3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Size

1.4MB
MD5

ed00cba7b1a1798f4596ac52d980d701
SHA1

ba846da4b9cb4ce357f575215b690a7e5b3ca953
SHA256

3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e
SHA512

fffa313caf951333bcb4a78fb64ef7a519d01467eef81204208f766b60be36bbac50ef9f15bce4fe2c41b7132fb7a6046ba27ad8fa77f50b4f68190d269c3a7a
SSDEEP

12288:XxMNR4U0ZwXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:bVwsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2676	alg.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
4592	fxssvc.exe
3008	elevation_service.exe
3472	elevation_service.exe
412	maintenanceservice.exe
2768	msdtc.exe
2152	OSE.EXE
1500	PerceptionSimulationService.exe
2952	perfhost.exe
4108	locator.exe
3996	SensorDataService.exe
4112	snmptrap.exe
4732	spectrum.exe
5088	ssh-agent.exe
2140	TieringEngineService.exe
5012	AgentService.exe
3128	vds.exe
2884	vssvc.exe
2812	wbengine.exe
4484	WmiApSrv.exe
4620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\alg.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a555308a234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\System32\vds.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057f3967b649dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000023bb07c649dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4dd317c649dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001644f67b649dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c19cb27c649dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077afe47c649dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000990abd7b649dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f17ef17b649dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2a1557c649dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeAuditPrivilege	4592	fxssvc.exe
Token: SeRestorePrivilege	2140	TieringEngineService.exe
Token: SeManageVolumePrivilege	2140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5012	AgentService.exe
Token: SeBackupPrivilege	2884	vssvc.exe
Token: SeRestorePrivilege	2884	vssvc.exe
Token: SeAuditPrivilege	2884	vssvc.exe
Token: SeBackupPrivilege	2812	wbengine.exe
Token: SeRestorePrivilege	2812	wbengine.exe
Token: SeSecurityPrivilege	2812	wbengine.exe
Token: 33	4620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4620	SearchIndexer.exe
Token: SeDebugPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeDebugPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeDebugPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeDebugPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeDebugPrivilege	4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
Token: SeDebugPrivilege	1692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4888	3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2244	4620	SearchIndexer.exe	110
PID 4620 wrote to memory of 2244	4620	SearchIndexer.exe	110
PID 4620 wrote to memory of 4572	4620	SearchIndexer.exe	111
PID 4620 wrote to memory of 4572	4620	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe
"C:\Users\Admin\AppData\Local\Temp\3fac9520fa5b09cb82215f50a157c003a1a12cffc9345c857f27fe8f204f960e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4208

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2244
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
48d1b0d42cb4d8e6d01312d3f2d2e426

SHA1
0e203e047ceafbb7e53b6551b99767d82230967d

SHA256
cb0cc124b2ec44141d253d9ee90187858e3bf52e96bddc980ab459af195f49d3

SHA512
04ca31c7f5da29b37749a02d502e77975479e4e052fc5340b15881cfbb18089d937af043d771c8e033ff73e8547babddfc17a513524558f7c14cc0ccdec73619

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7b4a96950567430a9ebd5dd7e651a3d5

SHA1
074eb8fa9347d75d856f1364e8f7cabda4c0a941

SHA256
37d9e183432beacef517f01547ada77e1a9cb89009fa7bff460c34fd2f7d38be

SHA512
ea46aafb47b6c855a1efe50e642d0f40af75e5a59e14e09e817a1f7d3463c476ed2cbdb970178fecf23ee3965c3de45a7bdae3f3faaf5482d5d3a4d7e725b0a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3e3f607c0355506be48091999bb6b185

SHA1
d117c3f4f8814b48a09900c6f0de60e25f1bbfdd

SHA256
a1c3af019abdb08dbb0b5055628487f210dda956b749a784407b85098b7f278b

SHA512
4010c5f8f92be513eb446e9926139ce58e2a89221941d14f4d35e6a9ea36ce21080024a45bf19bdc197ed2f263196a9d2f31cbc0798969ad4feb0d61cd47c814

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84893492f138803f7c59457bf3e50921

SHA1
89c7357f9898815344b68a3f021da4e5c95bc753

SHA256
5441d2126756b4a950891b0fda43c172b453e0b6d055d5191d374544a7c33566

SHA512
0f290afe4af54f2d554f8c20c0ffe6a534ecbbbb3291e1c0f9ddcf788d55d5789d57bf8b91aa0895532f8ebf054ed1f92d14c1eb8a7ee19c16bcfc5ec8d3ebce

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a5f71857cdb87d9330c427c9daf2301c

SHA1
6eac0ac7c76e1120f9cc5fcb565d347c27597d44

SHA256
36a6b433ab895291c74295909c96db41e081b19faed7d0fc7fddd8bac57bb748

SHA512
a313331115cfe73aa7ba9a6f2c4c79d97aa6f9df48465cd8ac0a393d08626e78e2350df59166b91b99a6f24ff3aea0d217dc417fbec7920f4b636899b65af101

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
83116f6e98df05fd8a7e0ac90d2c7b8f

SHA1
ddd224513b5600cf9d885524730058804ae8d460

SHA256
91a2a52bb2e67db2a7776770a7e8929a19463ef14267f373b04e0c4402d22c0f

SHA512
97315ba142cd844bc173ab6359934e735e51abb67cadcab194e429232cf9e12654de7392cfaaa7c2e8d5e59ce0608dad609bd57202e15d87e1474a5a7f0b23b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
34b7ad5682c74627edb9c7a9550197d6

SHA1
022863fad0f523eec7a664b999768f8d06371b11

SHA256
ad938dce66d0cc0a795056095f7ebabb8267c8d0649671decb6a78e925890c6c

SHA512
4e947fc2b1ae29cd0137acf4b3709111dff5c2ee1b3c6e9093ccdd9a8744babd10dba75c33af77d6e558ff5f90c56639be47b5e7c87531933796705571ccb4dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9d01c7180e6e2d97a9ee47c77d3170f9

SHA1
6230e0896a5d3b36b578dcff1b0f647d50aa8173

SHA256
3b111a02cfcda24c31939f047157612d0d49cf0242ccb9b8461d51064ecd0af0

SHA512
9d8113e7cdf347946da919cf435bac3ec7636235ecff2e67d933c27b02db76c6de182edaeb7c0c3a1f5bc0762984d45a0422882585c1f7d7135f509958935718

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d5d32a8d93082e118ae49b03946625ed

SHA1
82cfec7869072ea1cda02a370d866c15b88c42ce

SHA256
4f05a47460904d05b5b0962fd6343998c269c0dff003cad09ad9817c34e0e8e9

SHA512
d8521d904b4e496f7ee8acddfd43e7de6b4860cd9fd99e68ec94ead586728d676ac6e46c043389a13b5a1a65196145ed59845b154b4829da0d378770ff4fb8e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d0f43c1f978318cbcbd49c7f6b72e6b7

SHA1
0cead80804dc33697482905914f550e63cdd4ef8

SHA256
25d02e3b34f11f48edb897dde2d6e42e3b7861e08cdc115bf1f184b043fcb1da

SHA512
443e285da80848c32bd699e3c4fb383935dbd22599142fb7ceb1db657f89004b995a4ba700903b894908398e0b7bce92b90d744a57da7c062efa0222fa56e0af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
33198a10ff21546fbdfd52263132508a

SHA1
46b9e928094e94ea326d8a0434e00ae99baa9905

SHA256
d9d297a98ab5dd15515c32c631b3c97075cd5360aedc3decd9d06fe57aa30628

SHA512
4263d24e8280db286823379b42cfbf2dd3ab8a9b609722112f5b735450867a572a7c554de7dde88ad014f474b5579e52d6fabd7d2441d8f35416fa54fb7e8411

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ade1d5f986d6bc6af4ca9eeb732615b2

SHA1
aac4535397d20d1245c0138f472f86958b25ed63

SHA256
d869cbaf6e005b80efcdcac6e5a777d406eb48cddaf2bf956afef26745f197d4

SHA512
79574dc7dcd0a87393a1a61dfe083905e9eb1b609b4ede6be52274f0d0fa975905c8f539f7f550ab8c90f7d27517391757e13ec4d6df3fd23a3713dce0bdf6e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
685df53e2ca59d4f1219a700aabf717d

SHA1
5c68b20ccbb7ef5c7156b84b2b1de8aee8a7a41d

SHA256
258ac71c13c737697854f4689b939d29cebba8afdb3374add3d90b0521ba89c2

SHA512
a99a8b7bc8284323ce34d0df6637170ae56a45ee5c4339776771f0abefdbab5e83133308a199839528549f2532dec4b80d9a57f9698081c571697ca902797d50

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f88632da158b287303ad0c36e2c82a2d

SHA1
487d7eda7558ed929f7a69b76463b0e876ea8a68

SHA256
458eae5a2036f942e5ee855b6a0aad8e2418d7cc6dfcdab697a32a70295aaae3

SHA512
b0f3b23c8f648b4a1ee931a88edaec3c2e3d9f1238105928c85aa7080fd9d326473436ed1e80374ba6137ee58b6436dfd4441aa9ee71a44e0789f97b13507535

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e1b2cf7514ce780e308ffdb735ecd8ea

SHA1
f715992f9428844a49af0c20254cba878a9d13ee

SHA256
1d581cc02a5727cfe32cf7fdf69d7726c329d294bcc9ea6bd13f3e08f69f020f

SHA512
16f280d54faa45a56697730ffd0b3cfa1713f360dbc7054592e1cd497333ad704adbdee6c0d025953214933a370ffb9d1e724e862f3cfbef09b54a26f2eb31fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
2a64507a667d7933f12415812c4c7473

SHA1
6ccb9e2d386cdae776d3980f3e3ebcfcf5ecbee6

SHA256
f74c0d9d341043678d518425f490d05811d4ad23e25659004835e8c5023db4bd

SHA512
d5cc898e8b32568a710a610753636b5fa0d442b1ba6f456f22b8ad7618d7ead856c0ac9c88e44396122c8ddf3ee71ba7e319b5810264acc98ef7e0c2750773de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f887ff4fa89b64d86d1b6d0d0f07bc44

SHA1
e6d6cf7f48df2692c709bf54b791cfcd61015645

SHA256
cc1d5a0548ed31342074052581e8549786dfa2d7f488946444198081fdbdff73

SHA512
4e360caa2f0c2123c566e44e8b7704863e45c04915071b7a6d069f5212ae676d03698887e3ec8ba1141d913b024cedd8bbba115ceb62ebe606a6ddef720d7322

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
e95d0148f0ba8b3ce174c02182994fd0

SHA1
b500034054612ed5148403768e5ae9b373f3170a

SHA256
b9d3eedf7847c718aa101d937a6faccf87dacf6150f07bc027db1ae895e6169b

SHA512
c8417e5547dc81b9c14e7e4073d1736b6657f3ea187d5bf55cbc59828a7675894538e94067414c8a851b6041b8e5109e61ca0c9c854398b3a4ffa207ef2cb544

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e5afb26b4103bdd204a1bd487673b729

SHA1
fd688cb99e6397cf7156e427d5c7608eb821832f

SHA256
435e3b341d3652dd056912bf38021bf7039a94480f4a5b76a588d63caa473cda

SHA512
3e283bafa984715772ac5149155bd532a6f80ae390be29a655eb846d096d6f2e1688453ebff414c7069b0b3eab888ba9a823cae155b37446548bb76ce5467610

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ae217efdecb39cdc16a16df5646a773c

SHA1
225f17325757c90fa9cf736e55d6d3f3f81f468a

SHA256
6b34798094497b563259cae788e7c5a7229d68132d2c1e9a1cb7bd8da8679c16

SHA512
65f9c6915c8dbeb24ebe29709d662ae152079947d420451bc40c2a175b40510c4a4ef57585c56acc51c1e85c78ee51d6c07c0e1185afb5b6e39db0e18a3af65c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d7a0b815a6916d54b008289beee43545

SHA1
19d7c2a24ebe6b4c27ad51ef080a7e7844002efc

SHA256
6987cf4af0dc7203c1bbe496d48d61f59c58260cd99f29c080b8180e615bb177

SHA512
dd4707a2e6964f61f7eacea9cc9799b46c596aa6fb4e7b120579c309b767aa64e2405936f1686248dfd4f74690d255a0d568e4011087427fb97ec73ec0551afd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d93d7282d392bb7f0bfa7a91853bd4f2

SHA1
367afe5cc15736505eef4c4160a06c4bdca16c12

SHA256
dca6a5e0331557571f0d7276e53b262350ad2668d9ae36b716a3619c87b4e69a

SHA512
e115501458f821e6c029cd3c4f892e6cba4f6cab73ca21eaea5b7a1a72293ab0178652f523b7f256faff080d50f9d576402a0e737b302fb15024c2127be0c7b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5292eb8218fc3ad394e553c622702334

SHA1
cf694ab06850aa945ad97b737eb166d581052f44

SHA256
b34f8f6636423c9577b85f0e3d0719a1862eb072f328659d1a44d8da65712842

SHA512
6cb71b14af49612ae0cd2749b6a5d7a0dee9c01fc40afd146ed8832428ba59d3e0bdbb7ae49f2c974a95bb8511420143bf8d1fab9d03ae0afc4c07f32bfe0cd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
9af01fcc37d3871046266e820bdb78cd

SHA1
bfea3a1ff9d623a346dc405710580aa9383bf6e1

SHA256
f668631dae96385ad4da161f2ca0ec8566b05d88e477581e34ccd169eff0901e

SHA512
aa3e00dec241f660199ca47319fdf70955c419e8c5f05a0bb7e512d7a64eec991857f7d5fbac487c89833d9d4e526481231548937c67aacba221849782f04170

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
584acd7c1c31585a05a20c0b6d100208

SHA1
5ff72f01b4bd56c10442c0f35b20617fd7a2745a

SHA256
9885730dc23c37900ae00fc69fe36a58198c5cf2b63343e433b961e4feb4a1eb

SHA512
d00c94d9f039c57f7e1c9783cb53248fc825582019f4b5cbb1b60393ad2e50afb4e92967d672deb780b5fe22df89f00f2677655fde562f8b7b001169ad77a880

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7aca82cfc97e897680940bf4fd2df782

SHA1
3ac8bb2c840839ba034f4202bb658bc99210788c

SHA256
5472269270d89f6082a5d238fa3b39110544e484a085ddd45e8b1dd12edc91fb

SHA512
7d207501da761e503b00749300d988d0489497e1d93d024debb5518a17d25709e03b4795625ed0a90c41924df115e887e39c62050faa4795765ed112375c81a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
712e2bb541d3cbff1b075997ad5858dc

SHA1
edb93a64ff76e90a26d09ade78dd91ee6297fb8b

SHA256
a71047bac1661ecb6f4dc8f7aa5d663c604aa70920c8d97b82ae8725b9f2dda0

SHA512
111b477d8f1bd3d18e3e4432aa2d572a32b999d71e5e4d05383dd11b97c3503f7e152ce2252ccceadb8fcf1d5bd31c37731eaed7b75f376855629b29905a5869

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ae4cbe8ef82479bdfd75fbf8fca733ff

SHA1
6714347698b676d7be9edaf113df8e5f1d9ab277

SHA256
0e0cc69998cd28716fcd687fa9d03fe9861aa8f4016d654e2792bb424d2c5449

SHA512
161ebf5d612e0705282e0cd543f1c562bda1f9702ff81254a9a192cc743cb74c1a18ccebe3da48b8b80681edc1f875511bf7c38045c2c2401d0f408421a13e63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8a81a4e2653e2d58906a170cbe3bf9a3

SHA1
c62651a9817e78f7e62e994ab8eec091ff0fd704

SHA256
9ac569710f749d2884a4bf29556f1ba7faa116dc81a9f5599958fd6be9811806

SHA512
684da2484446beaaec52244523d68257508b9a691318ddba479a4dc5648d257999ecaee6d6a50d56c8323899fb60e968ed11520c3f7e240fcfaad54ce629ae72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0a353dbc48913c21f565388517a45169

SHA1
f2142d65da62d783d69b17c2f89274aed2775f02

SHA256
d76f46095a0038c004433f404648c1bff880fb10c17f00f4d869fc4cb635cc7a

SHA512
bbe231619013e5047b54e078165a283736ac0b5317ea44344e7d6476671747889bf2460466f21c0db2b1aea13a83234479dc639138f8203447876aae22d37007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
451e6985e991add40e85d1d94fe98750

SHA1
48abac5db91720e72c4e020e81336e5bdd7a24ca

SHA256
d3fff894f83e051170d319eb0da69d7deacdbbb3736446f26f744e299c8887dc

SHA512
18bec8a77150ca2760c052ed1f7f172b3b606dce604f64bbae75b3b1336218540988900eaf6ea7f312ec477b91848a0204f4b02793401e43302ff45272b18400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a61d953ae6eb163b23d896287916f5f8

SHA1
e469d4c8765d268c2079822ad115460455965f6b

SHA256
1579f7fe31f846c2ae9b693e4025ff9ef8c0065f04fcc129c544ce43aabe6dae

SHA512
b39c74ebb295bbdbb48e1fc03dc5cd208b123977975c0d8b8d33da56548e905daa23cc4835b90a9f3eb6987586e9d38e7be721fde0c84f7e6702767264b786ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
1b9f131a67bfdd9e89e5f25b24746d6e

SHA1
0375c646aa6b768f26bbf04c057cfe6b2c0db9ec

SHA256
f2a828ffe222b426428db86db9a96dcda37344ef8a183f01f598b623a1ed49e7

SHA512
72d718ad7632247f0b46c4609862a9a4327493e818d7163a67261ded3aabe2cef8993f8fbdccb5d926888774206d88f9cfe9429e5c611de5e40f81efddb4b40d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
16e436b2011d8930ca1828ada20de9db

SHA1
05d38e766c65420c0318eef734d1dbee3b68e651

SHA256
394318cdacc7f33683e19506182eaef304307c2297de262e5bfd4a38140eedfd

SHA512
060880353249215a5982067883b9275ed2db8472714d2daf0393e1b1c332c863584686e4985badb311bb872333e57c66254b5247455b2ca4f76a9458eb1df075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
931237370b8a3aa5483c4aaab7001fa3

SHA1
77026483b2447a3fac41f85ed518675bdbca3806

SHA256
e25dc374d795c453ac94f18e7bcefc170acec5e7e8502712cefb7b7e269b4320

SHA512
3d9d4f6505087c84672ddf521c7b50d4ac4a0cd5e32ef66afd1050cf74b59d8ddcf8048afb573b743e8f9c7e0cd206061029c7fb7a75830a52b5f4d24a561ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
78e51a25d81171b964ac2844c22ba6c9

SHA1
b6ea5f3c951bf18b06c1580522e8e31ea3f7fde3

SHA256
8ae89011def1dbdcfb5a73a041dbb1050099052d7a2c1e0c40ee07c91ca4e471

SHA512
f067f952a844d8669afc0f038217b5a41a004b67caa9a10a894b716fab9951d86b0c78e706fe45aeea8600e524667a3ffb78de02be0c953a84f7bc650aabc52f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7dcb44954cea0d8a2fd3aa723647ba1

SHA1
548474125b041af98a40ba186f9bd66d36163288

SHA256
91a5187b07708a2bf05e9c1b4c182e4377ef8fc62f2f5aed9d3af0c341b0240a

SHA512
8dff19d576c8c6129f3d454052da18e0fe119187a123160eebabc367428e3eab3715703a812a0c3497ca839e75a4bc4be57028e4af96eb7eaafb49917cbae4bb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c531c4310fde99a6277fdd171a396ced

SHA1
b88dfc4dfedefa69c6c8bf0cf4bdb414744b0e13

SHA256
d89dcdf0fde3e83d0d5e5b3df5ec6d6d7793a4b7fb104378410f2d586d3c6ebc

SHA512
e80c2e7b34ea43bd602f495bc0d40f5e2e4516b45e0d08d687ed2cb6751423bb8b9eba060cfd12ceaf551a90036caac7b3c664a849511d4494af5a00f95694aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
dc568461acca174e7761c7e165142fd0

SHA1
9af472f697bd6a7df3633158b2a55487600ac81e

SHA256
b5e6ffdc7ae9408a2ed2aecc56eef7b3ecb21d36ea65c7390e81de438fb8feb8

SHA512
0c98a90eba8188affa65f1d9086722c071881290826317a0ecdde6bc095707c9d58ea0d79f0227619da77ed8974adefc6c416813948bb08e2c4df1ec343ce324

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6c61039c523c1d058ebed39f8a6690c7

SHA1
ff4809b8dfbcc820b0476899b1d56f98934eff66

SHA256
e004e8e561c3aa47df65ae9743b91831440ab52ac2a2b923ff42fa13d811921f

SHA512
125d7c042aacf04b83f0c49905f49f2313b65cb77ef4553beb7fe9b9f0fc8854924c4851bdf40144921668851eef2db929ccf284471656a92f29f8817e4d46f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
619b9c1c2bafdc039ead3864323b3be3

SHA1
a52c2f51a59619f35ae442835a7264d67b926c1f

SHA256
692cb0579ad346b60a55484cba8a69268c1bea35730855bcd3eb29d466f9aee1

SHA512
59936cfbd03ee86daddaf42599896f817c6fb50405dd1a09c5fd7eab87baa1d7f2cdd3d728d662f614b21c80ce6bb3f64b28c7282c018e252542837b7e36b68a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7ce2bad6c107f7bddcccbb1de760cd54

SHA1
7a7946d2b9a631c76d933e361648d7517f12fef3

SHA256
59a9a7d6d921bb1655007c5b5016aae390d4d46c5b88ae26059e834a004a3572

SHA512
e4009a1a7187953d4c0dd24cb10d6930efec2db6e93b870295dd5fae9fbcccd9dbdabe6313376974831bf879549ebfb6a67583e86c66b25c236512c48961c35c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b02110fb589dea9b15cc0529ecdec07d

SHA1
f64c1aa3f448ae75d47d294291c28c9eed69d1f5

SHA256
5987233b3a63e398c58ec13d1a1b536db48b911f6a6f8bb9e6c4b008480e7a56

SHA512
1d3639feff6bf88df9a4ffcb592296f3dc7e7753ce9d2f387302b94ebe082edf832db3336d91a652c13282227a39edf404e42f664655a5855fc8f16a0a4ea0da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
8e74fbe0f4398976c339b1fa6275a4d9

SHA1
b0926ddf05479388b3fe0a8641d51513ab3cedf7

SHA256
686dad801e6ec42aa7a672681d3b768fca2e4b186d04e84f59c891086d74dca0

SHA512
0199cdc1c3c509d78acd500802dd190992cf0246b3a0301d2df12b39a22761114138865aa4153e5e2ff08028d07da3732018982d1a57bceec726b3abf3deea01

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4c9b2073cc9bdbbbe76ab75eca303b69

SHA1
2258968e732605011ae3bcf07a343ce3f6201441

SHA256
01b6a3f358c68d85fe247fe467dae149d95422f56243654a14f9d876a970562b

SHA512
8b7b877496a1daeb8ef9480f59444f314b1c7293713f389cdbcfe3a4162faed07447f60caf4438b5d5979a0a168608020cb5ad5980f1a61191060eb137b19a43

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c97031626527b5fe649f97b72453d7a4

SHA1
1a2cbf80196ea0f17ff67f050307a00e41ab799b

SHA256
634ce5f9bde5c95538304a7805c0ee04618e542a9c64e4d105293f90fa8a9703

SHA512
71666f7137d07f8efc8e7a057594b28ddad03f6acfb8bf42a096084bed3d02b1001c25f1e9831967727a8cd4df90c31c358153bd48a228103308236cbaf8e2ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
207260e08e937c2e1ac7855083bfa5af

SHA1
cee09643768ce834e4502cbcb4891e69b737ff5c

SHA256
341044a0a92a3c0d390afae773c17ea19f548f4e1bdf80d2e01755f60952a7e3

SHA512
247b1c4306d1989494a90199735f22b78ce385f6b2feb143ec9cbb78cf9b8db43b919e98dc08b0f50c592ea95ca9491bd20d16a03e18b04e306a294c1531fe5f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0d8781aa7e439cb09284b2821fded36

SHA1
49f6ba8c8e075a88b35ab045a135ffc665f6a37e

SHA256
c2a00f1fec608457e0000f71f41187b806353eb6b6f64e984bceaf9a85f7ef5e

SHA512
701014ec1664f42edfdb570709a53e1f6284100e409aa53a241fdb693fc03324007f9f2e9bdabc20045cca9fbd3877eeb9b9b03a6106ed770cab04545f99c6c3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
476472d5b7bde4e5a7f02f1e51e4dd41

SHA1
7ee8ebeb0eb65bc4880272ff34ee3e1d33c2c709

SHA256
34dba6b8bd94d76201be9239aa8db6a4bfbab5093a5cdedf710c2de683ba26dc

SHA512
6ae4dd5f314eaf2293e7f602dbca1afe26596aad32e4bc69498271b5defba1005b1a218ead7ed710e6c1084757f3c05caa42a77e4d8fa86f9a9370d042cd133b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d9b4d5842148fafb67d391d25b25061

SHA1
ce0c5abd611ea53b0509fbd967a6a0f19db4c431

SHA256
0b28e018f154f4c1581517ff4afd7fe8619673274d3aef3b85f5e7c2b389fd4c

SHA512
20c32811cd3a304841c2360870f706bbb9b63481a4e472dc88300b7776d6333463a59964afb5925f641b22fd06724030d7d595bc680d1fbc8a726922e56879c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a7f52875c26b73bf1b3e7ef1a75f3f77

SHA1
98d6d58ec27ae2a4fb75ebc3aa95e137259990d5

SHA256
5aaa2ff8c899eb01407140dafb72e1e6d46ad5c5a4dfb452d4acf929227562d4

SHA512
95238a8db4d986fdca1afa5e006ba6a9fc1817b9efa778b93bc06c9e3a9023944e33b0cfaddac1812e723615a845bf599753b324b991bf82053f9d67427b339f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
201fe732dd9b9e594a55184380adbe34

SHA1
9d0ebfe0dfbe24085b2da6664b5aa70d95d9e643

SHA256
cb83b04d69fe3f4b73f4894c635bce861e5ba57819634af01e5d25e04c07a7d4

SHA512
cea75119fac9cebce502b50c67dbb1bb80cf3548a4db30026ae29c512e559aefb87560d58f9e8cd93bb571087ddd3269d49329fb19ca12b8295749c0ce03f200

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6b763adb0ba13bbf14ef02a059c2cbf9

SHA1
df2a850968a47d2b7d85a65dc0a048fddc1220e8

SHA256
6c1eb2b4979472ab6ec636c9e883162e245bdba811ceae98057efb31ee107bc9

SHA512
834ba7ddb01e6c2c10ae4b28376b3ca6aadf274ceb9068f188f62f4193d20047da91118d2522a5b1d762511e879226cdc6850b650ae4b755be23ebc72881c084

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9b0b0337b7d1a84868a4521f912fc793

SHA1
13a724a2e58eca10e9dd9db15a0e24651a3aade6

SHA256
2d250ad9b588e6c24c462aae0aab113dd861195399069f2de1b6a5aa373a195f

SHA512
a79d6a9fa7975ed948416245c5d58729d61f8967fe4e7cbb161aca6587fd18d778d0ee2a07fd7f1374f068f163b6ffd0019bed589b16f154730721483a38af2f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bb24aa3e1b8bdeb305886b933e50ac0a

SHA1
aebb1b17d01fb9c15865396752f60326cd00f840

SHA256
273985d91e733d4e639fb7b462cbbf2eedf6b64055e9caaef2b0c902352c54be

SHA512
de8616083f07e9f067d8b3dc512f314c328bf9ef5af14c6329c717432d2577e087957981f2f03582ea02910fac4e7e44e0f7cffb22a65d11a40ddd10187b3b1f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4b923a317692ed663187f783e1a302fb

SHA1
10ef27b395eb88bb7efd7714d653079611e7864a

SHA256
ad43abece42ec2092b8fa57b7e4d6106a6524edd44d972a6d88b5c06c11bce64

SHA512
a1a6d39baf3de41df7c22a3bd0adc74940bde6c1bf83e980da2a4da9ccedeb87152d60129990e62a15c5a39048585f78ec40d2492f8bfea1151d66f5fe597aa3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2a8da33f715fd43fcbe04ca214e2a15e

SHA1
6e1b98db59aee6c2fa415884cdc56feea7e479d4

SHA256
48bac2ae45c2c3a60a10da53791167a73b4f0e7706ceedce57244d414f64d91f

SHA512
21f62f894ff2742d35745b7a7b6ae30c81d79cb728b734b947a7f9427be7256136592720f0abeede530feea3927979dd4030817a70f319beb1572fa6d6ec7953

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b4d0face9962fdf2f920a8afe82b986f

SHA1
6f732ea781baee052460223dfe5f98ca06e996e0

SHA256
32d5f67ad4b269be552272615da6cee2b0220155a84cc51635e7f511c30c5ff6

SHA512
ad4823655bd6f24f2a85a246ecd597bf6c021c9f30eda93b8c7dc8ae2bb797818b1d6e77803a1772f7f62b2a2ab1ebad2fdfb98bfbd7ff8d20d42a8d363084d7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
f49f2814723e46ab9d51bf90ff7bd906

SHA1
cfdf7d2b120904bd3e66bf34c0e796115b55aa4a

SHA256
523001f6e4f922af9102ede7538d9a96845150678fb6a765ec05d21a299601dd

SHA512
6cc97d9377d1dcebeb73a07b1d24c49e52480cc8fd96d26d4c62e333b74c1662f862f13dc026bc76f0a9dab135d4e86b7f2d9353f4b6473fa3dff9884c42573c

Download Submit
memory/412-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/412-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/412-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/412-55-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/412-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1500-87-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1500-93-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1500-96-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1692-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1692-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1692-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2140-145-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2152-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2152-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2152-81-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2152-474-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2676-14-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2676-138-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2768-70-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2812-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2884-480-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2884-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2952-475-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2952-107-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2952-99-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/2952-104-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/3008-37-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3008-163-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3008-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3008-31-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3128-164-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3472-354-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3472-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3996-139-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4108-116-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4112-137-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4484-169-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4484-481-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4592-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-482-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4620-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4732-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4732-140-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4888-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4888-10-0x0000000140000000-0x00000001401FE000-memory.dmp

Filesize
2.0MB

Download
memory/4888-6-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4888-109-0x0000000140000000-0x00000001401FE000-memory.dmp

Filesize
2.0MB

Download
memory/5012-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5088-142-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5088-479-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download