1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Size

1.4MB
MD5

f6f68f92d2e12ff99edb7d14de9d64f8
SHA1

ad787acaadcd4b7685b95c3c81f51992335c1d6d
SHA256

1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876
SHA512

889ca80a9e83594374a79ba31cb8b5eff8d686cbc8b97ca5affa67340201c65cc2e7245205a6d16bd3319f13e6a241be6d1442b43fa3d67ff8e90b95c0d0b091
SSDEEP

24576:gVT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gVTLNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2196	alg.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
2300	fxssvc.exe
3296	elevation_service.exe
3844	elevation_service.exe
4312	maintenanceservice.exe
4528	msdtc.exe
5008	OSE.EXE
944	PerceptionSimulationService.exe
3112	perfhost.exe
4732	locator.exe
3464	SensorDataService.exe
3092	snmptrap.exe
5016	spectrum.exe
5116	ssh-agent.exe
4668	TieringEngineService.exe
4920	AgentService.exe
4924	vds.exe
920	vssvc.exe
416	wbengine.exe
4488	WmiApSrv.exe
472	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\locator.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\System32\alg.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\21d516ecc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\System32\vds.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007562dabc7eadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021110abd7eadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d90c67bd7eadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a49a13bd7eadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd845dbd7eadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004add19be7eadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6fdf6bc7eadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5e902bd7eadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe
3640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeAuditPrivilege	2300	fxssvc.exe
Token: SeRestorePrivilege	4668	TieringEngineService.exe
Token: SeManageVolumePrivilege	4668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4920	AgentService.exe
Token: SeBackupPrivilege	920	vssvc.exe
Token: SeRestorePrivilege	920	vssvc.exe
Token: SeAuditPrivilege	920	vssvc.exe
Token: SeBackupPrivilege	416	wbengine.exe
Token: SeRestorePrivilege	416	wbengine.exe
Token: SeSecurityPrivilege	416	wbengine.exe
Token: 33	472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	472	SearchIndexer.exe
Token: SeDebugPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeDebugPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeDebugPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeDebugPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeDebugPrivilege	1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
Token: SeDebugPrivilege	3640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 1004	472	SearchIndexer.exe	112
PID 472 wrote to memory of 1004	472	SearchIndexer.exe	112
PID 472 wrote to memory of 2964	472	SearchIndexer.exe	113
PID 472 wrote to memory of 2964	472	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe
"C:\Users\Admin\AppData\Local\Temp\1ef4acfaf4f424ada5e481ce17371fce2d34691966c9068fa43f66f0be358876.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d4c6b86b98629e1ccef73a3efc943ab8

SHA1
e7382989c9e034c63bf534d417fa70472d2838b8

SHA256
4940df72dcfd223ad96ea2701bfc3c8dd1d58d813216c3b13cf704acdd09ad30

SHA512
1192a131010c6802a51357ee202f48717d45ff931e76c995a435fcaa2ffef0f26127d28eb144c3ec5b8f7897ca735f5f2c152a05375b64be14ff2b69a66584cd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
3a7981773ef868d9a8426fd960b8438e

SHA1
7a218cbc48d8d50cbb430ae3824cc593306b6f31

SHA256
c72e45406c13dbdc0af796cc47f8e8a346fb7dc0b178f623b7a821a0aa356317

SHA512
c59ecf870cb8705552de3b95da66a9cd6ab1f20111ad426d5ce1e6fe20346670cda797767d5f6e032ae75f406016f096674316702e17e5fe76ce7340a5df985e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
3691fb868452e5fc0b0de7da4209d3f2

SHA1
4616622a07e4f9a80808c2eec15e1cbc4a58d98b

SHA256
9abaf7d3c0b3e4c785bc714d0069c85a66209dfec361a8e1b0435653c273cbf5

SHA512
cc983287cfedd03cfa9b7940e51a64386dde5deac3d1daf7bdd0c71b66d37d2e55118cbad19bd4547e45702daf4fc18addf24c5ca7cd78851017bc40a7fd0568

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7cd65b004c78d400d808b9b031c1afc1

SHA1
0dd3435ad920641cde793b91290d426e7b143673

SHA256
0de9ad4edaf1f6c626a231046a19144f17e120b769177131b813440d006a32f3

SHA512
2f0f3919a08854901e1e17e78d005b76b6d366f0832122f501a62bae53aec339a74f9aa54c38cf70cd504126c1b959bd314f347b9bd10da8a4b10180d3734510

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5e51e7bb825928393cbfb5c067c82df0

SHA1
e0809ee79fe41e1e4cff054bf0c9af4527a76784

SHA256
fe24187d65275d9e04378e1680e431234e07d42659f7e9f337b259867a20e506

SHA512
dd42921e35ab472fb01f5d88ade78b92640cb4c4d587c1d38a4a6a2682e6cfab4943d38f6935d486f1b14c405c155aee2b63f6fdb18401b909508247be5e5fbe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4e115b3b82ac394deea4dfc56d93eca3

SHA1
db66c30635ded25427b8f7ca81933393d320caa5

SHA256
bffeb64a403d39dd275c81cc1a93b8dd2b2ac09c92d6d6357663d8c9d65e9711

SHA512
e64e0f5cce823f2907f357458664a6cc8d7488a8ed9d385ac8a85639720bb2b63b44ec1c44654d00f05ffbcdee65297f45de606c24e64ea4e54dc506bf7a5ee4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b60d4d5edc6ac16f035cb08f831cf0f1

SHA1
eda3f5840b0cf9c278cd4f323af98f9e9fad8bd7

SHA256
1478b0ae9e90e08f485d134296804768f283301da292e4c5341742b5b5c6a5e2

SHA512
4b5590f8542cd4c146fd1d3bb17c285db7ef408586faa376f475a4572dd060a250f8d070bc5e0a59c9ada5cf7dabef934b3556d9a4331a15e5035d71e89453bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2410665dc4e46a949ae9934ac7b07b5f

SHA1
b7623a7575c0dca646dada44f9af21d39ca6b12f

SHA256
06cb69f8b92d3e7792545cca210ed5d1e931bcf927b7d967acc1d746588273c2

SHA512
b529a3811f259cb02be655bb2d24b2e10acee4c59f6dea90d3f3c465dc4b846ec1b9ec0398deb9a16eb7de42fff730d1bc02ace2adc7040383f4a192a5a9a5a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
dca1c246b7cb3f02c3fe961e81d9ab02

SHA1
e8c64a6d0fcd50d8784daeaa9cd2ca14d65ec9a9

SHA256
fb7a55d7b14b6bed477859c1ac1dc2e07bdb13f524a929c2a59b47d0d14840e0

SHA512
fa7666b39c794b2ebb1dff80b13feec22c743b23c60d4a967196e617996dacafcd443ccc16242ad084509a63629a64ffb5973b688d5d3c26f91bf2c513184026

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
da104d1eb24656cb3ddc96635afe31b0

SHA1
ec744c9149f5a22593cf85af2ce9bcdae43e9ce4

SHA256
42980258bbe8bedcf1e9c8d17f5639d1a462066c3d0fc844bf53ef34a6829a31

SHA512
1107523b47b78ec76ee2fce1d34a6b11e2d77fd69020ad19ff99fadf263c74ff022125d799ee6a0d1460677e1e415d96eed96358a567d90d6e500453b07d1454

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
125660c8989a8bc1bd28532a483f39f5

SHA1
bb122798ff3f22d2439ef46f9d0a648937c9c559

SHA256
3aff31b8379fb18889fbcd79dda7e6bb205f0531720e7fe5a8cbc7a74f508490

SHA512
5605819d2b4d1225790c9d9ec8cb90f755628c798c168499d39ee009ff3e909e52aa1928ca1d945669f62db1b75c392526480ca9f6a8aa85f925c8c9f43f79b0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8fd1c819c5df592736f52904817a539

SHA1
aedcb0d1a3f2f6aa7cea0a89973bd6ff8493c635

SHA256
10485db14f68795675d518805e7d500ac2333e5b9151d7ffd4aa577c1a9399e4

SHA512
ddfd5901f22e01cb3bd38e7921190e0eab6768be4d208f8a2e788a4db7f69ebe6661db3cdbf27916fc275d416f2c41a4fd8efae55638168fdf6fd014ffd85a74

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
18a2f270b38b14df127ddaaabd9e4203

SHA1
8eae8faa7b414597f1a12abe95d4c96b4cc6cdb3

SHA256
e76731191253d49cb76ad8a5e113e390d677e9aff71a7a159282aef122b7b81b

SHA512
566b1ee847036cd57d93162335754c7c285ae4179e9bca4b83a50a277c0f43096a2e9cb873a0546e9bf03731e76d4453e612965c88d6914d15322eabd1349e18

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
82bf4edbc7265061a0af7e014805fa8f

SHA1
1c5d20c9c95ca1ebdc0c5a14936f3a32562d39d2

SHA256
59651d408cf47087cfebad57fbceea17d38fe78d93a8deb82d8a1f3497503268

SHA512
12ca69c9c367437ee3ec4d9a9aebe3a7954b39e1c0c0fa5deff88007d004fb4c6706930171ac36195086f4e1b9c1bab4c74ad16cd136da0333e0150699629a9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
51c11af3f78bfac3a37ccd1d5a863bb9

SHA1
ba2c1035aafaf40395120235b82967ddae4c6ee6

SHA256
38f5b8bd2e47739641bddf8af441a4b9d871107580381872bd730539423f0c2c

SHA512
2cd7a7fe11aca3fe7b655e2618c75fed991c79dd87ba39ee5c3fbf893ae821737f825e046dd62bda2c3f98287df605e8028f14061a93dbe2a07d0185801e2c45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bf08cc207cc273a0dc19f5f99b4bcd3c

SHA1
31c9fec2c8b9cc7e864cfcbfb54f19afd15578bd

SHA256
c22662f71eeaf0208a831ef288062e5422b8621da7be9b1095576c8780b18aef

SHA512
fa8241cee29f8cff20fb333798d5b66e80e0d95d7bb35e806190c136eef00a76f9cf9272c7c56e752cf6584156affbf76c66e6f8591ed8210e426157281b574f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b05c0fbf2aee9b3dd53fbc3736c51d51

SHA1
500e16cd82e1bd79d596087f5c93b830e11d9e31

SHA256
f4157efdaa2a6add4b2b973b22feecfb457cec1669aabe823dc77b10c7597960

SHA512
f15702a0f7526eeb6e5abfd7f68a5373368fe168d58407612d8c8c5e84f9ecc5feafeebf4a25d9e531f9b8d98f2675a60e93625f28a45aa6c12b1d595bc3a6e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b1bbeaba0faded330b05a7e4b35f84d

SHA1
e7c15e44d7bd229ec3f5f696315483d0364deff6

SHA256
7e99c28e0cc8494bf1d7956ffd9fe77b69c35d046d8f5011ec416e3404da8c37

SHA512
c1faeb488e010645e67ea48a502043feadabef556bafa71410d96a0235febfb0d181befbfd526088bc8a6345a88d3a037099c090b788890aa929d8588fbd6630

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e2183329360263972092de01ff957f08

SHA1
2b7d5c87d8be959a99cd4b3acb74c1efd042aa46

SHA256
3086fd355a5116af844a15415c84d507c06619a3d3147f5b3a8922289733e79b

SHA512
15aa0ac2bf75e95df6edef4f4080b8eb5e9623aa1da4d6f3e1b0f5acc8b154bd8fc19166fbabbb0d080e130260a57d3906ec8838e9b366a9e359ea77eaaca8d4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a23c33855fe8a8ea3c39892d4f4ce3e7

SHA1
6ed428ba5574204b06beeaa5b7c30753e481579e

SHA256
22a8fa722ff56c83b89bc9e2858bf28eba30d0b28dfb4fab1b4faf91fe5f367d

SHA512
8b65705380a701d6d3621a0eb12c06f8fd28338c3092c2b0c030534062de79b0e288921fb9bf81fd6b32f8c3ca97ed956e1f07bc0a563e98771471f99901fade

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fab543c06205135f1211a7cf628da64e

SHA1
1ed449a8d43f6d07bae339c4deac1174c329eece

SHA256
901bd66cde8df15308b2e7f3d174094c54e171128cc925409f13352a419763be

SHA512
adccad23c704e45d52a48cad436ebbb35ae73749d5e7781310c9162be53ef1bcd559cffc4327c97b1579e1a02e438e1e5588bae112dda06a3ede6f32dc9decc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f390ad70904fea7a8e682521150f8565

SHA1
8298570c0d3dfb9cb469c26285fe5d1b8df8d179

SHA256
2e1d3614d84ad0a32207a77b22e2581867e9a363034e2370ab868654b69112df

SHA512
8dfd2ec4e4c063398f0539ebc33090280389ed16a5fb7489d627ec9d846951315b12a5eba5e9c9d1270caceb76c8591bd6b3064c36dd1a4c9eeeb2748ba3a36c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c225d3685f79619e29ffcd4063d4837f

SHA1
e09718c34ec73e65415f0604d9a2c2f9bcd1c86c

SHA256
c0aae950d9e3efe39e5796552e2aff226c14fa494967c52dfbd64260d2eb07ce

SHA512
97b4e144e11c084447568a98901d10e87532a335a963dd8c8b2523253ebd1ba8693360644321ee6e64951322dc60944d05d6f6579da96f8bc6860b6744cbe723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
bab8a2277df3734c5aab8805b486898c

SHA1
92e38aec52183db72e4b952a7e9d0caa44bc9cdc

SHA256
4d907008ff5d734fbbd3e636f7ebe2b03f8c6fa4aa2042c924df4d570c767bb9

SHA512
17daf37fc31338dd61a6b863eb176266b378e931549fab2e3f8b4e114fa8424fe65b3108e491671766cc97dde2561caf18a22cd5a4d6937ec767ad39f4a2ee68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
840d1ab58f55db6d73ad0a40823f6a01

SHA1
ecebd2797e5fd824a5ef59d58e42a115eef7eaf6

SHA256
1d07c2c6a0453859eb8268687522096040c51ea146afe91adba3a53c761eb00d

SHA512
1266d7ffd41530a7f25d7f2581e4f779e4f8c4f1e7a3cb839f26afa603977c5c931837d61f98f9b7a39ddacc43a025885ac08fb7e3a7d13143b3937b7cfedcdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
379a097dd407907e5b4c37678bb5fc3b

SHA1
23c48509163e2b35d525a4b2eaffafd3d6c1e625

SHA256
f432133da99e4355aff4059f41d7d8af396355b9d25b17d6fb3b45aa8acc9bfc

SHA512
e1c16c03ed5e7c46600cb65d44ea0688b83f1860e2c0b7ef1bf38cc2062d8f8aae1a0bcc1df8eaaf4668b9506668e070b6495ffcde8d55fe3d8cb99327044d38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e11bbb74e5abe111691df22053b2adb0

SHA1
572f96573c67639949aa751b13dd7d0ed74d5337

SHA256
7f3ba9915fa1076e420f07f61dde6042f366fab0a55508eeb8f15e9e5c035ab0

SHA512
b9bcc38bb186978b71546d7f3319a38c5246f674d8d7659b583cad1b7571bd54b70394928f58f22a609512785d86509a3ffe3a6b9874dddb1a3f237cf8995bc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
17e3020404707affaf8a94404c0953ea

SHA1
ceab30a91e48febc41bfa51645187ea6b43f2e5f

SHA256
d3b2bb3c4b579c611f9d205e9f46c13fe2ba103c1bbe2dcb8a9f54307a7e3443

SHA512
f92bd7b60e5d717c8ebab900e2c66e231f462f73047db119f89c9a48aaa32907a21ba95b5f07ff6d57f961d3873100d72b196130c8dab5b1ad21502d5c9c748c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8377fd35d909412bc455502ac5caec48

SHA1
f0b79898334396b5eff00b9dcc363d23733ce4a0

SHA256
dbf1ab304aa498a9eb47128297e671fdb90525578f922bc927fbf4aae7ad82c1

SHA512
2ed37389c0ade24eca23681a69ad45323ab7497776ff7a5136a4c49fb8c562653ff82e8a9a629dd13c8b8843d30647c108fa6989fa9c57b8ce4eda801f0b81e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fe3b50409c2251469a7687f02bed8a71

SHA1
1796251e3b69abe2aef924225f36d1c1e0261e46

SHA256
e144f63336106f5c853f4e3201f93f8fef98f670dbc831dd8d036cdcbf352e98

SHA512
bacb644144611ab9f1d1d3d4e40d71d68e57f7910e427d6b83a37042acb70c0fa21c4e463e1bcd4608d8506fbea969fd88e7a72e970183d8e19b766639cb35f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
0402ee902c9f4007be5001b7d913aa68

SHA1
b69f8bf611c0c2054b0d40560f1d222c7a371012

SHA256
4aca1ea51859ce9011db0458ae6ba8c56ebf13b053b1f79c79b00332ecab6be4

SHA512
532a2d44098d4930a4c2e1cae446f1f270c21ba490afa52f9b669ed2b07b561d16db4e37494c4d67ba028860e7ab0f14460bf0090c4e18eed75f38d4f843c066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ef6b25a47c9d813e883dc25170474078

SHA1
7f4d358b9e9f02d1e44ef53fdbf053419311c898

SHA256
edb09b9a2437d42bef6e90e1297746169500cba22ded77c2e29bc1960c8da29b

SHA512
ee8e1ed9f063de0eb2a07102a0e30c3b52fc09c735e58c461c8d9a8dbfe3e13185f49029f693913adb0cf435c901ac99f7dff51dc9d280f7e132e5aa63cd8e0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
244707801bfe047032b45141c383c352

SHA1
1a4ecf9b76a0bf07a3dbd3415cac5597a41327c2

SHA256
0083658b8ef3009299c523a5aa3e0b3b0ce80c0aeba0f5c903b30ffe3e379650

SHA512
fbde9506360994b29c1dc1e2e111f4d70e38f28b3e29e8d83bc8b947d907512df46040ccc6294668a789d2f17c92b45467eb5b699877b37960d2712264c51c1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
2537ba4f104ce4067e10d09797ca9534

SHA1
bf33111ce9f4f5a80ea1313503ffda00af395fed

SHA256
c2ee03687f88ae719d4877890dac86bf77a125c104e2c044c1ebdc39594b1fa9

SHA512
592b4ce10b728cfa9bcb43bdc86f4d6d6c6da5236ed3570f891a7fca7c86d0a0589d44a3dc3de43097a19649b05954bb123d3b78dbefaa5e8643eadcb7d8a35d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
b21ffaa13800acf9b1fe90c7dba3de1f

SHA1
ccdc2395078de81677e7650f9b1fe570bf6b37a1

SHA256
611aad7f6335c56ffc31131d3e6a90693e005e30d1d595223f7212e4828d0778

SHA512
9f3a9ae2815a5fbc46438b37c834ebb64bc0ed0358152c64143c15cc68d971d7bd6f63a46b242af0c3596f92281aec5ec78ef6bcfc8dd85379216a637698c996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2f373dd5dcf5e23d00ae94c24b1cfa22

SHA1
0bbe7da476b700a33b93a2dcf99d924583b24174

SHA256
953b69c392e5c9b9fc3dca737151e1f7cda4293689dbdb1a3e06104e953a7247

SHA512
e04b6528f72f848af8d570d7e339ef9deabd4eecec458d99685a45cfd05e39c2d48327674612ba42118bf83aad1fbddaf66a5604fd976541f5106897cebe65f5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ef3555dc0b8ae45d44907a84bea59f6e

SHA1
9c29e4fc57babbdb6ca165190a459ed13448f89b

SHA256
844b32067c1b503b71e6811a21476c22adab95ce8aeac81a73bcb54c1c044c52

SHA512
a53b4a564ff98ca646e063a158a214cfd087e4d6a7ad6a446fbc727e56af3ab16ba222bed7bea29e24bcf27ef9ac13118e25d96c1acb0b6b0e8fbce606d12a13

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
9678278911b4adbc45139a4f06532284

SHA1
e9bb4dda93451aff02ab9b34e735903dd2fc18de

SHA256
0025200e4e0be49ed0b6274f887f88eca090b279dcfc24e15c27f555998a8ddb

SHA512
b7d51cacaa1ef0c99b8b7b06ec2fb58ada5d64f8afb05132bb4027c5b608eb13ab87e6e888f25e346cc55a6933f57771abe5e5e54eb80cc49a724901529ed0a4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
17224f9b64d23d8d896ee3841dbaa388

SHA1
af75864c4c52421cb025b05179db9d66f747f7ee

SHA256
5806d53ee54cdfa3dbd4adc9ba9337d8a060f09014405655c5bcddfbeb05be54

SHA512
361db20b32fb6323e796de104f576e5b6b771ed32cf26283e7e5beb50f3b797d0fd1c550fdeccff30dac213f0e0e9f4909c6f68cef7feeaaa07f2619748b0dac

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
edacacf0a5fe6c862f4cb01ca3e21791

SHA1
ffb012b84cb1f119158ec898e7b4f30bd15c216c

SHA256
69ca574f4e4c0414449ab3da17a9e08be4aa79e40ed98521f9b64b64020b2f0c

SHA512
4de0ecd2e5c64944cb4b3fe3c39d810aee599a520593f50081dca830ab09f9b01d4004a836536d3e0beb3e2a8a43f432897a7d97195d68b465dfa4a96aef9032

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
eb99440ede956b86a426a6cae0482e68

SHA1
f290799ae875fc4d903be6bfca25f8ed79990fa1

SHA256
8a986c83df104ce9a828c1a33158cb11c02a905e78e8fddaa3a9e1d4e50265f7

SHA512
14d73098f8046221a6aaa084a4a909fe84439c4bfc1130f191c9ffa2654330c85e56f5530374099d0bfb4ee8f356b841305d616b11bb2d002ad04ee30d27ba33

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
73dd4d92b37f3adbab9bb26c0bdc37eb

SHA1
f298f415e9d7c9cfdad7d621a1542ef74143d39e

SHA256
f7f707bb1c00b9fc68ed2b82e1bd41e65baf2a1e6d04ffbead11ff728740e07a

SHA512
e40aa6f342b7d40aef63c970aa84cc6f63ce2b7093bc2fc3b6f50067e0586b6ef657a6f93dec2ac1eabe00561dbccda7c811329546c07ea0285ecf01070bb162

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4099616352c193971cf392bc99c21474

SHA1
5ea5b89d55f5102f70803285110ac1d66a35d4e5

SHA256
6589547b5f076fcccbefedb5ab293ac9eb577d2de90ccad3b6afcc15df886012

SHA512
5f194d47687072d8fece69a9b96f9d40aa0f1bcef2e31dc5deb8956c0325a6ae0dba5f88a17c52224f899c4a37a90b66674906b3845c71113e6c7a2072e121a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c10b132a17398489a9f9152ffef2420a

SHA1
40ca501d60d2ea62ba447433478496b386fd1c30

SHA256
2c363df141a0244ffb2a363adfe9f31a4ea055c47b8b4a32cbe2a5d260761f7c

SHA512
4d0eb2f58589d95c51ab840a1c0b358305c1a602bd4fc176b4b687bf4fba853b619a0b923c2007d86b4ff36072d0ecabc9bf4e0566027a5004bfe1dc67db484c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5200bd515b358cf38a78036f625d428a

SHA1
879224fbff43700bc14cee76841831cc3797e372

SHA256
6125440e46a2256186a9c36fc7399a9976e4763e72d95381cd18b1fe3dcff541

SHA512
18615245f3571acf9a5611e6f3aae4ddd41d9a477f454c28326e3a078598a3d2065c3d3ed4960ac06aa43da510d2c3a5193c6a4df8a4d6cb811d50cb69e6d684

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d337895a543290039c4f783903ac0e6

SHA1
304cd026af8ff15142807ff110b3d2c3b24c0efd

SHA256
22f17acf1315c4834d302be0a3376d77378bd5ab0fc4969709276a4355bb7001

SHA512
4122ff877d7a0f3773bf71a3c84acfc8b47b7bc7856dd535069adbeafed3ab9b9d9f36b9cb4c2bbdadd1524cef65d056f17343b066eb906aff04ca733818317c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8880f7315b301536366c68247f144032

SHA1
14ebc6532f5c5e4c5cb889de8b43630dd3d337f5

SHA256
4ae5814f1facaee5a6bd17d5728f699f692c01d23ec4d98c7ec679e9552d16ae

SHA512
f2d0ca8cc8f825758e656c963d2628db0af5fd4a3d27fd2e3498b208d320a89fe99b6cbe80a5c8f614e2a3946362673d4914b9328b2e7f73fe46b21fbeed7751

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
933388acb85a525ce4d24b04537a36cd

SHA1
073b9517cb095e9acb3f890bad33dd8ce177a2ed

SHA256
141092d1b0f553a80c6a8cc54d3b6fce245e8618ccdb149e1862e6f01120f562

SHA512
2a5e88dc457201f364ea8100183ae631c1595bb22133e23e26e382063c24d3052b66867e673d7cdc24abf8cb16ebfbc22a42e70157d3dcecdb89edff489f284d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
61f228824e55efc70e861fd9aff9ce43

SHA1
9be4e088f1b1bf42a551b7a9167d4b6184c880b6

SHA256
dcc013fde0eac10573b1a449e8a6dd6a9f1509bf15fdab45bca173f5475ccfee

SHA512
ea9e6015c87f9cf3328a5f61077940253b704f9d8f6e613272857218e598d626ab98970dc5e6dcaaa3850dfcdc8a94779d915305f79e6cceb091877f43ad03ba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a0f071b3715e02b494063f42ce33247b

SHA1
4639ef50ba0aefe4c8ea6bcf3c9a9047828805ee

SHA256
b4f7c113e0b707f1d286634254e452137f41056afc46a53cbdad8dd451e9afbd

SHA512
7653db80b77552e45a5784eef2306fb458832f7816e0041b2fda0f13bd0abe8d987f00608b04be92360bafa99aaeb9e344a23d19c2df54a35d3894e0849fd989

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0b6663bd94da5fe5428a33d6a8f285b6

SHA1
086db16ca274f9ecef1a02673688a908e49f7f37

SHA256
ec9bfebfe56b86ac3cecb6e703234324eafb99b0ea5a55cffe53065b92617283

SHA512
28a867f2dde4d45322a3e30d190073e41aeaf6e4e3434115bbd3b7c157db45a5372eebc5bee758156b289a72d78d9ac0fcf10c1102fa6ce0ab93a15530429411

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
e90d659053beda94c58c31932921e190

SHA1
467bfdec9012e4d12a2f007b98d2a562c73d650b

SHA256
0f71f0986af946354783a0ff69e3cb0e652adccd6889eaf8b8f9733b3ea9091a

SHA512
d39367bc1b04da7a55a7483287e778df67a5d64fb76e254bf1962359e8b099fe6d27ba1fd5c3e11bbce9848a2712752fdd1f98bedd904f6b865f67ffb52b32bb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
988d94699cdb0098c67fb38ab4444e01

SHA1
457e79cbfb763a9bb71f5002960da10ce6400dbe

SHA256
fc0fc85156a89ac5f395196c5e1357951d2462564d891facac0657638f9099f1

SHA512
0e3452eec9935cdee2598efcc4f6af42342414be08964b8d478afbb2dbaeb31e36fe8a329ea52e3acbb25f9cc25de6cbdd762edb8a41af645505a17b2f354296

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e8778673d7e6eba09442e282ca11fa0c

SHA1
96168a07592b479103b132e626517f392de4434b

SHA256
f6a671e0d6000572adce26d790b96bc22c0ed16db119842260ad40d5ba00e83e

SHA512
63e9977cd6dfe80f0f7076cfabde6d28413c277a93ffbab571d4604f7da37d5444fd6c9f64057a602ec45983bf95fa1a6d3d44cd97473054c6141f7b594b1e59

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f16c2bd5ea223a1a9081f7ae05f215a1

SHA1
c0580aa639097131195f35d76e8304ddf310405e

SHA256
22f366f5a0459fbdbd86994017e3172ffc29db9d1f242bd16773155d1161ccb7

SHA512
98d8e30146e378d5d22bcddae040bb5b6fa28903d9466382a273779640763cf69aa1c6cc013786aedef877ca2509bd0b3f4fbbbfee3b87c788198ba90ad59fd8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ea5c19492c1d67ae311a2a2515be5bfd

SHA1
326d0c7496390dc37ac1fe7b181cb02196c93efb

SHA256
df8344633cabcc627ef62400167082a01c84306caae620c66db067e4a546f619

SHA512
5940413a858a97d851d230295a529bf2d3a9c2c7a60b479686b4774c9c1db8047a2d25ab0f3be2d81aaf5e245d00577e86ed4e0afecd364c64ef99daa71d108c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ebe30664a1d08e0ccfd13d83fab20b6b

SHA1
8c954bcf8f4fdb5e32684fbed56963263ecb43bf

SHA256
432ea93a2163229e97f08df2ab58221f6bfbcc96e45f2782eed57bfdf66d7c84

SHA512
c2ae962266281669de11b9e82e5bde523c4a4d97a0140c959455563f79ab7ce9cf4adb2bd8db2daa2d941e8d5b526a19fde520ea4bcbf7d6a1bf614d840b96e4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
682180656a15e1aa5d3f0999a1ba5943

SHA1
bf5a6286998fdb57ec0d9d9d92e0d851dbc433b5

SHA256
4c5bc27db8a0ebbaaaf99771ea3f6bf24634aae1d4da1e71d1a0acd70c33f723

SHA512
308d2fb845dd106da65e24c08508795e27d24449beadee4cc264c04a9c8b3245623cc511dc3fa9e19280afc59fb39c0e3cd062161db03de0781738947a0c373f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
165d88ce1a8ce115c57abde4c2f1fd96

SHA1
f4f446b015d00f540b292352ad8860dd03ff4769

SHA256
06c924e982bdf439bd08671eed20f3629cd1dc15fb0f44720d4d12bae2668b36

SHA512
7fb8923c91a2e7ed16204ec3b9378b7dc58e42cf892eaa0913c0870f60c3a6262bb9b5ead69daf75371f9ff1bbac7d23844ec743a7eddea027bbfa8fcfce3c8a

Download Submit
memory/416-204-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/472-207-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/472-481-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/920-200-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/944-86-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/944-92-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/944-156-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1816-8-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1816-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1816-453-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1816-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2196-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2196-472-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2300-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2300-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3092-192-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3112-157-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3112-101-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/3112-96-0x00000000007B0000-0x0000000000816000-memory.dmp

Filesize
408KB

Download
memory/3296-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3296-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3296-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3296-476-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3464-372-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3464-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3640-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3640-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3844-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3844-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3844-477-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3844-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4312-64-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4312-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4312-67-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4312-56-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4312-478-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4488-205-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4488-480-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4528-208-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4668-197-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4732-158-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4920-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4924-199-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5008-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5008-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5008-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5016-193-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-194-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download