000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Size

1.3MB
MD5

4878339563a804b6f94fcc5a363b7535
SHA1

723fb3b6bf650681301632e689e5254f05a003ed
SHA256

000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847
SHA512

170e1553f7d89c27544e13f08e0b140592c4763341b211f5c23ef4c403eaac719288f2bd1af7e4af6235c594a2289262c568e1ec2401acf3a53ab436dd9eaf3e
SSDEEP

12288:rUvCbw6UBL8252uui8FbECP7BhdfswdJ0NXdU8ZWH7DEP1rCJ7U3T:rUvD6t2rR8FfBhRJUEbDk1ulUj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2072	alg.exe
2836	DiagnosticsHub.StandardCollector.Service.exe
2088	fxssvc.exe
1588	elevation_service.exe
3032	elevation_service.exe
4868	maintenanceservice.exe
636	msdtc.exe
3592	OSE.EXE
1060	PerceptionSimulationService.exe
4152	perfhost.exe
4256	locator.exe
684	SensorDataService.exe
4888	snmptrap.exe
3400	spectrum.exe
1964	ssh-agent.exe
3436	TieringEngineService.exe
4992	AgentService.exe
2076	vds.exe
1196	vssvc.exe
2316	wbengine.exe
1888	WmiApSrv.exe
2956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a2725e6412d07ad8.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\locator.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\wbengine.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\vssvc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\msdtc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\msiexec.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\System32\vds.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\spectrum.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\AgentService.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037542c69e86fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072a3d26fe86fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043eca569e86fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008649db70e86fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096b32370e86fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeAuditPrivilege	2088	fxssvc.exe
Token: SeRestorePrivilege	3436	TieringEngineService.exe
Token: SeManageVolumePrivilege	3436	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4992	AgentService.exe
Token: SeBackupPrivilege	1196	vssvc.exe
Token: SeRestorePrivilege	1196	vssvc.exe
Token: SeAuditPrivilege	1196	vssvc.exe
Token: SeBackupPrivilege	2316	wbengine.exe
Token: SeRestorePrivilege	2316	wbengine.exe
Token: SeSecurityPrivilege	2316	wbengine.exe
Token: 33	2956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2956	SearchIndexer.exe
Token: SeDebugPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	4716	000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1004	2956	SearchIndexer.exe	119
PID 2956 wrote to memory of 1004	2956	SearchIndexer.exe	119
PID 2956 wrote to memory of 2892	2956	SearchIndexer.exe	120
PID 2956 wrote to memory of 2892	2956	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe
"C:\Users\Admin\AppData\Local\Temp\000c6e40037acf9ecd6e084eabd55c9c0422d6d590a0817e0466aecad445b847.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
597917e7c35a3275aa1cdc0b0f844249

SHA1
6e8b2ad4d0a7a954bb9b43bd8e5d706cdfe7c7e1

SHA256
4a448019dead1a603095d8b67ae1e2eb9b057f556c010a489f8a0af20c16ba30

SHA512
c0331f1cf0c5c0bb949593a59e44403548066c06ba546e3e533ff38245ecbb9c0aade53bba57dc4ed290e03654ddeb59050f8884a5d39927c60f69da1983543f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
a4baf9a434458733b2d3a8208a53eeb2

SHA1
1562885b7ab96e0e830ff450a2d6df9f87c732f8

SHA256
4ff0733d5ab88e2c60cc35339a9eb5a25ae74ea711f9f838c2cdd4c2db68abeb

SHA512
3c962920b368671c99af84119dbdfa7c14b0b833d6dad1502f6c11f894c74e5c64018d0965dcb1ea6628fa7132fd99b2d4adb463d1c081c8c21ef27bafed1a81

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
128KB

MD5
41ae1e1e3d2da333a036f3c7cd23a2df

SHA1
9c2fe50361dc9319e36fbeb5e15199b8c6edefc5

SHA256
9b839ebac85d1d26f0dcfb8eced85c545b83b580e26a4f173d822afd1812a1c6

SHA512
cf78a8b5f84048b9c4f2eb502a41ab9e2cd209a4076295c3ea5d4ebc83f18895a77754192a4a7b023e9c7bdb75cbf72c1852ed3dd4b6c44d810907a1dc1e50c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.4MB

MD5
f358a65b9d8079be540af13f59a4ef75

SHA1
f0ed05f4b929b3367eb5def04e27cd43303281e3

SHA256
a0c613835904589423a458ee3f9f58dc4162e690b09fa13e7b05e74babd66dc2

SHA512
bacac927fbeec0a529accd2ba82e47232c9d783d70272393eaaf0af46f8dca7578d3077e09fd0ac9109d609c7a965fc54ec6c503e1da6042ac8c126a0da75d24

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.2MB

MD5
57baa8718f4136e94b04e05f9e65d3a9

SHA1
68779f0f371e8eadfc727b25a43fa95a8e1fc7f0

SHA256
d8c359fc27e57ce914cad1a0f2e65e1b949cb62a7a43bdb9db4278d0f3cdb27d

SHA512
82cb7b0cfdfbcf0ef1b2c77a8d0b32511225311f81a321c7cc5c01e0f2f651a8ac01e520cc21c8d5bbb66e1465e5ae6ed880d74d3f27186ef6c9099264eca6f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1024KB

MD5
07652ddf094415910a92ea495977531a

SHA1
5333f73046b44ea291a01d9f114a6e6eec44ccd5

SHA256
f9bc16ada099333e9766bdbd2162c45a7b896cace22621ecf552981aec8f7bd9

SHA512
99042dca972ae97c2f35f1bc937df5e230acc044c39b24eac1e9e517bb2c1cc71c4be944f9d993b173e4d4db2b617a1c4e0d88f18c172937d1947cba487f1a86

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
c6ea6df7df4e02f29dd7e7de70a878de

SHA1
190c32813a2e4829b4655ee5b33d0ba6645094f8

SHA256
e2cc5a0ed42159a1e460b975ab5e23897c91b6618c92ab9d0ff70aba7571e2ff

SHA512
e24829bb6f1fce6287c4cc924a20e06e0cafe47b09303270d278214a944f2f0f3e78ee296e0eb50a672e38f6026d2b782a14e3ddf8a3a58d44be5841f869247b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
960KB

MD5
fa3b72805fc1f5131d0687a897385347

SHA1
99a322a427dbcbff4dc936d31064f43914506e75

SHA256
e3bc302595e1d2874baea51b594bb4178cfe73f08a8a8741d112a0425425622d

SHA512
6eca3d944cf93870bc5c4e6afdc5cd18ca3a4f9d376ec93652880010ab43ec35f25eec31f6d13334b415bd7e90305219a234b319e37d5751808226c276ca78a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
960KB

MD5
13836156247d4200ed4335329b7075a3

SHA1
1ec20295f77cac0d06ca74400cb839bae30da316

SHA256
a39c5f2486d082e9eecd47318b447abffaa018890f8e7e66107c1b5e3e7dcb8a

SHA512
b61e133b81b59ecbc61256671c6862022eb6ae1fc2637d48e5e279d0e14bd4d2112a3ed013421d0daa0ca3ff62814c8e9f5527cdaa8671a3bf32b6fe46074144

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
896KB

MD5
338b6aae3aeaf7d341344f592afa801f

SHA1
62de4bc9d9d7b62e563db754fabb24035c440125

SHA256
8b095b7381238681a24a7cb116b05f2a1c40ed366120429bd18a9f188a87457b

SHA512
5a4491690159ebba27ba48905250355072f2f321b0a321262df35bfb9cd9d3e71d4a47348ed4d937de5aacecd3cfa705775d82a8de736122696aaaf9af0a843e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
896KB

MD5
d4b0a9246f054ade379d28d676be0f41

SHA1
5ac1f6aaf341bc771658c64da53bad94a7ccd8d3

SHA256
b94c81db99090615a86c37da5f8a3b53f2001badde9cee7e15409e475acd20df

SHA512
17ddc24c133776a38ac05387e859ac93e4a9d79309c83675303ca939f619c834e164cdacb2704f6a3128ccfdba07d4d9b5d33333b36f7b116fc0fede51521e51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1024KB

MD5
c72dfa657b8df80e36b5050a562efea0

SHA1
735b2586c4b028a36dd8f6b9c1510f3d0f9ee96d

SHA256
981adf35f0eee9143d4ce9131698f99174600eecf433883fc5447421644ac31c

SHA512
0dddb07ae8dadc8b9451fcd166a9d213cfc4ce4634f23a24923b1861c3a24663f815e8f43a0efffda38ed0f38e6a4d541fc4853344f5199c72425cfd4d000936

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5f4306c22c2b2819bcbd774c59402838

SHA1
2badae1bdd3802f74aae9ffc878746b3e3c37a95

SHA256
f8005eacfd21dc1809bae0c5e05a5f7b22a04c02e93717e8fb9e9d08b8f3aee1

SHA512
7466ae241dafd9f67192bd09210ffc690d4d632f8896040673fdd62cc1709678bf251e9ca3a050d9b97b2b07e0cd4c200c62152bc26374e3721353a06caec2da

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
3f8356c9e78032b7aac72319d95c66f4

SHA1
480dc084dc7a1dcd143149ba8b4ae20906a761c2

SHA256
daed3ce78892eec02c0fdece128834af62ed43d4fe7b77fd534e9dc666e37567

SHA512
4cc7868a44561024d5bec1969882d486edc82ee7051feaaef18420fbff283691585df0a356b9cf7ed3d716b985e37cd961d5f926eb0b2ba895063ed68e40b309

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
49242445dd21e1e11e5e9ef8154b275a

SHA1
c836cc46874b4f8cb7d838d24f1469a270e146c1

SHA256
0e19f0494869ad5baeb51d1b94a6c2a2009c33ed1908aa1bffadaad2516d7f55

SHA512
1498ecc5736905ce2105eb1ce8afe2464c6e709611accb06043db18230294e9bafbf3854d31f7afd30e8dd1c3cbf7113e0536e59564839876af1945e3abedadb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
2.1MB

MD5
b69a031c37bd63821a1750da3730b6a1

SHA1
53ad0b5f6a040779e97875a3973034f7abf97dc9

SHA256
363d10d20ab4132411afa22f63a7b6c295f031e4848f45c23c1e49ebc6cccc46

SHA512
b64584f5393df3aa165dc1acf32549d1218222ff2ebc3352384fac45d9e8478e34ef44b3800717a722ba1f0d7c95d5f559b94a9f98a9e0acd40f53cde3472b2d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.6MB

MD5
bb4fd53d27d32c92bb995d888753e0fb

SHA1
a7e9cf19b3783e5887576b62955834116b9dde57

SHA256
da8fbf9a7135e7a95e15dcda230e7a9d58f920f450fa1eb0ff40378cdf172fe4

SHA512
1e4bb1c2044001dd35aa5e1c19ae911e47145e7d635441f56f756c7ff0f244aebc8b6f90be226b01c43f33accd163a985bf7b30ed10bcae1965b2029992222e7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.1MB

MD5
a1216f511954d07043e8eb3b709cbacc

SHA1
4822df518260737d93cfe651cd460c9792500cf8

SHA256
5f49b5addc9895d23dcb7a368440e4bb1491c307ffee1c2de1888cc7b99c7e68

SHA512
fcf624d341838de19ac166bb94624ba151adf0bb54ac78a13f5127b118e9b69bf6dfdccbd6d6a4609b35a2b5f94c0d7232b06c2b85e0ef1c53ebb337b018119e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fb2a0137cd124ccccdc98de5ccbc08ee

SHA1
2bb36576fd5feb70384216e4caa9db5e4c56ae5b

SHA256
1cd08536eb654ce524edc2bbef9553ebacea510277704bb88001fb1dddbfcf75

SHA512
05f158243a7fd4dd1de64ebadef2ce01daa8580b44fd969db7a66a17a3d88fde8faeabf3c3599c7845d366de23b2b933086a1ebd633c58259a4c7cc7d26aeb88

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.6MB

MD5
9d569ae86bd125fc8aa803b82934a567

SHA1
96c4bcb497f6df40388864aed67250e04be9dc11

SHA256
daaecf19364a6e36dbb01bd65cd5c7ecd12c75ec0aec23456fc1b42a6d732681

SHA512
964d0a8b32f3a54f975d86b9a986568b2842d680b2b7ae45a4a75c28ca9f5ef41b51e505b18a95f0a8f82bab1b0c747abea1f4b8f8c9595952685d5ef8cab075

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.4MB

MD5
e52938c6193e20a71f4a5bd42e31fbd4

SHA1
f61341210699ff448ea08027e964ec00b0133306

SHA256
ed441760f694ede8afa7e5c0a3d58830fcd8fa72be60ee2cb001e92618b2f874

SHA512
c3fda9bac032789b10125e4cbd9eaecf2a8fdf2dd598931331e83281ea639509a0dedcc584068b4487155b3b31f2a7707fbfd17fecec11945fbbc4fdfbc86f4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
4b463023c6122906e85922cb91ae362e

SHA1
e203b7ebead102e514a76bdff4dc737f65a464ae

SHA256
fc797a085ed3decf702ed941207ad218ae7fae88656bd65556ff8c55b351890b

SHA512
cf77f25a44855d94997cc90c62a49bbeb0f0f4fde9ad9380c71eb44c5ac0952090b9cad752ba6a7401f9388e1f7e163cff53d69c73083304d5cde14632d6576f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
6cc55b397949944aa404f71925b586b0

SHA1
985c052ea0d8e964c881a4f50334eeff47c62bd9

SHA256
a4f1af66e9dca970d2d095a06d8a259c1bd0398b001377f0c6d50c1840bfb522

SHA512
c2845c175e9632324cff5e9a0f7ec0dd3140793a09ab43b065bc5c3a4a1bd5d4d60e2690755e3fdbd260c3c514699ab5c8aa338418f56b4e79c387025f7f58eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
2983dea711fe0097d497f107d3854c22

SHA1
5e3cdc9c6fee35ae90ed8efcca79d9d90e4f449b

SHA256
21ff3c06500296316afe0c2b3f04d8b1fab8468340776ebd39cd42e4580ebb4c

SHA512
3958e4125b42666239bb6c8b0fc392289cbca44b1190b4283792bd035cf42d42c1f363958d16d4017f5625a96ba30884fa5c7f7537c848190db8d115131fd539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
e6f6c1344a0fc37986c5838ea8851a0a

SHA1
dcf2890004c98ea96676ae5d2cf28a27bfc3288d

SHA256
f3612ceda6e7766d1e800872a38536a434af70d0d0a37c34786614addde52bd9

SHA512
74b21c14fde06d16dd01e41fd891be37a96a0e3c22381b8ec0c5578faa441812b41310a9afa17b1e6366e306e76436e4c230bf150cfb0b20d61f466160f916c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
c04fadcb798cb32097aa8a927b2c94db

SHA1
d94eb6a75c2c9ca8ffd956123168583073383405

SHA256
af666cf3f11a430288950ae8546ec14cf3810e872ceca95fa9d1817b5ebade30

SHA512
a5219851836fc3be120b12fb98deaebf48a39958895121f550bbd455a93d31dc542b49dd772f34ad1a9b87fc7b62c7fb557f3f1acc83b03b55a3855b8469b5b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
07c61975e09fafdc6640d99cb1d851ae

SHA1
b10805f16cfc737e21e34dbcb07baeae4dc53e4c

SHA256
861f8255ab7c40b8bef37185f0582bbd76fd1ae0a090e697819dd446518cd58b

SHA512
b67abbabe19467c44971a6540b9bac2244e89b0bc7f69d4dbe988e1be9c3ff6b5f2a6be6d3cad158973a842dd14695b6c4d3d62353ad2c07854690a58b76d9e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
74992cfa704ba96adfe90f6aab856983

SHA1
048e384666e22e69c21e7b986b2d1e6cbdddd233

SHA256
d8430048e09df081f15e9d46259fe8c9bbc71f2aea3bb84f944a377399a4555c

SHA512
b42d9102158e4cc2f18d8f7a3200796e73f6196c69163a85ae8c7ce2bdd486b4fcb80e366a6d6e7f4c9a480e0914aeae8483879c8ea87bc1561ef9bc976a3acd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.1MB

MD5
91a95b760ca1506c3bb376e74dd49958

SHA1
93342dd6ba32e1814cc9bfad00622e2840de75b7

SHA256
c79790d89e6b601356e09164cf977630333fc2919196ab3711bdb4cbb5f2020d

SHA512
0762c64cb055c0e5e8781eced2fa1a18dc3c6d3cba0e18d733ff98d66fc2a26d73e7b90bae4e92370a4d409cdd0aa57bf15f77a39029b09aa9764318b97029ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
65c181a10396f758fe326f3694dfb50a

SHA1
27d57e614fbd880d9fbaa72ee605a82d52789822

SHA256
634fd83e95e2b564f009f5c3d6647d7eda9010e1465b673d0e680c4094492127

SHA512
b5d8e36a5d03811417a9bfe8608333c51790adf50e18d463d092fd10d69b176a2cde821f551ba62be1b7b7ae2c9060a6fa0b5cc7489f0ce500890f2276926b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1024KB

MD5
b970c6e002d874784895f4d4f2ce0383

SHA1
5fe7ee616f69ace767934b1d1bc1c40f7980605d

SHA256
7cecbd137a78c45b218099aa202b87007a54cad31cfca287a3ebf47c183d8969

SHA512
20dd28a76906479e3cff94dc7579da12f8b0157fe9df14669746ad6f8db6d2309b3c71948b9002500776e5753f603226c5d0c92933de36f3adebf92d1d4656cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1024KB

MD5
c94a577f1b93ff4bfe0113982f66fce5

SHA1
362fb0895f15117051a6e0f9693145a3f8148f92

SHA256
27b2c8e392119f21c47a8b19ad5b2ee265f89c0bf401443ad64d3dc9d0db22d0

SHA512
79ad84570b72145e4ce18b5cbac23a9728aa56a6170069f0cdb48ee6da1a311948e2112c97e52f61c32ac5446e18a2cd368ad674cc05ddd354e8e97ec1db54f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
704KB

MD5
a1be7de90a2664b25ab6675680092381

SHA1
d08b8cf4fd27e5a7b32e15709b63f745fdfb81d7

SHA256
03bacd3edf6e3f491eb9373d451858cb5395c28529c923fbb997e18ee28f23d5

SHA512
a1f737dc78f11b10fe90fd6c9ab20dcd8ab2679619231477b85bbc3d2e97a79a5c0bc186d85be887fac70824338b2a6e3d787e8b215ce35ad5e7a8a350bf0fbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
768KB

MD5
4792d070f5d5169c414e018519a21adf

SHA1
744328a77e167ce999863b57b40a1e7d9b78b711

SHA256
118f235179b69a743fffc8089c90d6378b9fcd4aebab68971be297ec81052730

SHA512
59bf556403099229bb99956ebeffa165442822b1827350e9613ef03fac4c4a9bbe7548c0571e8828a6ea5a1849ddc03230a2a7ea404b8f07aec6a31fa6a6c9b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
704KB

MD5
71a90a7e0493dcf78edba44fdb20b5e7

SHA1
5ead345cdf7e268d7402f5026417170c211dca47

SHA256
2afda1ef850b8fffcbd4d3ce5501a040f21368a4fcfc3a295448d75253665129

SHA512
8110e86aa23226083c671b96c60b342cf2a3e3940ba8548d9a72e4b35bafb7f7e96034b067c46907de6489c807cfd8493fb1f429d68a829e785943d3e786e9f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
640KB

MD5
516c5367bf3875ddde92733e62584b71

SHA1
5998e1db1ec1321b48403ba4621d7a8406663abf

SHA256
6e2e526c59a63869b33002d2fe6ed34b9569840993a16217595106fe047bc2f0

SHA512
070774bec4df8f1e637b1768aacd12bc54081bbdf44dae1e1c6a50052212c5aae81f74398f6ed7467ce9d34d4147f8cbe32901a121b3f36cd3441c3c67474717

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
c20b9265078a4e011165f991eb857e7c

SHA1
ba33a16715ec91f81aff011059978327397e4949

SHA256
06421743c0c08caf69e089018434824a626a2d3b676359dfb8dd2eec83cc5d46

SHA512
8649027c6f5fb26b5023119546cce2e623ca63a993ee1a55a8d50360f1e44ba4f74967a060a6c4f2ddfb4c3d27825751fee77b690d503923b10ee6ffef5c6334

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
e0950580e12b252e9a16cf2bcca7e72c

SHA1
253a9b6daae5dc77d5b588634df5c83b71abcf66

SHA256
aa4cfa2445f901f0bf2ebf4798bc4dca8c3d1e249f4ddb3d8b9199af50371ef3

SHA512
7bcb7fa729b99d7e11727255b799af803a2954422ad8bfa3c1ebfae9887a0f5c3a1ed15967c9077d8d9a5bf61ae700eec74a30a354371f22b6c4646d7679195c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
3d42cb8e3ad6d2d81fb8fa71bf47f6e7

SHA1
e080740620643a09e386e4f9ac016618a08235fe

SHA256
839b1f600b756fbc970ab311199b45ed5c830f427a711ea71b98d6d9fb417594

SHA512
6db8edcd957f77ee3e687c4a43dd5fb4d9ba2c5328b159bc6c86b3ad55cb8f757a14bc3e6944e6016dd193629417bb8361547334d589fbc956d5913b53c611a3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bf432529ae22ab3971107a3631df48f1

SHA1
858816642c638394a7ab51fcae2254a416a68ef9

SHA256
be2e2b37de7abc297d9f81a96112bf81041efff4ee9fda7c831099094fb8ed6c

SHA512
db1373f3493a3a21c8472f4bd5a46b963e27645073c45e25c3724437477491936b2974d83961590018a42301ca3c2952c85b7cd27563d715346cba275bea91e0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2cad6560eff9b672887abe4ba3078993

SHA1
62cc8dbecf64ed9176ab8c6274c5de4b961845f6

SHA256
7ccce78dbcadf97c0354fc82c90cf160127d3ea361fe89b5184737312f75015e

SHA512
7b42ffb7c67cb24e7006038558a8223bd68cf8e3eb15225e1b6f92f61635106f1a4c4f37062e4b4e9974cad6184374d10ca7f2801ed1f3dfda35be469776ef06

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
03e904725c5acff68dd23ffcd76cf90e

SHA1
e0947df853ed00b3bbf2cc2f1b7f6965a284b417

SHA256
654801a74a0a440d52ddbf408b5887728d47e7d751a943af945e02e34c811cb9

SHA512
883de71aa1e5c28dfeddc921b32d166014d38020c78388dd70ed755d93f888a7c85122b1002c829c971633f32a88ab5eb2fcfcabe1b7c5954d10b8a7a6d98f82

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
00ce05c9b3f47527dadb8134ce2020fc

SHA1
3aaa977cd68116bebee92fa78caea8d489cd4e42

SHA256
067893ec00407182f43fc9354def82c4660e776585a6b3b6edc3b698854a5453

SHA512
766b985a0ed8fcad73e2db3026f6329501c09113f47cb3a23a6e023915a43e75d652d9998821b108dfc62b92cda2960badf111a69b2003b83db64126fd6af076

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
31fa47d6de8e6bc89b587fc0c3b5c88c

SHA1
b4a824e24c2f1137702540d7ea3dec01d0e951b1

SHA256
bdd07974b3fe791a9506659d48632319b9d53ac934b2dee92d1c6f246c02e1fc

SHA512
85d3d71f2fb5a4120689ee1bd8a183211d43f6e5b08bfd344fea919ea1cfcda25df683cdd722839a7f0b6d05171f81f3efc8e7fc7977e5c187a42d8ed3ad2ce2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0a31bd4e379601caa7de7f53469994d0

SHA1
2441d685eea2a9150f1ced623dcb5d3d3708dcab

SHA256
6e11aaab73e3988be1bad6bd94a9e5f9a9709d5199f41d63b8168d9cbb47ee6e

SHA512
89cc93059faee47330f9106ff819079d22b264db2a0a695d9e7d7ea4e858a0d095ad3097ea1304da3575c21cb3ebb45d1a289c547a69af503bbc3d469d75dd57

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
186c8c50cd488481e024a2c3342582b3

SHA1
767f596ae958f50aa60c8657038c4d7e5484855d

SHA256
4c2b4936107fe44983998eb2ffda14ff62099141b2d33b0994862314afa2533c

SHA512
0131465ba39e252442cf5b7aaa82d54657d9f9d323094524871f48732419ebd21d91d798bcb33cf426f31b43900a9b513d71577ce5031351c341560245ada178

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc8c6f729d82650d2ce9d17d226ae2ad

SHA1
664f25d2387fd99180fd1d07be66b4a38815ce61

SHA256
e697dfb576860e0339c32a71df7d94c077f72fb8faaca4876c35c01017e6b35e

SHA512
dd39af7f85b226b7f9f8913f3921ff80a504ecade33d2530f827ceeb3a00bfeda4796bac889a58d77866c6795bf5664f3045b8024a7c1183d61c441310ea8566

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.4MB

MD5
bfe0809b4b55bcb75b83263bd36b9eeb

SHA1
57111d470fc28a88bd0a7c957a0997dcfeaaddc0

SHA256
06060812b915b71882c461b230741f65fcbe8d3f58c2683d55649e82b9d9ba68

SHA512
e506b71c2b91d3d32c71780e2bbb65364db5d2d2586e273471db546a10390c0125e6d1b7ff95f57872cead2227a714d98ecfc1f3329dd265b0acf1a44063da4c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
505661c69b353cfb5edb008ad9705438

SHA1
b96e789657beec5776970aed49395cc86caabd40

SHA256
bbc1d1feec3a64324475ffd7752437a6798c17059eabb6a2780fd997e81133c1

SHA512
361a38fae09bea494873ddf3cc750a3b5c619a017f2a025ed012a491ef808e02268bcf20d2c6c980c9a8da69dc47cf68fdeca08f56d9d5928192e80759fb078f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
9b8d6931075259a3a34dc22d4372e39b

SHA1
f01b91e7e012d085e7fae12c1ae4cfd881389478

SHA256
4499c031e188820b975e49f7e7d1847040aed973b2db5f1c701c3ec7ab1ec246

SHA512
409382853e7ec8e473427511ad82b7b34830a56b24fc9ebc1eb43f89780757668f9bc356a4c13d3fc56fbda3f85ffe04f54d0e7d0654a4776796fb7e8e416245

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2b2cc2a724af6f293d6572604a7d57b7

SHA1
152a7b605af1af972c7cbae1f7a2bec293154a52

SHA256
5fa9d6e2109e24f3ebe7652091d82263f65c21f1cd0566d830633e1fcb9efdb4

SHA512
fd5b9f669ec28ab48d25bae322ce4c405499fdc23e7bacd5dfbb0a66efdbc4f90f51111b6d3b440568657f7640871f911a68682f48e86bf6d53dc8fff849125f

Download Submit
C:\Windows\System32\alg.exe

Filesize
320KB

MD5
8c8ba9af9bdaa96dfcef920a19a6de8c

SHA1
ce27ae2b531163b9f41f73c96b8891e28f019a23

SHA256
aea4c156598b2dc93348c90081ebc691ea7d479a4dfc1b5b2f968646545d1b55

SHA512
51c9e8ea144378d555d4950d924db683e2c06a7ee8fd73e83b014f8e0c3a05c38ec6b11d78a09b0a07e63f1313b6a0c97ba08ee2afff3f7a58cda9d98b4df6ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
f1c34e5994a8eb95b8f47a0d0a6852e0

SHA1
cc159b0bc7a538cd7553e8e88d4857b243816e1a

SHA256
12fb41dcf1538304076ce57cd626cb037a4bbd2aabbcbcebfc074dcabb24e4c9

SHA512
8a0bec05a05bf45cc2f6547d5b3e0816985f4b7ca8a293d77c43aa25158e82f33a92d74382b5fde4b4deeffa0537207075d114f38e90d96185877cc90d7447a5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
3babf015e6ff17775b19d60329583199

SHA1
aa0d5ab8a4e9a0317350f2b2f3c4a719076fdfa4

SHA256
85278c38b695d50571e88daded815ef4ffa92e4a02c4df2befe4c94544bdb02c

SHA512
9a2ce576d2d1afd5b947c6292a2d4a83375fa0e8e50a57bab6c1b28269705e2c73e733dd2d1b098147360490b8244d2a40ae5cb1105749647d6085253620d9b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8a69e3a9c1e768f4873b2a9f4fffce1f

SHA1
7f80088622f735b6edb330d80bbbcdfe9a8d3101

SHA256
0a6ee52ef13e2ce5ce8fde5f283efbea28da1e0d1af9021b1dcc3d862b1e6d5a

SHA512
9b4e3e708a960adee867f70177db4bb7cbcbd5a49607682e96f15fefa2c8e2e04a1ced224a711d70f36bd3f0308f2253160fa300003e707734f4a7bc38f69af6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
930c9c24abe9a4ec3ac8feb442dad54a

SHA1
1ff511daaa2c3274797eb4d374acf66f046ce04b

SHA256
55e4f1c2fa7c7d484bb5579efc12726f22729ea09c89f977fd32b2ffc06af0d3

SHA512
61831e937740ce2a288ae2cd5bb2c651772705bdbf1d9a5eb330ab77cff6d9361980987edc040e0c500f86b5e1d00a26e8717f484b15de3f6c5ea655656773d0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
384KB

MD5
e5b3f2b1649671826c3b72e16d710b0d

SHA1
6df05969c8e64d5028173610d5079ba11aef9a51

SHA256
8d8ca7381818702dbd082591c64cc7c530b42ff437d93a73fb0a0a1c11e6a120

SHA512
e75545df029352d11b4f04f16f610dd05f5b1189f3d8755b101d60ef8a420d6de98bf4d670e92dcf781bf2705afa2a8adc9f208f257ce181ac9a2eb75c949f13

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.2MB

MD5
cb36ea498a3588d8ab0a27d6b49957c1

SHA1
6e05b17071856c6e9da72a812daf0176097dfff2

SHA256
c99fc291d5fe2eb8e9f44bd96cac170dbad500ca9c9130dc97510653dda57147

SHA512
ff346b6afb4d1a55e2a284917d00b460749bc9fa06d3c4041f6e6dc4b61f9edc38c0714ffad8b800f724244a7b571e0f23c649ccf0f85e108cac28993888746b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2155f6984d223e8c9f597305721ecaf9

SHA1
eefe33076487b1f89d91930f0b2115cd8c2377ac

SHA256
c7439f63e782ca9de7b18ae4da49bb208fd574d271cc530373fd79f81ee1277f

SHA512
aee8faf3b106f0f5c130d9f1e9e7fe73e8f56a8e90886dd155e8aafbceb0970d7cd0a8e227492faa0edc381a906641958f3707d4b37a80344c4b6e5354c7af8f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.3MB

MD5
fb84fe82f4a3e3dd5294fa13ab634e96

SHA1
f002810d885f527131dab836e47c8321aa51ff20

SHA256
85d290385d96e1b5a2119aa540ba9df7efa9feee8f6fede904469c655f6d7d36

SHA512
b3f535d9eb7fbec0bdcb1a1f5061352a093047058650ca7521786f57ebc708fe55cdd0b35773ab3105a3622b339795e8cbab4293d53db1f2b884cec68a83a09e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c16ff5f0db5553af527a570b8ee89587

SHA1
7692144e15b394bc1e98b53d06ff20524c8984f0

SHA256
663b6cf4d16270429472867a45fe6b7d04ef50a31c4bcf1864943300d2b03779

SHA512
515419c4b1098c22bace7ebbf64d7b6d8f86f3de3b2cd9cadc8fcc723960bdf4115420546f47b15c0e1c5abeaa47a43d87198659751ff7c6fb74885adb2afbf7

Download Submit
C:\odt\office2016setup.exe

Filesize
1.2MB

MD5
0295cd8383ce5ffd7bb9d63fd18051ce

SHA1
979f2a3323c3a7070b009b3e603512e14451e4e3

SHA256
6a2c71f559b7d671e22485555e288fd4a11f207685d83a5c2dbe00649b09b546

SHA512
405f9bbf613199ba569c53d9c558cada5a9ff92de33017d346f68b84368614e275c85abd62d01c5a4d5a6b0fabeb91c0b80c52f2210c5e78a3061023e76b8720

Download Submit
memory/636-95-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/636-158-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/636-102-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/636-93-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/684-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-168-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/684-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1060-185-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1060-130-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1060-125-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1196-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1196-266-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1588-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1588-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1588-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1588-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1888-284-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1888-291-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1964-270-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1964-210-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1964-202-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2072-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2072-76-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2072-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2076-252-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2076-476-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2076-246-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2088-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-49-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2088-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2088-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2088-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2316-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2316-279-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2836-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2836-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2836-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2836-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2892-500-0x000001FCD9E50000-0x000001FCD9E60000-memory.dmp

Filesize
64KB

Download
memory/2956-304-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2956-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3032-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3032-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3032-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3400-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3400-195-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3400-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3436-222-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3436-282-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3436-216-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3592-107-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3592-173-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3592-117-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4152-208-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/4152-199-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4152-136-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4152-142-0x00000000006E0000-0x0000000000746000-memory.dmp

Filesize
408KB

Download
memory/4256-155-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4256-146-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/4256-213-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/4716-0-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/4716-64-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/4716-8-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4716-1-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4868-91-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/4868-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4868-78-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/4868-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4868-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4888-175-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/4888-243-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/4888-181-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4992-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-236-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4992-241-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4992-244-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download