad15eb4f20339d3e300d80f33b4ef80e8469b727c5642f0edc8c2d38be9a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e29fcccf3424547fdde896215ec6edd3

SHA1
2dcab1a395c573cf9e36db9b9b90d8311aa68906

SHA256
b2955586cd525653494fe233801e2f5e3875004b0a3934620c499b5d105be7b2

SHA512
8e57cd2a51cdaadacbf99b2201bacb51b56ef4d9f442c97d81dbe948faa4307776ce7ae6b4f21ed49e7d75d93a93c6b923ada2886281bb1b32ec0f0010b3fb5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d7b559df3d22417a65e1d57c067c7f88

SHA1
42bf66a0b76cebcbeba67812c43e5fd4e7da743d

SHA256
a68036907001f322d1bf4a905f0960cf7d72c73e40410672628272d934c8a835

SHA512
1a827b515db662cc66514ce5a32f559767be664c983c8f0cd9894e9508aa43d02864910d404d982d25d77c7477644c7ee15a6fe042c59e6d43b300de07decfb2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0cbfa7cd9d2ed1e759de918905173c40

SHA1
9963e332aad7290e89884f4913b0d67529c2a485

SHA256
2a9b73d3a5ac37763ce101d064f0895de90039ce50378ec79ca68cfaf1c05df1

SHA512
aa039e9a491c1bfe7e3a0340172af66fed40d3197a44e20893e904b8e41d3b351eca84f6e7f61dab5f4efbe41ab2dbf20a70dda51db373f3b40fcc9f52054d20

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
68359ca6ec3331734a27f911095af960

SHA1
821ff4618d296ea8467b15eac7d14fd0892a66ed

SHA256
a506144298d851f18d72a94d8a834990482ae66267e18481c592fb559b9e039d

SHA512
251ff7e8b5de1d09574bb31a04f895f5364d9b7cbda3d9c777f6ea56a4f7a2324c58154d129ecb7e96c7e1a0a8a466ce0aeed3b2902177c0c81d8048e9aedfef

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b2cd956fb8bc183c1596eff82ca6f06d

SHA1
2f2a0aa75bea4cbc69bd23ef971a25644f9d7c92

SHA256
ecc7663cae189eeb352fdc099c6b1c56ffa52261eb6b803f0e1babb3a966e3dc

SHA512
d9be57741fd86275023edbc4aaeea4482be45e3bfb10ab342a901b4ebf5761d9e3711fe072a5dc6b6d9ae86ca040ddc793f12ad23a8a150c68bdda389b0705ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3d9b024b75498a89397f143c0c43cadb

SHA1
ddd9d09c40c05fa24e8611b4cb7ef9ea84da0ebe

SHA256
ca6f3b92e8e6ffa3a60310c596a7838c349b405692cd5f1b84049bd436145fa5

SHA512
1b165b0b5e44c13f7707e7981d54ef27a7c4ea792e057083164c89b11506f24bc40caebe01e59d864f086ad61df48e09b61babc1809a44835216dcfa3de8437f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
389c2441ef11e6c3e740fbc34c79c84c

SHA1
ffe2b3d4d7d0490b69b5f9898df6d788c39e51db

SHA256
75766b5ced36100f7eb3bb48c20bc6c983dbc85446d9354b3845530addb39921

SHA512
0cc455f97293b7fcd2a6f98a886c00c176d14e00ffad8e23d5a2a6b5cd9e3ee8f53f82c63ae0148428e908451c92c18f60d9b85d8f6990c5b8f6ccef36c6051b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
adbf8ee097ec879d82c1016b4aa923b9

SHA1
33f51b367f953c9a57273d219d6b7f32b70cdee7

SHA256
b1ab85f8d4b2235571c74368f6305f2837486e964b6351d5fd79ccec2ecb3938

SHA512
e68aba8aa97c20c43db3930ebdb115ff485749ec5b138e9d3e6fee323c51c022ed0f9acd6018767aa733f54163d8ea6c4668e60af22723f06b247c0ef1f0f985

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
abfffccd9963f9edf1295af57f20eed9

SHA1
e091656b52aa92121b3687196f6c0901ad8ee205

SHA256
991bb66b24ee53c3eee1a3ed839850f8fae91a79900abb2d0718c43d0ed61aab

SHA512
b87ecd630883db4febc2f332843a5fa9cd9b60b7138c4aaee20cdbf796b2e3783cc2e6e13a2481ce39a2fe18fffed0e053d168f5f2a327e101c53b1202103a19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
747a24ebf399cc036c5d37e5e4acce26

SHA1
d574cbbd26711e444fcbc37337cab9f28ba2f714

SHA256
468aa07c40d33ae4b2191dd08da7f7f8eee2d844ecc716e1f291879f34c5469a

SHA512
0a832ecdce65683a4d575a4b4f1ef9457181ccdd9d0fff40e0aab0e7460e3f33d17c2ce1efa582e06f52b5352ada8c89c0095a342095e1615e6ddf4e4088e53c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c4d436d3273f02fad5e4bfdfd99aa5ef

SHA1
a5793693a2aa8c8136a35d7e45af3bf6aa4f7b33

SHA256
e6083374908996097801c736e2b53ebefd4db18ebe8cddc1d78d2d9c260547ea

SHA512
dc0e2a6860015fbcaa6742c9c0ce4044b8776aff7d3f36b8e2e5590462f0cb6b7bc644f81ac41d16f2475750ab256462cd1a1db0e5649fe6b6ddcea423f4eaed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b52ed565679983f72ff30e16148710f3

SHA1
4d1ff9eb8852cb3e844046b36c755455fd204a8c

SHA256
6156681ea87c951c407c81ec6ecb216cf6c51b9928c62059368b7c9df631990f

SHA512
8213ec36c7619815db3daf61b0570726df115ff3a3418e3f75629087a154e1ed8a1761643d5189dbc09f30c1ab9354c7e7fa132cb81d3ada1d78ad85c21ab1b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5070a62267f553c840de3691dbd2b4ef

SHA1
13dd40a90b31d3bf65770a9541ad2a47e49f1539

SHA256
9db1f713ebb7df1ebabc46aa6d04e6da3340b507542a65a58cced40be6cd9074

SHA512
83c2cd76312751831d382c1276de3c4e50695c71fae1a4ec6f30bc0c5db291d4863b4e8543f4ebae570aab25b79825b8160bdd08883601effd1bc8fbce9f2d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5510029523edb50d30c5d01c92656fab

SHA1
7c7e881c6e513b847f80d20781d676aa1d3360ed

SHA256
b401d8fe466b4b93a03eb21abdec0aa11bec37181627befe6ac9f831b5672da5

SHA512
ef1486f222f72247dc127f969b9122cadbaa1c0981c34d24f2c0f78b18edf128079e93d6f3da1974c8da6b397038ad2628359a72e7a952fc2ab85ba028b0503d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
cc3cfe0f83a73344b097cf149c8048a2

SHA1
4750271b6d560207ae140da76173ecaa93e68d77

SHA256
4391ccaf663c0d524ee9e0920f32961bbe3e2b6977b89e633a75b9ff61fce228

SHA512
ec6044c6d1ab09eec7dcd6ae5c6297909ce6840f674a44b24e7bd0f369d1b758d41141fb21e10e473bb3ffe9036f8797ec109a5e1a67cd439301155e439d70cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0941dc4f5c8cec4f66640a31c5d88a35

SHA1
fa106a4f03bf83df2789283109aee11808051b90

SHA256
2efac999779651356004fee17e4a26c626754354296185bd47e56b9a3633ffc9

SHA512
6f1c0ebea2e2fff776a6bad9805fb80994733f082f09688c274b1e2c8d1a96b3a4a43676e29a34e58c0c43d25d765b964bb31d09f5905fff39e60d7f7998ef45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
819edc171a5f73de14903e32dd26e73a

SHA1
b600c3208b6d507177dd6cd8849b72e5076a9c1f

SHA256
661154da99a2eea2cc87b818a74870fb7459658c5c41bfdf1f422a03a09c5483

SHA512
21eb762327669708d25d2828d3003c604af6daa88883cd4394523d8426d2f07ba95ace0e579e27a396800df1885b50fd9ab7dd2927af1727efb4d4bf15448f8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
88046aefcca215e77cbaa361845a7442

SHA1
cfae5e057846abbd7bdcd492a9757a2f78595e66

SHA256
ef074a8b4be5922666d9a8b09195c1af7362279c38d4e858978a125002f940c2

SHA512
581fd6a1aa71306dab4e2e1e77cac9095d65a24f3f80605121226adde995bd3755318a1bf99d3ffc33ae9b49497d75d80862e2c6d8538be5856d19f10b9cd81b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7779374e0fa4f9108c1f76ee4dce4ce0

SHA1
9f5b39be280e4c6ff2a6eadb81b647d17feeed6e

SHA256
c4bd8a5f450a34e9bf05b0749b1ce6189ff0798106d02a3bb0786484148a345f

SHA512
6a0c62d786599918a60c34bb110b4db33cf8f7241fee61497d3db6ee137a7d113f9e045c469818ee0fa10fef4fe4f998c27702ae67d731bbca40fb00b517c217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f368800bfec634067e1b0159edd8d43a

SHA1
3e1c82996323ec31c28d1ebeb77c9971194f0091

SHA256
6595e2ceb76bcd7c776699ad890151b4a92191dc7b5c90430190a69736a5d0c4

SHA512
44dd4ebb3702570688a139191a16c377d279bbb0d6e0441c26907c58ea8eefc6acc8147e15c71dde9063e3caa553620b4bbdbb8e3b4bdb4522cddc7bc7fa907d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5e326db92969b070bf4f3e91894097be

SHA1
abc9d89db9e27b386cf59ccc7661b837c1100bf5

SHA256
2f3260deb51b19ef5431cabd5924a9236d46cb491d2df42b1b27a9c9f6ef4c1d

SHA512
5df0cd6570b64c7acfc22d20d68384b6e3a518d97cd917c5eac25f9e5d6c345d14ca2641f18c8501b0363543f4f82ee9db88aa9a40866afc3ec1929606b64bfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
08a1081df8e4e04fb91a26abdab1677c

SHA1
61ca552c1fb02e0c9cdcc1a3b746bafec7f8ba5a

SHA256
4a1f2bb26ab5a94fb7766ffb89b807629d3942c236ce647809c49c66092c9444

SHA512
3106441ee518543253eb89cee3238ba53cd48f4e5ba79cc35c40910735ba8fe4f65097cf08ddeffba6314dca8ca234643ab20560254eced663be0242455b18d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a4e03f3cfd2d86d630faa095cf18196e

SHA1
d643886b9d8b116fc6f8ea9cfceccaa50d224568

SHA256
052c033d8cd941c66101361841e227d4e88d9975390fbfc17151ec272e2fbb66

SHA512
d8886c3304e888de101b083b6854cfa5762301f85af8a28582458bca62d0a42c51c5d38ad9bd44bb62a10e972ea0c8bf13471b12b79b375a11c5e5f0f0083237

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
688f5bcdecd99ec686655986a946c09b

SHA1
8956c6bdfae59429a3a210dbaed49a56e997ad8e

SHA256
8726ebe9011c70d55f5909e90b52276d155e4871fb60c429414e86004d8a352b

SHA512
ccf463bc4c74005b1747db0af8eca8e8764a92f076ce1c3cb4e74a64ffa9406c524814978e2164575c5c2c05e06c0d3fa60c5ce40a8173b72781fd231da64f31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c2579144503618b32e16bb528cba252f

SHA1
0ec204cc1dead2f594890d0a4efdb0ebe47ecc56

SHA256
f647366d6dce7eaadd303610b75996b9f79d7354f3d8f5c97af059088593f6f3

SHA512
877d48d91ffb6702c9ec62a7abd5bb480d523813d2348f96f127a1d7342e24f3f2eaf32b1763e11380569ab4f6a154ce9ee8afe2328a4ab68ee09ef0e451c721

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2c747e9f610b4fd5c67e9460d8ec34ad

SHA1
ac3842603298506b3e15febd13ddaf0f408a847c

SHA256
7b441bac2f5735c83256937d5f482a80c082dc9e395f6dd151ca1c2f84cb35cb

SHA512
7388f5332ed2ba2e280d90d3945a9bc31380108be93855362ddabffe30659da6d6a19b39ab9d7415336ba66b2c90ad65d3e7172af1a1f2fab0c2f1f8d24931a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6f5d31d0f1ec872200c3c49764802652

SHA1
435bba522cbd5fb76c2724cdf1bb50059c7f21e6

SHA256
70aaa64a712469d0ec5aabdd6923eb173ddc3aaec69c8ec24c239b9a5c98f76d

SHA512
d6cc59eab9e157c389857bf7b1aadcad72e6b49f65fae0cab789fd404754606ed833c8015622f7a81caf0464375f6546f18f15dd6b6ab69ca32796ff3cae997b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
967d3cc0b2c17b68e8a1abad20494e9e

SHA1
618d8af8abbe27543a222c1e7d3dfbab62231e86

SHA256
edb38862310f9f93a4615008970f937cb15165757e2f50e0d0542a0aab697bf3

SHA512
95f4c58990b525c6fd89460ed7ff25b36d5d16f673950ac8c283e4e9661f75589869803c1ad16286987b42b263756f0398f1e11906ad6ca43c7d24c57f4c91e4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0cb02c9efa00260a4f2f37bccdec4686

SHA1
54a2c8c8d33639e4268452d5b5a9ee05d09c9e17

SHA256
1449b30201bf62e499e7e0f9ead3024673addf31bca75e7c847b35260d45c0e0

SHA512
56bd926dadc5fab327d5d26ea9f8c75e96213a86745b6d99022e097a3f74c39689d1bb98509409b9556dcd70862a42794e802fdd7282de39e4d98272251192dc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7659960e2e07d38dea347794a5e9b767

SHA1
25433e3e206e54d4203d5a40c8527043cd62a252

SHA256
dbe90f73f7066a85291bfe8af4a0c263529b3e732e51053090c2294762acbb3d

SHA512
2bcd8f3f27a003881766d0c75a905a8a32db80ebb029a012a7e578974337ab3dcb342ff2db737a6e7189def1edebcf07d745ccdcb4ab77419ab649424a3f68a4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
812e634e7a5e163c68c216dd8b857415

SHA1
8ce74fec1056555ec5d1017574088ec800a4ceb0

SHA256
d6ba31a011c52b1c66a49d5df088a43ed47f64e84c1b660969aea4d0060b07a7

SHA512
c7ac3713f53eb270a5206785ac1f5c3f203e2709d905d7fc1c181f55de11a730aea7bdc534e49d48eca108c68b2243dfcf36655045e1a20dd53f4a70075e18a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cc4deff4ac90c5fa11f1e77193c95356

SHA1
c30467c9b2518573e73b8e7dc006080b447a2ff7

SHA256
cc0140a5244ecd3a5b90812f2442343a77d2001d35b745b90628b6553c0238ba

SHA512
cbde11bd01e811fb36fe3bbf0d7d305eaccd364184b37a7c5622c15bda268c2c2cb090809491f92b369f41d75a65486d764e31a199aa66fa4ea6dc3cf0e9cff3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6ac9ae0f0dc88792607a61a6123fbe0b

SHA1
87ad6b1f292cf2fd370c9975ce351d6cea74d329

SHA256
cb223b844cb487acdc50f8ffe8544c665f5d0be998e76edfe69e1645b2829d88

SHA512
ce351fc0a04a8bbda9a310f7306c83ff62ad69ca9d1125ceff00818c11e8bc768c58e0e93b72f2c758692e4c0e3a90fede5294bd086c995f8cd8c9e2b4d970a5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3594655eff65c140715ac07090b2f6e4

SHA1
fab7975e3bbe6c0bdd785dabf685584c786c2a60

SHA256
0009a1acf519001c626df36fe87b700a964e667aac9acf52f47561761ef7a80a

SHA512
b3e6783fe39bb3a1f82b44b132c5c1947e91c8c3d4d163b5d2524ce1d8fa7ff1b63705fa10c047c04fb2646666825f1c8370ab851ca7fc1861b70638e4a02c26

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
af1b7eabe9edc41b5956b5212877956a

SHA1
6d75be58fb68730fea5a23929dd345a6dac62c87

SHA256
f8b249f312672d343cc5417d1dbeb312087d499b1eb761e68efcb1b6146514c1

SHA512
9f15aa820e29d02dc462ef60b54c5669451634a3178ca7c0478765df09f9c2193dfa546f7d5a367b5382fe45cbc69dff65425db7020a330a62d2b6c11f33b164

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
93123e5a2296b740def3e6d0359e7315

SHA1
aa281f7028ef20b7c905b5213f8ee7939041e525

SHA256
b84a3a3cc8787bb755716244808217bc145a238e1e35933c0411d14d0d88ca9a

SHA512
de27142d30e1e92bae3bf63c52815807475b0328076df010cc810160c486f4b0886aac7b54b68aec65bf8459c77fb05182dbf82e3f87dc70dae31aae018d5a91

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
86be5f4db9a91d57fac2c1e19527247b

SHA1
65c7438e65967a481b4c934217540c56c67b8858

SHA256
c2e70e132a3dd10987726bb84f3936b389187c78f07792579fc55f6526e6415c

SHA512
1ffc9047139b159b59c66aaba39871a8d2d826f6cabf1736d9c05a16b7371174e86667911bef27ff9d81f40b0f8f7809da89d37c3349b575801dd28b4b26514c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
240dcda6d3cad893ce3d5ea652fd69c3

SHA1
8edf364e5428ce5d01e9ae7c9efa891dcd1c3f8f

SHA256
9f5eaec4bce0d97f80c39b6a9e6dcb11924b089deeb873e0391e9c7441536bb2

SHA512
ebb1c613780cdc9e45f0a85cc29f573d841185c8f98c5ca8673b71ab1c8a23d808979d8840829898439c4009f5b69b162daca0131dd31f97a06b1f4426cfd068

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29722b9545c69a7e2e144dcb934e73df

SHA1
8237b09765060ea584a5be3dc8f1c443bb89dd12

SHA256
5ff90f22d4042738561ea19f4007600927005ab35329585b7b48910054598552

SHA512
0d95d3fc48720830ad13c55f00b0e4c8f7dcc57092549fe4e6f99aa64ae1b09b10be60d201139a72e1bd1ace8ac6adaeae1cdc06033fab0bfefc54292dcfe934

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7531fee9da3ded2a553caee419a0f4b9

SHA1
20f324a6d6d536c225aea2259a8b5327d451d404

SHA256
210b143b2af1a98591940c498af72caead2988d5a794b0b73524b1f0108a4b8f

SHA512
ddd4f687f88887d3a19a6b37ca41ce3375cca93a0fa7abcb7b2ccc96405779b745dba507333ba6b1f53955fff5ad1982348b6ee3ae0ef836300708fb5cbfcc4e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f451a436d57a3238fc6c01c4a6a16c9

SHA1
ccd908dc19ec42fdcbde026b2141be45d90acaf2

SHA256
f0494c96001b6149f8769449d3355b5279a7832afd0b0c06e5a6cf7f8de00b81

SHA512
f6b13599e34151637ef088747671a38f106e114e8c327e2fbf51784238d5fab749e11587ca9aefd90407c5f79177067ca129cfa87d4f27f2a5e84784c94b4d5e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
73963df7f68fbc286005df60c490e23e

SHA1
37fd38f7ee96050ccbe98615425caa0a44c58b68

SHA256
afe9ec4cf42c16aa59044498a49a8b43ff65e939460c79132dc79708cba209e2

SHA512
5474acb4b201afbe9aa35292ded0a4762b025da620d1dea6e69d25f11e5250ed113826fc9ae36f9ec1ec91c022ccd842242fb3bf60f896dd11fb619e61f203ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f80cde595b894f039001d049a47d3d04

SHA1
638ef9d3663ee2c6626e775635bc0fff1c69835f

SHA256
bd778f6ac566786471d276e0dc14a67a95afa28a836383e05c8fa447fa2172b5

SHA512
e7d7c5e124ab9b010d9eb78a120b43a72aa7fcea7c89308d79c4c7cec1ad2998220f21d8a6d3b77c30f8482365918740afe8bb825fda95feba1f7f0f7f7cc93c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
73df4061f11467828875104db26c2770

SHA1
3b6bbe9021c48c341a317afb42ce8cfac748f0a4

SHA256
9b3b2ef476706416a4b5c41a573016773ff982721900f2c66896e358ff0ceb7d

SHA512
eb2351b42813edcf375f0fefc5b7e35254fe554e6923f7690782e1150117bae0c7b289aa235ab5573bce0b07ce830175b3a73f274dc2c46d530cc528e34478ad

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
731cc79be632dcbb98f0016b41321ffd

SHA1
e0e5e4c8fcb6ae02eeae92a09dfea2c09bbe7f10

SHA256
eae07e2ec2b049c6cef43f49e23c8aae6350e921b18a44725d05e812d7db0ca5

SHA512
d5c32d100c4d1def356de611d62074e8ed8269362adbdeb982c95b8068a97e8ddf65c815dcef1edd28c8b1a9f3e8de1d31de476962a71f1f4f507a86848d5528

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bb62abb94b5b28e9805f55bcccdbbad9

SHA1
dea9a8ba9814c51105a422c32b184ab8787f3a4d

SHA256
aded297c0a768045334194c37fc18b2dce3a3383bf1d052154e1cecb6e55bb17

SHA512
b948e2449f8dd671e34de8fc9475dc2aa3bc0696b5ae8787dca608b20ba0abbee9b160a8b98889d98f0f34e6737b30b178ec239374f28d70eb4afb7660d15a34

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9d85ec2ad38c1dc7010050a4b1d0a89b

SHA1
e30cda93546a83c7384188a517e10e4db8def283

SHA256
854173b233e524114d2109288b7365e55c45919222e513250e890c4b6f5a5769

SHA512
6f2fe880acf7e0231ec8877492b17860014c3773499acde0f30629529389270436f5ff0693bf2452b9e385ff169577a0936c71cc2fd9f28079ed41eaa11efe26

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
97fad3d45fba80fd2047823f23801e4a

SHA1
eff844bbbfcbee1853922d26c70ddda1629b9fa2

SHA256
4a87aa5ae7520566afb535df90e7088563605888b1fc1bb2ee5c9739b51f9438

SHA512
cd08ee9536c2aca1a5a4b84c1496e718aecbcf0f9e472274492cd51fa3d915aff3abbc96c5726d5f3fe83bf8a2517a580500fc501778ecd2e402543cba4855b2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
88ca01a83f14ed4569b9e0b168c8aa73

SHA1
f81016e78414509c49bf41a5cc46e6816f72dee8

SHA256
63c162a854dcb9bbfe895b77d26a704b888204aadcec18e95550b5910b4e3e7c

SHA512
c6c826fa845fc5cfd3a91ff2642226f581fc3eeb57f4caeee9fd921752b2df268809b4dfb5fc650fe7cae491df6d899574c7c8f10be02dc68d466f2f6d7a3d91

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
926cf736ae2f3e80e26bba313693e3f0

SHA1
5c6c65754ad162936c292ff20504e37459022976

SHA256
b3d3d0175564ae85382f320a7597d221d043748f3dc03053243a19424313d0fc

SHA512
ea5e03674b67ba193c19c613f3153fd4b3f1ff2967df9ced420ec30a9288ebf72902c4949a4993ef44d068c876c7012b04bde1b1a9c64bc210d667bfda052926

Download Submit
memory/8-79-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/8-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/8-94-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/8-395-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/216-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/216-155-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/928-95-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/928-85-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/928-91-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/928-396-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1020-394-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1020-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1020-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1020-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1032-7-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/1032-1-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/1032-8-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/1032-82-0x0000000000400000-0x00000000007EA000-memory.dmp

Filesize
3.9MB

Download
memory/1192-161-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1936-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1936-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2028-157-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2064-166-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2064-419-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2096-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2096-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2564-38-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2564-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2564-390-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2564-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2888-162-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2892-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-415-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3116-105-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3116-109-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3116-100-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3268-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3340-159-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4056-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4056-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4388-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4412-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4412-16-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4412-22-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4412-156-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4540-420-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4664-83-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4680-142-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4692-55-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4692-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4692-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4692-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4692-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download