floxif | b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8b

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
Size

1.4MB
MD5

57ec0f36f5e75cc1db4661544f29b7a0
SHA1

5bf518f39b7397df82015e8eb932d155c039333b
SHA256

b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8b
SHA512

d648382fc598bc1fd30deff94443161265d88d0ae895e39bef647da57938b718a79791aebccf21e98826bbbae855020977d7a0903d2b0c5996a201428304eb47
SSDEEP

12288:CVq0SA9h1SxfJ4yb+QdIKYKNCJKHZDgdVw8XkLavV2Q9yW+GGYT7SLHBjvrEH7TU:Mpb1SxfJ4yL/tNCJPXUQrP4FrEH7w

Score

10^/10

floxif backdoor discovery spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000d000000023b6d-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000d000000023b6d-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe

Executes dropped EXE 22 IoCs

pid	Process
2820	alg.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
4000	elevation_service.exe
4008	fxssvc.exe
1488	elevation_service.exe
4756	maintenanceservice.exe
3796	OSE.EXE
756	msdtc.exe
1448	PerceptionSimulationService.exe
956	perfhost.exe
912	locator.exe
2856	SensorDataService.exe
4332	snmptrap.exe
2080	spectrum.exe
2172	ssh-agent.exe
2920	TieringEngineService.exe
5080	AgentService.exe
1792	vds.exe
1860	vssvc.exe
2332	wbengine.exe
4484	WmiApSrv.exe
5056	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95d2eccb983eaefb.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b6d-2.dat	upx
behavioral2/memory/4152-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4152-41-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\java.exe	elevation_service.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d34b7d8d9f5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc92268e9f5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063e7998d9f5cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ad3a58d9f5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000603a4b8d9f5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000733e68d9f5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005313448d9f5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1472	DiagnosticsHub.StandardCollector.Service.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
1472	DiagnosticsHub.StandardCollector.Service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe
4000	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
Token: SeTakeOwnershipPrivilege	4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
Token: SeAuditPrivilege	4008	fxssvc.exe
Token: SeDebugPrivilege	1472	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4000	elevation_service.exe
Token: SeRestorePrivilege	2920	TieringEngineService.exe
Token: SeManageVolumePrivilege	2920	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5080	AgentService.exe
Token: SeBackupPrivilege	1860	vssvc.exe
Token: SeRestorePrivilege	1860	vssvc.exe
Token: SeAuditPrivilege	1860	vssvc.exe
Token: SeBackupPrivilege	2332	wbengine.exe
Token: SeRestorePrivilege	2332	wbengine.exe
Token: SeSecurityPrivilege	2332	wbengine.exe
Token: 33	5056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5056	SearchIndexer.exe
Token: SeDebugPrivilege	4000	elevation_service.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 908	4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe	86
PID 4152 wrote to memory of 908	4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe	86
PID 4152 wrote to memory of 908	4152	b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe	86
PID 5056 wrote to memory of 3112	5056	SearchIndexer.exe	137
PID 5056 wrote to memory of 3112	5056	SearchIndexer.exe	137
PID 5056 wrote to memory of 2340	5056	SearchIndexer.exe	138
PID 5056 wrote to memory of 2340	5056	SearchIndexer.exe	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe
"C:\Users\Admin\AppData\Local\Temp\b0317d04cea216c71968feec3a7cbed54a1a8ed27b687c4f98c5be0952eddd8bN.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn "SmadavSecondaryUpdater" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3112
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
af452171eaef63ddd86d596b4ee32adb

SHA1
00ae08e913c6e3106d8c65f199f203f6a49ec1e4

SHA256
cf1efad3b8c5825f62fa90871500f078704ab416e295c77a0a3d56993db47dd7

SHA512
b9a6749f122fad632f8c216de76a43e67e1f6229368f1b762acaa80cb52149348d39db293834432437d9dcfe652ce4e8e128e816e7c291eb32873733f4b48637

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1fdb184b0bc6132dc589498c139ea82b

SHA1
3b97e6bb10f8c4a17d099da341bbc5567fd31f3c

SHA256
09d01c318352cc5a1a98ca16c45e949619d166fb67b807f449514917d747cac9

SHA512
2fafca3f0868eba088ce705e971d0d76f0bf2f6f1b0a96b0c77185eb4f6cb2700e245b60169bd870203654829c40be8f6d1cd890604ffd43fe1f2ea47f7b1122

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
661210da0da4a6bb9d678627db83b0b3

SHA1
b02190854d1e3b1121ebdc3500e962d1ed456f96

SHA256
a2c9da758fda808917c365a0c10b644f52a84d235d322e96d709db81e8d74293

SHA512
9828b24f6778f956e8269c5a9545f9b1c75a5b0c08b43071c0d91d01c16f2b7777d986da510d1c6475b26bfd229f54c09fbc6931231e08a3c987949068afcb27

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0ae9142197821b4662b097c028eabc28

SHA1
f57588e702b8d5644ebdeb16ee1e51f30a05bd5a

SHA256
c8dd99bf11c7fae4a23237773815023de4896816de9c03cd24f73c92108e85c7

SHA512
30d41b8e4139a42b8d4f3ff9dc6ae8dfd4bdaed5eb353b5997a08b4a417e9adc5837e7b07585539d16d654a52bcbf6b20024e613eb7cf3cc12c0c3bb49f82a29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
39ab0f38062194dcfd2f68d48be5038c

SHA1
569c6d522dd4a3e79d27b98d61600a51a0ecbbfb

SHA256
58fbb6faf5ffbf9148159144fb74dd6ba003323299cce684681d29dfb7207ba8

SHA512
176a1dfb9ce6720f8d10929832b35edf562ab74b88af36523fef92529d65f0ef881e00cbc7ef648bbd002e2bbb8a7d0ef8860e82be1c86ef5ec46a0cae67be0d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
93bfa0b448a82b63f206fbaaa6ed8813

SHA1
6cae00c9a5efd15dfe1bd2bb12ee4c3c5a888b2a

SHA256
359ef5f226262e42ac95ea2d546b8dea3e1eb53101ca907d4630114497302c2f

SHA512
02ab9fe4212914d923779e50f4aee5c5fd8e00f47ecefc84cd6640eacfa52ca2186cc667db1f42238acb3c44c67355041037c436f973b77012390dbc3d74eb1f

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
78bf6182c5f43767dbe1f2ecfe5542e1

SHA1
d66597e5ec47da8fb634abf3c2941b6a42b9ba30

SHA256
296b98e8df95aa4745e1ba0f70bf54af3b1114dc5b20c0eaf5c85d44c06e5abb

SHA512
f0c0992811b1fca4056178a851859a36a6267fc340d3dbdeec9dc39fdd979e0b5018152366e27eb566b7eead7ed6607061b5c1e698556aeb96ab0059c7050ed6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1ede1e651fc7bf1e5dced7dc90289a7a

SHA1
a5ee65fc7cb667c6d0f45799782a539762cc2ae6

SHA256
b7a6c484ca04d891ecaeca5b83e1fb0879e070feaa522bdabdde39078d661f75

SHA512
4f447bf17a76479b45dbc2581e72e1f54b7eaf113e05151f3a86be73697213dace9033340e17ecd7fcc95358cce5284d0e653331d2b880adff0da77125b24bc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
617ed70711a34e9051074e6001f49871

SHA1
960f13d33b61ed226373c882cba3acce050676d9

SHA256
fe5732d7e94b2b1452d024b4f0683286cfb7c7ea0c40a66a0505081c785b6dd3

SHA512
3d0c277b8458d24baccae4260a53d534ef1a023fcf2c65c8e43b8ea09b16cad11b3964c648b9f3907615a06bc4c3b74c2ca57eaa9f31119c418c970361f5bd3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
49a3db373d98b0cdcab2e7288262aed4

SHA1
9689b3d1394b2429ae561eac6a7fc7751aa72ce7

SHA256
20b135f2fce2cb23e771df6b309676c4d8357d9414000abf5db1a360b826f5f2

SHA512
c604f06858940feac54cd9d142fe37069a6bc011b3413742867bc35d6d8489370e7ac22524141609db215cf44beabdb720c66d5a6a05127dcf5d206f2b7ed786

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ef7be9267e17cf6e98fd3e7da75eac84

SHA1
9c38959eca890524ce5d4b362915615d6005e4da

SHA256
9507335491779480fc691239561930e0ff8ba01d90066d4b5ef9637a10699b6c

SHA512
6f10a389f06bafe8bda022f009492a0624b39883eb3f58499572e4383cd76eaeda0d4272fa4076286a3022191c6fb9e0992003f4f2c085ee74efe3c4dff305b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
deb13bdd26c84148300edb0d98cbc051

SHA1
0b43a3cf4e764e39871ee517238ba2e5a402a43b

SHA256
f13ca4d229a6d45787bfe786d0d7513d7e80d20585c4dcc78fe10eb74de6d74e

SHA512
163022e3bd3205627a953e009186eee35954e0d24e6b8a748b1d55e0c207e55996a8aac7f2e0e5b64e118b3bc213c0d14970e4c0fc99475d0beb0cf948100d8f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8f3baafe6bef89cc61b3fb2dfd205539

SHA1
f2a6ff1fe1a3ae25d40561e54a90284f4cf84d08

SHA256
ad0d18ad565f6ef354bf4cf6c79ffa02f6b296fba483ebcfca0010333eb55ec0

SHA512
739175d4edee63f62b64d9e3ebe8435094f23f876d1c6e35ab8ea049fd01944ba879defb332efa51c28f3beafbc499348f270f9f98cb4799fc62d717d1c4b0d8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
59b07531a5f7c1e519f64a2b288655fc

SHA1
73e374078e16298129255b6e17dbda4d1bd8f5e7

SHA256
c3fdb64bdd9aa77c5f67c7b841f1985ea7623355ff10a3277689e46e89b1ef1c

SHA512
10532d1ffc2fd9dc4f59c8a379c87669571d000f89da7ef592da03e04fe54f5f91cd9c477e8ac44ba88e401f8fde9eea77cc3d99ab9d232c2a5f865ce661935b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6179abdddd66ac14d86cd51b0ba17054

SHA1
14850c72192f442ef9888deda6a37ece38e25bff

SHA256
df26830db45c193e35e25dc3f19d597cdc1e102073a803a9e9816c431e223383

SHA512
e5afab89f333216e4f41e7d236e1ab4ab0a24ca603024ed0003fd909a1c6fb865dce73fb86047b9032f36e0be0c9515ece2944c9c00850964321c853a1b77dc1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9fd80f423520da80da82b0d257c51c1e

SHA1
fc9215f8d5d1fa45d7e83e0e6eb67f693dd6a505

SHA256
4e236b27b9277fc2b4104e7ebbcc0c538cd6ff245f631d6ca8ee71dc2ecb3b35

SHA512
57832c1e47e4a79cfdc7e38b6c2b144bed17596321378191d3a7ec63d57c09dc88066d073b9a6d9ff28c137de7c89bf3de46ebc5a4199efe138f88bacba22449

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a52fe3bf76c6d9aff9678ddf45b32239

SHA1
5c913a5ae81c5f80ca93dfcfd72015b366912e52

SHA256
1fa1ef16510808664dfb71366be265029080ae3015192e029774b0f7530d4f79

SHA512
5dcb1837373dcf33a305af2e68557cb86966bb70314f65db1f03b03bc22874d0ada8ae1b060401f3875273ef56c37f6a9e661163ab42b1e0298e7ca560f9d423

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
abeef34247b0689ed7edd26532e319e1

SHA1
94adcf503978ae56ec5821c7e4ceaa5aa23dfeb5

SHA256
71208222b60ce00ba65d2907afe307ff1c07ba35b25fc81722af814763f98f27

SHA512
114a29f3fa8079035090ce46515b559617e038d5971e145dee195f4a8c7fbf5835529f3b4fc272d2f706a9d25b3a6d549a41467b58d4bc63e08907f5102e302e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e37ff872384897e6389e3011a9f6dbb9

SHA1
4dee04810b0ebbdde2b6cd17ee21c4ea45cb7366

SHA256
2ff0a067e82c201dc6ff651ea7be5a874655960cdba84de1ee2e2aa0f62de22b

SHA512
23db73c81ef0849c4f5187646d04b8514b7c6cf169268d553c9a484b7247cc9862408ada109dee35a359ef8a55b634a32f2d8086073e522a91a6966eaeb0fd6e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
30b6f4459bafdf74e573936a7d3b7657

SHA1
fcaa3ca2aa310fe05aa1f5b66ea812d3a3a1f2c6

SHA256
47bcb95206d3b259dd3d38967ceaed473da461a2594b4d881f7ec9bb24461f84

SHA512
92fba02c1cf38da240f955eb2cd61fa41a99de17c92aded1c68e83a0054d15b09bd5e1db892dd52962d60e99dde6a9c20c46b8b3f6389243efcab9bf7d567f77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ac7205d67a660e86fdf3917d5fbb5df5

SHA1
3a8c99c9cc1034e7845832b6827d93667b900582

SHA256
2f8f51777cbce887e8c0de28aa7a49276ae2e59a367f3657305a0d9497402a2a

SHA512
006448b0be47bc20b05a97e9957b88c5d735f797906302534a448b69221562f7c7ac39ee420ffe98b3790ccff6111a93476a24759f309f26c868847b6115e6b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2475b7881333284c4c07febb2d96d498

SHA1
f5c3022cd1417e28178d50ac8e726c726ef85414

SHA256
dca6a89673ee2c080ca5e81f2a048a59bc503fb39367a46ccd714272eef407fe

SHA512
6b30dfa8995c4a46a547223587f47c28de4a70ef7658788a5865b095c42292ac976464ea98706ac271d700547962a5ad55d0c0f4d8694d889b29b78cb1bdee5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
3a4108140604419967fd673dea50cac6

SHA1
ee56bc5210dbf872f540618d8b6c35180afd2a3a

SHA256
4990b13970dbff3ea35c3cb2193c6ff30e93011f6e2bb8a2ea7d69a5b45b5927

SHA512
b30e6f40588783048ad8189e30a2ac488e9d48a7f0b35ddf5606287cbd7818558631de4eb8fdbe3ff936e9f5199bc89c35acdf76c3986f1f90fd61f341a473e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
eef74d4f5b1a9a1fbbd25f4bc174a1db

SHA1
7a67975d2f09df2d9f446a8985b53ec5515e3fc3

SHA256
6b922479ffcc0ae8e19fa03bd48d63fcfabbd9f8ed6f0b0b05cbfbe1a9cc99bd

SHA512
2bc4238768b2857a6d81e2017388bf367f3a22b56b3b9777e64a8220ce0caa7f1d04ef261dba3da39949d0e6947506d229d87657a38b3b318a633c4e87092304

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
71352c1bd3127ed319fd2c008e88c140

SHA1
abdc0b02241939c78c89d2c7702de2e32e0a248f

SHA256
3923ca788fb55e94f3b0594432a7b609027150ab69fbbf934df7044d23cf333e

SHA512
12946616d6b7fd90da6b9e9d3608dd6206aaef6a520ceed3aeae276b9c7e83844dc880e39fb40741f6e4b359b2aa774336dde9cb3bfdc7d0cf8a9c5f4c6e3bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0651eb09339e1bd79d2f81974853514c

SHA1
9c0d7b8facdf62c11f0cc323291e3f224bf0b14b

SHA256
808ded2502548dceadd72e2fee3bf557bd0464f7677790aed3357db735dee2f8

SHA512
42b382b761bf4cd7bdedaab387774a6416852502a646b4f74b786a5cfb5f43f33713ff62f9acb236733ca12d44230cc81e92ef6aec50df2b80957e765bc93863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d6325fe1d9b14c2dd252a05760396fe5

SHA1
7a0cbb593e908c1bdc4b9e9ba8665661c4326ab0

SHA256
f7b881846236399d54f23ae78a26068b938fac3c9b225cc0f04f451874672079

SHA512
1eb94dc7381a4441772265bb2898fa121a6a76c0729aac92bf90bf0c85ea2f9bbf6dfaf36db21cfb45699d9c6b6a8b8cec17259d5f21ca950009aa675086ff31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5fd3872fac5b33aed5f21e491ffe3a11

SHA1
9e3b3580347ccf642c5f7e75da5bf03d36fc0610

SHA256
661a9e783b2ac4c346b561a5322894b32858a7bc8953c6531791b1b3931199d9

SHA512
b24caa38e81889fe90d9b6e3490df4a01e440d518877ed2b19a064553dc9e26cfbaefa69fa71177761786cb34628d67f1c4858b24291c06bb4358aed4270978f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bfe6b42ef4ff608b3eeaf60510622f56

SHA1
212fc04efc68b4e5c63eb4b46a51d2a05c09ef95

SHA256
5274f66c684b8b7191915307a12c953598b6f7427c7500ad6b5fb6f1e78b4729

SHA512
1a942e802f562b5d2c3eca17affa245c82cc344f36b30d6c9c27e0c53670572eecd75e1f4cf1113d69975de027ee6f49007141e1b7ab567b3be0de347f593e59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
98eec5883e3b09889d48e907c3723580

SHA1
d70257e22063eeab76431deab9136743963e608b

SHA256
1b92fb2f853f6b657719f392cea3ba8b6dc463d6a83630e019b2431d0b49c51d

SHA512
88dca1f989b18d55e93178abb556ae472dd609588682609513e96fafe216016ffb4a495fe5dbd10ad06061580fb44ab233de8cc400e252152daf8c1ce5b2fa56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5de5e6676c18d3156bb08b6c0708af4b

SHA1
6936554057f6dcd49d0582887e996a1ee5c3d421

SHA256
9b5d5856cf5ddf7249969f279cb082c5177ca6fe1b59aa45bd1e13aad1a0698f

SHA512
a1d533e766b46638c143b9d8a42fca5bdcc3ecb9e75450685accf305919d1d5823a8fcf5cf9b81f7c958c585bd64ef4ac962a6803af5c9426513acc6e39b434a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8dcc806e8bf6c0aea8ffdab0b12b7f24

SHA1
c38448332a251a6fcdf73f2fe73f34a6a3ef0533

SHA256
737b1a69e72818fbfeece036fe404ac2b0c1e19c2311004b2c78e86b8b98f23f

SHA512
a86e291d3da35aa47560ac50fba5153041a1bcc6dd8051554c2daf067100ab77e447f67e56479aa5d43b71f9f5981edebde09fc21e2bbf355c81a48ae1ef1159

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
253214344b58ad044b3e9acfe3f482cd

SHA1
960d38135bd6e93e9e2ec9dd7164f0bc5e6b49cf

SHA256
2e853d4c7a77aef2cac62a5cd1a72ddf6c057c31f08989a3a82fd5996353c3e4

SHA512
55f68970709fcaaebf32786feec35bbc5a53e479120c91e4bb7d73c15ee1d6771fc8f2e4a1cced57cb2ed0816b6a91c09d54ec031e5e2bee4d72c3ddef4d0b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
48898b4553c4ec28bab15ae9de7744e7

SHA1
737546352dcba0d3fa1f6847b63ca358a1943afa

SHA256
b0410708c607f15fb793fbe2a39a5ed098901e57f76d8cefa0ec75e70d507f9b

SHA512
ef153b6ae47a17c275fe740337d9c1388e03c2ecd7485b93c56b133ad04c27382083b46aea585967bfb5e010a7b48ae3af1029abb86e593fe983588d31a93b58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
911ff60c98a314e259dc9aebde72ef8b

SHA1
9d01a60742ff74b399a49491a7499a0b4936f302

SHA256
c1deb2f2349c12359a5938c387434f27e743873a9b2f4799c4312138a3aa180b

SHA512
b70ba470377318e41500d2642c92e72f135f660697cee6ab3a5b7adce7f7ef5dde67c04731eb95df2a3345a627709406e230f4a1b2dbe06c3e6bcdd2263888d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
613c5ef942d250fb58cf024d3902fdac

SHA1
f051a71d9ff7e4437ba823ea233afaa15cacb2bd

SHA256
9920cc9b42852bd9f7ca82a32663f84a5edb117b09bd388627edb238b515d9a2

SHA512
3b28ff6fe0d2711a8d873fc5a6db770701399f719b0dc013e8e2ac94b02f2e946f605846dbe1e916cc2319a7a58a8d6c05978cf8735abf7ec033066b5e2bb62b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7636b587e6833c931deca5b2e82174a7

SHA1
79f8d36f5c8395adb699538cb884677cf321b119

SHA256
2b22966b592356acbb0774d25b4752d4257e00823a662f87c9192ec8c81d9909

SHA512
4e1c5b6c4c5ccf122aae862ec1bdb2cc0bd6a804e3b246f4d119bb647b3aa4e7d5ce06a442d2b86f86fd152abc2bec666764c8024bcafd89d89d020b72d5fc67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
3fac01c4ba0cc6b8c54f01ae6e74d0f3

SHA1
9c0cdc51f33b686dddf2782aef765e0f6235e823

SHA256
329eb98db4676ec69213edf171ac0a247881a5cd9fde24edec40cfc020845692

SHA512
98910edd35345b239e9d348d6758c6bee4b35b166ea2f80fbfa7fcff21c4929a3b44fb785fd9baf102b35eb5a0fd4ef83fe78376f3ed60d126348882c4887aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
5fbaaf04c584118d0f19877966c98086

SHA1
910656658dea2d2d035aaebe8f8ef62de58c7aa1

SHA256
216a99746be1bf9acee2b89033bfabe50a2c3833e76ecdfeeecbd4f96d6bfa13

SHA512
944e2227a7f272cf4eb3ee8ecb53458682a3b5f7bab87159d25341dc8ae7f7cbd90b3a4da005a7540faa80a51e95d654f2604930d4c3281fe344e697a44e4422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
f11888a678b463405df2023d5aa6f0e1

SHA1
6eb33ce161265bc468c6dd118e223b8f497f7809

SHA256
2395a14c01189103a80aa6dffa6f779b514f3dcc9b242b5801ad354f5f5484b4

SHA512
b0c8b73bc31dc59fa7661254a9c15241b1023da54512f85c56340bd9bcbd97a1c607fb773d66c5bed07fef89249eefd75b3549f423bc0952d536c306725d72db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
600898ebdf04cfe0de8d68788cb51239

SHA1
1b108934511abb27704b390ff9051597b37a6890

SHA256
7b01b5000631842c25ab7fbc81c7b2f766d8c1f2c415715a8af5c2fd5a52b10e

SHA512
698240d833f97128d7ce0d1ca2b2cb6ccc7df8bbc6aa0684a00fb09bdaa88018d210ef3ba7cd6ef3eb701dac6d7559d3a60038db4437ba873f42c1e7f5e49d93

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5d2a52845ba722c91c8a2abec15ac058

SHA1
301ae36afb8a240505698cdab480bf993e8c5025

SHA256
f53a8ab79a3faba088986cb4d59026e403b4770bc6a3dfe64d8be3d6e54a1218

SHA512
6f59d213d0e0104f88da03ed7f80111837cfba54761a449a0613df8eb887de89fa6502cace4464f9d3a89ea853f9309b605a5de5e855e3f323b40a3975997a86

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c1a37f4aaf90076b455c84f4279771d0

SHA1
d29bf4aea6741d245c873cc4b12251d927e90a4d

SHA256
2c19c540cf12f56f908b426d991e679ec6d6f7e5e77827bd7f658b01b4270a3e

SHA512
53907ce2c3b30c694775bfbcc20f12e2d91b630f49ad807533e495486cd9a6e5350be17040b05f085d13ee1e8d0a7d24438a6016273903ed21122e8b42e7ab3e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
05d6c56cca0ec3dc3f3f7903423b9cfe

SHA1
cdffeb5439ae469e41f7532913dae6eedd3fa511

SHA256
ac048c59fec4d766a8cdc166cbe410d555c02f7e3b43178716a9c726719370fb

SHA512
a7f0658278b7a644bfa2d89a9f29328bf17cb4f1cbec34c471a22633e4c80ba34663cb003ac8d8ea0abb62357d4ac6f44f47809ff55eac7f2fdb59df874a3dd8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
61a9a66551cf58e7504ef3b850f363fa

SHA1
a2262bc80823da104b44aaa840b0d8d6542c7ddb

SHA256
78ea62f4489967257e07515bca86afca7396795074eaa2a06334710bfc10c163

SHA512
4adbffb1d81f69a4dc7ccdfebbb701d15e8c8195aa62625ad03e4f449171591cd7be54dce2d59db532beda389e728e3a8403308130f8bccbd8b639baa11ed5c2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c9471333fa798c069c5ced08ce7befa4

SHA1
056e32d4fa16517fb26bc503301a93848dac5a80

SHA256
50bb8cc05b13758a8fb1a996043bd521ce8eeb05491a2f5ed98d819dbb4aea31

SHA512
15ff32f7fc86559c4c9c4f9caab7b16d662ce48929869dc7ea629a437bf951fb83df50eb6063abfa046da7e97f75f0426e3ca1ccb9935ab325143dcfeb1cc280

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4aef67597f549a403b1850a18be1f031

SHA1
f1270fe38f5713e1f0aa4e8e7186d5c9197d3ed7

SHA256
769ee70a07f324bdd81ebdc451136ce9d4fae10e7de724d6fe0f179c9f8ce7fa

SHA512
4b60c192efcd730f5c68d056e7da4c0f8d6599fe5cea1fa803b53f8e5767afb19de20cc49cc3468e9d5baa29f100bffbf42a9c488d40e26f7acac6c95b896e74

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28c35a6aec5a3444f7bebb2fb18d4700

SHA1
931cff99ad76a029f7e5b3a59844a5ba56bea378

SHA256
61f8e90b3ff52841e77024eb7077f83ad6ad4fdffdd1cd322bfe809e96d4bd37

SHA512
cb8425cbe7ad14c54dc8d0b8835b704991ebb9b1c9ef668aadd426a8733af2c5d4198a9651e71527ac5d96572a0f630a1c0a3ac98b7de974355664c425e1bfc1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b78099a2c67aea00c64e1f27a312e134

SHA1
b2086a41d4602d1f2bc226e4a62c4b1282d51a12

SHA256
e7f3c5f29bec9ecc5228ee29c546040e031b4d34f823e72464538d0373ce1c76

SHA512
85cb4fd4c1c6d65f2df7215ba2f821ce163d6be9f573fff6be82d4b9b7dd147f03cfd51f5fe0dacc8798c8aea1dda6de97c39807f23a56184ea4f244b1163999

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
91c69a8aff31e8fd4bd5e29941776e9f

SHA1
1e8ff76c8702c580ce427e295125a523c5eb6989

SHA256
f583b0c831803af0079e33b0c2f9100370f95d1dacd265fecc0955c64a1b9102

SHA512
157093dd8dedf8d01fca3ed28923fac2a73f3d5b094dd86f1adba33e9856acd1c5c8511a3aedcc920d52d8aa2b82f1102e8d8dd7676a7ae26b5aebfad4702cdc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5f3c09b5a24241e2e7fb3581e684ac2c

SHA1
280549e84ca2ee9d87849a8419c4245eddb52d82

SHA256
dbd17b372fa80135b53811fc297556ce3755fcc81d6b6b068888a9966562ff60

SHA512
17a4c161426e9d92bf16c00357ea51c4a767d9db446a76c116e492476dfc6aee8f533bb6a8ba13cc1a7d57ba278dafa28cf73a8065a36966d1b201fa716c38a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f269191f413179bc52f7a80e263ef741

SHA1
7ece74e83534d7f90f0de55c6460420bb81426eb

SHA256
24f3252a9ff7f017afd3b26cba68b33384f720f88284be068a52ba74071bc6b3

SHA512
feb0d58b85f05a8a75264ba4805cd8358a3b1f12158105899129b0d00eef38c82e91c97851482ef084ebdacc309d623462219c7cca51234995eaf758dd39bc70

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d7d30150e4b0f9e227285c7063eb7ac9

SHA1
634cca2f573b05e4c72305b714564a379df92d4f

SHA256
b3d8541475a5c1d0b431121ef31ef6695a6af32966c26ad659a6d0ea1bb788cc

SHA512
ad796019350119d36ece7411f86e8646bf35c19b10fa17035b132aa689d88b3041c12074cea2c0e4ae48833761d1485567a8826b953ac12e27b13b95f45bc0b5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2d2110cef8dc1cf8a4fd84952711ebca

SHA1
b5a448aa372d8203961b3e8799507ff715b93a3c

SHA256
6b0b5661f1864381afefb537e26ebaab53de9e6d29edf0cb2c7b771a7afc2bda

SHA512
34a6290c1e92eb0a0de57e8c68c0654c5d1fc5ecac66cd39b7432de7a228f16f0c9b82584149c610a320a2f3426aa1b8b9533dd1d810fd649f8404e3025b1db4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a467b792edd63965ba5502458cfd6101

SHA1
c65710873600ff2b751f803c1783b519709c0611

SHA256
9641d7ae7b7454f638d28306fe2261ad344fc8783eb8f97cb68b430ec6feecc2

SHA512
e72410115c6d5c25a9ec769a8d4127f81f365e17d9164732bdf0a35f791d4a19ac1a8783b7874772115896bd95c99683073e71f8cb6d6d26bc0497edcd8240a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
93436938f38e8989efaa2f955945ac59

SHA1
5fc69c419d2cef60ce6b432d072afd0db09ab413

SHA256
1fb655285c6daf75ace3b842382f7f931560aea6d3c02e1ab42c8ffc44d081bc

SHA512
a9fa4167b1e374691bd964f2c7b3df7003fca6b8013f3be5ad36ef9c80724b85f658112a1e919ed1b8e402958db40c535305a25bdb3f43772a2e96d233b90bb4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
45bdacb84afffa297c95bb6f190d356b

SHA1
9d03c229a68a34cc44aa992a42de111228fb200b

SHA256
f465ed44d5779113b5c9f1a00e1dc4bca1a1747bdc6200d3f6f48f03db9dce19

SHA512
84a9a26fd2186ffd245352207a3518c7019a6575834e647cadbc0a8acbbd8dd76518f9206f7cf33d94bc6a8122caefc9a63db5b74503819dd44d75ccad1ec2c9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7efbc5ef210fae124e6ad1ad99bbb4ba

SHA1
aca01f0a131ac28a22810ea96400ea7658065890

SHA256
e6c4c28b54f7687959e5ca6c2cde86c5144f30edf58ed2e50c47e83afe5d1d83

SHA512
341d27dc423e7e326174f1dfb401c4753fdaed7a9c9db89c01ab244c36dbcde6f31040b24410f2104cbe885a5e2b86547d0dce7cc9b6adc03f41719794c3dbf0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
abad04a04de46af4723960d480943314

SHA1
37870a05db46c524d82934d43b54ec1bd758b90f

SHA256
4d564c3025d53bfa680c505a9bd55a33e0a51957cfd5eecbe6b1642f0f81e621

SHA512
6fd6b145781dcd5fee21ed481b4446620d6e01419bb997e0dd10f241d8ead381ee0b622c33486ec882fcb9457857d4d6249fc46808c18e40e91589cb29079537

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
516c753ae9b906e9901a0773c67c50b8

SHA1
463776c6b4feec557009fe8a2f0af13acb7dbdee

SHA256
2c739ccd3d4aa71fd27ca7dc93d2ba3f0d548bcff10723eba38facad15c3ef1a

SHA512
143a98686ed2c0ead10ff09e19f0eb6c60714ef5b1ea66a10a6a6ec6af7671f71d9a3cabeba45148f63d578cf287a81ecd226908ff65dd0e8c4dde0920310555

Download Submit
memory/756-326-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/756-258-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/912-338-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/912-286-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/956-334-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/956-276-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/956-277-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/1448-330-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1448-271-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1448-268-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1448-262-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1472-248-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1472-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1472-30-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1472-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1472-29-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1488-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1488-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1488-93-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1488-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1792-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1792-489-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-490-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1860-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2080-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2080-304-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2172-307-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2172-422-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2332-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2332-491-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2820-244-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2820-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2856-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2920-439-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2920-319-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3796-94-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3796-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3796-81-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4000-44-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4000-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4000-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4000-249-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4008-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4008-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4152-40-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/4152-41-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4152-14-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4152-15-0x0000000000408000-0x000000000040B000-memory.dmp

Filesize
12KB

Download
memory/4152-8-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4152-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4152-0-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/4332-293-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4332-416-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4484-494-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4484-339-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4756-67-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4756-73-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4756-77-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4756-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5056-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5056-495-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5080-322-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5080-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download