010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Size

622KB
MD5

ab4b6232923e8c83e3d2fb9da4cb9e77
SHA1

ce79672f2e0b618d09483eb53d0238688f0dd77e
SHA256

010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b
SHA512

5325d0c144be30b49aa514d5c55b5332bec1b2038bc5a688a846bb0d73ef70e97e9b8bb720bbdc9dae7856928a0dfb33d670690b290639cfb4b4068d11618233
SSDEEP

12288:HuCUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:Huq8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1852	alg.exe
1548	DiagnosticsHub.StandardCollector.Service.exe
3536	fxssvc.exe
1532	elevation_service.exe
3548	elevation_service.exe
824	maintenanceservice.exe
392	msdtc.exe
3508	OSE.EXE
2228	PerceptionSimulationService.exe
1048	perfhost.exe
4864	locator.exe
5104	SensorDataService.exe
3560	snmptrap.exe
2708	spectrum.exe
2132	ssh-agent.exe
2260	TieringEngineService.exe
1124	AgentService.exe
3156	vds.exe
3528	vssvc.exe
4196	wbengine.exe
3848	WmiApSrv.exe
4780	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\22a9155bd8c8c63e.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\System32\vds.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaw.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaws.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000604600a207ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082c61b11207ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a87db010207ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005298a9fd1f7ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd4d9bfd1f7ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd18cd10207ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e07030a207ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeAuditPrivilege	3536	fxssvc.exe
Token: SeRestorePrivilege	2260	TieringEngineService.exe
Token: SeManageVolumePrivilege	2260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1124	AgentService.exe
Token: SeBackupPrivilege	3528	vssvc.exe
Token: SeRestorePrivilege	3528	vssvc.exe
Token: SeAuditPrivilege	3528	vssvc.exe
Token: SeBackupPrivilege	4196	wbengine.exe
Token: SeRestorePrivilege	4196	wbengine.exe
Token: SeSecurityPrivilege	4196	wbengine.exe
Token: 33	4780	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4780	SearchIndexer.exe
Token: SeDebugPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeDebugPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeDebugPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeDebugPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeDebugPrivilege	1864	010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
Token: SeDebugPrivilege	1852	alg.exe
Token: SeDebugPrivilege	1852	alg.exe
Token: SeDebugPrivilege	1852	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 5324	4780	SearchIndexer.exe	122
PID 4780 wrote to memory of 5324	4780	SearchIndexer.exe	122
PID 4780 wrote to memory of 5360	4780	SearchIndexer.exe	123
PID 4780 wrote to memory of 5360	4780	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe
"C:\Users\Admin\AppData\Local\Temp\010db27a6f76009a54ebc6df77a6317cb70c96407c50dfd31c86c1735d1d7c8b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:392

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9168459c4da4105b3b282c20f89307d4

SHA1
ff6fc92a7b745bf448ff60b975c4792fe161bd29

SHA256
781d45cf45affc26249912527fc3f3ccc3bdd1914480d48cbf91a6e2b1ad1e2f

SHA512
d57c6e75899d2fa61c940925bbf7b7016bf675f0c290f656dd3c6751e15bfe75d87edb3fbbb901b4bc930fce41b6f7367c4c3d3237df498437fd1d65fcc9be5d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
07fee73b86284d2f502494283e455876

SHA1
f73c1226c6587b1b01757762358481c4f5a95a26

SHA256
10cb2b3c53a3ad9869d4a82f2ea575511bb8893de2ac057d05f89d65db95b4cb

SHA512
0f35800cb3f895c513c171d34c92610bd0594840f562d6673c31c01a00ee6b881d46127a45721b560611a6cde95a5c80c756a749b1b825cc245a80e14e9cba9f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c26826e115aa7c5e57aa28cee2ccb0cd

SHA1
8b0f7efc98082e4ce29b4b12ad670d3b4e391e99

SHA256
4a701c1b5499f2d1896568bca1ce173cabaaf1fcafa70d579eb144b29d6bbeb8

SHA512
bcbaac822cb9cc284acbcd0dedbec55f7959cd56a78f7318306a81f1852f57f0f7f448abf0953396a5528bc70ac0a274f9738649b6c5167e98473933e871ec75

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cb8cfe81fbf18ef0a6bc26dd8de3938c

SHA1
cc6bcfdc5a99ec9824b30b44fae9a4404c87556b

SHA256
b165d12002dfc001716b9e94d78da940aa8fba8253e5f4a0d699a929e89f027d

SHA512
7c08d14f8764dc261252450659b3a5a6c596566cd8022709068b48cfc6f5393f5cdaf4c9f9cce65e77d313c68fac4c803a46b7d9c858a1546cba454d7af531e8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
55fdc8f2ea8c9b238e9808e41d33e759

SHA1
15ddd331a998d30bc76e8870bd6a93a5a4b86072

SHA256
c5b49cbb8596766b9bb38b9226d94c8d947dc94452772bfffe344fc35e58d8aa

SHA512
a9bef937df5a6ff5cb75c21658f6532a5d99390020915d700679ac8716f63d59d46a978153f444747d1cedb13ccaa8d860ddf96463b27b3f9ab3a05882385b49

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f7d374b6e979d89679703f186905beb2

SHA1
b6f8205b971b001e6d38235f871ff1bd8c8c0d7f

SHA256
f6addbff241d5dcafdae442a8348c631fe426739cdaaaa0246a2da747804815b

SHA512
ce4b520e62de459304c3b85d4286ea823e53c226b409a5049c416aa7d162bc775b325cbe333b733dcafdd3cc81268ef0f4014f5c17c84558c8ec82aa53670fdc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
44d53692fa55f64c5cdda91796ad9ed1

SHA1
dbc6a8d414b8553e8ecb6b81321aa2ccf423d9ba

SHA256
5f2b859ade53ac5f081957e411a65af7f99982b8fb250b0d53402827b29cf280

SHA512
b5f7e0566a42d11e5b55cd990a0662e9d42d81148d75f8cc64d7aeab99b11ca33be6fe5d8403c0c77c3c8d6ab879b96d24296f28c590d2a984ba277df9e8f573

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
3.4MB

MD5
3e31504d07fe03632ba999e75f91dac0

SHA1
f7d4ee2b2f1624c0e9ee50970f8ac889acaaa161

SHA256
90331659a1751405aba1a1fea74de6e17894ac970df830e54e14d86850c52d32

SHA512
a20939ad2a35f11b8df1610767829b1ade03a0792dae8461538c87f756c06dbbc6cf0981cc1b5652fc7fd22554280993f5e5465fd29e4058aa04e3827a4c51df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f1034181ad94b73aedf44ce733013db9

SHA1
f090da2f7f0daf75dadb99cbeda5516ec01c4835

SHA256
0060d554eb512c8c00bb5a9dd9bfc0588bda843d972702778c2136b59bb96f86

SHA512
d4343f372405dad870c89c4b0c7977f81bfa4069167c7c7c3a2768a7f70fb4cdc65ba8a2f3919bcc64546dfb0d2251985d94549fc0c7cd9d1aab741fcfca0b02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
128KB

MD5
70345dd6e9e4ec59116f6a89940a3c9a

SHA1
7aa9aeba5e9c5846304b86145b0aaede003c1bd4

SHA256
0f870cb62d9727869a6e286e54d1807a6c5df0a6162e00fcb9a210a04f067ab8

SHA512
93d73063fe378428a8708ff77479342eb67d3971cf7a02dd122c3a2b7c5eeb2927822c88f12d00f89e398ac1b3fe93b8d2cf39cad422b63fbff7784b82b81a3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b77918684c684ebb8ef5fb0c5d2a8994

SHA1
d0d86c4a01ca34e2e54d7f089a2e755ac9e1a3be

SHA256
78516beb211c0bb223b2598e9baa3a39707cdd34f9333a3843aa897f9f74e45f

SHA512
5798631644b792307b20ee28578c4925db47637785769fe4b25a5dfb58618a885d486137353db69b0610f678cd6f1103cdeca2da0a161810aea0fa9f187b4f61

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3571d718cb38660d3c20ba73ae887068

SHA1
d8b0e146e110c259cb421e0bba95a0716421989b

SHA256
eb21cbb5796179147a7f523b9a2eb8ee5b7f720db664cb46d2e82ae498f53d6e

SHA512
cbfa4e24112057d73ba188cd205991503dc5b652426fcb3b2e61e76f04569665babb6d15a0f547977672adf843cff74d2a71638ddd2ee0dac07a85b5c9d35cc3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
240f64ad34bf80237e172f7b7a849c84

SHA1
f5f62c32e8e949a9b9e33f83315d027e2082f950

SHA256
95f9ce8d2f03a0aab042b84d9035039b107258a1eb98055fed2f77e53514280b

SHA512
b4c841f471cb69ec34327e56f7e17efb60f60454a891f822349c100fefa876042ff03ca93cadd23be40b0fdddcec1943643bc94b5b895023d13d2e5fa26a40aa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7b3a2bba1ff563665b8db3001f184fa6

SHA1
8547e3d75053d51dc869b22b40c02a665d4e8acb

SHA256
80adcc365fc9b9c9cef2b136e9956a22c724d1e1ea61cfe5471641abdd334432

SHA512
25c29fb965910ac49ee6d3778fe39444ab4dc8dccee6264b2e01b11a1fb6b1b3d5204ec4c53e900250988e7707e3899f4a0dc57013073c1b69c9ce15d4437bf8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
2.7MB

MD5
1e640ca4aeeb5653d5b79c599fbe59c2

SHA1
5ab7b5a980dbdfd87e8a83694983ded35053b928

SHA256
ccdb41cef72c3236fa6643082fddd35fea7e1ffc106cccad010cae958d548ab2

SHA512
d730f93ddc42593876aba36ca5339147188edbbe2331436da8d34b611ee771c2e040b0b7ffb1f0852cab26ad58a00be19b5583e91b3425380457be44e8a688f5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.5MB

MD5
d4dfc1242ba540234f2485fe4cb82d12

SHA1
04d4f1ad3e971811aa05bf9ece60adf6b2b1d405

SHA256
c9b563f20670e328c29275c2b9b6b709885ea20649450453b5c527aad421b66f

SHA512
923bb754788ae4c8f818fa867449a230c90f03673b50e20f2abc66f01d2eedb7ff7a65f9ae8d2646591f2a9d3986c7bdc10db104fb6d06a43313073f4640175c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
b482aefce881dee222ce4230dd6b1188

SHA1
18673333d887ab0affd46f50470eec0f1c76cd1d

SHA256
5f94c99c89a9df2e68a35e9b91e48001a31d86fd380cb6d8bde9cd53076e7d2a

SHA512
7e82bb902d27e24c5857a36c2f6e5f66eff3da9ff29b8e9b16ee831812c63a825550f08c929fb5d2a917aed85431189c4d19428a6b66886910cba104bb180a8a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.6MB

MD5
1e449b7eb5c4e637e10e93099aea2708

SHA1
34268bfae88eceafe4dafba3c8c5a16e4f06d2b6

SHA256
c557c38c6d78d57f5ddb0e094e1635998284754eb44f5fb094d692121b0b4244

SHA512
40537df3d4959d761c68fe2762f7f287782d106948b3b08576cfac81e44163b5f177bf98b3195ea747b4b8ab33819c0819b482a0dce6b90ad973f25691aed3c2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1116a7ecdf5eddebe5dbd4c031754e3f

SHA1
2da401eb4ce23f176eba6d639a4a277e8ab366d1

SHA256
3d7d3fe216166f0559740d1435a24d80a3ef9dd0a7345e73936336ae5e961a48

SHA512
c12f210350aeb14fd790ebea4ecb2617d5dde3783ad597bab24b0d4889f174ea0b05f9d5ba3969f691c375bfd1e5ccc7450f9200b9c3524fa6831b82ac53d227

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
e6cbf5bfe42cb9818fe1b04ca629388d

SHA1
e3b77098a7f5dd1b3a4056815ad8def8c5104e32

SHA256
ae5180666f9c6249f6817da5f9088213cbca67b373fb30b13f866a870cca0828

SHA512
f3af394ea4736db65c8f3233f254ee03a396a0a5dde04c0e1d65971dd36e32102ca789fa2cd7ab1a52e59e6826aae35a770197b0236e77020f8d4d4c56d309c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
57462cf8cce1fc38f76c15d5a6713389

SHA1
71c343f362b89bba6f915dd7afbde48ab3265bbf

SHA256
711798658de485026744c9f96b5f643ab2b299cf75f299ba16af4bdfaa664a40

SHA512
87a96e7494cac8e8924a13376bb32a501e8d34ff0b1635f19cdad2dd3f0f0566d07951f09fa3dfd8a36e63961668a09543003f16423e3aeadec81b98d5ebb2c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4c9ce4536b0a82c58aa639ec6a10bada

SHA1
bfe10c7fb5eb23856d4a149be390cca9fb1d55aa

SHA256
4b0660832daac0ad8e40d3e83118e89c5ea3143e2941c15402f4a6d56430100c

SHA512
f58aa7abe32e140b2dc16837fd9dec3b93e19169603bfec13a0eb0c2a48e186475f07616225b1c82a343b33c9bb2601ad567ea5319a1b299aa6a7ac6da236fc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f382d936ee77c0af0400accc59237c29

SHA1
5bdf7597968e6665f534dfa67ec97be191711b7e

SHA256
8303e675a4383e4f2ea384c74c0e2dad607159bab53b8f20e6e012a7bcf36311

SHA512
8f681a2763d388512c9aca8fbd925dc6ed74356db8e0576b3c44a29054ccfbb51681c49421fc171e394210c646cc6a536bcffd5be480ccf45a7b099becdb0ee2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
05640ac9938c0772d6b1312bb4eef4e0

SHA1
e1e188b67f426476563e6512877950041eac9207

SHA256
ccd8f4a9211a7aa1ef2c7905f616b1b8da1188bf7d318b506c56db2e703f9f48

SHA512
88289252420985af5585d185ed46e7fd12c336728d9fe20d241fcdf5444e2bd3c00bbd4b4e2ffab2f486d09b29379a8926224231408fa04a7e2495a09a661a38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8b323ddebd74ddeee6a70bdd3cbab07f

SHA1
de3782f2a8d143ec4ff6e59d07c54c5c03ed2394

SHA256
61037c34b72ba39c19c4cd798e13bf649a9a292d4412231377eb408f769a5ec7

SHA512
44d9e499e9d47b25cbe0f8aa88c97bcecbeab6534b120f1efb31c0a3bdde1a692b0ab6e5d52d453e45e4f7bc357b8c7bf5d60e66ae9b574c39ee0edec5b3a5a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
48894f73bfa7317fd0a3402ec0107f58

SHA1
d0c9b5dfe9473afc0323b9a30001f5c79378f881

SHA256
cf3d77a4f5d2533bbcc4059082f9fd9c438128daae40e08bafa2853793436d95

SHA512
e5fd7c21d3c97aaf9d853ad1b50cac1c7bd8e5c84ea3fbf9a4c51aab038af3c1ad198518829bb999bc12a9efc11c4ee281862ef1045e9d12a29bbd72a6c65ea8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ff26d92509fa713378f776769b62fdeb

SHA1
27ffe4bb3f53612973e2fb5373ef1a0f3aab3702

SHA256
df845e946b7882cfed4b509a2fed8bc4ce54e3240a6f2b16c0e9014e1ea8184e

SHA512
f63efdab379736a56103ec5f183ad1bbfe9c49ce61f23153b5f2c6bf703f0eb81872bc525e31cd31e6f15c9f5074459737d91076d62390d2582e4c63618c8a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
dd2933cb081bc26ce15f658a9574f2b1

SHA1
5d28d292f620c276892004f00622ba1acf2f1071

SHA256
c601afdf9e352640bba7a199f39f347bfb749abd8e89d4f07e50e3de90022121

SHA512
baf1a71aa1821604f5ed05d87c0e221d9ab6c007caf2e2366c846dd17c81c657c43ddcd7029856f2090fe02856e1883fb5e3554a2dcfd1057320a64c348a39c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2e460e763410af7d8916efcbf434b7a9

SHA1
60a63eb90882adccb0b5a84550bb768dc021c2bb

SHA256
aa54d492a9c90a9765604f334dde04bb1a6988c004d12009098e9aa3ef86e6e2

SHA512
7a087b0c3b0217f731e1939b608ab6dc872a9772dd45c506b1c3becf0e031e0b3ed583300a4af6d1435bc55f701675bebc1288a9dc6f92a987d26fcaa3484e5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d770b7cb5ff4359e696548404780d6fa

SHA1
ce5976a2c66d1b760b02874eb510e350b6db7184

SHA256
5048ea176570af22ff7a92b4a5e645aa3574f1f6a7b6e41152b70d508613266e

SHA512
d0f25c0b994de313c39a25fb3f38033f8520cc663544ee6b002b2e848d08b03cf24d79f03d090a7607a77939d2df1eb81f1d6621d61ae89786a498aaf6a0823c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
417009719dc6a956053c45ace6c6f90b

SHA1
cca5bd766f0cd7420e87906b0e7bdaa47ba806f8

SHA256
2131a18e39eaae49807182d9e32736e3716c845662e380dddca0a6889e3b99ff

SHA512
9e5d70fad764e3bdbeadfd2c615d6632499c8ff546d9ccbb8ed72d10f58b032d4f81ab0f4939f02daeb14ef98f060b72b26b50ae14e50e2144bb9b4d7c40b6c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e79afddd1b195c8c093c05ca4c044077

SHA1
49557f43340fcb2df368fc7285457a9da4db19f6

SHA256
4c0dcbedfe2036ff7fbee7b78cf50dd26b4fea435a0246ba2b611c48e5d66c30

SHA512
cdd8eb025d3bbb6a2284a5e1cac9fbfbc8fa2fb754c167fe5b5b966c349a8319fe8a2fb0511ef4c41b48f94dad424f11d43eca434a9ed3f659022edba4f5623f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
64KB

MD5
70600425ac305d0c86bc7b72041940f7

SHA1
86aab4f0858bf4e06903e3ea483acbf4490d0653

SHA256
59d3f6cebcd3d2eb488e1544d8c92c23b430e3f87e7523436cfb9d3b41455387

SHA512
c2f48ed30b144fe17e5bcad3ce7ca5d71855450ea45f7390f2e9ae41773817247f54776549b5f7989182857225c6a765d22f137c907b9e69501a8098a15310f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
64KB

MD5
f2dffe3704ede9d0898c3f8410c7fc81

SHA1
61ad7e2e1ac8d0b5ed5c0e2f0adabf68b13e22fc

SHA256
859270de07251cfd84ebcdf18fa74267600be650abea10eb250423ea6b75b1bf

SHA512
8a21174ada0e4e30cdd677e8fc96ce63e259a11de73a6093689a9fa9b6ff6fbbf7bff7707b7b511fabeac8203c8165a6ef15409dd375a155a01ab5411ba235d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
64KB

MD5
0a0c33022534bb96398caebe42f93c7a

SHA1
4c091e9a493bcbb8119c910858e6bbf9899e2a0a

SHA256
cc42b59af7728062ba94534c55fe228e59a799a2aaaa32a683371e186604cf61

SHA512
a81d825a31cafb2a700824665a58fa573af86179303eb797b14cb802be94ce631170fab1ba5236e231d60cc8d23191852a98c326f3f8da670dcfea2694e66c98

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5a040b244fe8399aa20dd4d3bca72a9e

SHA1
1905cc08e87b0a75d8f4cb473b0731dd4560b5a7

SHA256
3ccc08df382b9e7527d4606d5421150cf0065c82f4adcfc6594bcd7b91f5949d

SHA512
ec08de236298966db73a606d66c25834b11e154741335e26eaba4c7387a1c775aec3c5281998efb06dee47f6c117164402949185ddaed010ff16632ea26eba71

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
e42de755f43388bb7a47e97d253d98eb

SHA1
6ff3f6cb34c1786768ab5d2db611f4db7bf9e5d5

SHA256
3a05ff19a29eebbc880a14fb4501b42501c6c770a6ce05297776e107f617e2fb

SHA512
5ecffcd78696fd82e97eb293af9c19c00226c227673f0b60257f65d92146f74212f334d84921c1b777e2c21accc7a520fe6490b881c7e26962acdbd0224373fc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
bebec8ad67823245a032f07bbeccdd70

SHA1
eb124b27710be252c7e5684fd0270c1274d86d7a

SHA256
6d9c52df0124007a91ef69cf9a64b38047062d10cc776e51b143b55336d5f80e

SHA512
e01a4a8ab6d95c7e8196ddfec287b551255febaee7c92295975613978083ecf6031d35bf0106b1fb2bc3532d7bf04f8c892fd34c5108de06ddcdc495dd5297a1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ba3ed4074ce5f8323f71c9ae9b6af2e7

SHA1
43258347fc971716c00bfc67a9238325d989d4d5

SHA256
6ea9bcb11bbfb7576a245ab8fbabee3cbb5eefd6f59271b31b5bbb04eb540806

SHA512
d00cacad88fa7bea40df6ebbfc05c749b5bc648a4433e0ad67965607448dfce23b8ca366a7316edcd3b5341daef9f8e161ca8741cc99e48598ed2e36bd896f0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
509f07dc23133a614973ffa9739a6b24

SHA1
3b8d6fc9739320d404225e4342fd4dc91c3d5b64

SHA256
4c263c5d36f7db941ee067541fa7676053d5173a8c8f0b1b7b0f7674b7f37d7b

SHA512
0e8a485b95ee2894ffb23e134e53a1ca9ddb1453097df0126ae6ae5ddf0c14205c622bd7a68e13086dfd274100c5e53b873475975254e7209231986edf2f670d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fb78e3e48163d7d5ca0568eb9078b84d

SHA1
2ca08d501143987cd48995ebfc35e6e3a388c34e

SHA256
c0578d265beeeb74b3f52efc0c58defe480c2213b72d3c96e460b9dbf9cd939e

SHA512
330f075066e2e6eff13f194b1db4d5cc842651350849e279edb6b3460a3ddb22ec71067d37994f05cd6d613734bd18465c4790d5b9ddc8dbcf045d8ce4be7fdd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
459c5265e1383651367e3425a0380943

SHA1
3ea93095b3ea83f8e8fec14681a65ac2c06770ee

SHA256
2d2d5deb212c2965a833eabee520d09de2bd4c062b53de78e25a69e892ccf6f6

SHA512
5680e99e3cb364b7645f5cf45113ec4ff029feb8884b1ee53e3cbc111dc459163c4310e155d69fdf065af7058d73f5184cad31bc3ae910e5d0cb9ec4c5d5affc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b67bdff99dc79d5043e864c08a4dff64

SHA1
260fc842fd247dd0ae93f7dffd28e8d75692f1d6

SHA256
36dcdd9cb83fc0086966f197645ef36a415abb53f61b8924816d945bd3fde01d

SHA512
aa1bddba171d9807ad3877a33be601dbaab96ddb564aca71e137ddeea3e4d92d5db555cd9f59fc6f6aa45ff76f4acc34e0374e5ade01fd3d227ec0595dcee7a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
576KB

MD5
e3c92ac0622f5a4fb26b34a1a2ffb596

SHA1
7655644c11c456daaefe30c9465d9ff4005f55e8

SHA256
97eb3107de6564c198fbd17b561b91e0cbad26ae7f6057e619f0c28d141c5e51

SHA512
5edbb29740187e57e6dedad6c55f223005c83e043a0c544b724acb6c6ae6bdbfd6949cdd2b58bc38ea992e5d52afd900ea00f6db27ab4c131d03b417f02572bd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6906f2dd109d8663587e407ffb1571bb

SHA1
f1c2ef109a6f360171f7168a67bf0516527f2764

SHA256
5043c746acc15469ccb74822cd454f55ed30bcd089ce19b05026c734470747be

SHA512
e2345cbd443acd4641bc2f107c0fb14201517c11a3ef29663ab31737d13fb00b668d26c9ad609a1b8a58c6a80b31b6640142ca8f827f1830ca8ab6cbf74bae9a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
376c56f61437fea467d6e3d9f6398558

SHA1
e95ba4ccaa5e369373785334f0974067ad9cf37a

SHA256
114a28d2438e44054125f895fdaf87c9c5c382b67fe6107ccc18e5d73840db61

SHA512
98c94c589e6c88c9960827542621c9fc79ac2f358895ad7c887101f01094a2c5db599f433005b9766a66884345e7543a6adc3637d15ec8b4312dce039514cb79

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d6c9c5279b7121fbc85bb383027a78eb

SHA1
94e22d69522605f8052b4c4f07fe3d463bb0ddd5

SHA256
36b6130650870f329787b7374f95907126fdfcdaf487fc58440a6043eb950733

SHA512
9b3775788cd1146dae1217dc800f4e667ae509bab8187ba69836a3c97669dd41253bfc3fac39a0616b9ff8abaf76cf76927e4def85542572f5b7b7849ecac3e3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d5e7082d2cb67c60017bda3f0ee0c7b4

SHA1
aa977b14fc39012bd48679c72190234b678e6c30

SHA256
26c031e10b228e3ae5c380ec48ebd6eb4fdb82fbb736e5c16582f419cbeaa0e9

SHA512
c32c140a1d5dff279419a10fc6b661a7281f7ca5f61399fbf854f6566419ec399da8cb45d9bb3b5e11e9f984cebbf509c375573b7cfa795845e396de8ffa2a6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bd4260110ab02bbbade99e68632dacdf

SHA1
c09a8d2b8fe2b18dac54e148b7a330d54e88eac1

SHA256
c54c33ce4f4b3b6b748aa568717bd534dd754dd080481bc3cdd8f82021787a71

SHA512
9358c110e48994197ba649d9ee5d7c982c2b331e5488f89ecdcd9508e9b21ac20fb95c34060c7a32f22c3951c663bb3891758b96837d031e2648403672bb5492

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e09f35b54566f4f4f6a6b615fb9ff39

SHA1
adae365e35cd599c81603fdaed7f829955e41412

SHA256
5eaae97e66ce270b479fa76c28f43994efc172583b5e03893ba8054199879f4e

SHA512
d68f5cd95679d0f793fe8c2a1746409227b9cdeea440a855e433039417008860dacd4e5cb46d7584fada7773f0bc85456b81406ecb5e653bcdda179302d98642

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
19564f19ebb11d42e4c55723aac7fd71

SHA1
43ca4838b3e773bebfbf1cb9f147a333ccb84844

SHA256
943c872434334cbf85efb6a30645e08e29edd1332473ace217a549d424148d20

SHA512
b8dd3af0dfdc668124e980a1def3665e639b9118cc28accaa237f79ab60e693077e9e8c90933177983eed7a28e4efdec43ffc70861b3ff05c8d335c9f4026b35

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ae672b64cb69fd12284c0f436eac8403

SHA1
abaa49ffc214e72ce64d593c5ebbc1235533a66e

SHA256
872b78522bc88be04fdedfa1e6d1e47bd4a4f0fac7dfa69f0d7ba6cb7739b92e

SHA512
d977fd2e8eb51115a5da28525fccbbe29b773dd167081a8f028bcc43cabacf6119658a60e405fd6b00724c02af30f683fd53dafb66c5a2ac0c7565f65d9de4a1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4c267f16e8d8fbff31bc9ed8ff317557

SHA1
b2bfb8106f0bb7ebc1294c004017c39ab280d1a1

SHA256
5ac06a5596602de1a1de822a91515a2f3eb6462b1b7ebd5027de141a64b03b12

SHA512
d43c74cd0c19bc89f5f5275dd072ed87ff1fdebf35955c7d5cbde362c6c63f54a661aab8fe6a0e7a6410dd1199b323185da0a21f4f68f1d45c6d7e16d385ee0c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f63c8ff13d3e75a948890815ac5d0ae1

SHA1
93d77c56e2d83c46c53a48deacc6d4cc76bd79e5

SHA256
cfe80abde2cdfd60ab439bc55d68e686af6f7b81cf917311873c4a8ee8a558e7

SHA512
f7253a839fa8dcb735740e1e379c286fa8078a413063fefaab4270914af0d5c60a6fc7a77a6a18b7b5895909a0c7a4416205fdcee229565e1a12bb398c24c679

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
04823073e9852a7c6e978e9dbf2973fa

SHA1
6a7c2bda66e62658e82020af5734ac715b439d86

SHA256
2022d8e67a377b4ae369be3ae509d690bc4b57a359af66dc91949f3ea0044ee3

SHA512
3145e09cc7ba5c817dc0b51effa2f7f009461663568bde61f554f055b7bc827a4251889e7d016ac1a4768a3c1bdc7e65668e2e8114badbf54cb126d4d1a83b0f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
64d488b0a95b53ae956a04626a45a72f

SHA1
f8495d8b136cdd877eb880e1d4ed4d32fff5b980

SHA256
a86d090a8baf2817f78d3f6e0d31e6bebb4a5d55a3defdb0aa3a861f95869b1d

SHA512
a25443b5ac57c070311fed33fba5e870e9c3f6efbe12165618a6925d9b6b5dec372babf8899b9a8dd3803db97eda070b9e52d4fbfc5c477629fcfc05071fbf1f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
55f288a008de17ed0b084bd3906496fc

SHA1
43d695eab6db02d50d713ed4cc8a6de3a466db54

SHA256
1225b0e897a3e6bf3d72230a484e1ee4525b60961cb2864066617d949b80db59

SHA512
8047deb0c7f5e3b2549b63b4fd3d922960045c548898a35faa0a25800b143a0b89478df71a72852bdb4d139c54e8154060cdc86c48c81b2a5bd61f763068cbea

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
256KB

MD5
9fe5cff64af3055db1cfe8c7e5f0343b

SHA1
c96c62975a32d8193752e505ff4517b0aa917966

SHA256
e92d254a34c0f4028ff65713b6c520c5ff9debc369ac1b1f4befc6ecddecfa37

SHA512
af4e45b213f5179e3f6053ded89075791505dc389269b9c14fbb092f50239c966c9cda8ee6f8e27fdebacfecf8783e217db6a26c86f7e639fa2f83fa59b0b78f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
520d74e7ed13b0121aa820b0718c835d

SHA1
a65c6f24986c8a9a90bf4b290a171ea131d72e22

SHA256
567512d1b069e180b34cbfea19b0140fb248559af4b7bfcdd9281e0cd7482a79

SHA512
f937e7ed0aa6995660b5db91040631ff8eb39d7e62c375da63dd35bd14bedce1aed38f2089dc2a819745741b3b11265c97f2a8d4c5e99309bb27b8d041af0fab

Download Submit
C:\odt\office2016setup.exe

Filesize
3.9MB

MD5
796c646efba9d94de342014de0dabe3a

SHA1
0aee48d2434ff5cda91f2d0e18fa8eb9d3e0b534

SHA256
7a0a6aa9dd86d5a5bafdcdc56e60f9fd326b08ea8d3ed85d63417ea6f789ddf0

SHA512
c5037a518f8b71cf8b64615313a63d37a04fb8bfbadf7c41a9b9ccbb4f205d07fdd83db5ab0ccfaf4a6b3200de88456e3f487720c82ad239bc5c7af8c91e0a2d

Download Submit
memory/392-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/392-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/392-102-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/392-94-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/824-91-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/824-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/824-77-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/824-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/824-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1048-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1048-138-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1048-142-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1124-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1124-239-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1124-240-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1124-235-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1532-52-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1532-60-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1532-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1532-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1548-86-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1548-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1548-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1548-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1548-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1852-72-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1852-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1852-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1852-20-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1852-19-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1864-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1864-7-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1864-61-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1864-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2132-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2132-266-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2132-208-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2228-186-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2228-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2228-130-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2260-222-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2260-279-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2260-215-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2708-257-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2708-193-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2708-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2708-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3156-306-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-245-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-253-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3508-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3508-115-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3508-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3528-258-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3528-267-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3536-51-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3536-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3536-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3548-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3548-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3560-251-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3560-180-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3560-175-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3560-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3848-293-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3848-285-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4196-280-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4196-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4780-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4864-155-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4864-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4864-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5104-167-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5104-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download