d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 02:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Size

1.5MB
MD5

539e507fc46cc5161a02cafa37c7053f
SHA1

0d8063668ef33cb38fa6e76c82cf8c7293039128
SHA256

d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425
SHA512

ec62167337e9d4889b3e36fed96b98179217eb0f36cf9272bdb6edca0d608ef0e32fa027f2cb1ad7fc6d0457266d459c6005d90f3023ac794d3ce76eb8b12d88
SSDEEP

24576:lkF8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:lkFgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3624	alg.exe
3588	DiagnosticsHub.StandardCollector.Service.exe
3656	fxssvc.exe
2244	elevation_service.exe
4228	elevation_service.exe
4744	maintenanceservice.exe
4008	msdtc.exe
1436	OSE.EXE
2020	PerceptionSimulationService.exe
2236	perfhost.exe
932	locator.exe
2824	SensorDataService.exe
5100	snmptrap.exe
2992	spectrum.exe
1232	ssh-agent.exe
5084	TieringEngineService.exe
1852	AgentService.exe
2160	vds.exe
2828	vssvc.exe
2816	wbengine.exe
3904	WmiApSrv.exe
3248	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\alg.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\412f1be15e51cbec.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\System32\vds.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98734\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c190ea02e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dc03702e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024835b02e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000343c5803e099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a793403e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e66d809e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061680203e099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ec92303e099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeAuditPrivilege	3656	fxssvc.exe
Token: SeRestorePrivilege	5084	TieringEngineService.exe
Token: SeManageVolumePrivilege	5084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1852	AgentService.exe
Token: SeBackupPrivilege	2828	vssvc.exe
Token: SeRestorePrivilege	2828	vssvc.exe
Token: SeAuditPrivilege	2828	vssvc.exe
Token: SeBackupPrivilege	2816	wbengine.exe
Token: SeRestorePrivilege	2816	wbengine.exe
Token: SeSecurityPrivilege	2816	wbengine.exe
Token: 33	3248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeDebugPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeDebugPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeDebugPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeDebugPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeDebugPrivilege	704	d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
Token: SeDebugPrivilege	3624	alg.exe
Token: SeDebugPrivilege	3624	alg.exe
Token: SeDebugPrivilege	3624	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 4756	3248	SearchIndexer.exe	113
PID 3248 wrote to memory of 4756	3248	SearchIndexer.exe	113
PID 3248 wrote to memory of 3756	3248	SearchIndexer.exe	114
PID 3248 wrote to memory of 3756	3248	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe
"C:\Users\Admin\AppData\Local\Temp\d77ae4a6e5ab7bcdaa69c38a0f16062664108fa0305124fcc8e871ce3e2b4425.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2824

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b680f509930abb69ed55e89f98df4397

SHA1
3b98171f898d4295477422340c3cde02eb534e25

SHA256
aa72a350523987b2feb7a46f132f02d34bd343a2b68bf463e515a45bcb474d8a

SHA512
aa408c2bd9cf92209edf01cfade0d94872a060b4fe7cd17f7c6b9f801fc98f964a7542413d496c66d2dc5dd3091e07594c75ec1e0ba2acea34100122664cab30

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3a901c2863f7c9c4d03f86c3a9fc66d0

SHA1
9f22bb116d1115f3acc8156ef2ecd2ff4b399a0f

SHA256
36804a7a05a45bbd7957f13ce07d6295d56775c6651df66e3084feaf749ee652

SHA512
714d7254dde817343d9115ad86a75c7660eeef275508e2d75cc5e9e1a81b6689004379507e472b595d6488dbf7f4f7065c2c19f4ced520ff0591a7759d8b388c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
41954497937fbed3810ba1d6b7f36b72

SHA1
4fe4899b3c2a000016a58a785c41da1b2bc9ab05

SHA256
3fbe5bf90c5f1006d6f99651118005cb6a99ff8d3b9f77206f403720ecfb1bfa

SHA512
92318803fdae21d61aa2c0fa1bed5feaaab0cca64885fc023f2e506b239488a53d21bd260f7263a0b298ab770f791d1cfab808ed35b8481600dcce7e82002afd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
75f89b35636b27c3ef9a36148a22aa6e

SHA1
12b5bc379404f7cb8deec9f667f9e139727892f0

SHA256
7f5d8676b78093851188b4f98ed40a216efb88d3026ecfc2ae61db9dd1eec121

SHA512
d2d47394e92bb4238c7f099f8249cec499fb6659289fe99d164b9789aeed49fc20fe6968645535fb8f6b58141613645a9387b06f882ed7886684065cd15325b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
39fe927afe218ff9f1bec3182fa1df6b

SHA1
ebfa2d821d242c70a69f849213bfd3318a3e4f15

SHA256
ac1744c193c720a71c557b22a21d18d027bc011a98473c19222b1b44b937e3e8

SHA512
da999f5aef9935ab8a8c15fb2fd36745ee2bd01c99138d8c7c778fcd1f477f0e75db1a10c65505f76b1fbe2b66698fd72f5a40a89bf63e45812d6d2cbdcea0af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
bfe5d44202a54310e77340bb8945b542

SHA1
0fa7f44c8173c811f27cba8e027461ce82cdb032

SHA256
d248e3c21be552a23a4f54bff687dac892d83d25138ac9ff46e21b83138a0867

SHA512
0d46800559fa764fe9ce996e1596f316c67350a4535c6ae92e1a825b1accdfb6d0108d472b1ee37653c5a7e9869d31bde5cb83093b997aea0ef7b83fca15b54a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
b4606d1f97b7d9cc1f35557c5f7345a2

SHA1
32a91d47d91f381810bee03bf6242bd8a7996fc7

SHA256
c19ed0924e0122e5c759cef1b029381ac18c633cc43da7d3b0e28b268c9caa07

SHA512
c4f24b341c2e0b9ddd407a777d850da0c02421726c030ec23efbf641bbe83e37ca4335cce60c08e3b1a8ec8c516730f10ca5743176325260b406bc5782063d5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
24efb0739283227dc2e492a1dfc084fc

SHA1
942ffba30ec1ef506f183eeb90e73e8e3ddac1de

SHA256
edd35ef574625cb5868c31502cd35ec336e815649bfd3ec82972fe8238346374

SHA512
d210e60bdeee898693e860b80348c1abb2d72a69fe0be6efa4847a63c72dbab53334026d5459291dfd0d8ea3436ca999a118b4054dee36eba5727fa1e0d8aed4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
bbdeb789cc308d61ab57336eabf7df71

SHA1
6ccd3ace3c150b37d34c0df0d431cef9f7f2b1de

SHA256
ec738d5d98d68f6d7a4eda256cebc4c49ddd86bad62ab187dd2f6273d945a44e

SHA512
8688444f28382d8793cce2150e1eaad004d82e2dd309db8ea133ea0768697c5abd919480972613e192e1f2792027d0468acd77f4a7c66162957f9ffd63c556d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
efe34f75602c90ce6c15038e1e93026d

SHA1
0537d4b2570b9b95a9771e01f404ec73b28b8d45

SHA256
f880deb5b71d6e4f1b40e58ad9437cb00b5ed30420b7c249018e3899671c04a4

SHA512
abc38144dde9f5fb681a1034dbb3a94acfa469cd20364b51646972cc93372cb2d335f9b91ac57f7569675cefa72598d4c443d4562b61a06b2f2e8f616a840ac7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6e23baa0c8cca870e408c5a8612f44ec

SHA1
cfaae331e3ba73831e96a61ad70f4e72103c5192

SHA256
c9a87e136a781fd890e78a78b557edc4f3b0ebce4737c4c09128bc6298984209

SHA512
01bae8c51d0620facffe68cac6a9f85c4a2b715cebd6275cd9f82d57962b6f58be99451f46b3f359e7a115a923ee8b3fd8806df36b1b2124c4885e98bfaa565a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f46ed478f0e83ecd9572155122ac768e

SHA1
18c0a64de0b26ca913fa720cd120a5e3d8631cbd

SHA256
4e044304ee210e69e7a0dc8f855a14f79ea2f2bd582a80136a04b55d09757b3d

SHA512
7f62a09afb177793f65d9d91982f6fa203e8dfc29a6c41cd7fe3a31281d6a6a6727e1e2a865c2d7ae79896748409b717e629d2905b7bc9e186eaae7b8ae5f908

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
6ba11b81af7bed957964436aff70b66b

SHA1
012f07bfb08c73861895f0be460da2d49fef30d6

SHA256
ab2ba2f33e0173b26ccf3048fb1b35537bf7748e8509dbffc4a969aa62977849

SHA512
d6ee46dfdf1c9e780690af6e7bf18db0270bb58d5ab951f6a22133771587505b22f79d1d858a131a573d8829599a45075c0e455ffa22562305dcae9b1918780a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
dbca9249071125d24b3223772e4b1301

SHA1
8c40a2b8f7f831ae66838228de34cc083b256b64

SHA256
62c6bdedb9a60a978a2a79df57460da69b4bd9bdb339cd1beb2ec752d36ce9c7

SHA512
197852aec634703999c0c0829893ab4cb4403842e76405757da9b90e560a2842488b543e276254bed7b37b697ff201a69b5a721fe5ba81a4fdb34778b7f27a3e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
511c3a71e3a6d67c6a3eab55b8e3e37a

SHA1
267d72eb7fe669c90effb62a081583d9c7ec3b9d

SHA256
7662d5ec0d1529c89c0fc0b7b719cc95381eb1e199f0a4346b71c9a5a39a6153

SHA512
c14f5c8803924fcb9bbf2215e40ea752796299a2992e4066c4ba9386fe9c95eb3f5b9264cbfeda466b4d36ebec304c37b480e5738737aba24277a490b413ca78

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
07d79124fcbf979ee74890f2891c1583

SHA1
7b8e0037ba619a669113b5fc5d1b40a69ea23f90

SHA256
612509d7d5bc01d1ca2b8f44f45cc84f937e9e83b86dab4fe72303856e3be610

SHA512
9a987d563647efedf862187b8a85be19bc577fe1389db135246a4f5b977ff583e49eb33aba11e0b89c05b3d0db833d92ac26492b302b9f1863f6881969336f22

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4f6b6703daffd28fe4342bf10ab41d43

SHA1
a5ec6bcf9e9770e5561ad5db66bd59c4ddd3e845

SHA256
e10772a1569f94a6fe2bba78fa0bcf39dfd37dffda3d3ea8424934bd45a56dfe

SHA512
d39b34f66b2be99e5fed15a86231c46cab82ecc06c00ed9d04f40b2b315dfb615229f0b07c462524e78f7c47d306549e36e06d60bfb0940de965ff7c297ae613

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
3ec9368fdfc79f30ccc2892b6dfa050a

SHA1
510fdeff234f1546bf871e52c06febc259a8bcdc

SHA256
c03be1c53db2a60523fb1f49e03504dae8f19f79931ff1d43c6b6c280f575148

SHA512
9c05c5ec7988d0a96b0557da415b54483bb6fb9444208ee5c02fae3de83f84e640bb80e60e67597e149a26fac7816e433e84c4584b5741aa5ef16cfc5041df14

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
1f9c4c79a5055130f585efde99899f9f

SHA1
45a66772777d737420fd33adfba3d4b8cbd94d12

SHA256
d646d292c6bd9a63f5ddafdb9a372ce0c134bdef6a09d4e31756320738131ead

SHA512
12c89f7f1a496b5a6ff1312412668b5905d0b7d161eff9e6af8465ba0aee81f9a924274942cd84cb3dd6e3f1cd72dac15fe35c74934c9bd00233e4ab59f7f206

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7be2b84aec42268de53b9937a0ffe77b

SHA1
b9f2c07cba13a7447d08fb841acba0b838818f2b

SHA256
d92c3e37694929b9bd0720f10e39adf710cffe225d451c88449d68227895809c

SHA512
0196c256e26231337a633b040138a5b9c5c9ff0b0348395cb57c06c692e4d9f1d2b013c4ca8b2d258b47f342434b8d7f756bfceffecb6fc9b2e99a5f7651b3b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
d40d8208e33540a98d6eae5f4a2d5e0f

SHA1
21305d7ab55e961ef8bfd043fcbc4b79bc275c9e

SHA256
73ba5ec790c21e343bb9c24b610206c7d58fd9f103d53bf7925e2adc9560454a

SHA512
dd015b6382b0b9da63659f9b531c7e888fcfa13903ed75f14dd5075d0d66e7ec40bb512e543a73316b0f5c0e417cea6c284f80390de597e5206229a5918d9d05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
344229953385cf6bcf61b2a20bb1ffb4

SHA1
a753b46bb6a9843c1ad9a0983edc05281e83beb8

SHA256
f9d3df154744382525b542b7d697bf5085350d418ea1bacc95ff22bca008041e

SHA512
931d1c29db0f754e9bac9bf4495de80921186b99e9e947223893262dbc5559968eebb986a22e69c2c8fc6cb11e82d56118fc7859a11e8375ee8f77260d79b8ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0d0699b6404c484e5fbc7dd593fb7f72

SHA1
0354f374b5847259e1ff2612214740e60dd8b6b9

SHA256
7e567a914d54a30c66e1e3278d9a11d044969f39ec195b4a63891dafb98eaf4f

SHA512
59ea379cadef74715f07ca6348ac28a3a9d8b41b26b85f423dfbb45e245685ba660958b9dc39204668c4fcb3e7810c567dd48ee085e0e6c97156c2fe97b77a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4ae1646229978f38becc51af51ecd808

SHA1
6af6c8ccc1dd04e6de675453f61c28d24df73727

SHA256
701053d5b3db0ddcfd7ebda8fd74457a30dec2fd99f343b9f423ddaed754381f

SHA512
4b8b75e5a0e15e805f4a9fbb1160d2b099b85f894b376c334d4ce9000a542bc3fcb07e4569d1aec7329e53d9575ca9f76ff1406b31fd4d2593116d2defcf8735

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
63d8c31953f5b5899b4bb7fba75261d3

SHA1
ee206894bcf718dc6515002f10a1c76bfb0cadc2

SHA256
aff82e2c5364d349a0330bc066a902f3e1187ef210f012aac2188c29db53c2a2

SHA512
6b1ae72c49d4136d186b252491188773a99b0c213df33f3d052c34322ffa887b93e1ca2eeafc21c5b67e5efe872b6942ac2e173ebe4db04fc2b5381ed20b0561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
8cca055aa95d3204cdc1cb653a24edc0

SHA1
a7ff8f2ce6adbe11eb75c8f46ba07ae1b0229742

SHA256
f155e22befbb07325f14a7d1d7e26eb31077647288083ac4ef38b5cafe0b5440

SHA512
30777303660788b49518cd9917e360ffdd757917614e48b7873741cf87712259ecd516a87d24b81dce1263c72c2cd1cac1b21718787260eee82a6ff6582dc751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
e98f403b87e0b1e5b55e621d457493ae

SHA1
bf356b54364c9bd36859eb672f76df0e2b8abdd0

SHA256
1bc668115fa841b2a6eecf873977c34c9f8b657fc1812cdebb644540e4086fa4

SHA512
b688dfcbbfc377db8101c35da6cb4acc60ad0dbbc129e1caef62419465e69f92d6cf9647c051786101aa4e58eea13863f44128ce115054842870284836c87c91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
e2ac35d96bd06d6e31e284090b738869

SHA1
583eaaafdee4f53a5b919d0cdcac26dbcb2f4644

SHA256
cff6a17e0485348fa02e5819429f8775647881fe60e3b2dfbf5768e54127885e

SHA512
0dfb54f9f60771740d323fe06373cc5257daa9e495090b335f28a285d1e4de32fe56fd27659d41405e9d3d6a11a1ae0831bc326859fac76a33289efe7d4c53dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c1c7ffcadafd759b17f085bd002db1c7

SHA1
167a6ddaca6f0985e6ea978ab2d63726520bb456

SHA256
578bea30b253455a5e36b05fbd230b26a03e4c38641c5ae9ec4a5c34a6b7fe4c

SHA512
6090bf04f2fb2169d3d69760589a21beb06772c0274861e6d8a1c799f99c670fd337696bc44658ddbd4880bb47684257cc338a9cda9038369dbbb36747a996a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
c44a9486e1c8242706aca15404d120c7

SHA1
86c531b43d2a96d208c580a7ddbfa2ed4be8cf67

SHA256
f73f9d468e3bbe90c69a6110146db90239b507b3f192f5c95eb819a73178d718

SHA512
b3178fe2678c39eeb429c170d84476140889518e8970a91d234d194688fbd935909a4ff7fb9d1f72d5fe62e027d97b3984f3f3ab3f130211a0caf86b4092c733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0e6335a2344b7d81aa0f35590c731fc2

SHA1
407e1b568c5f86903f079121a0a0c3a9b9a34a7c

SHA256
b21d88bcb5894c7107e7fce05b5179436f29f93e83a030041634f37058777ddc

SHA512
f38584d4d4e8d20c268975f59878db8187c7db07a93d935dc9a0bcff2536f563546aae07a7343013c50149ecf50a88dad23a54098970c2e2c09bdc0de10f3d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6dfa3858bf8c606c4898ff7a9989123d

SHA1
f6258bc2aa166c9379b490c8af6527846ef62aef

SHA256
fb987088a69e86c5086a1096ff759a47368a7048a1840af13973a4319f99dbc6

SHA512
4d8995765c6c73b00503325092248b345667d8e314949ed80aa76193a9e5ea1ccbaa20cc1554d444e30cb4ff8b10da19a4e9fb2b960139ecd39902b1adca3c06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
8543334d5822bdd4da42fd431bcb2b85

SHA1
0604cd238bd723c29d06d5053c40c6a7025a1634

SHA256
7bbfca0c3be7c11d74e293e6941dc960b1eedb101d810abbcf168c0d9f6ec0eb

SHA512
56aeb211704ef99a6ec751399bdf430a38dea1c52db48d0d78133ef9eec27facd300f2678f4ac8d1cb1a28eb94c50add97df3edc011b21a06036a4d886d33c51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
4ae4c235b8df4887eca9269f28e96463

SHA1
e22ec342b1ddb104b16b0bd842e169574c7425b4

SHA256
a6e96a70b79863f109314fd4eed486e26ff88dad81ae21f1aafa5ead51be5031

SHA512
bc0189ccd7cf751ad6028fb5a75dcec796b3d42b616deaff9782fa7023f7bcc03a17f017bc3729818fa2b3c6cf29bd20cf464fa82b9d839dec76c396aec5651e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e19dfe1e539b080fefd3ff69b3369707

SHA1
e07681de1c3786c31cea134da53992c165fddfc8

SHA256
0f34a2eab1573484872ee8b9362eab7b884c75bb3e592c6fe0e343234aa13047

SHA512
28e3de575a0831ece09b3e0f96fa9d37142afc17d6930d030dd58fac12521d45c6456b264e06cb7258dd052d947267412720b164a68cf64539448610824b9309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
d07cc9fcc7e66a6d3afa91d5932efad5

SHA1
c769a56c4ee9bef130b6f5ba739a8ea210556677

SHA256
4da9e8ed2cd1bd858d40815a89260cdccd822fee4a9b4d180abef53e16f63fcf

SHA512
b33d6d50c1b6b519433e88debc73e3ed9ed810f3e2e1d54c9328fde5e838a1f568c0274f45c89b0beffa731230ef661f4016f17a5e092778b72ca1a31d46e9b1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1cd90435c28d7c914d6b3ad64c7c4b09

SHA1
c7c8faaa37dc6221c1ec9cf20557b99c903b362e

SHA256
ec8b5a9b78b70c9266bad5d76e18557dcc730b2567eefe61e104c48690b5a200

SHA512
efdd42195a19f8c03fda5905b897033107f05b5895186b4d29283b46f3e4bd616679ec40c9eafc6b2a85dc28633649c46ba0a784bee7558f17dc3f13375c56c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
e66187046439ef499f3db92d9b6fdc98

SHA1
1042253468170d8bad318e83747ad0d7cf0d8417

SHA256
4e73387e0a5a6b4255986378880d0b7ba69b25cd914d1ea36a013833ca8bbf9b

SHA512
7250a596d3420ce942ad1730e238ed64678b7025f6f80866cb37613b22e5659b79f2c0f8bf77533f5d0d3c034397c0b4da66ff5e3fed522dec3010fbe9425e19

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5938af05346842a09846b48520409f79

SHA1
8f55c6c0ce7804e8ee7c212c44888d6aa1bcb69f

SHA256
dd0babc131fcdb19d88aac03657a4ed9a152c0ffcc1b5ae6a052d7d79edc675b

SHA512
84883d807a8dd5d1999293fc96a0bdc2830d432cea2941c797513370334a6b1067472dfbf6ebd9d87e869f30f3d09dd0d4d96f53fa231705c04f49031a48be12

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1af24bc763f7fa9fbd2a9f7a8a5ea837

SHA1
1299720cddf221b43ba6fdc7c30ad77263577015

SHA256
5d2dd382ebbc607c0357cdbd577d0fe8928fabb035968bc0d87957b7f69a3445

SHA512
360f74458f506c8f2f0fe8b9d5d339e16fc2592367e2e55d0fee1c2e77568095a809004a4075b6554c53ff70ae56b1ec2a533a501fd0d6989731e8b3ed1634bd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
aa0215f4b11565e20241094473420136

SHA1
d8a313cb5d889b553fabeec17b166d081c031787

SHA256
24b2a79ba4c95743516dae9ceca90cd74e9df23809a48a5e4790d0ee2ad6636a

SHA512
847c63fd3f2a48ac6e41dd75e8ecd81e4d872cfd5009e589a55f355c2044f93a802ae5cca26f9b8870a3fa1bdaf230c83d9b939ab7ac2a9d2a3de5a145623948

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
200c06c3ac0f40e02d261f39413711e5

SHA1
2ab1f26389f3ba71c2c509775479d6eb0c40fdcf

SHA256
c669d0b424d42296fee5a53b3bfaed57c1d0ad90f0d039c0d4f4502268a3eb76

SHA512
a6b83e9a00990dea5840a4d626c256b13e3aea88a7ea070f707c507bf64c89d4fd6f03219be9dc1744106c499dde36437d63b49886c4ce920c6c73bb06c07e52

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2d4fba4a8d180b9b4f013ff43379b4d5

SHA1
df0f933bc6f0dc122c1f8bffac545e8d5005056e

SHA256
eec000a7ed3ced1b64ce137b7ddd0fbbd84b159e1c4ff2904258761875822ae0

SHA512
1cfa5d8a8814e4f819f3816c884da5672be256829ae35c29756d008dafb3ef828842a0d3011940af9a83796803e270959b50b9eb359e5420628727b2011fffb3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
20f64b376f7078b1c26a63a608ca7fe9

SHA1
249e049329c0793ea036594742232ce794bc193d

SHA256
4dd7b7c15d4a5d5cd58f014381a11960e73b42dc09ec3f4df5bccbfca3ba7ec1

SHA512
4a63e6b442a03817c8ab2e80dfa95260ac36e54709070deeb02feb93905dc596bf26892a97d6c76b4678572a5a90e72f5a66c4e2a9f54f70fc22f58e1d02146d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a8b26989d910db436cf7e3ad800b8b48

SHA1
417b358e71959f3274cb4f8f5cd3b7454e6eacad

SHA256
5dc96d98c32da8ff5dbbaa21d1be6ca837698325f4192ade4d50f208249978b4

SHA512
12e938de72d81a41a5655b73693697f22f6a2076a642e8fb5f30fb1ca86b9b9f4a93cf397b1ae540f924a282620a94f2106ec665f2e2e2c5d4c71cc75ca58bd6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
70c04b468c0e763546d1500543c84d94

SHA1
2b70f481a71df80570314bcfc38bd848845855ca

SHA256
5367f64b11b521b5376a7cc6ec0bf50cb6380305f131b239822d4dc1384dab3b

SHA512
f5efb462cc3fee611cf2c52c1352f7a11906e6deb7ce98a154a63ce2366ef7edc5ca5dd6fac9515b60c6e3ada626ebff0eb81caad4915277df113fbe62ce1f88

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d94fa17b7bbc056cc50c56500586dd34

SHA1
0e3027e55dbcdbb27098906cb4a07a3c14754925

SHA256
3b607f9d7cceab8f22cfc01532145af504109b5f7bb2da772714452027456304

SHA512
2d2af3cd0459b79cd5a9cf161518ed054cdb1e80e73bd9b00d3367c8aeb060667227bdef1a5e4412b741a538e5eb55f8a5e0d3196ce6dcb5ae176e8702f060a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
441e6980ec8658920ae6bcff5959e920

SHA1
b28db6c0b1a07781afa145044acfc381ccd74090

SHA256
0b3adc59798944edc935ff3f1fbd00649287c058a9ebc1fdaf1983152335596e

SHA512
6f8cf27cb66ffb26b456c9381b478814aa354792d62b6e8fb37f5c3200b56d98c545d40da08aca12711e9eda7624932e6f8afaed8428285190207efe7a3030fd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c1f2ab7590a5f86e065cb1ca56d9143c

SHA1
887d1be93df00b07522c998620f98366bc5cb612

SHA256
b65472a4e964078c312812c7399fbfd1d894645a77c357af5447b2315528bb48

SHA512
811292892d7662533f835f0b1b5cc1aac6d3429965dc5271903bcd238740c8c56b7fe6c1ce30396b80622fe327f6cac4896623c2a0efb70775acc3436a9e7294

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b5d6ef46e03647018741509dfc964060

SHA1
65c572b341eceb735a25e3493beb64a8adc1f2c3

SHA256
35598b80bbb2631783326a3e424ee60bfba987be7af8b039c40ea0a1c5b8e83a

SHA512
d695006aaeb4d0a864ee439a4398f7ce46743d9dd734864fe855c0ebcd4dc68e0682d97a32bd935cca843017a7dda5dce3abb663cb8a72271b240304057424ad

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b1b13349ae78686fe6396c3b04c31931

SHA1
d4eea12fa8d9465a589ced56af7619112f1ea647

SHA256
75a903b36fd22d15bfdbb67e76d6e5dc9ee2291482bc34917153bcb8924fc173

SHA512
ce586b6f32b7aa4deb1425dd40c825b56de5fb0ead6d27c9c238ab88bd4aab52cb8d477d3d3566c04ab792a84e269fa8e0bfa57268ac6c44fee4d06d3277f553

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4dfe56fb5d34e9cb195ea42df589abdc

SHA1
d7e55404b987d2eab332f6840e08d045c3ff95e0

SHA256
c69ef941208d5402df5d3e188e5b04cafa14ec067247296a3b353a76f20a1ba6

SHA512
820e009e64d08f245435fe7fd2cc841fbd3d8cc7972d2aeace3f6794bceb4cc639b5a5505e6a7bdd88a6e5d70c51987a859a530c3bb1899103244c7538e466d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2403e949f1bbd82eff9ab5ae004169d3

SHA1
ec8f09bfb956e4e9f6e44b63847c16f2c7397488

SHA256
63a3ef0c4ba5fee6e30dcba212555ac8c846e1e90a05bde3a64cfef5c0b9ca56

SHA512
e96e66a8e72f72480bb1b969eaf2420856862513dc09b6990b9e9adb7aabc4d75370f99ca91aae6dab17310de96dcee7a42a83906f99213b73558b396aba96d1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
20d426f294f1bb96b271ef22c3582117

SHA1
1a62e23bcd533f7d74736508da64fe0ce6c27f5f

SHA256
a4efa55a6b4b65d06e8a89c25a26a3a312f9d1a43b35580a67db21bf335ee964

SHA512
e2258b62e44ab40641cc21f41c459b5558d981aa801fd947896ba20639d81e7b6f855f3cbaa13e4f746dda61cbd57149e749884005573a20b381e432c4ffca40

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
82e6b985a1154b87244b1e41f9f3792e

SHA1
2225c4a86eb3a9c6a91fa766e379621870e5400d

SHA256
d3eaae92c2ef2de51f1e036f0e65bc19db6e0f031d8be6b4571b0e888609973f

SHA512
6d103e8f0a79fc69656eca4088835a0b737f920929db2b4de34217d641e9d0248842d698a7af70397f4dff7f5d66b973103000001883a3589a45357e56a3f0d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5f9a5738bb75d2eef4fcf72b700c8a2f

SHA1
f0bdc2137362340ee8d13d7f0663137fa214875b

SHA256
31e05bef725757260afc4fe8465489ae87e32b57906c59e8db1d025ce381f079

SHA512
9aeaa6ed72ae8f1f38bbf9da5f5332a0852e36116a05876ab5e48bb6d2361b644fa9f332b96181a1629c1365c39816d7aaea175a5c4d76aa8a8e2f6a1e8ceddb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
470873608ca5ac2a6e0d9b6af915c59d

SHA1
dca0e3986a73da459f2bdae071ea53112e8ca29e

SHA256
f9042b419f9b157cea0327cdeb1608fe1d442f091a3b99f963828f202a249382

SHA512
e1a21bc35d4d3aadd7b37729fc7f43853105b5e09c03146248c1608ba1338a96016d29ef0dfcc07ac44088aacd5bfe5c0ec56e13f7f3a57bfdd2fabd238e5bc1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
3b4d8a14553faebc949678ecd4b1e533

SHA1
0f432c8886f9d8201abf3a93fa830a51ca47a251

SHA256
b656b1565a7a92e78708d17a075dedd82f8770a1e9c5d2fb071d12ff42b3394b

SHA512
22570278cf50117c2053a8431ae2e50c77ce3bea7dbf84e4a1c545f88225cb554b8b83460b1738adaf2143ed765dcad7d2882b1b1d5e9c89f9fed79f95374966

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
43e1d0f11793227794c7631bcaae80af

SHA1
59caebcb7066ccf27c9e9806f03b75dfff766a66

SHA256
7cd194f195f0b7a8b53abf0edce4e3ef45ba81d92c285751f108170ba30321bc

SHA512
c4a864cfa700a2417f85eab05f552a58d890b33b31a21659d15d9c54d95878de4fd39899732640008e88ced9e4f532b33cb6e1967994fb8d9e1ea6098340757e

Download Submit
memory/704-0-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/704-8-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/704-2-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/704-86-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/932-157-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1232-514-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1232-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1436-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1852-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1852-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-155-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2160-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2160-526-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2236-156-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2244-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2244-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2244-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2244-232-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2816-253-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2816-562-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2824-499-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2824-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2824-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2828-561-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2828-241-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2992-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2992-481-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3248-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3248-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3588-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3588-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3588-172-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3588-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3624-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3624-13-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3624-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3624-152-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3656-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3656-39-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3656-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3656-45-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3656-58-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3904-264-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3904-565-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4008-153-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4008-90-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4228-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4228-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4228-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4228-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4744-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4744-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4744-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4744-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4744-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5084-204-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5084-525-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5100-375-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5100-161-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download