0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Size

2.2MB
MD5

166504658070522b69a8902522958a4b
SHA1

12bbc744924216d757e92817b65620a7f2f3d597
SHA256

0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a
SHA512

c2a596a900e039cca7acbea932970b430104429fcb1a031776aa02b83ce1fb182c0e6dc73ed5bf0159ad9ae4ac5d394bf533fad063e16ab480c4a8d50be80e68
SSDEEP

49152:n6PJ7HeLg3W9uPn2u8PhS0A08QrW1hHvDNU33laduD/dB3dW6bUyuFlIAFQmd8WU:Pkn2qduD/dvUyuFC4Qmd1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2904	alg.exe
4460	DiagnosticsHub.StandardCollector.Service.exe
1512	fxssvc.exe
4188	elevation_service.exe
2768	elevation_service.exe
1844	maintenanceservice.exe
2108	msdtc.exe
4872	OSE.EXE
424	PerceptionSimulationService.exe
3464	perfhost.exe
2536	locator.exe
1280	SensorDataService.exe
3908	snmptrap.exe
2704	spectrum.exe
1272	ssh-agent.exe
632	TieringEngineService.exe
1540	AgentService.exe
1276	vds.exe
4732	vssvc.exe
3840	wbengine.exe
636	WmiApSrv.exe
5172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2bfa7cb9c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\system32\locator.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095d857a7adb6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f2752a0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cfae5a0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b571bda0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfd862a0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbc54fa0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003185d0a0adb6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeAuditPrivilege	1512	fxssvc.exe
Token: SeRestorePrivilege	632	TieringEngineService.exe
Token: SeManageVolumePrivilege	632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1540	AgentService.exe
Token: SeBackupPrivilege	4732	vssvc.exe
Token: SeRestorePrivilege	4732	vssvc.exe
Token: SeAuditPrivilege	4732	vssvc.exe
Token: SeBackupPrivilege	3840	wbengine.exe
Token: SeRestorePrivilege	3840	wbengine.exe
Token: SeSecurityPrivilege	3840	wbengine.exe
Token: 33	5172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeDebugPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeDebugPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeDebugPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeDebugPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeDebugPrivilege	4600	0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5172 wrote to memory of 5896	5172	SearchIndexer.exe	122
PID 5172 wrote to memory of 5896	5172	SearchIndexer.exe	122
PID 5172 wrote to memory of 6016	5172	SearchIndexer.exe	125
PID 5172 wrote to memory of 6016	5172	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe
"C:\Users\Admin\AppData\Local\Temp\0b38905ddfe7e82cae15d759c8ee4e7dfe2baab5f47c3314e146b9698c23933a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1280

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2704

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:5192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
e383fe0dbfde7e8ac1be0af5143b9c52

SHA1
d481e35f066bbeb2364f82f2808978232c5d31ac

SHA256
f6cc21a3976d8d78d557e47494dfbb1818eb5d3ac17946b44f42b79264f63813

SHA512
16839e477e391c5af88fa2691153d779bb88351f547aab3df0cb8d06ef7451be13b00797600fbb9843d87f759fe474528fb0302716a94b1391c22210c396f393

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3ff4648692417188d952fd2661e44b64

SHA1
c55a6c90a3adbd60bf0d831669c42a20f7ed2d94

SHA256
edd48afeb13048fe2546e129dcd48d939b23d6fd1eedb51bdb80bf54a959158d

SHA512
a6d339c6fb98916754e7f2f2978ac6d0d74642ac2c3f756b37eaf031d97dbd4ad69a31864ad0699fd8e19964f770e15b5e2f7d8549c36c5edd3f5c9f9e0f5cfd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
96d67a5ff35f5a8b558e6fe78b43cbde

SHA1
919bd478512efd4b86fdf9a5eb94734d77471fe7

SHA256
b905b93e5b50d1cd66bf38a2112f09705cf860097cf6d880224c893b2f252fd6

SHA512
58b50448cfb41baf6ea68aba76ff3e43689066c548b4924180ec449993876bb866594aa3fec2ff4cabb488380322b3a5b93e12ff3c11939ceb2dea1e1462d4d6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8a07e127496732cf7bd422dd2f031500

SHA1
b980c875b7f78e22f7708d8b2f6c6d973fa72751

SHA256
59f57342518835004cf32ac6209b8aefb23e19677b13695a3d87f9f0f8a6f2b6

SHA512
9021c565c14bb30c4109fd3d012f0a0a62d5b8945cd93777ef42a267bfb711aad612843c05d1a2ab87ec39da55efd6c881d68b55b7dcdf6b39cfdc7ecd5227d7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
567e056463cef2693a33d53d7e920bb7

SHA1
dd502f9a228fc422aaf3c9de045b08547c718313

SHA256
1f431318cff182c2ab77ca9c12707a322f0a64cc2734177490d9a5f8214b8c55

SHA512
110838a0a720579b81048fbc1fa3a716dc7d2a90562138c535213464571d1322765d6b07d89a2a87cd9eaa2eb18869d409dcb765f6b6820b372a3bc405162bd0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e1706b69de1f915850f8a2ba16a05869

SHA1
75afde915f7961fa6f07d2e0a5f700223e5d9216

SHA256
1d8df7a86116bc62562584dbb44631656c5c7cfc0f7e68095e304f94cd5cf7e2

SHA512
61cdd161ca2c328d6f4a9ad83f3e508dd92b1d1311af7203b367af1edcefa0351da5a674046b1e4c3cd0fcba83315775417e09b1f7565f3dd5dad03751aa16f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bc0508af978dc8416eedf3a941daacd1

SHA1
189540e322c5435db7a8a85b5e61a401f818cf07

SHA256
7561c070b0a258aceef7d27ae6eb9ec5af721f981ed419f05bfb819ba90d45e0

SHA512
0e288620f8c905890cb4166890589aa312f16fdc66d9987b9dfd8be783f76b77134f734adb0ac1a81bc08438d4fa4a52020b3ed07a5b133300bea02c7a722fc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bac879c78ce741f6f6fe19eec7d8908f

SHA1
fd77178ab4f3a12ce5ac626ba0b6f3db4591449f

SHA256
1f66fec5a9f45054df9fd4de94133e7eb00f956f10661e086a1203c8ecdaef9c

SHA512
002bd8879a4b4cd86ab1e13c28961d641629e83da50bbb845c5fa4b7899bd150b162c7903b8c769d1f81cc6cfcf06d161acfa4982aa7b239982b0f03b5e9b54f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cf2dbc7089bcfadca0b77e52bdd8747e

SHA1
97aec270bb92cce7fcbb0244995334f9b2090db5

SHA256
051ac48a350597a0ee8b4ffe60b12f9d20a264dece3b6a7a6acd59e77a4f7cc6

SHA512
10beef71b6e1d6b2a9672b6532a198aeb826cf65be50d1e8fb7669856d30df52ece466450651d129ff9826c88792fda327e46d4f67f74a7176a84704755872b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
47652bf344f2f9cb2a1b2749b0c58019

SHA1
b589d8ab987b2da21c5c74eac1e8b91be9180a9d

SHA256
107596faa0bc638de9279f63ab2018f87f9308dc52b98b08761508c86af7225e

SHA512
9b46d001932dc3448197a7d99abf0ee06d35791954f80c165ef568f25217f13c6ef30678768007cffa4e4c1b71d2b058c8c142d102ca099c5705e8ed70ba3bed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
23d5cd337b9fefc9f27da465ce2089a2

SHA1
615e688cd0ced963b15efd09798bab51d20d4cd1

SHA256
bd2b8eaa212699872a34b872aa4598646f75568ffad0606b4eea06efd4db8fc1

SHA512
da19556f11a572a9049cc85d38597f44da257e3aa9e5af71f2fd18a27b15df3a2980c55c692cfbe384b12f77734ed88f35a4c0bec64e5d9677e21f408e47de66

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
801b5077e99f76f22933854bc2d77cb4

SHA1
7ecf9233d85b1e06e8cd1746f9d62c6650b2b9b0

SHA256
6f8a8ef78043200c56e32b43a7a71dfd768cf5f08962410119aec3faa406d661

SHA512
0f93d5fd5d183ddf10d7c55f27b1af90c996d51c8262e3102309653bd61413e184a192840a8a9d91bc7e1056abfb575f0a9d274495bd41beab0d746228e38fb3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ac6d5e85b6e9e8223057af7efe3b34d5

SHA1
a2a6ff8b3d41fb80e4d5da5a6184063d7f263875

SHA256
0621fe2051098aa5e73f6598f9b44046d9ae206e4f935a4cc8ff4a29d76f05dc

SHA512
ca47ab5e940e648ee7816826fe7809e2e58a0b202e0f2a635d9d7a1c6787a00df1974c3f1c1789bc18db58b713b641b84d7604796022104bee15ef4b73efabd2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6c2396d4d857fa59c5f6d1a8458e32d9

SHA1
4e4f1ccd50f224883f09a8ab8659752320c5808e

SHA256
4ef25385ba00dbb067a461dc033dc6cd64299fa6a04d3d0c050d2e0cc46fd65e

SHA512
39a3622b2fdfb88f49730d308db95181a774ad597aca1e080c0cd83c02429797f01b64ec70ad61377ab1118fa6eaa732019491eb70cc31e59e80a3c0e57b99de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9d4adba39ba8cb1dee1ef9a4efa4e5c4

SHA1
c7afc96321195289f56666eadaa0b43cf42a855f

SHA256
bfc8278208e68e74941ce60f74a2a3cd88ffe2affc3bf0734969d57cda03c0a1

SHA512
33c9a902f568440b7dbbe899263a728c981316591c280916ed01f9b3430ade6a375fc67431f630d96ff5508d9ac8ddfcf35374e24026db00845a4ea1e7f92a6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f5122217206d0827e095a5e67c6c463d

SHA1
ac77f402913b1365ce1a15bab0aad2db94f3c69e

SHA256
2d559f77255febf1975243fd2bbdf1d721d3a75d86945ddabaec5f2792b59bb0

SHA512
75cf9618550db77cf93c65659ecced04445af2363ef5e445f5ef1f7f7236fc581a21569bf86732d9e47d34cb9efa5e8923cb4376492ce4c88f1b673ad6fbd0d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c9c18374d47b80a696721c642b47e9d6

SHA1
d3b70fa4c3ae6d7e3009cc9348936d00fec3963e

SHA256
a9aa69593c7a6893442011f1f3b7998132d82792f9cc4fbd582c772c214dc277

SHA512
63eca6c77c9143c851201a6b91570221a8e7a20bdccc22b3ae9751e48258b94cb9466d6156dc118fb2fd48acc7827532a2b77b5c4ebd72d9ab3d262b69f0c379

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1ccc5f018d55f7925b57ee7d6192774e

SHA1
d09bd2692776c87f71db136e3a1a17d8a415232c

SHA256
67159fe1ac69ebd979be11224e3aa27e6d134a61aa277b19c23bbd477c173fcf

SHA512
126dd444ce700e463ff45b1dbf739171770b2a3cfc67c8f3a6c528a44aa3e763e5bb4e239ba738241628a60ec657a198363135a7ca29d6daa13c0de2b5f44dcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9ef8e2a034e1af3890662f7a7ee782c4

SHA1
74e62f58c87838060f56949873bd71b4811ff16b

SHA256
f2d815e10f5cbb77eec9d8a4e755215f0b97c75e6be74f561b7aac65bdd160ff

SHA512
67513a406b156fca6f003743d6547560a7025bd5838d2b95bd523bf22e343cb698f9c9f5de3b424a91a4c274652bdd114637a98dc180e56b25d806111325f00b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
74ce30838069748727a31b292b747a1a

SHA1
d20f2e80bed9867841e7ef7c33e74c55a55a78a8

SHA256
70d2da0ac90f104d04a4bf347118adb4e1b60094a685a540b6a53f34210c6a38

SHA512
883c5f14d10887f42981f58f0cc20d7711756baff49d29fd38b0cd0d187fa94f5649bd87e6f3ae4f92bd7167acdaf690a926729c238a2e3809fedd1fa98fdd27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
460ebecc168a3c1fdc3b1cc78f690a44

SHA1
cbe9ddbd917c24158f302e05668f5989ea0ec841

SHA256
ec4e2b1db9dbb8674e90b9b70478d671f4774bc4df18acbe96c9a6d3fa4699e9

SHA512
7eee9a5a6fe5e6139c7bb23112364deb0131aa37d32cb3abaf7bead7502d9457ca40ba2a90c048bf05c9b6520f835d33b40a2d836ec986fb8cf80d2752dce724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
73dc1ce9211e13f1576560da07efe372

SHA1
f7c0977a82475b833078a79086eda02bd297a61e

SHA256
3987e016625f3a40f6528eb45dfed0d125dd604b979c7f3fdf08d1482c787b62

SHA512
38d66ebc4c40ba852e56001c821b8f473618e9c099d4f9f82f0e69fa5104fb561afe6d450b686525f02222932414e93b2703e48bb004881ff9b1d6db37234164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2b76f9a4cf719f2ee2d227d39ad3aa41

SHA1
b69658d6992344897fb3e7e70c0ca7c53f4145dc

SHA256
417311669b01a4c199a2b63154086cd63cae41acf29540267f21173729b19589

SHA512
6ea4dbede21304ae685dda749a401a83adb9f1ee77c3bf19bc6e7c6decac170d9c7c7fe436f439ee2cbc577faf437296482a28c520b28596a593942b90773748

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f879340183a6d082b06cb315ed616bd2

SHA1
90e85634b10fe136606da8158c54116c017d293f

SHA256
6d7cbdd5041bfc6429923e5e34161e2a03a7aca57e9eeb90916a5ecc2e3e6e6a

SHA512
a08617e203c2c331176cb9923f57d2a208451b2571a50a8e126072140a19e206e67f3909b9e924cb53867359e1b40b6380fa6033be5185f547818a78a22daa36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7ece17e4dd8dcac060ad61dec048901b

SHA1
6008ec5af96d86f3ff860d2e255d4888c52e216d

SHA256
67d66c8858cfa148d8f06bbcc0fc87878ef90c33addf7d4478c58209e13e1713

SHA512
cd39732d4206b5a5cf7e07576c08edb68873fdd2fe6066464377cf550b7a71e4fbf239a9bd6721edf4a5a3b6c7d682f0a0284f954888c4d9eb0a5ddd1b2a4c2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
68b44c916e5da60243b5d88f0d70521a

SHA1
4b4f91722d2daed6af4f6f46e2e8155eeecbdf33

SHA256
818096fb3d5aeb2e465050741f634a2048acb2bfb6102afe7e14395394f0a7f3

SHA512
d25d9617cd7b2c4858cb4b450991e41982813338ebba36db282c8c010d6819682c44960a65e85103c0efc7304621497b4a3b795f9db97647efa9f3eff4fb1b16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
37be142437513061078266b118d58171

SHA1
39ab274a04220f7089fe7f04309221c95fc3156b

SHA256
25f51ca94d43b65caed607e22cdb469471a35526994c6e3f6e59a9c9118638fa

SHA512
44bec0d601538a2e32d880e769479a0386bc27edd65fcb5eda439fcd883e9fa2e2bcc75417e65d9232eacd8a41363a08fd847da2ef8d90abc9055aff52fa4dc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
07211e599a6ab91adb3587645161cf7b

SHA1
1108014bb6eff14829eb4883fb0ade6d38ce2b78

SHA256
66a3460b731c9dbd614a9f1afdebdacb961a4477a283d330c18bfd88beb23c84

SHA512
774c77d2f43d9fa70efafd36144349e23b483fb9216988679d8bee7045400e613235b2249736bcea3b34b8b36dbb09ce138b59117aa7251748c56839b0281740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
52a7e2a8b17b9fd38aca56e2d666e246

SHA1
cc8f2f71c3dd40bf103ae4abfec97c9e1f373d44

SHA256
e38b74dbee2188dd4873ee4faf791f8aa27b44752970edae01eb26863ad0e6ce

SHA512
d66c488c669f653eb2406504916904a1c6d4172839b523bfcc2a2cb2c3db22aa8c86bad4091557880b7e0f6f48093310667d60a8590949e817407bad8196e30b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
877160b25eb25a3f40e9d0c997db552d

SHA1
8dc27f0ed885499a065f51ad07113094e92cce01

SHA256
453a22114f8514df2f799b4e97f053cd13a6337749f11df44aad8ee99b925c78

SHA512
7605a3b775dea6da26b2f6d63e7d0dd15215ef504df9f088a224a592a2bf48b024d2feff12766def9449ec9486dec1fab6f6e6af156a574fde256f01fe8ec726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
23ef64deb82f6f846c5dfb3acc03f784

SHA1
4d562c102bbfe06cdd13d4d93ee3f5d843447f3e

SHA256
1c4e4e9c0f54c4dd519b8d14575f889456b9b6dc64034bfde291a7d6f6088f47

SHA512
7e755cf7743638582e317a68e09e6008f9eed8e800869e158a9ac9bcc0e63ce89e14feea89f430210d461f97444a3b9dd679e8d12e49a8fe9dffb26bb278af5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a0a967f0ca39de107c79fc1b7b542b0c

SHA1
63a0354ed61d265d5004f9f442eef9f31d60c0cf

SHA256
57f991d6238061f73e7e4d73c5c966044774865526366c00b7194befc6a9aa99

SHA512
57497ed6b50563cf860ce72c5febdd2b1d8ad33d3a2928e09914cba5ade3ce127045e5478c9cf4364059bdf904c8b911108a23a23163f17dcd6360b98b334823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
62f046e75fc45cca646b6c1a2d09652c

SHA1
3d6f9dc7f12e4698b12edb36f59b21231e23922e

SHA256
6475d91c82730ec1b54c5e1c24f80d78192730a61022710331e23b69bd39453c

SHA512
a7a8afead605ce94f87c2f50ae65eca9b90dca4fe92e6aeaec4487a36008d24e69060bbce5d7dabacc386f29819c91d4c94f859357c1e47f740cd37fa33d40f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c25b88a0961d780f9e63f20221599829

SHA1
f1be94baf55b1cc02de544e6b744048203cedf77

SHA256
9f6e4911ffdf18ab5a2c8ca10ce358543705d0b51b12cc0cc52b9df3e22e2dad

SHA512
e978185a172bac81d93bcd7f68032e751836f5cfd051aca81a9260247d4cf20f938b4594d8c8616a0e3e3a0cb364f2a4e531168b950c316c19072e03608c29bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eedb30ee3945352f66a19ca5f89c05d1

SHA1
ee901364fa6d899d58f17f8a1a411802facc2782

SHA256
b2e05d942450b9b9a2d00a59d19f4a92e6c197a8c9afb270a4916ff631e0b6d6

SHA512
3c9e8bc79968f804a6a21d5fd96b163a2158330120a32abb641daf0f2c3a76f20c8399136f9d12444564cad0cd9e32a516f3336e8c14d6ad1ab28ce7d0457e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
14bced1250a6e4790a47ce7110f106e8

SHA1
e9e04503ee4ca967a3a06d392f62149d71c364d6

SHA256
4435bd80e4415294fb4448ddcfc984646fbf2a546d9aa39829fa282416e9926c

SHA512
6ad5dd1daef8a8e496de9820f615df03ba55209e1ade58ba113c4839b67f5a6ac1857073f884afd22b16104b51d22aaa983bced4a1c6d4b9ea027c866f4db195

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c555156b0e09c01b322ad57d5b9ea757

SHA1
5fe4716eb6e26a0600fea5547f575aeb75c3c659

SHA256
93e29344c73886d1471064e93a60aa96afa84a86dada8b82a04db91386aafe6e

SHA512
a166a27f452ffa93257aef104611d363ac1a6cae4c11c03f50e7474c4cf95cce603dc24b21ef974c8f045cce0557e1457db0ea8dc1234b31fe7deb04c7c0b801

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a5611f8b61839d5aa301801803391680

SHA1
5cb713bfbd464d00f3ef2a149bd90689329f7c28

SHA256
c9b5b241f0935a7712aacb0643281fd0d621841ed0dfa73f83da78221356653f

SHA512
38bdbc86464a4e98d9949d9a286cf0980f1f3a58c93df23f94a0d6d1064f7f2e8cc9ff713758e282f9bbc4863e947709779abf830e4c9ed5e484ae156e52d1f8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2872ddae769ac67f0ef8e360cc3e3647

SHA1
a2b0e5689ea5a770fc83ac3e046dbade07c53bf7

SHA256
5533e3a68fb73ad154d839b4c8b8b75935a79737dafe8dfeea7a503287c23714

SHA512
3e3558837e8dfccef43d43efc1ce2ef830100089b6a11579a2f58ea7e97c88c8b83ab30f2d2bd0109413bf828168e428d5fb23bd7c14f0c30ef4ad71cd59dc43

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
28fb7659a19b33d08e07b39483c86c87

SHA1
a2623805adf1f210cbdc71e43eec4d5dc0af1fc7

SHA256
a844477362bbd73f1659cae362db91466406347391e8178d04ef61331b24422a

SHA512
c7d50f5b1e2373edac526cef458a9ca97df35adfc6d09611226b3d56245ab588a1e5bc560bd04a47db3401bf6a2e647aad8a81b3e132fff2560fed9e20a14fde

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
efb58c99c9d061efed508ec29d74905e

SHA1
351ef403a2472487d00a8e3f178297cf7f138016

SHA256
5d722a0d04aab66ad91c42d9346af15314ec05c0faca5dd8c91a23882393aaa8

SHA512
bca70fd46c89982979b8ff20634417caab5fa87fb16e2f70e7b06ab7bfa36f887e991ca93745af2258f47237818fa97219ff06795feba21f16536b4b52445f08

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
97ac8cc6981f8085af8e25ba23cc0cec

SHA1
9697f96eeefb85a0e6f56d2ac9506fd77b6aae96

SHA256
1ffb50bcc315503539eab8e43511a6476b00f60782d097e6ab9149901ffcf283

SHA512
773af334699f03642759acfd8872e853314f2ea2983e762446db813cd742e97b83e4a36ad877456ae9abe5fe757f4ed587420ed7e79a3408ffbe6c45c2123c9a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1943baea82b3fcbd733fb6b2ed0ea83b

SHA1
9e2a4d8333ba455f2c2246908c5e8acb8bcee7b3

SHA256
cfc90ac4a2b253a1080eff33036bbb78eb43dad84a3833f3006ad14f879ca52d

SHA512
dc28feff7e48c069f3ef981aaa8ae2fd6a5f9f9674cbd4e3acf9234604a2f4792b7f88114d4a70fe4adae9b71ded401979224fdd555d76f63267b3e1e4e489a5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6c14207ecba994befcaa7fbb24cf61ab

SHA1
abfb24ebcaa049dedd7813b08b2381266d49893d

SHA256
80f80d4619a6fc35eac9538c132e71c528271b72a55ea3660575b1950cf24d3e

SHA512
3659053f408aaebc452a3c2ba25e037b9628f82bd0160786ec5a189fb6a6e1f6dd9a36db48c5c2430239eaa3da87b04fb22875d61086446af6b798b730c5f2d2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
52ff72f33fda13993936954d2c190beb

SHA1
ce8315069c21b9763f1a831af47e844b2efdb4b0

SHA256
f9696a9cd4557fb910b1f10d8cf42bcfbdbd97c9b70d4a43691f98b18bb1f2c5

SHA512
775afcbeb266580b124723b3c6fd725278d4fcfa81c7b9a307328721815462d911bb70a3cdb73bffe33493216bec34598a7aad62fae8eb934116015bd0866dfd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ee92e148d3cb5ccfd93dd411f0b9d785

SHA1
3e1ce843ead5b2660a5d1545d92b093cfff4b2de

SHA256
a30fb97bb6fe3d369569966e8f1ed1e92b2310c589ea0b55ebfc34736c94a37b

SHA512
5bf919200e80393b3bf4e0d11fcff4261e9c4462eec14af4d316b27faf5fbef560a08ac3a0a4ab695c1b16e6dbe92c77833c89b77485fbaadc35923e5e5e0c4a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4afc234276737aa3fc77ea9b5ef9215b

SHA1
4916fb2debecc6b8b4f86fea5da76c0ec29d1779

SHA256
dc56d536b914ac0c3c5bee9ad2af9cdf218b648a3757464b3e0525b62e3e8031

SHA512
4b6c60c1fbde900dcd3006009849adef54105180ca10c48afa6c3208eaa9097d1389c7c9bb0660ce53f72ad359f7c65ca3dca6e6e55067ac37f511b5ab57193f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e08ab22ffe6fd91661b3433ec7d1dea5

SHA1
ade2645652f4b4c122a9c8025253761747dbec41

SHA256
9688e67b1b1c71abdc0727a338d1aa75c14f88ca90007430f9ef8a0f3a41c635

SHA512
f9a17bdc458275eb362ed3c23da07c46b398a4020485d1b598edfc52fc8518aa2f6b6153f3f61edc509ce2163881410fe2097f28b4f959369496b4178d2187d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
20aa0efbd2c9acb9f9e8671e2608044c

SHA1
ef482b6d270b97b817b507581abe87606c3dd2ae

SHA256
4ca9075f958c27330e923f52d58f67e21bd90517e5fb3b25856c4877dc8c3269

SHA512
e51151632d5209292428e7d4a0064a34603c81a5bef920f56c558846c5576ef23192628c9bf543d19e3a516bd4509ab2e4a21e5f9ed236f6d02a483192087e9a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0fb8c7a7fa41a7d708fd5708b1c0a181

SHA1
7d1cffef9b76f4b5d1636b4d0d15279f7455ca56

SHA256
e5d7b19db85515bc8ccb67867d640c481c0c5eb2f89cb53d692490e688081da0

SHA512
41aa13b959a6a5af5ca0f4e6f0e1fe367f1ed72b9c6d2cfe8f41ef82821e8bddec3589298f599dbaed2752ced8e02714919af30281a2dda5dc60aa580c74b7ba

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4030988d44be2d9afbc708c683042bf6

SHA1
471ec843e709f46ea022eb57f02de71b08fdcf11

SHA256
0b69757b1399f4cb488c5dc850a8059b4c6a7ceb398f0767b36e5105a66d01c4

SHA512
ce13aefaa48367a5fae4c6b949a3bb18545b604914775d83197a4cf22ca0795d9205c381c83eac885ce573c4a9fad5b7cea57049dd5d887a33733564ba123971

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e5357114a9a9c2367b10997fa6914487

SHA1
c5c3b9a428e72b217ade7f08896a49ef284adc84

SHA256
33075c822cb9a56b2438ed0fb43750fb0118171a562cad4c8a732f5322c05bd0

SHA512
6cc16378979a638f2eaab0f55e1479c787375d67c957642f90c5a9227529b0a2150b05532f018446c54742c3e1896951e442b892b9ecda808bbf92d65259e3d1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0e66b8ee6bcac935dc03630a13a98652

SHA1
6086de257a300b301204209e37579f6882cacddf

SHA256
b28883082ccd39a3fb8f81f88979ec69101e517a27a598c1f2228284168c6c22

SHA512
bc78cc50c864a509e1dab6b5490299e93dad87254a8adbd321e3010e8723c6c4c6d47571638f976d9c7e663fa8d2270d3dfac8f738eeecbde59caefac51a3ff0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
786630e95345ba2276dc053344feb882

SHA1
31befb68b89d33928ffa55fc799dd0fa87914d24

SHA256
9a2ffd59d7d883694ebe2b003f77563d9f9d6423f6140c261c7a1e2976adabe9

SHA512
60c2c52cd5d5ad78c81afee64ff7bbc5f4537b24beb9de7ca15941f9ec3cc5944cd91ebba3ae362a0a634bb4e4f8134bfc9c77983cbed0641970e1e4c621e61d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3322577f2f0010a1efbe0bd3beb5d9fe

SHA1
feb94b34d0948f535c6aa08f095c9f82dab2c0f8

SHA256
f38d4f3f97db9641770a739f6062fe34503a2c46fb046fd2477ae540ffa98872

SHA512
2170c0985fd3e7eab81825c267d530b63dc0d827cbb02cdfede611396b424b1dabbb9eb9494c269fcaf8c93992ce131a326ff0f2da1e15b985b9a49d39f5a7b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5905de125fefa4a669b515d535afe205

SHA1
575f3c379b2c46c1af028952a85c3be7f4f91c0d

SHA256
d5162e98bc05460c054386363aaa50078610a111ca340679a52acfcf0fe2938e

SHA512
bb1c762cee33d1dd2db497998208529a0050c9c9e29102a1b0f3961deb1899fe5778cbf414117e189b1c33000c1ad02736d7fbbb3ef0b82487c1aa553f4ad543

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c03faa07f1a5576ba1dee0c7c6362348

SHA1
d55f9c4515342ef6a6c94cb18b1b28d975728517

SHA256
3117dba94fec0df13cd045cf37ee7e58f28acb8edc918ce50957dd0b1dbfb5e2

SHA512
cc82dff3ba5e43cdd9f52eeadb22d5a306150b6fcafdb03e0b0b2ce9560ebc34000895e83f1e046af895efa9c7a429d4c1280818c698c19f890f9e984bb2c32a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
64d4e0156dd49a12040eb1a5094cb603

SHA1
58ef3de8fee24bb39cdcecf71fb7658ed9b2eb17

SHA256
217541b4a595b47adaa0ce8e30eeee75d5874f0787a32c602a767bb9ebaef1fd

SHA512
7da558b32ca25333cc9a7b98db32ca5c2fdc48bbd285901bc4ff0731fa51460b96ecaa0a1413f3ebd43298c8323d64bc359e15696a561270159cdaaf62a7a298

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ef75d939bb746c338e1f29becf6bc217

SHA1
cd63e3f341be560a1c5c6177d993b4e9a6d2c6ed

SHA256
9148b0745583ea5c4dbcab5e11616908936500ff6635a850f3b32517dcf392c6

SHA512
eea96437967a748fb960d242be33e43c2ee070aa6561e08b0c40c7b833f3fd690816576152c783b947334ba46ca002b69dd05fccf634d08c7bc8f832b605bdc3

Download Submit
memory/424-119-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/424-266-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/632-583-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/632-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/636-270-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/636-604-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1272-189-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1272-582-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1276-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1276-602-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1280-480-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1280-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1512-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-40-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1512-47-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1512-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1512-60-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1512-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1540-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1844-88-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1844-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1844-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1844-83-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1844-76-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2108-211-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2108-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2108-93-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2536-453-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2536-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2704-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2704-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2768-71-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2768-188-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2768-73-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2768-65-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2904-14-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2904-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2904-104-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2904-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3464-131-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3464-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3840-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3908-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3908-577-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4188-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4188-58-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4188-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4188-52-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4460-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4460-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4460-36-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4460-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4600-0-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4600-84-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4600-2-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/4600-9-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/4732-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4732-603-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4872-226-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4872-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5172-605-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5172-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download