9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Size

712KB
MD5

97819ae853a8ce79bd457d44d92706eb
SHA1

5be41e60157086ab9506a433fb87db2e924b715d
SHA256

9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c
SHA512

47b8a2e7b2ff2342ff8473c9a1afd468dc8288bed2373f1f75c63ca8cbdcccdb32c38dfe20136bc7c4f14ab4b736b778a958cd6f238c6b2aff3129c99da2de05
SSDEEP

12288:ttOw6BaHFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:36BU8NDFKYmKOF0zr31JwAlcR3QC0OXn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
796	alg.exe
636	DiagnosticsHub.StandardCollector.Service.exe
4624	fxssvc.exe
2872	elevation_service.exe
2816	elevation_service.exe
3816	maintenanceservice.exe
2544	msdtc.exe
4216	OSE.EXE
4904	PerceptionSimulationService.exe
1676	perfhost.exe
1928	locator.exe
4536	SensorDataService.exe
4532	snmptrap.exe
856	spectrum.exe
3932	ssh-agent.exe
3880	TieringEngineService.exe
3684	AgentService.exe
2652	vds.exe
1820	vssvc.exe
3276	wbengine.exe
1772	WmiApSrv.exe
2036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\System32\alg.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e87d3bb1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\System32\vds.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c319b1c15fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e2dffbf5fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f2a9c15fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a36ebc05fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009275a8c05fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd0d03c15fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003aa77cc15fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdb608c05fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a54acc15fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af99cec05fb1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeAuditPrivilege	4624	fxssvc.exe
Token: SeRestorePrivilege	3880	TieringEngineService.exe
Token: SeManageVolumePrivilege	3880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3684	AgentService.exe
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: SeBackupPrivilege	3276	wbengine.exe
Token: SeRestorePrivilege	3276	wbengine.exe
Token: SeSecurityPrivilege	3276	wbengine.exe
Token: 33	2036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2036	SearchIndexer.exe
Token: SeDebugPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeDebugPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeDebugPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeDebugPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeDebugPrivilege	4736	9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
Token: SeDebugPrivilege	796	alg.exe
Token: SeDebugPrivilege	796	alg.exe
Token: SeDebugPrivilege	796	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1304	2036	SearchIndexer.exe	111
PID 2036 wrote to memory of 1304	2036	SearchIndexer.exe	111
PID 2036 wrote to memory of 388	2036	SearchIndexer.exe	112
PID 2036 wrote to memory of 388	2036	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe
"C:\Users\Admin\AppData\Local\Temp\9edeae0631b49839c658833ada9196cf629b89ecb47f3a083c55cca9abd5623c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:856

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1304
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f49c86dc0f1389ddbedeb58ea90aa68a

SHA1
629535461043f8d898547ffeb7c34f903a99d9bc

SHA256
0f082e4689ed31738ef617479c346d75471bc8fd43ab352d2e7680a017133bc6

SHA512
7b3e145b292cc86fbb28f72ef42070e88f4ad883f450b51654146008d7976a87f72832878870b024489b94065555bf7fe78b8964fb8e34c9ee5ed1d1bbf3461b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
8c95e2b9607112169fb24a1550dfd378

SHA1
99522cbf4245507f9e2c8acf1d938d59bd4a92f4

SHA256
817b3fff27ec527fe1d385cfef63dc8bab68f18b7ded6c093477b187f782c9fd

SHA512
8870d11327fd985d49197adc0ec242d1fc7727299c60184d1701b5def8c3eb40615b5cf11ebfe2bb1046e3578e98bb219d5465e0a425569f7f8f101e619ef1a8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7352f728cc328056e6972ffdc2f89f13

SHA1
7c7926cde12df6d2c8ef13fd964f451cb220c685

SHA256
937e38ab7410b602902499b36b3e4fe551059d963344dfbddc422efe1dbef52f

SHA512
52e8e167982049bb604528ba35a00eb322c9753d71d10155483589e7a6d18547fb73fd17f95a72317377f8d85a57be554a003e48388f26d5cc45fda5cfffbbd5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bb2e0759bc7dada6ba0c7f3f83436de5

SHA1
915af678497b740e27fbf6f3f0a98db232cbfc43

SHA256
ba3103c044a6c7967d099f256589bef8f2d9b7ba886bd56791facd528ee39944

SHA512
24b15eed42cd01a3d76f18d8e42482d57f07aa0570a1322ac176a35dea6fabee88225551173f1a8cec34541e5ee7999f18ca38071a552cda16177a0bf8d7ff2b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
030dcfe4a8aead00993f67416db6443e

SHA1
4675f977593a47b93f0ce7472d81365cf3522f96

SHA256
c4f9a7cb65eb8716776d2ab79f5278d1b3ead46403f0301b1db912cf8ba763f1

SHA512
fe5bc4f5bdf34f0ec68f3ca4289349f0577362f34fb0166277bb40e721316e1c698bd22b62423487f5dc7c6c1b547d3e72b81091539a15af31ed4e53c3dcd796

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
edaef2fb7ca81f8289be55e0dbcc7740

SHA1
63cf95a8150644da747c9d77c1bedf126e9efdd8

SHA256
625327dfdb2e9919e1fca8e543072c5abfc985f5739ec50d97b0517550d93e62

SHA512
a58a485a1ee7664db2154c9811b62451d185b7f4fc003fdf908ac7cca779b80f00edd9bf1b6dd88e363c46061f4feaebd892e4a894d60cd0c6f2e3a169af5f54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
038778c88b86ecd78d1961fb14b5d021

SHA1
8247298ed938ecc1d3bc51929d419c8183f5455c

SHA256
63c0df3410db991c96f7b511f2b17cfefe370888197a2876e840c2b96f99c3d8

SHA512
889f276772dfeebd90c02744aead035f06e1e2ae8b37b47dda85c1ed4f436011a516541f19f4f08bf89c531e66badbb24c759da10d27e14d1b4d3df730ad403e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
14f201a4874d4d7beb5d6c2b426e955b

SHA1
476b1318f09cc894063099052489d1f9f9aac660

SHA256
3649bf339e89de1ec75c97afab091e1b25e4aef998bd5b83150e804f0a2b7f66

SHA512
69ba25b3121d93576d5a32da5f7f90edb1c8aee19d798ce36d8cfdbe32472ab0a330d3ff2705100c5ea4cdb6291a214ec824dd2e5ca0f163144679d69ed3f278

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e02231ef9d8a659de8ae3af0d94bf3d8

SHA1
8ddfb67a195afd64ba52749fd23c3576762496c2

SHA256
a21f65eccd79ca8f8fd5993bc92987cffcfc41bf13072718dcce2152c4ee9808

SHA512
017682d3835963d77d810ffae69eb4841164504c21ae35b286a4f45e669297efb190a21760ce64d1843bf1ae35d9596a3044ddc6bffe0c893cd70f29e8b94d12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5f8498ec97578bacb0c8010a97a08aeb

SHA1
f90d42dbdd78de7366b782400de8d3af56bd22da

SHA256
9b50b48e08a65b1f293fceeaee95d0d342e28ee602e7aefc7fa9dd14de962ca6

SHA512
249829fb066fbab231b076b44bfe9da4f9c0e86e048d77372732cdd2165b5f3bc8306a86df7294444856dc74c3b8e5bb7654c44a2fbbf61e204296e8847acb9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a5a1c4a527f3ba6f789c23c8d897e251

SHA1
90469b08bf9cad703c66874eaaa2860ccf24831a

SHA256
cefe19fa6fc630bb9e9f332ad16cf647ee529903974cf96a72798f74aec0526f

SHA512
39f258e33a2767ae30e8bde6df1873a3388cb054c54c981483bac797069bb56761fddbe7246f38c8de7882a483d1a4781fe25ed2f75fc571b48cf30df5a0cf52

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
699b537fc17f1143ec2c97c001b8e8d2

SHA1
30121b366618a9a648a162517e7e79cadb1f05bf

SHA256
37d0dd0ccf623d65ac87759ff4b6430c51865df37d6ecfac95140563bb6e6ca9

SHA512
32152729b5b41b5f7e5bee32a1aecfba8ed301addcd91739c36a0907489e2481d26189bb6389463735846bc1b9e22729d415b777a134164ca5a409588b65d11a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
32032b853d65c52768bd340d3dcd412f

SHA1
a83950f732093d07727f4d189f822a45d0c643bf

SHA256
7dcdd59e06e448b6894811eaf7de6e12ad54196902337cf96aa08f854cfb8163

SHA512
3ebb094771f687d69bbfde2ee790def7f1f9b7d96308d6646b67c2708c744dcb3756bf5f9b530bb1e90f19683352faa3b253ab28cfacf77aa8db46eed6199d34

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d9f7f1e0d0041aeac56570bdb87315e3

SHA1
c6805cafe7ad6b361317b72e314f04a0ebc54396

SHA256
4f5147b8c25239de80c2413c546ff5bd5e0f8685ded43a727e5e9af843f3403d

SHA512
8d3cff0b033d59ea259863abfe4b542a37e96224792bf79cb555d2aed80a63e2fc1c90af75ee3313ae5e6639cc1ef51402cae8b1b57e9bf2b8c635c1bc872415

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c7107f628577f56ce5f8bcc20beb68f0

SHA1
59ea774cefe9386ab97059886758f8671b466c44

SHA256
02563766e0f52883d6f25157a34862b94535697a0a3ab0473ff71e815495f622

SHA512
c5ab771586fada9a9ba779e81bda2a16d0a26d6ae53bfb4287c7855d64de559b554ee050b78b83715818c9184c01fbe4f49d8887cb369a2f0ea8a480f8974a41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2660342d8dd30ab7b2ecbb63689159d5

SHA1
9ac2a29795f32f10eeb7990b071c7bf4f604f2ee

SHA256
9c7cdde1074585e5d6e9b76f5eabc14f79653dd96dba4057e6265b9f23770a6c

SHA512
ab0a34a3a70de128a73dd90ff51cbe58eca913b3565fcb90044e948a37fc63633df0496bb943f78fc2d28e91a5d3a606763f1cc89d69827604814012ee243237

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9c3d62dcad8570d8cc5ae3236719942a

SHA1
952161f59599218c197f17d192411f46e475e1ba

SHA256
71625264f2d35f600dcea35fa123c8aad7ef387b9e67335754b4a57d8b5fa9c7

SHA512
5929c49617365c34bef75020840d356eac63bfbb5a95f6f947b848204dedbb09596f7f9636bf6bf1ac4bc4a48e5fb6c347598067a8dc8aca65eea778d5fe5d62

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3f2cdfa2b21326d43ba8d94ab5f28cc5

SHA1
231273e34e88ef3d990d5e1b96fcf5d44def2b4f

SHA256
0a5a1febd548995c36525082de46253f019b2d90b3a39be7f8930c764faf2831

SHA512
49969c3465b17c46bc6e45be4a6a93428e6443d5e34cabd02847fe400ba9253fcb15486897adea9882ea88960da0645a3bdaa0993f8694248478f149068d9e22

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9921651778e7e4db167f28bd08447cce

SHA1
d60e44098b827de856437febb1a8ef177e098dbb

SHA256
a2a4b60e080f69673bc49dc72f1bb85303e2290d0cecba5643278e8b3e218c65

SHA512
097d9d9c59693834245a257a80a0c706ae33b4183a0b2e2624aab091f9e50401fa05a5a7840fe39a8bf5d4593f36847a978bb39e4cd8b389126391b63800e926

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
792aa4c94f1d788e708c99194d78b662

SHA1
6bec4d8b0ba08e49c6edafa916d3b76ca1505404

SHA256
e6e57fba6cdd6328e08b332a041dc7ab57ad3c2b7eddf23d6053a65d4042b16c

SHA512
6523cc31dfb309435e4b2ff7d2e382f7db2cae390017ea57369d8faf78db9c68e609d519df9aa948e819ee6864bbdea1f9fb5eb5d5744ac48206dc09388a7bb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
793e3c32981c93e81a5f299a285e65e8

SHA1
4a79988ce86960e5f919d0254b775f5d424337f8

SHA256
3f29b0bfc48193ab6e4ba53c1cf34bf5d81615887dd73062fb6e6879620b72eb

SHA512
d733c86f3db3cdb3858a958ae901be80529fff9a65c49f8b65a82ee60891a8f8e871821803af891cd89fc1073d513f61c49505a932338f094bb6f63947ad2dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2cd39009f5a8e876e75c54860ea15986

SHA1
444e1172caacafebcf57c99d3a58a7ebfa5421f8

SHA256
b61c86ca0be0ba201c8c87d8161ec59b186a9a5501e698dc3726fa574afe8711

SHA512
c375853a1caec05b7f1d993f2eb6498f07df3f6df6a4573635437c3cc3560201e6c39c491e2b576be816348563b44bae4bbb2403e693e79da61af724ad93639d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ea9335da1c3ad669345bb3fa815db014

SHA1
e492151ffb9fe819afabd844b8c5ef0933624dfb

SHA256
893fb900da6ab2906d5a786c3e039eb417a54fc77eabe327ef48a5061c7582f1

SHA512
0c8965d02dab0dcf756be1459ed37f92088d0d650e51bc3e458e5e4f7a78eafa3c020a3f1878f59dbab129015876d65461e813819135afc87b10a42821eefe59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3c4e475fc44c26ee956bfa81b257c9f4

SHA1
61a3fd51e10aecdeff729703b8377a8e9229e93c

SHA256
961129726e4506487226b871189376c800aa896f361da9c3407e21b7da069b27

SHA512
34be13112dc8af6a2afe2ea785c8eb0534fa9f37d30a3fd0c8a39270d112cd50382814ac126c1815e2b44013f327c70bf4311e9919cbabe188f43e97a1dc5488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b9aa12650e5fa345a236e3faf56384f9

SHA1
88c6fb3b56717954e0de6c7228a624b2a1768a57

SHA256
557c1eccf2cbba244716e9a755d354a9494ccfe6989842c42c189cb26033c0fa

SHA512
de658bbf23e5b6cd4c58406a3cd5256a5b9df1250c0340cec1b9976ac42524ced11995cb1332da3e00dc217549f47756932e445096ae32c19c2458a8c8a51ed5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5f6ea5890268d96c10c09a1cb29a39a9

SHA1
a7692f0b2eeacf84f0561501043806b51f6bd76b

SHA256
0fc32b9600cce50e08954a9a28eb0b75b4f797ffd31f8e98e9a4864d5b2ea7e8

SHA512
dba9ecba63f92144bcdfbe7848748302ec8a61331521a6a3bee0f9204c851ac4e223f7a409610ca9865732c98b82848ba198ddf3cd5064d9a2784bdb546403eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fb68e415cbbcbc8ad8f3ac1c2210370f

SHA1
dc29374e244d93a5d13d186f09090def2bc9f636

SHA256
92223623c3fcb4ea72b79b5495dad8259508844714641624a475d26acedbf0a8

SHA512
be8786ae4cb78f76bc78c6d650c10830e11665178e0ec9dba8b95c512471a3158b1a06c4c48dc1ddbc3aa4fd7b6650007f7271391bdeea13cc3ae81df054ec75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a471c08719f5d2bf90c7369036b7ddc3

SHA1
e5a9f12286641c6cdb53206b2d12fc38f05ed32c

SHA256
759fdca5abdd51c77309bf2b07c0779f17eef7ebc80735fbf10d8c15b89857d2

SHA512
371ce1a06f463680b8549220c55a507a7aae22d51835d867f0668516f8cd6093500adc82078380ea5ae590b3948a3ac92726152343b819fad81117de26996781

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5adc0ed75feeedf27dc22e27e8a3c1a2

SHA1
daf7db666595707c1e361b502cee701b4c95a036

SHA256
0184e9d0830dafbc0d08ae92af00df33ca300dc631871be3e2cae0810f03d57e

SHA512
6596940dc45190b8c5bf9d80acaeb9ac70bcc25582029488f09e56d36c6443c91d09b0afb910d7639e77216dd152709b49e01f12071363c446fef5cb3dd5db40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bf86b3c2084b1727b591170c5506de74

SHA1
c7a64e5b6afaede0ccfdc262bdcebea7693ae35b

SHA256
883f92b53fc4f8e4910bb6aa309b9410b35fc6b04b488ba8de37bc9bd6f09740

SHA512
469e9ade3471dc459b7c4567cf4cd551638f81e06ddf4a8c6f676d5fb6627c430850203682792ab7a6f879b85552659a07fef8ec5b98a564e6080c0aa6140fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ee684aabae67d3eaf7e25ea1a0c980e3

SHA1
79c7529d720e5fc170846b77fe66e38cc32ff737

SHA256
14087fbffab5051eab8204fb1614fd7c3725dc0f9bd82aa0a4c99ded627f96b8

SHA512
9fca4c9f6cc13b1a716ccc77df7ce390f07610eae31931ae6467fee3eb86cca714c4175a958ec27176469420e609e67102b1e86a9e35f839a0318205ac30c8bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5fdfc018aa7435f659c55424446e1e67

SHA1
d965f7106a2b745b59957a6b38d840369d500118

SHA256
5a023e94dc1339de917d58ab0877f0da20a8bfb45c326a7778ebe1d4f361b286

SHA512
ec5884ce0d4218ef50bae7c0214ac3556dd2463f83006ee89b38d0fd8eabebfef490909db72378d24f285f3b62a8b8da2b1891f8f2b594bad17b148c1c7a3f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7dec1af54e1676947516237d4db926fc

SHA1
3a16fc23d31b9a8a7e94a5b1cc073044774ebd94

SHA256
5ed818b79c15b55eec8e4c922fd87a2cd018a0379246289ff1fe6ed3bf0e0c5d

SHA512
b7ef621f3bcb3466a58b33b400602eaec106258450e97697fffa2f682c117ae4e60fc7d36d4409d03f7752b6a9ad9b1702b4b2be2faa7331da5d126e7f366f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
86dadb5c507726afeb65036df743ad10

SHA1
2481f6bf255d13d6040d3fa9415cb97cfde86397

SHA256
51705f81d021c5a4b7571920f529dd1a33605bf220fe7b9f064be9efe06fef2a

SHA512
a4a16c16bf4b93ac60ac60cb94d94a8bd0c7e4a373ec542bd5373f773012ab2c895831372838932197f8146dd70a161c9b62d9d53796f348a44ed2bf0995ca16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f5bee69f81d5d9ec2107a2ce816f1045

SHA1
563caf8a797b4c5ed8ca2c420eb746bdd7589238

SHA256
1437739f13a8005f85dfb2674cf5e5416b96433282d978d12a5818bb683d4d0e

SHA512
d31736e9964c887f6373c2f0bad238bda28696390ca8be648dadbfedc567090fe2a246da5252db5230c8492eee566b15d35a77b7fedb0575634abb61ab3e27b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
01deaaff9b06e7a9d4e092de56ed6aaa

SHA1
242125d393799198584f6c2d12ec488d53f8125c

SHA256
e9926b0cfac5e21a2b4fc7c4354744e691a4fc189e2b3c7c2f83299059512623

SHA512
a59ab1b7522dd1582a009990d0774fb3f5a40702b876c636253ea1784630c98ee6d7e29c4cbb892f32de60b2d1b9d86c16f6146183e415a572d0d68caa025f4b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
33cc6912a29686b242ed9e1ec1b89c6b

SHA1
596a46d74d2e91a0aa27b556f2a0105c32d95c78

SHA256
0954a4fa9416f16f552e9aec3fb7e62bb60d6c177ca8515580e94f55368c34e8

SHA512
78b48275828ea837963ad9a2aec5eac7009d79bdb73d9e08973a01aecf65f6f95a56e7a1de1a98eb06660960274619b4b84a7def10ee03a00ac1f8f5337a6de7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8d01b56ff8c042082c55c453cbe4e471

SHA1
969a90149c49898c4935dfa9083f59de4e62b743

SHA256
e6df2fa2e78ee233b7af1037ec093675b3cf11ecd3d8a683bd525083bc6a2df5

SHA512
606789fc457c322a6265f252084ac91e86bb2af5ab645c71da819fcfe3d25f759631f7f157b96f6e71e1948a141df3f77265aa975d60129bb0647233990e81cf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b054b52982dbe412b0407fedd39d4cb3

SHA1
c001f24f87a165d2db1ff63c8a744383303d99b3

SHA256
effe741182a000bc98ea0de59eff9eeb52f1ecfc35c351aac0777dad5a218e0f

SHA512
25fd278f6703354fcf1a5d56fbcce697df7831d46673c98f8b9e12fd85a032fa233eb81e5ed8494ca3ed1d1d08c0b0dd723ec62282b21b080e13eecffd8c66ad

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ace4cdf26f14d1b9e6f7311daff8aa9c

SHA1
86dc4d5d125be0fbc509cb9657ab14707d3caa8b

SHA256
ba5929973ca9a7b38d2cf3ec46339ca34bae6d277be97ca10fc33118d2507aa4

SHA512
9920366a80b83a6cb16da17fcf245d0506f2e1899c17f4ce94218ecd886669ed5fbd9a057b07b1d86437c00d1911e46a21cbfc9b19eb4e09e9d0d0ff4b05e9f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
078fc718cbfbdd09785e17c2ca800df6

SHA1
6ebfaeb5c6fab3f7a4f6e6f8a90b9f6fb5b0e1ea

SHA256
b99bc47de3db5a8753607d29ab3eb11e5803d8b3ce5766c9273aee7e055cd62d

SHA512
4eae1013dbb023ecc4cb5bfdbe811488db352dcbd74ea301f7a2f3f685033c44a1e04588a7843cd1f20d0befecc45a0448a2af08a3776aead01263bd49f8034a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6043d5131bf4cf9c29c63bf7d3d7b542

SHA1
be778f762d4f5b73af675a6e3ad4d6d98c17adec

SHA256
bd4789a65b2746f3bdbba5860b7235977d71787bda69d50532f3a8b8e6a6c377

SHA512
3a51e8f1dbc28481703c18683cd8b1d39f2d265254ac99fffd22e92df8c9c1edb4bfc1d80057259fc404acb9d9ccfbd6bc7071460753023e0c940d9e4de2f91c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e1c0038a75fbb4ab9b4216fa2a42d06f

SHA1
018500879eb6ed7d220c2f968e9ffd42dc02a9d9

SHA256
2f8830d336c3843c685fc5c6313d55833230a0d0cf778b3094694fa60c4b33e1

SHA512
5a2a3fe76bf671f4701affc400cf757925abae615d74e4e64366f84ff12aead37738b0741a8039a6843921cbb02fb1e5bc0a9b399da4ad90f45e6456df7d1e45

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ceee76c8916f5fa8106620246fc4beda

SHA1
d49bdf953a304322f429aed4c5694ca2cf2b3ca9

SHA256
7fe0d9a7227331058f01f1f30d7b9b37abf4028dacc3ee95a368c9cd455c0b4d

SHA512
a0182b444afed45953ffd0a4015dfaafd45c1482f61a2982e042136ab4400394972bc06406fc9d39288e672d6fc11b7a8e0c5739b6a6c12a5bfdfb1aae41f73f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b4e5b8d023175b5f69eeb6b126507c21

SHA1
e58c44240f33200b65f613aafbf909fed683d1db

SHA256
df45df89ab0654c9095842bc043996f43c927ac8ce8eaace2dd898adf41cabc4

SHA512
bed024ee482d207dc2d938c08a030ef79e41b96755f1d3708d24063cdbd4ab3c37bb50decafb1f9c3e4a2502d81478ed5b233c52d692361ace2277e702bfbb1b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d92e71ea850b0d7047ff67d49481123e

SHA1
31b2f0faf46e31d18739cd63d1a6cf1931fd3786

SHA256
22026cac5f862a5cef106650bdb74758ceb7e22e335abffc2af66b909d3c3db3

SHA512
cd1d82f80f783f400a59933ee51e5f7d58310a71a2f046aa96d0805d3f526b222d1cfaea4c438ecc774bd9a483e45bfd3e95252a4eb1fa1437ba2d54faedde14

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d048129930f89d79e3606b88a0850309

SHA1
2f406d4273ddafe83bf7a54a17d719cec7b51c5a

SHA256
a4f6e6e730eaeabd5e12b49648f967fe4bb1f900e148cf4a0cd3a5d33479c569

SHA512
dab82667a4306c994066d3457d37fe7e1bfb0e27b7474fbf7900ca6f201245db59ccc75b06352ff495ccc91c1ec3becb1d32647bf577f04f2fe5116a7bf82c2d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e598f3a1200865aa5f5a00b434c1dfbd

SHA1
bcaf0c65ff8529647fac1a5ce8b9c59137eb72a9

SHA256
37e5e17abac2fa8c7711c11e31b04e9540eeb8c6c50eb94b3d32948ae9abf398

SHA512
4551e722248d370709c86abbb25b61269ff1c82965f0daeac5c87d74a4551aca90390046b62ea670744b563b292fdeaebbc7e3c56875c150fa6890abddbe42b7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c69ac43b27262ac67b1a3830a7b017e4

SHA1
0547bd1b8f59053d7662ce2567f70fad435dd19e

SHA256
5466f05695f4b64b20c63e53547a287eef30e23dc391fb4e4517f276fce04159

SHA512
8a883cf5dc682fc0706c5f866a4ae08eefcd8ca28b6005d8bd3a2ca531fc22f8c810ee555ef775ca6fae371d5e8ee520a4ea083b3323592570691af6a7db8029

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f331318072b8f84dde042cd0e0bd373c

SHA1
9c22cc78f86659b962f2ca89917dbb88f1e832e3

SHA256
1b3a0958e1924feec5502cae5a22ae3d94e719906545eddede47817639ea588d

SHA512
300548649a0ddfe9a1f30d7b2ba53e90053cfa846717632ec1232a04f9221480f403839d1c59139d86904f5d52d93243dccc2f4d432f83a47aa7ec9c3457d4d8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f5cbb36916290179b466a65d7b7f87c6

SHA1
af969f4ed3b77613e01fab7d7b29e66c5ee788b0

SHA256
a0d0589fee9ffba7e9af5e362c562ec0c46c9ceab9b238a523b851e5edf1350e

SHA512
d4fcfc808139ff0313954901f5922bd1abb8dc00a610437864d8d8cfc5da4c1877321c194f0d579cca2cfa605af956e9f55f9e55020f826a026d0960ede463a1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ec38338b84b63a438d5cd96c78f12458

SHA1
a10b55ba3ff8a7549fc9ac5259cad42d9498cd83

SHA256
cda47295f3e32a7891cd412cd37b360e4c2fcd55ea43bb3becec0e39add62535

SHA512
dd27486d97aadcb3132365db91a4f67003381367268f2d11eeec491d828a72eaab98118cb74ac9aa6f4f7df536a9e7989efedf61fc0114187328146706cf5e93

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
562fc4ccb5ed726f76370465461810dd

SHA1
974486956fba4451a031b4b1df196573938a2b20

SHA256
e617e6338bdd920044bcb84462e58d08dfdfd38e494391f2ebe714d2fde73b33

SHA512
a14ba307322d048ad1ca60e06ce09dd7a0d9b607b4021d1e493133acbe8b08e586569f9cefd9f80fc6258bd6599e07195d7643938aae2adce1e1fff525bb6170

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
102c467066a3b4c2d4c21dd93a5ddabb

SHA1
2950f481cf73d4e7dbdf74b5560b53f9ee5c925a

SHA256
f2b095b7964f2056280cea3c3058c0115a22600bd4f4ea9f795f4638349fab39

SHA512
a4f9e925804235057e30da2a24ea6c7b20a4566e4a5de8b39ba07c7b2828f4145964978c1759d30c9f2c3df2ae50d2cb664579e54d087cba569a78db6ab70af7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
79555a4c3024bc0b386500910e121eef

SHA1
3647091c0416279ad3e35ba2482f73e32f7cfbef

SHA256
46dcef01ecc61079399350f0c0c11db374310dd545247d6763ab8c4f7939d6df

SHA512
12cae9f5b899ae34bed1c965f0f4274dfb86052dcbed82ea86001d0f5a06168c08a8a58bf17861e5ed4912ccdb4d23d4e33c0ec98edfd72a6dfb60f5bdcaa4e3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1fa81af33c79192f866f6a05d7e8af80

SHA1
a6805d88903a23392c0f025d6a121aa473f7635e

SHA256
09fab0c6b8a875578ae7839dbf7c7bbfe09c17d691dc1ed806913c34274b1cc1

SHA512
d366c6aa8abf480ae99054676b1e9345287e234409d3ba8c1da93d1add60b3ddba7ad5670d6ac9a83d7ec3b3ff927958c62c1fbeb031af8b720531a141025421

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7f40435a729d43567dfd8b8cb5f0593d

SHA1
21e800c8729ecd7f85f86474d8a1f1357b2ed8c7

SHA256
7ef036a205fda5af2908531652241b3552bbda6e518eea353b25de264f906e09

SHA512
c30056d6e3e83ba44dcfd7492cc59a254f9cc3d7f71fffa2de11f4acebc20469781ea27b088154d968b5314b7ec29dead0c8dcfabe9ce094016d98091d23a825

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
aef0e9f730898f696ff391160149a808

SHA1
496591d8f8f11a78ee71cd9afaea3079e4159a44

SHA256
e47550537b749f476444a3f9535f8c1c37ad5d7111a4a9eb0879a2e4f21b2d62

SHA512
1035f882cb2768a90e091ca2162219c0b1587074ce4df711286afc2909d69b0e23c9fd62c2c3d8bfdb6ba7565526833581554765ab8ad1baa3171ee7d0f332df

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
997d5910627b8bb2877bc81bd37d99f5

SHA1
3a4c1ece5341c3d10f2c1e4901a58569443e4b93

SHA256
c318ad8747f0601184edbd89fd0d28768b50b4c3941c8e4690415188e7e89521

SHA512
97cab4cda416630478b5e8bc88479efb6bbd0416dfc9add3540879842192a14db83fd4e44e4b4f6d11af95e0bc0d610ad8b7ae637bf116e3debe4203a345e9f1

Download Submit
memory/636-261-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/636-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/636-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/636-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/796-226-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/796-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/796-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/796-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/856-212-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1676-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1772-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1772-515-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1820-510-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1928-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2036-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2036-516-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2544-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2544-88-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2652-509-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2652-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2816-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2816-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2816-507-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2816-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2872-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2872-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2872-471-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2872-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3276-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-511-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3684-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3816-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3816-80-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3816-74-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3816-84-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3880-214-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3932-213-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4216-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4532-209-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4536-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4624-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4624-39-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4624-45-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4624-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4624-59-0x0000000000F00000-0x0000000000F60000-memory.dmp

Filesize
384KB

Download
memory/4736-202-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4736-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4736-8-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/4736-2-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/4904-205-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download