16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
Size

5.1MB
MD5

c43553aa330256173da04a55e6fb7d6e
SHA1

64f338702b237c8be387135f1f38c3870dc119ac
SHA256

16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a
SHA512

50fc0bc7c139a687215076d03e50c540d8f7aafbc2bd3e4c9b334265bd136d659ddac368c81f58fc30255aed0993824849356d38494e54d1fd352b1c31ca074e
SSDEEP

98304:SmoP7JqXSceajGYYMCgQ/UxOETRl8XVtZyVwDdjeS:824K48JTRVODdj9

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1028	alg.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
5692	fxssvc.exe
1824	elevation_service.exe
4772	elevation_service.exe
4972	maintenanceservice.exe
5340	msdtc.exe
1020	OSE.EXE
4080	PerceptionSimulationService.exe
5740	perfhost.exe
5820	locator.exe
4608	SensorDataService.exe
5184	snmptrap.exe
5444	spectrum.exe
2844	ssh-agent.exe
2456	TieringEngineService.exe
1344	AgentService.exe
4408	vds.exe
3852	vssvc.exe
6076	wbengine.exe
4532	WmiApSrv.exe
1204	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c9111a5163578df.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\locator.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\System32\vds.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd949323989fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e828c422989fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c3cb822989fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccc92924989fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027809f23989fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8e2a123989fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe
3988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
Token: SeAuditPrivilege	5692	fxssvc.exe
Token: SeRestorePrivilege	2456	TieringEngineService.exe
Token: SeManageVolumePrivilege	2456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1344	AgentService.exe
Token: SeBackupPrivilege	3852	vssvc.exe
Token: SeRestorePrivilege	3852	vssvc.exe
Token: SeAuditPrivilege	3852	vssvc.exe
Token: SeBackupPrivilege	6076	wbengine.exe
Token: SeRestorePrivilege	6076	wbengine.exe
Token: SeSecurityPrivilege	6076	wbengine.exe
Token: 33	1204	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1204	SearchIndexer.exe
Token: SeBackupPrivilege	2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
Token: SeRestorePrivilege	2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
Token: SeDebugPrivilege	1028	alg.exe
Token: SeDebugPrivilege	1028	alg.exe
Token: SeDebugPrivilege	1028	alg.exe
Token: SeDebugPrivilege	3988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2560	16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 5116	1204	SearchIndexer.exe	120
PID 1204 wrote to memory of 5116	1204	SearchIndexer.exe	120
PID 1204 wrote to memory of 5084	1204	SearchIndexer.exe	121
PID 1204 wrote to memory of 5084	1204	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe
"C:\Users\Admin\AppData\Local\Temp\16d041ccb18960ebfcbfe842ac55394040fc2cbb85782adb9e8ff8a70cbbf28a.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5444

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
2f3e867221a3c9eeb2b1c130934e096f

SHA1
335bc5628e14da1e5985914aace4ebbac7dee95f

SHA256
3ea9ba351cf348dc4679025246bbe130cb6fa71975e5bac1ce05b04e12c08064

SHA512
70cb5e483888dd5714beb5aef3997e72cd1399eed08a91a78db76c9d245885159c88bb48b62e18341c038766c9f57f3159e01d8d69328d4f8a314482a2483028

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
edbf911fc730eb62b369b8afad5fcbdb

SHA1
77fd52a77b63c20748fca6d03fe8e2768c890686

SHA256
db332bb46b79a6ba70a284d46e9cc797a0197fbba0971e2a81adb0d356fa4d2c

SHA512
095a9451a383e107c77953ac1decc96e2a536bd3d68cb908cbaf28fc31d362c14fd4fc04a5a16b438ac751b872083d766773398ae2ab3a8a27bade1b114acb13

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9226963ff7b9c561428b536b0872b1c5

SHA1
cc5bb85d8230151fc6afb9543b712138b9470dc7

SHA256
6f8b17fb90c1c43838c48405a70d9dcb77a5fe945beb44e39df252ce591ec193

SHA512
dff9d56e66a33a6448ef2430fc1f770920c4799665cd59a84e0cf23248f59a99cdb793c60c95c26314fbf7a9cad62d852987fac8819982c1ee86900a9529392c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
64e9edb59ec2439ab6824f04a8f476de

SHA1
dfd97a4435219c6393d047575fb1fb57bd293082

SHA256
519870582bbc778073e80b6e7878520157ab66c52d6ab2f70c83e5bbebff599e

SHA512
c633606ccbf750f7f30cd58880cdf9d4cf828f290bc069125cf7991024abfdafc4815c3059f5624f2fbcb0f2673a451e679fe84a0914a97e9ff89159d2532fec

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bcef82e2ed6d5aafb4437beec5e0a96c

SHA1
c58fbe78b852d16eea84d661a0e3fe43982578d7

SHA256
467dff8c1a45c7d55fdea26671226f464632f47ea9b2003e57c53e8bf6683c03

SHA512
a6a48adfa8bc0705eb79327c809177a3978241cfd108e5707707e6359dfaa9b9c30a4edaa637b39bc9913eb9a5e6db795071066c7e9cf0237b2d70b3ecf4186a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
7da18b81dca394d217c5192b28dce844

SHA1
a0f79f397e86b0f1470e8bfe886f208d9af84752

SHA256
b56c3f8b1c908e81e274a91a4a626711708e79536810c4b1a619bbc909775346

SHA512
c6c9a9600ea977aa7b1e5a220f49d2118a7bea13ef3ed3681d1e815b074c5b54e172abe1a7196d9d0148e668319ee655a22eb8f2ee5315e81829c6ffcc9b7e05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
ec4005c3ccef637c08d51c7c44f9b900

SHA1
6e65b170d85206c2263223136341bcd8a488271f

SHA256
f7a797defff27d5a2a9afb0c2b0855ef687883333dce93d7605fd4e5154896ba

SHA512
fb66522c43786a92f1338ca09f9b2b0e3fc70c728880226686f325d4feba6787c054f4868b00be88a4d5e15754cea9f01b65943c55882ae208f3b54eb0f5e6bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bb9569dead4e9d7174f64d05f177ca7d

SHA1
26ab92660c788831c9e6117113c744026368ad9a

SHA256
aa2cd6d92bb8e457c4133bf1ab8e43116ff1d9ac6752a843a579a03a863978aa

SHA512
5e15e55791d55dd9d39a28aeaf36480b7a064e8a6c41aee5766cf214e7fc714af24cb01412a25ae985b8fc79d756495ae61456aca0c103a03a751c8aa8b485c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
fa2492211566d8fd08c33d593d190a49

SHA1
6d6d7ad42aebaab672a13a62819d5524390d06cb

SHA256
36ef39b0cc26e986921906716290671778c41a117db18b10a4a1177c1a8189d9

SHA512
5cf6048c9d6819c5e946cc07ee3ced5b69f64046641e8b8b4e7210700e3afebc87b4ca110cd50901ec75e95bd9d7bc5683e98c6330d20eb980e13c5c04e8db2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bb8b3a81e3412c884ef288066fac0eb8

SHA1
5bfd0c466dcaa5c103aec530199060c27c218d62

SHA256
8c328188bfb3f0d46e1a5a464037171bef527e0b537cb5941be20d9c84a1bd05

SHA512
ce1c9c7d90a96642013808318f60b7c241aeb4b2c8c5dbf84b96abdba2008f7ca6697d6129bd72304e67ee635aca8fe01428831ad34c021b2a74df854a94f008

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a72ae414b40cb3581c0c632d9d31d7c1

SHA1
4ef1c0c44fe66e558f5a7deafcce9ff2a1a8fb7b

SHA256
af1a20664351b621f58f3c3bb634e1e86bce2702d108b81c8f32246244db2521

SHA512
038e5538e10e124760706bbbd0f71c6a4d5f7b55f78b429f95cace59dd025d56ece660d9d8ed14afed03ab07a2af246de0256aa3c9ad91f4f849698222cdf5a9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c74983272f4a2807e729ffb41ce22930

SHA1
d7d3f6271d58077b24d46342a28bb6a113f7b132

SHA256
32434498fbdda8e573a6a30516889608b5ec42833b8631c5c9e65717d369e110

SHA512
0bf342461759335f5e341b50a83ea65be18f4fb80e8266c30096abb362f8a0fcccf6f4f564d863d81e5e1b14bdf74e9f3d5593b5442f11d29c87420dc53ee4b3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e643485e91ed140b56421cc994bc1006

SHA1
70fe21a0a134ac5a14f648b33d95bab478afc69b

SHA256
bdf710e62f8ca6e34319053fa42d115edeba794b332163c0e2941dd164c57fb6

SHA512
09ae82c74c6f3b171b661c3c38b3f45973c80b94733c89bd48f1733de8a3dee3c8139138d155f3e1c63af0fbc21f9f6791c07eda2230dadda0829c7d30a732d3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
15a5bde3063b3efa6aea182895e676ef

SHA1
6030e6e4307fd48b1781d7b2795bcbc10fc08909

SHA256
34f8c5f136d971f0b4afd29eb79f6ceaa1f7b120dd8bc4dd7a62851851f3fafd

SHA512
9ad0d67815e3a542694c2487c05027a7c3b730924ea30b4dd36a45af22404dbb411fd8022a8f60104d2b53e477b48ad3f6f81dab65a4a0ef55270b322b7c448f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
56ad367aaec889def16cf2d8ec1d8619

SHA1
99d9e312ed315cd20bbfb3fe9e5cb24815b5205b

SHA256
619ab51bce9ada203b0de624d64c4b3ed7411b3a88faa4d15d852e5daadfb1dc

SHA512
cb40166de70c2d6ae9579f7cc39c6bff79bd0bf022b7f7c275a91948afff8424f338bc43b5b5bc7796f8133fd976f343720d576f012b7b97c9015ef33ae9bb60

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
6ac27773a3a6ec55920dbe55e53683f4

SHA1
4d0be1eba419fb1182e461a3be351bf8c3c2e9d7

SHA256
b2f1ef7808a6f805d2318a9ab5b1a974f8043be90a63065da627ba751cede3c8

SHA512
dbeab3a9239d0bea9d2871d83b801c31a340027e1d144fb198f34bbf3cdc6439f0bd55acc1d434287c9031653cbbb1550e21b9d4c21f78f1fbe4469a3ee53bb1

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7e77f6eb5bcffc0b5d1d750fc93e426f

SHA1
0db7be4466cef5aa3619dd2a7824e1b1044f368a

SHA256
bc1734478bfe28f46e74a4e67fa9a87cf39533fa6949e24ef97402845316eb81

SHA512
94db600cb83556addce6d02a9092172672bbcd682dad901cd1dc6ae1325f6aceb5d1e2cc85b7c28b58041fcafda3b55abd0e44d3a5487549d20aee00ba32ba5e

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
ce7afe1e2e7dfb82a1fd28a5daac37ad

SHA1
89a0a338d02f7509c49a57d050bc73d96c5468ad

SHA256
96e993406798d876f17395da67b80a49770785df7def62cc0f557aa85a4e8d6b

SHA512
c9feb5886d9b67e49613f693eb78d09d37cdbb44307e89e31ed95ed82f58651786b5c5bc1c165ad456adeb95d0e2ac1376ae64ae519891a0556473c1a338bddf

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
f74092c058ca12a75def1683d4f53f7d

SHA1
56c89d3740bca74ff176bd5f348db71018bec39b

SHA256
7407b95f02983d706a8d056df64f72330abb28422a9e85266abd8b2a5ae4779a

SHA512
29fea90ed5fcb7672a0bcc3559e09f2debf93401313af5310b264841c6f65e685f2914a417876553bd44853cd503bac3b311b1498768ffbbe6105ac82263d65e

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
57b453c3c3dcedfbcbf714ff90da329a

SHA1
d51680c63ba1cf56621a3dcb0a2af9144d492c4c

SHA256
622042b23fe3353d976ca65130bf536a6cdd1385b384ab18210ed249c277a4f8

SHA512
d16d16bf59e7aaa62f7eab1f6dcbf6fb7ace0a620175175c9789a12b24afde4e906837d97cea073e4912f72dd53dacdb0335f89fd38d4e455c41395ddf1f7918

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
38985126ea8857c06099436b70095d1d

SHA1
1304ae1aac9ff6c8a7b32a4458cd0b5897d2b7eb

SHA256
8e56739cdbd4c1601b14b782074204d23d6c3845d8837d3a94e31305144baf61

SHA512
a9f625df09fe87edfb61c8ab0da03d168c11a0e8f61a3deda40a7464eb1eb8d38abf3a55761d5dadca3074a280a129bade9fd8809a5e2e78b00a4c8b788001cb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f8843470ad65eeac5620057e124424ab

SHA1
1c6e8ce3c1e6758ceea6fb53fed11659c66475c2

SHA256
bbe6218281b6d387b3a19c96fa206ae2d3f363ae4396b8621e395d1b6f8d0ba9

SHA512
55b56a3c4f90b006b05cf824589030a7be5ab0f94a53f918ac89be4f60d4120426d9060128770c9ab3fd2bc0034da0f309fff4d9bf564085294b7f16b8c981b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
d4069ae11b357d9e589281f32e042830

SHA1
5940b194e0b3fb3945edfe935d1937f8189d74f2

SHA256
bb795b4880a78aff76b7a82f3480d410e31d879120903f4de0f213772b5f420f

SHA512
fc642c40d0264499c3912c8b8dcd21d18cda511c1dd1acbaa1d3eef61a6274477ee001567550556c120b38fbe29ecaea7691dbe6ff72b0949f21c721183449b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
517ed3672ffc996ceaaec424af3dfc9c

SHA1
b1caf7b85da02702198302ac153b40384644e4c0

SHA256
0a875faa5f0bff9e0ad9103c77d3e3e983af7fc9cef08b1cdd0e889cc2a566da

SHA512
5872e53b48e0b17c4e5d78e14a2529bfba80481993f59d22e5f82689cb9b75ecee1a38ba9b98b40b5e868c908476f43efed97e376b718a9987473e0ea857ad3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
275b1b8425e68767d31c231b0ad6869b

SHA1
bc0d92f9ef6e8f944e61987534a9c504788d717f

SHA256
dab01b05ce6c962750ef85acf62c74be60341ee03d47312e85a33b2fbb24919a

SHA512
1371ea4273c7118dd164c6a3b07cee4bc5d201f25c16074c851fc9bfd30c8611380af9ae268fa83fa604ef6586cd6480f048f413a41ab67078265f55ac1fa8a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
0b269733ba2a3be62f2f0c50205bb67b

SHA1
c0458db758a22c0a9a8ace8e50eb8d964e227dca

SHA256
bddced8f4b6e74547016ee4ee71e9599938a91685bc9641e4e80da555923e719

SHA512
f060565a323016fb382340ee290f3ec64aa74a0906c186927d0f833a448f4492fdc52f3f1f9545e0b6b15361ef8a9fe85a1b2a5d01df241909c0d8ebd0710ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
e7252a039517d7a2013e66531be035c2

SHA1
e9a0adf4405e6b324bc4dd17ee0875738446bf7d

SHA256
e4bbbe38e09da9b5cf9d0edda222d11bdcee12fc5aca82f26e5d1f43c1bcfa4e

SHA512
852605c22a0e12c7c79750583500f003f50d24a9c0575a12208508f57a9a27ef51b3eba50d129fffc7fe57054d2136aa6462e454dec846451c8230418f1b7390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
31acfa3e9c756351344b1f83516efd67

SHA1
1957a0e60be5d107c9dd4845909b512d405de0e9

SHA256
f2776c0a16d119104ed2d9fd3a4760310e532876eb739306f57144b463e52749

SHA512
ec9df6e06d15a34d3c7f5b0d6923312f07193c9aa235f9a48f8cdca5f88b04e3a86a8456918206a6aea5cc2788b1e488f2fc0f5ced841cdb521119ab3d117aac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
7ed32036b94c7b17a5d3e640e41a1b6d

SHA1
d22c63bd0859af7f3d16d20870b1d0c00f092fa5

SHA256
11f36a12c7736e14c3f115b5f432bb9a25ffc54adeb35745642b8765f6495e12

SHA512
bdef80e7861f27c23dae1c5829aa00ead0d81d9d6d397a0aedaa74c5b9419812da5174dea8611d66fc53f497fc68f98fa7a4590ed40180bd4657f3b15a0baeb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
bc7499032a9a9cef3804ee5d78ae07f1

SHA1
81f4e279ce65af62260f523471b38c6c61eb76a3

SHA256
e0e2938e52d6fd51630f1f3dbab2d00716c99bcc167e9c94b5e220150f5c283c

SHA512
fd0eac611a97e6661e55ee73ffdea3ce720ee6364e9dc6fc700563b7bf6e788c529c2e9ca8eb68ca4a5cb9ac3d733fc24eea61f2c522f5a2224cac9509ffddd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
92fe48bdba965ea9f6aa650f779ac21a

SHA1
c3eaf3aee99281ce393693ee0e23283f80b86a6d

SHA256
069e07bab8d5064d330739642a2f7ed159274a461b45edc397531df6a4f29441

SHA512
4464a4e90d41256ea3c5a400007d89dd3dfc16bf7bff25b094005b3acb247c70677b4d59f5d78238e75efa9a34f55c1e5919b8be0ee050a82afba7a8f5ee1f2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
83550ea5a150ec95538f9791dd20f31a

SHA1
71886a683babc197653667827086ba42660b8868

SHA256
8b4f5116aa3aa5af3b8405ae59b47d3788dfa682c8bd3a85249b3040ae7681ec

SHA512
d6be11917d3e73775a4a532a45dc03d55aad22aab8ae4da76d16b2ca3fc8b70dcc7b31dc407638d816fdafb00f8b7bea84fe0ed7b28febecd24f62124310fd9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3172f320b467e637d9f6696f7b17b22c

SHA1
57f74a27afab4fd5e0ed1daf200ad45c0ccd0304

SHA256
4e60f7fba3a82e4cc8d800480c0a9a718c777b7d331d34b8f9f0793a932d5847

SHA512
c7e926d71f5bd081321e8af4d5d6b7a0535e2e722f5cd3e02d40eae534d87b52a9f2d120e3d16335e80c8e935c7a04595588ebd3da6a62af78e23fe3fc5a49de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
384b9ea82ce6d97c9ca4a42d575de0a2

SHA1
5d360f2d9fecb6ad2205e15d8b7510c3213c843d

SHA256
e8f6ea23622368d9e3849f7c660754b8d12bf5f481a5a4a61559d98ed0d11a03

SHA512
0d034aabd0dde56f414fc345c88860a36fac79414ace4e2cc3b3be08bc084fee6f1087d6f3b2b2b501dbcb3d8c8903f8d9764287a5d1372257eb2522120cfc0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
a3abbc9572a5c3a7ba7bded20e50120c

SHA1
7f8bf144ac79f6df88a2a857c057ed5b3700811a

SHA256
cef34c7866aff883edc393fd12fd63b5c284bcb22840ae27c41301436700d62b

SHA512
47f224338fcdbdf3721dec701e46e3f1926014c6633b3d9bae53dcc84e210fff8a1d2c4fed3b9a426f64e5e020a522d9c042bc7563d5ac1d7ef6faa753c8396e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
64743d4a55049867734a5868e468444b

SHA1
fcc9ab61f29897bb3978c6e9df774d1641158b6b

SHA256
c94cd92be3f53f2a15f3aeb33fc345bfe16d0c46cbe4f29a3516bba269cfc8d9

SHA512
ced8fbc9d3981efd005ac9835115fc5307672904e58bcd1951c23f9783fbcc08eee0683381f0ff6119609de2c0b9aa5f8d827e1af5e5829bba438969dbfc48a6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1afb07e4d3176f15db3d0aa0378fbb1b

SHA1
f862ce9e0e432ec18cdd711a7f093e0e6558b572

SHA256
26dca22e7c03ebae0f748008963715b6c4a89247a9e9d740a8cd0318f4d0864f

SHA512
5c69cc0db6030ce20f7d89f44ff7578cffd2940935e045a0b6314ba487d2930dbc1ceeb2cdd73659fcc6d2d1845081944104f8f3277c62fa4a8d3e5bda0da121

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr.dll

Filesize
414KB

MD5
e58c7d21a08f8038f2d69cbbae4e7484

SHA1
3be5356e6a32a52d929b3bd2bc13f234ae82801d

SHA256
7083bba256b59c5e9ba62f700b858e0968169653cec8284e5e0c6e0098e9e191

SHA512
e1429957e7a7c9fd8299d9ba451006351457e4e6b9485ee5ed74d427c8b2807270c101ec1eb57e1f20b62541655c8a615dc07056b62ba944cbc19c314e85d65f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
88c5191879037e9a404863c020932c7c

SHA1
c88fe5e419fed458907e2d530d172dfdfc5a9cbb

SHA256
758f8366a8ca9a9db3128fbeeb7be0515076e2be0a84886529dcd349e657cfa3

SHA512
c505072c15e315aed14698e17a2f33c6ab4b7aba00c09e4a56a1e37d400e75bfc50303ed4491e00c270ad8202b58b97e4c7bfbc5126275984e1dd62ec8fc8ecd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5c4457662ccc2b29101538d686c67d6d

SHA1
38dba0761d836f2671fd028d7a1336af0237c973

SHA256
431d0befe8b22653a3e55ccf2106ef0d16c409edb89a12b50702f3901bbb1c0f

SHA512
fc186a3f1a21641bc69c16a9ca046e5a31950a3d77c3be3251f0afe9ca0db9cadbbafb7550d8851320552a9772a2aba910102da981dd0b3ada14de192fc8e9cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
c52141a4911b1bc0e31435b67aeda107

SHA1
0cc15276c54d65232bb1ca8ba02caa3b6c8b3b5b

SHA256
053eabc4d9937da855c3d0622b19756006f4a224a448844fdb1459a9dc0a7502

SHA512
8fbb0193426ea79a778d3cde9caba8ddd5d963c485e7ecfce752dbefebdd69700b662a3868d061d4a3824f2dd13bb1d4c9adbb0f54528d34844546e7a2e294e5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8276b108233ef3ffc37e6a4f3ac78610

SHA1
a60adb4f9bb5733057ef0d39a5a16a85e2b765a7

SHA256
ddfa8e82291d97b3fe28df7f0f96dd39dcc316538720293823762f2bc66a0a6f

SHA512
d59a81223d2caa1e02228f52d68eff593cbb5ad923a992b5c262b1cc2c4aff84c0402e1141a1327afd9f24812c30ed8dd4623ba69d7e62576eff172bb98bf03f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
3f2bb5c2ecea03c69422acf20ff9f6f0

SHA1
42a3aa7bba6878e4af81fccfbd9d1e6b5c35cd91

SHA256
094a32b974f308e75515383f5ebd59af213dceda7d004fecbdd1b7db1b7ce90f

SHA512
eab8f6f107e75c5ec6bdf320b10c6456d0547d3d55f4cae4245d79e3a98c0818d0d416ad6d443bccd00fb8c7fd53ead27461532902cce452a14a85b42f441b6c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
2def79cbb8c48b7cddf063885f86c113

SHA1
37414270d77c3b0fb2ae2fbfd47f34ae14a8ea59

SHA256
0fb0a2706fa19518e6a3a5bcf55c61c62126ee10398f15657b210004e0c388c0

SHA512
c19c594b10520996f19fd3a4acdf26afb4fc47dc2d8dc7c1deb4657426f49089f855c56afc0159366b66a9fcb39f8090712d77a8b059388a8f26551180f587f6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
3f2120bc4caaf485a3b90596fc87c9e6

SHA1
7a887e728f4f004b0bcf1860c2c8b5888610d554

SHA256
dd8c474253f1136a2a010e4fc209cd70c3f97e17d063367baa0e8db037ca4adf

SHA512
c95ea984362ea23a84ff82d55cbebd92f12a16512a6f493fb7ee5286dff85aa30907970ce980a899032b1a7b1ee1558abcfab83d828739f59b68b013b7fbd941

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8b591eb34dd2be50d1f6e51340166787

SHA1
bca409c34ad0d138b724e53bb2a9d2f43bb2dd60

SHA256
115cac8709ccb2c501643b2e3026f787072d4e78999bacf3349f749dfcfc5b58

SHA512
834dd9dcba20c69eeef8c8278377391388d9a7c6560dc1ee72ce617264d523b350df96752ebd022a906e512916645cd41172d619931659061c4bacb0658970be

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07f3609750835a647f6bf128735167c1

SHA1
aa10ed87b0cf5679846ffeff05dc297fae9f0145

SHA256
8bd63e9597de009fc2c191233d68cb716470c16f856ea24c354117524b642df9

SHA512
72eef9f412eb41d41db60f0761c08bd0263404a098da57540061c3e51ecc4935ac8f3bdd92e54a44df8ec6f4f8af74d7c768bea6904ecf3eb352350826910f0f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
51dd44a21c193735978a4017cdd30eda

SHA1
1defb5dc2bc1fcb55769f75fe11f1aec42627890

SHA256
f3ed3f64f7bf2ab894d9a3b3dfe07121b6c3d0b9a3e1e0642e4213d1a1e4b5df

SHA512
7981fdee9689316a5b32d1033ac426cc5399892e41f1c0d70ccba10b24814a4bfc7e35df47945416644dde300fae07ca95d0f8f50e59eca1d1da7eca93d24887

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
654e14f953f0450f1470737c2c60656c

SHA1
b89461d5cf21468f6fb976bc48c59c546ea14c1d

SHA256
464362c57d1dbfcb707af1d483339f282818588cf40c5213c453529407fc3359

SHA512
5c39aa3af71883be933bb1dc3608dfe001c46e330d424f7f4f05a5285f8873faaede23326e6e6c5f969d349ea0ac301a33e03c8d683a5b5d4a83782b95ff7c25

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dd630a8ca3059f4abc9e0ad8c8ff55a0

SHA1
c3258d7b6a65b9d237908d450480e314662fdf36

SHA256
fef79403cb07908e4f14f73d527926b9c03224404be35678405aaf5763788add

SHA512
9e865bcc18d8d2b630f007e2f30b0311e00ac0448a59ab07456e67a5e95a632ae2ec7c03802c9de57bc9697c19819eadb2f57d20b10ece6085828830e1609105

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
5bc5e83d4add72be61f3fca804c31e2c

SHA1
e4028ca19f51659199a430ba1f12537b1cc37c04

SHA256
ef5467145f8b9266aaf0a94cbde6d39582749dc997bd085323aa9fe7906f5bf5

SHA512
657a04f19d2a5223fe936b3fec815688412c3ad0dc57783423968dc99684bef0c2d59d67d21245fb38f352237d0baf28b8afff0a36c59d0a2e30d6fb393ab895

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
62d0acda229a2b3dd156e1b64186dd9c

SHA1
52e3a8f29484184af36ae7d4c4ca9cdb51df01d4

SHA256
3e72b91505d57883948d6564d0eaf37b21fb456a8cea3916ef1aa4d8719aa44b

SHA512
617153a71a0757cc20ec052cb81fe022af7bfdf8ac7e9bfe1e6d30ebad026a60018041f1b2f40d22c70f7b2cf5553fa1f2dd3ac1f58d13c86ce35e5cc9745b63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
b693b0f6be926b0ccdb02b760e6fe300

SHA1
26f001eaebf3cea938f772dbbce0f9ea1699277d

SHA256
1dc968364cb21629db0d97e98669492387ca69380176059e939001498b266b22

SHA512
8b01c41e181e08280c7fe0869995d427c3daaf3b4ee88d694cec2d33dbcd2692c911813dd64cbefcbe27d7d7d14b8bb34f06d12fd65fde92cd27b2dde8efe3ef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ddaeb10e5089180e3a9b9f5096d98abf

SHA1
051955f11583cdad5ce73890320238f502333045

SHA256
af2eb9691fafb870cf71536a9e345cc05dd5af0c70eb4ac2634a0adbac039cb8

SHA512
7d12d47b7cf247f11c6d8a1a18cbd99b232e49063cc4e4c1b2fe43a6cf33d02d78b2f9691ab85a4c381384da544c43943fd4f508f5e5baee20d76738f93d952f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
61cabd0e0d78c83705dc9f25fdc423c1

SHA1
3d7626514888531509a44144118df0209693a772

SHA256
bb1cc1f604193e1f7987265e58cfebc2f9091a2676baab2bd76fed1c3f6aa094

SHA512
8a4f048a07864dc44c80c73accc2bd0079665d8af08336a4bffbbf84e0ae33286757cb26b706589ac901a2cb637f3c186c88d98c9968724b461cebbe1d6438c9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
73a55dde66d139f933eb6042590cae18

SHA1
43d924acbbbfc5c59dd99ba229eee26ac032b329

SHA256
167d751923d3561ac7c605c90ad780b6f0de96874dcf90e40482ed972bc8df80

SHA512
c81d04b2bbe04c8ec8f75da216e123cb79336d5f8bfa0cf85316f1e0940cf109fa0939149e12a037831e08b7e00951e36c2f069221e30ed3b097e984b86b7b1f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
638f5c995cfb7d5706bb956295fcc13b

SHA1
0b74012841c3007bffb42e9e3cf5627fbac366c3

SHA256
a9e1841066c43ffd8fb1ba2951e080be8f02166a4189a999532161a37082ee12

SHA512
0daf895f2bc7ed63c559fbb7ae7de1b910125df1f2648640c2a705575fb7da07341fb67ddefd96a3f5321f88035cb6e98d77b00d397120de764d5de0401786b7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
38dc7d4d824037902ae404f2d765af1f

SHA1
836648b8698a15a4b0a0f64a708defa593b01705

SHA256
4a40ac042912dff902ff19c1737d911ed09431516cded9abf175e65a4c4b0e72

SHA512
11f142b73e34589711c1f8821de6b25d2d14a5d832981ed89c1d1e0be4c8c56c33814b20edcf153d956a2dac624b21a0bd5ce633fc91a26d3464960df4acd58f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
f8c497075fa06eca857702240d54b3c1

SHA1
32a8e8e80174d87e65d5ff5bd0fcaa48ce23002f

SHA256
c1f6bc59a54135f11b6633bf60aa58678b2e807db2fd96379ec527a5952dcbb1

SHA512
2d6e3c4e7a33439026ed1d718fe7c0af6a1c391d65f43a4c8f2f6e1cd209b819a62f998f80d6aa767a3b6a366789e636c19fdf1493e6abd4878478dbb4256e52

Download Submit
memory/1020-116-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1020-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1028-113-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1028-14-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1028-22-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1028-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1204-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1204-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1344-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1824-61-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1824-168-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/1824-56-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1824-54-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/2456-193-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/2456-541-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/2560-1-0x00000000027D0000-0x0000000002837000-memory.dmp

Filesize
412KB

Download
memory/2560-621-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2560-91-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2560-8-0x00000000027D0000-0x0000000002837000-memory.dmp

Filesize
412KB

Download
memory/2560-0-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2844-190-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2844-519-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/3852-605-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3852-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3988-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3988-34-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3988-130-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3988-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4080-231-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4080-119-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4408-604-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4408-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-256-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4532-610-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4608-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-65-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4772-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4772-181-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4772-73-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4972-76-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4972-84-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/4972-89-0x0000000140000000-0x00000001401C6000-memory.dmp

Filesize
1.8MB

Download
memory/4972-82-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4972-87-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/5184-157-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/5184-343-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/5340-204-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/5340-93-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5340-92-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/5444-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5444-390-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5692-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5692-49-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5692-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5692-46-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5692-40-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5740-131-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/5740-243-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/5820-255-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/5820-142-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/6076-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6076-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download