cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Size

1.2MB
MD5

0b2fa493e4942053ae933d529424cb68
SHA1

cf1a1ca589e9956779ad9515753dffa92fb6282c
SHA256

cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be
SHA512

1653111d98f7aee5ffb1c134ac5e07006972d19c0c2cc6dc2b12212e20045ce6c81351471e63cd04c6d0e3edcf924c3aa782e4e305d7f63597d9671bea32f374
SSDEEP

12288:VHglMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:VHtSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1760	alg.exe
2836	DiagnosticsHub.StandardCollector.Service.exe
3952	fxssvc.exe
4880	elevation_service.exe
4064	elevation_service.exe
896	maintenanceservice.exe
1128	msdtc.exe
4028	OSE.EXE
3380	PerceptionSimulationService.exe
2108	perfhost.exe
2744	locator.exe
4316	SensorDataService.exe
3540	snmptrap.exe
4668	spectrum.exe
4416	ssh-agent.exe
2536	TieringEngineService.exe
532	AgentService.exe
4512	vds.exe
1756	vssvc.exe
1244	wbengine.exe
4676	WmiApSrv.exe
2712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4ea1443c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\vds.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\alg.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\locator.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000586e31a3d3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ed39ba4d3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000519357a3d3b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003967cca3d3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ba92ca3d3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016ba9ca3d3b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000259619a3d3b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec3a41a4d3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeAuditPrivilege	3952	fxssvc.exe
Token: SeRestorePrivilege	2536	TieringEngineService.exe
Token: SeManageVolumePrivilege	2536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	532	AgentService.exe
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeBackupPrivilege	1244	wbengine.exe
Token: SeRestorePrivilege	1244	wbengine.exe
Token: SeSecurityPrivilege	1244	wbengine.exe
Token: 33	2712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeDebugPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeDebugPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeDebugPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeDebugPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeDebugPrivilege	3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
3884	cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 5664	2712	SearchIndexer.exe	117
PID 2712 wrote to memory of 5664	2712	SearchIndexer.exe	117
PID 2712 wrote to memory of 5764	2712	SearchIndexer.exe	118
PID 2712 wrote to memory of 5764	2712	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe
"C:\Users\Admin\AppData\Local\Temp\cf1a23be992f2f8088f433706e0c16ff8adfb0860c255597ec79a5f435ffd9be.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
1e9d84eb7c95bf4805b77917f6d3c3f4

SHA1
6ab0c1b1270acb141c078bdea24a7f6ad831db49

SHA256
1fbff729856f9b768768ac2714a138391b77c5aed197f2b2572698bab48d85d2

SHA512
68d43495d2717fb9220efdd2d91854064644d597471c58bd7d7e2bb133b3508e49ee94804d99d43e3928068dfb539844609579dde26d29f7aab297dfef74be6b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
48daadf576cff866d469dfac784ce43e

SHA1
b7832038cb0c3d0bedf488c52f0be92f795c7c24

SHA256
b52e7b0f2b72542de84a2f2c084d88d15b01150c4153f2c206ff2d7cd44d0544

SHA512
93e4c6e5fc781bc33ae1687b93ebf3b0f178e4fc23cf2afb05f121248d7a75cf8f73d658dae82a2d60b4c631598ae736ef4e9826363d4e50946355bf707ecd16

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c32e15f0beefa9652fe95f48df79cd4c

SHA1
f3af16f9e9a9c7b97524383432ade575255d6fa5

SHA256
81328231d44c6ac5e606f04987d283153ad2bb522490ad4edf19f870317d8499

SHA512
90008708c27ef71872866c3e60c95d49af1deda3eb75939a81e4584ef3ce650dcd06792a65fae966ee8efc261aba8c9b4087c6a0b9f2d572e1c8316f0361c33f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
92e82f30b0c82e5c0fa53df26a5662d8

SHA1
9dba4c06ad081039759c178e3583de87923a1277

SHA256
970b7b14d16ff82591b56f0ec7057412aa30ec0cbda3774f1fd9cd09b9d049f1

SHA512
9f13b1337acf9f9249221000216230727ecfa6ceae914fcc2f7ddeb6aca4b149235779e7361f790e663daa81431382fe089362485676977174a94c34d6a7accc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1c8da023583b37e0195111c806b67482

SHA1
754553da93cb72e1595623880935fe8a51ccf7fb

SHA256
9887b1bfaed1b62f824118e335cb0ce2dcd2b1f3e5848fd0b64cf796dde424e6

SHA512
5d20f7fe87606d5d8ec50939bddbe5849cb6d0d4373df6cdb348ab0d133fab68aea22a8fef66b8494f0f361fa0f814e0e1c33669d8f8d8f9fb49f067aab75bde

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
575cc26d2e66f6b9e0c26994c8492269

SHA1
4e8ff5799e21b0b8e35415e2368dbf13716f3d90

SHA256
5eaacbd2851a8bab7571d8a0f7ef063590f0fbceb44a7e9961725ce8af798489

SHA512
07b4cec77ea9082f5c5b9a8e946dbd97c74cc9dfd24cbf8feac87d5e44d4e1a43d1cc54d00e343ac58477daf2da3c044a9c5904b3f4ff2404e352c7ceff4c986

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f5645c5d4f6a235e39130694975a15fe

SHA1
ecbae4c1fc26a45cdc71fb3cff11e6f494259fce

SHA256
52caa5e52c3b12990dca64934dc78de5f811796fca4e39db5202b46acafe60a1

SHA512
22177e5db7375f782e2c6f43c2ad7f766051863e25f1ecab9ba99779d740d7c69e6292bc3d727b7cbc117f9d2f389aa5f08bde038b754c5242afc8aa90a2a9cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ab4ac0dcdc6f00cbc794d3d2b3aa6f3

SHA1
219eb292f55675dc5e532e1c0c545d8902fca351

SHA256
d9ec9d2fddb7f4d978c28979a4b6623b79fa28109a68e591ec38ccf3eb06fee2

SHA512
b3d13bee8e805e013efed9a4598211e6f88370b18a317faf9df5d2cc9913cac6f2345012ac0d56e3b09f5fa5a60c1cd9c7f13904063fce5c2cbdc12523ab4f7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ca4be9a95d3f0a8b45ac3d663f8483ce

SHA1
f17181c4c62101ec6ac34f6edd6dfe03c54c8c6b

SHA256
7e8dd256cf5ed5a7f231470af2be95bd72a016dddcfe82cdd19a97347425cba2

SHA512
0f4c0bc68ce40f1d2fd2a0ae1d69f908cb322bcd04cb1b9f874673685b431ce956104c07238c0b4ea5d5889f5b87226c6ee1797d98de20faeb331ebb7025e2ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
18c6fb5b9beb5f122c9cb0eb605bc6f1

SHA1
f6b071708866c63a55112ecd7a0a0a44e3a74289

SHA256
3ad36908eb7aba470f17a89c67070d25577bc90167944fd2d29f7ad0a0601d06

SHA512
e6567c61fbebe8fec4c57178ae49e5f1347f620711527da59a2603750c2c02b7a2bc0370a6d88c6b2136f73b279b653781d24c022e1b2d22f8de21a2838ff068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4a77869443a5caedfb0e2badafd0df1b

SHA1
46b7ce80dab47f0c19105cf31df7c96e27b558ab

SHA256
e7e50798070f0e7cbba12499392b336037ef6116eb5fb1375acae85a6d561dcc

SHA512
5beaa36e9a3f4df9b80cdd838d8720de385ddd90d2f1b32df8f7c4d501b7014f020bfcb4bd9acb3c41add6b72ebdf2dfefed542bcba780a5c01af91c46fb290d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ef1e004b51b42ed980d56c6346e39466

SHA1
0346332e0112fb94612592a0a38786846d470960

SHA256
c7d5144c7dd81a9fea033b24c9610fadfe80ade478add379d26fe160abcc7333

SHA512
f217e402019d403736a3a26584cbc9899edf113b6a6ed3813e3d53bc4d815e4795056148a1d22dff0f6962f3074fcddd180ec7716ba2a202996d9121ecac542e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d7bd883dcc4f24000011a6107df4f8d8

SHA1
9f3193af0595bd4b4d9db2c99b0d05ed496f93af

SHA256
41c3e5fc1df356392244ef51f81ddfeda47bfc0f47531967015330e6e346017c

SHA512
fd57696624a39e2f296fcdade903410baad356022b4ad17b99afd4b2e1fbfe484e4ec6c6b24dfb42e3e0ebaec90523d9642cec595f05a208d655e7e869aebea5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
ae98627ea6d32511b505c5bd983cd77d

SHA1
7705e05a43949ee8f9f81834c5c6293c2156f117

SHA256
152192961d13a09fc365c0498a07bf46f2a4b629476bad4ffa189fd681abe3e5

SHA512
52313c3356e2d5d87c3a8119698264e0365564e3169c48cfdc9a45c26d65c07b6b0bbc9e4e2df4aa7ce71d61c7d66774d681c5e62c1ff6644f4089b86107c339

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9169f1dd4bd4ff370f6ab3a5c127f2af

SHA1
4d5ed5e542314e00862bd49a0ab744149461a2e8

SHA256
28f2e6a83d645bccf0eec2ac04cb428cf69e1c44faf95c70ddcbe16ba2050ffa

SHA512
cc63943ed281fcd5d11633fa408e7acf1fb049edfead7bbe1240ebdd6cdc4d7c9134ef29de1dd28da807e143da9f6b3991c15978b6b1739b62bcf40d09b84dce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ba5f444361c4c051ea2a95de4c92e2ef

SHA1
edcecf3a952583d26314316f6e88dd342b067ec7

SHA256
9ce1be39d03c2933f4f06bdd4f579910f6550b695df271ce785466c15b10fd4d

SHA512
1ec32d95571cec58fea5c45f108c4918838d4cc9ad10fd67157b29277e927dbb9e35b908d9494abe916a0d497d496e15a0aac96b23101ef7f77854a3b177be0d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
58a66221625e843ccb4a7770eb46aac7

SHA1
c3b1db31c906a7fe6c4ab62356db554ede96d10b

SHA256
e78059b518326ac30d241416536fb180c0c1967424101e342bb7a7f1c5997aed

SHA512
e1f93a40d1c342667bfed6ed7ba28e6936c5f0f8a10d3be410449a4eb6c6ae167e95f7a89d5af92f3ccb6b1419b921440d79131e38d060467b2f7857847c7ae7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
88e0871c9715817739b128528f8227d9

SHA1
c7ef8ec5a209b1d348fd27ad7077d29096f7f3e9

SHA256
94b4102870f3b05a56370555ee17d5920fd7e02f4d4fcf340bdb37a4fd710e1e

SHA512
cbc802094a795b4d721c5897fd41f87f56002434dd84c68a961414bda23b75c80b3ec924cbe14d6e6660899010f7c1dd97b4999fa2b5922bceb5f221f09f1062

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4c6848d9acd6b1720c857098ca51a63f

SHA1
fdbae46258ee8e722a599cfbde1f6feca44fb021

SHA256
2b4adcfe68b4999dae27ced98b08d534caebb14d30db807ea163b59b86720015

SHA512
11253232e2ac2757e18536ba89641bba128900384a96c8d34ca3146896106d24fdb104b0b33224612b86ba4246024243f760779176fc4ee8a7d960464c287835

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
801574ee223cdd40559e93081e9dcc69

SHA1
52a806c2403ba484b0d2c094bdf16a57e7bf4986

SHA256
da0fb9123947bd34761e4ca3cb5aff52b289d09f94b9c093f90d223ef125c067

SHA512
d9a78849d1c88afadb0637cec4b61793dc63524819870b4ede4c611dd73d3814b14398e958c0825b14149881c42b31e185ea2b26912cd1d974498dc9dfafb5d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f18787cd92a8768cae1f9f478563c4cb

SHA1
0514f582b126c187ccf092bd6f732dc237de3bd0

SHA256
ba43c7c03a35f5c198082683f5babd34532c9e31f7d35fd5c41d8a73a1cc0647

SHA512
6aa841a880cc28c52936fd984feae4fb71206f1ffa4c19dfd89f616874c4ff6e889de031dd54e9f2c437e7983b7a2de9e4c34a9f47073df0c347df6c98d633d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3a11038fab19d36ab2f8091d53a96875

SHA1
1476f52c291e60c872621c4a16b5b96148696c87

SHA256
9b83eb5e780b00b96e3fa516b2abfa06bcc169ff3b24efc450082b2b78732195

SHA512
3ecc5ab582f42553c3019edc97aea193117a446e00037ed61efb052d54b4c25e51e19c1fb545f3752713180d41d8981db83f2e9073e469511957436c60395884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2640771f6806af7c9a9cce506a8d3f4c

SHA1
39b3e148e0f1de54dcc60ad6f7d47aa825591d40

SHA256
a2cb7b26764680ba022a4555e96ae226d3d913aa0df9eb7932e067eb3af42edd

SHA512
819d900cdbd9e50f2498cdac9f0d03c2b1d51176482018885955cd3681a059aee0337806d37ee43bb38d9c48f846cf844e327bc9154066f1d16bb1f049a69a3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b3a259a4c99b9673a2e728c6918aad17

SHA1
e4785a6129dd33c1f5c4f326763a61f9ebc5985c

SHA256
d54821ac28214618b11748803b68c3332cf5c81dafed34cd277734d56659335b

SHA512
5754e4a17eba65024a335b11a34d5f4bb55629ab443a4218703e7e4556129a5b8e0e5925424d05f17b08773d0262ec42f6524d16d6ef38d0764dc8836615b228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b7e4f8f72825efa64eb05490a011834a

SHA1
b135ec5618995269fee2249e0d7a2084d99d0e3b

SHA256
46976e41d354bf38f0ac1a89b1f5a6a9a596dad492d66744b8a33c3690bd4d57

SHA512
7bc5e48d1c9712864de491fc90441756abf5387038964707245518e1d4515a2a71acf94c8c54d7add9d051f4014e8298fc6cf284d7dda65a420a7ceb6e47d3a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7de6cf6aa2b00aa1b0bfd2b2e86a183f

SHA1
bad80c3b24c10fcda78ee993958dba40a9ad0bdd

SHA256
b62b12c0375659fec31cfc0633f6cf16c67c0b5b297eec4b460df805f990f23c

SHA512
49fcc123204e607c101dff589fbed7a3346085e8805bf1f4664e2f8b31c1e105ed78918afb91b0eb34e4c6bbc4c666a4f8d5f1b0708e42c47c497329780f199b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1817771afeeb7591c656b2e76857fe62

SHA1
8e992b9e8969a7a56a6f007335e7bc0cae2b2dba

SHA256
93b7e98d1a0867fc222b721e72ac081f7d4b47d755ebe8ab4a607f455e3db55d

SHA512
80ce3f2edc977dc12ef78230fd5cd44542b1b642f8ed156f17115ec4a9034f051aadc51856e254a48a0b182c58fd80c62669322b92fb2cddc8a645e5b6ad9c39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
f9fc14d0f38a77e4eb8358dc1ae991de

SHA1
d603168511a1fc46e3d756baf4b4928fe8d0dc5a

SHA256
cbc6d9d30b954db02ee243aa921ee35c634e66eb87a414a17958ec728daa1c1c

SHA512
c87831cba33562aa2f1f49a2236efd2eec28707cdb2669a5859a594de31cc2bf51a3625672f3846ac31ae9f135117eb68e852f4e19bbb303e4a343ed7bc4e8b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9566b078d2af52a9d63293c489aeadd0

SHA1
7a0b48d6320624cf819115e58e5d3adceb766cce

SHA256
5e1b2f0e2549097061309b1a254a440d72948266336b1288934d3e2851742ad3

SHA512
4ed2cbeeb89887a69e89d21337956a797542f6590233e18935c462d9421c5b7d4eaebd77e4826dc396aacb686269849b95542d98230ed52f90925bffbf168916

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d84fdd1ca71aff6624a39ab772613211

SHA1
653001396dcba01dfced6ea2bdcc7ddbf0c7b625

SHA256
ef204374cca1d91ed8b2f18df3de41b52f86ed0d47a6d0c9f5a8f17a8ca9a3f6

SHA512
8694ecec27efeb009aa840287b413249b4e04509dce01d15660f7ce190593dd1860001b4acee3ca0c7a22d2d9f7691d25bc955abecc276dbeb8c807801ffc6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0377d1828beaa8b46db19e119f67ed1e

SHA1
8b625a9ae07d492a5aea8db96aa6683eb9eecec1

SHA256
44950162eb4a77a84560a22d320fc70cb57ed3687378998e5429f9f6667ba35a

SHA512
a796ca775b59b8dc840b7abab07202b02a982cb0deaa529f8ce79bc0e2f3e5ee550b49b8ffa47e547f495581c89dcc421d91970dd864512dc04e3c4d89092ff8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1065bae6ddb13f7566fd189f24a45446

SHA1
5fb8ed327d7fba26a52bf9a17c342c8b23c36873

SHA256
999e264f7c6333dc9738500b7f0db9f00fbba69f124f720cefc580261dc9300b

SHA512
ba3ae63a82ae534eb3a4e087c8b86de2e5656121cb82127da340d1ae09fcb94b0bd6c2a512ee10e67b29339e39e83d004a1943c59f2a74259143603524a77fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
76a2ba5f94dfd4bc3e5a5e7b62152be1

SHA1
3a0c21af5d26c3fa649dce486d1bad56428ae8c0

SHA256
8cd64614cad42f3e88e5266df35d890929b02e2f3d29bd249d72780e92be79fa

SHA512
de4c3c7299d2a95bbfa8513bce7373875d7acaffbc20a36c40de1684a6e2d9960cb6b15e9b16c64652e0298ede01ebe69529756e715f88015b1e8095c2c0aef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
83303e2a3f9862cb18e5d9f6f924af13

SHA1
883d18dd170c55f13c78c633931b21767d03b3f8

SHA256
24aadf7609a2a80c93f0711ea8386f5d4667d47557096d6ff58bbdec3c283246

SHA512
62b16228d6d7bdbb56bf8ce894ac779848aae0e545100f9fb6407ee3e22e19019feef899b278661a9c0d78177fea74180f4e8dfc1915f4092c54939342eab7b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
fd55fdfc19cea5ff3f78afce88bbb730

SHA1
f9a8ad604ee8866eac2646b27ea079c9b876297e

SHA256
68360c1c29a669e440c3c79515d21e60e1a7d4bd599eeee9a96958975005b244

SHA512
6fb1b6e3e0a57a01ecd4ffd1e8070c60e374245f424ea864f8213376139822eafdaa1911af2cd11f100a6ec02f86ec7ca726630630361b2de144c86be6d65de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
845c8e0d90650a303fd7dae435bdc198

SHA1
8cf2abd85d67c5b51c5fa0db07bd428504c01254

SHA256
d2dc0f153ffbd4c7f1e14c4f721e3d98c4627c7cda80cfde1cc31c55e6e66492

SHA512
b5ff1021be55882015f90b38560bbe587e4ad6ecf70535bb9c114f811332088cf3307362b707df0acfeed90908973ad9711f8c30b18b7fb07f1579ee7c2dc4b2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
41c8ed06a578ae9df1ef7c022e505f76

SHA1
6dc460db92132f4a342d9a044b362bf8c35a2ab9

SHA256
aa40d9cc49de448a8bfce90cbc1b32eb22d632c2179e250ab377dc371afa79cc

SHA512
afa9c2b08b6a72badf43513936c1c1657257a97d30eaaaca065504154f47d4340ffbc48c5b41a9872e318aa2c2756929116cfb8ae7e78a5309113a36a39e4293

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
72585e9e37712d31a6b2fdab5fd61e1d

SHA1
083b8b4c9216f581485e531a8ec68a005ae979a9

SHA256
c3d53e00c229426fb7563832bd01cbdbc0b9c3d3d281206f732d2fa922e522f9

SHA512
e9d72326925b71ec961b5419f880fc1b803920b6e38f90c5af0dd78750b5b56b63bf702d5bd64afdce3be131c0bd29418154ced85bb59775b6117d302dfb236a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8a3920a3b99869b4d3ca357cc39eb099

SHA1
bd92dd57500559930aff66b05fcff84c96ee4a32

SHA256
c39719330fcdf1653da96ea847475ff8c31993cd1b2c158aaacedce4b71622ef

SHA512
5e98c0ba7ee74dd06f1580c1fe142acf7208f2241803c0fbca831647531463b5a1b9187e6f11f15eb2b83ed5e2672cd07de38827f5051e85d7431904a6cdb538

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d0e57dbf4f722f2a2ea372e3f4acc53a

SHA1
5ae336bda9bb54b7fc247d3c6058072344bd05f7

SHA256
8872000285df97f3eaf620b333bf2e3d9b7321c2799c185dc4edc62a1e2d6efd

SHA512
40934ed36967a8dd187a016f791f66f10f34049fb5e29c7fc19c1bd13889e86d30e4ffc3e0a623ccd8488689e591dbf0377a83158293a3d2a3cb0c6fa489f68b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
261b10a4ef5ee429f767e67e1517f2f1

SHA1
d3113dae8776c6d21f80b9e146432f144253c6e3

SHA256
c54ce0785b2d796a9df59a1273a4d3f2a0d60b3ac0918e2361047cb656862f84

SHA512
54fc9517f7af205357e174b8fd82afe210bf5a3597ccc0d23058a54d7c3067765524a1dd3d588b3d469976793a04abcb1ab22916714b46daa7cf84e7bf7d56c6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ffa5336a541b3497eaeb5e33ca3a88f1

SHA1
b47f6e2915c52a923c2c12bd6c46fce1b814f335

SHA256
8065909cbc00b692276d2583476a59b899c0c3cf58045856bbd27191cfc09e60

SHA512
e81af3f94f1ed077e8df7dd1ef5582461c8ed678b85720c932f35df4ee3af39cffa3384bb37b1d97478b645940f065ce0e4e95ce1b0b103a51273c19836e2df7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c1ceb5a6c68b54827534adfba3c301cc

SHA1
9377db862c4ba9637d1c2fc0594fbf3a3f6ebe9c

SHA256
2368dca8e90adc485815fc698a4e53f44967c0d02b1b102c27a95003828c8981

SHA512
7630a6448ece61b45ae6a77bdd7e742c276aefecc7ed6288e8670a246d08196e421b3423163090d751ab1f37659beb14a9444332c6361fb9de1b683df2baf346

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
245a203eed2d14c50b4ee506640eaa36

SHA1
dce059bec1b28df81cf3559a11b704333a0d2066

SHA256
75d5b791801d4ae3a59da44138bb2b0ff3a5e9c83e1f41864e24ad8c58707a57

SHA512
1d89a36523dbb1121dff027c11f325a527ac3c7ae136e2df1b178c1654682c1119ef78b3a895b5065a7b112e08c36daf51dc7dba55d98d48a613c27611b893c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
95338f1df332c4972fe0c82895fa5c76

SHA1
e7ab3a02d354d0142dfb833f43e78edad5649946

SHA256
a9e5ddc505a4c4647f7d1fd9b48d734792317479b13c0c8e3aa91230da966314

SHA512
41757dcbccd24b877acce74ff2a497c91aaa05ee73070402071580606a138dc4fd4d0ff7d51ac969076c755bdfbc9cb015de226ab644b60b8d065a47b38ef06b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8c1f2961f4b3821babcd4e7e609c9c81

SHA1
73f585e6ece89bac25267194691a62fa1ae1bda7

SHA256
9ef6e0f1efb693a56858c4242904ed85ef0229407d1a8c9d837447dad50abb2c

SHA512
f9901d37625ba20e177afa4dbac4f71e08517e57f8b7eed50539d283d484d96e41f220883a34dab7b97361ff9d4431bf8e1151f02367f0df3ae4bf4cddd77a90

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a4686e917c1437ea03ce27f122623539

SHA1
447bd9ae04008c96fe151211f9af4ca5f54e2311

SHA256
8db1f73b7c4351d34606845f2bbfd49521316d7a5fb544d4a21129d972d41b1d

SHA512
5b024eaae40df590145f14e9ab041d26015c033078051ba14cd0017cc3dba780108ce2e2f40717f3e8c68611e5574f2fa607413a557af5eaf2d4fc3224509bf8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4631c88a0cce9142e8e777010b05ef98

SHA1
1069e5ebad457c7545ac6c1e6a1ea65cfe79a56a

SHA256
c9f55e66a166615498cadf0548becd1ac8c0a7e556b4a726a93d85e2c2815e48

SHA512
3a4f6e921a49a097fd046a003165cffa6d592cede8cc82a3f5a94ce090cb533f62f710b36b32c430ae9a829c6de8c1127bee0923d1bd103091dfe92933e3607f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f124f1aaed372367158e01048b37a831

SHA1
35bfb7e866a19f245f85b644cce3ebc9d09e6bcb

SHA256
18e428a3670c550b7cb953bbdcd9ace3a85b7e77289861214fdfa77c3df5c345

SHA512
359701f9514cf0372ce85e1beda5ac2b5ace7bb595fbc689301aa4fd392423ade9955389a5057625c12888c143c467e2ca16d55b1a74154f83e5b4a280b76b9f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
464a0524a9776a5352b3cc61509f2d1f

SHA1
669036687e9102b176862b293b569dec18b0b60a

SHA256
dd4d5e56576ac87f6c6917cafa6b57ac2162f55908999076c79017d8dad9f3e1

SHA512
db3ac99d13da2724d92d2470000e82cfdce54d2bccc8d15cf1e1b8025cfc59595e6470c87cb179e4cd3b60ea7b72fb79d709256a277666a2fc743451af298699

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d43de05c4f8e474f619f0e6e8814f7d9

SHA1
1fa186aba136ad6461a21da172fd70f1d97ddf7b

SHA256
3b5ef455b3cfce0e233c7a98e3238638fb00f3047990eb307124fb36d3b7aae5

SHA512
094b48cd5c91ce70a7cdd2c24b7190f9eb6e284d9d8324d0ee6e0ca8091ea1ff02643734965e04d1291ccd0c25deea09bfc13e7b8f01f6e4e8fda4839ac04a4b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
fc74b1062d1589e5d96fff50b3bdb477

SHA1
b32118ce8c946873d4971b4111faf181eda21cc4

SHA256
e7d82413ab87fedf955cb67d1a10e77f394ef24b55b61302acf8dfcaff1dffa5

SHA512
c7e379ac6ff2f6b821a25c222cc2f0ad5c46880f4704e6bc2f8d2b2a514eab445ead5e76e7154b63ffd13dcce357e600d8eac8f423b702ba360c717c85fa9c2a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ebd02308dd8133c51e4fdd1896b10233

SHA1
ac2d9f292531b985145305b778b28b9326aa10dc

SHA256
e21d34db4803c756a2e6b6453c610267fd3bc7db5a13502c73328f246a4e9d5b

SHA512
44647bcf16f3d0f2dec8fe9bc70d78d99033902e29964d1692c4c952f1fcb3ff2ee7e86d69b3ea5e74c5d4df1b63f0d5c2b4e2dd19fbe57484100391e2eb9668

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
12bb7d2dd5d65dae2cc6a45210596368

SHA1
069790441adca8eba1ea1f3bfe547fd44506178a

SHA256
2b1c7ac305c6e696eb794cb3d45b040c7667018aaa9a7c321837982fd0c54953

SHA512
6c36bd9a4f9952a31fb7ca06556b00d526656f0d9849a445032df3a36493cdc6ffdc0cad5559b2c17814ee8254bcea8b62d9f66d3aafd4823ad5e48bd68b8acf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
39eb8f665c1afea55d00b4f9c15fe839

SHA1
2784551c43c644c54375dd7cdde161a3f0cd5d26

SHA256
fc84ced8dcac465bd90726c7c2fea9e73992b51bc64bcea90e44596514909a46

SHA512
ad0ab963faf3cb41d9600931cdf5ebd26b0fb16e575d4a074c23eb0444de5dbaa6062c646938f88ee401e3f9e8a7d0e8e01b16d0d85202ee6393b4b41b4aab15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d6fda727bd9ffe5435b83458c70217a6

SHA1
e2947cbee8e346d9d892f68cf5ab69d233731781

SHA256
0e499cbcce170a0fd97a58a521d2165054eafb8946014d82bce8cc35fde81b3e

SHA512
55766780eb19c14b4ae450b612a8c90d9599680285357c96477088febf1236cec6e242297c4f4c73bf611b62903556fb8dcf92c21a2b86fda7dea3f830a42d3b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4777f1b10a6f87baed29a16dab9dbe4c

SHA1
4151b6415c7b6956efcd6555808f9da77e120af4

SHA256
04b4711478152bb0da0ca2a30b29007c22c4230cba2d32c71618aa9235e69be8

SHA512
661bb2568d4dee9b48aefd88f241ec6ca1ac57d17ba2230b3be12c758db0f5f6d3275c99fb82a97f54203437ac23b9ed47bfd608fece4899099166cf83ea70cb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
1f31f78e4bfdbe4199f2f33cc497c68b

SHA1
373c1e47236e5d4a336e26a5b820e98c1ae52c1a

SHA256
c68103da053efc7520e2388f84932f1892c4a4ab3e9934a112c712bc16d6bb97

SHA512
4279ff49e549fcb71acd43ed8806021d66ba6172e775ff463eb52119182710e7129d7d7293c68d0c2fb6a648037509ff09f60acc43cf7eb73721a2b0a7bbc1a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d5d51214ef94c3e373dfb9c40df43783

SHA1
c18a6d3ffd30ca1f6a3d5856f59f36cd5cad9a61

SHA256
7bedba8f3496959887d6e5c345f8288d92403321c6d17926c4e51f3b15086904

SHA512
2863d8724ad70a50d2c505df7d8f6c27922c50c61e1e9f911bb76c524ec7ba6604fdeac55394da7c4a4210f4d1c230a4c50dcbc7bffc8291aec33b2c101d3540

Download Submit
memory/532-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/896-69-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/896-78-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/896-75-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/896-261-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1128-89-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1128-147-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1128-83-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1244-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1756-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1756-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1760-466-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1760-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1760-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1760-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2108-150-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2536-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-591-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2744-151-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2836-27-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2836-534-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2836-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2836-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3380-149-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3540-265-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3884-0-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3884-6-0x00000000021B0000-0x0000000002216000-memory.dmp

Filesize
408KB

Download
memory/3884-264-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3884-1-0x00000000021B0000-0x0000000002216000-memory.dmp

Filesize
408KB

Download
memory/3952-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-43-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3952-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3952-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-79-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4028-148-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4064-66-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4064-587-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4064-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4064-58-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4316-469-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-267-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4512-269-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4668-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4676-590-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4676-272-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4880-584-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4880-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4880-47-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4880-53-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download