f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Size

2.8MB
MD5

96468a6223d135f7976a7081a98403fc
SHA1

0149bbf24872c9599ee72703bc92dfc239abcd4e
SHA256

f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391
SHA512

0ad00eccb0dbfd0eec8f8cddaa63e9486fb15b3ca4adc71bea391bf3ec40e2af977bc54b8dbbad85f3eee2d5eb52d44baab5cd4b0e2cb9132f72729cc34625c7
SSDEEP

49152:PYN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKa6ZU6CENlc71:Pi2bz/5YvpI2eey98CRC4L0ZRba69CEE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
1552	alg.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
3656	fxssvc.exe
1608	install.exe
2964	elevation_service.exe
3052	elevation_service.exe
4860	maintenanceservice.exe
3300	msdtc.exe
3712	OSE.EXE
3348	PerceptionSimulationService.exe
4928	perfhost.exe
2264	locator.exe
3812	SensorDataService.exe
1080	snmptrap.exe
2384	spectrum.exe
364	ssh-agent.exe
3560	TieringEngineService.exe
4520	AgentService.exe
2688	vds.exe
1112	vssvc.exe
4104	wbengine.exe
4924	WmiApSrv.exe
4504	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1afa9f0c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\System32\vds.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\locator.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f281d370ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000271329370ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4cd06380ab7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098077b360ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001ea5f370ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004af7cf370ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d394f370ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b160a370ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeAuditPrivilege	3656	fxssvc.exe
Token: SeRestorePrivilege	3560	TieringEngineService.exe
Token: SeManageVolumePrivilege	3560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4520	AgentService.exe
Token: SeBackupPrivilege	1112	vssvc.exe
Token: SeRestorePrivilege	1112	vssvc.exe
Token: SeAuditPrivilege	1112	vssvc.exe
Token: SeBackupPrivilege	4104	wbengine.exe
Token: SeRestorePrivilege	4104	wbengine.exe
Token: SeSecurityPrivilege	4104	wbengine.exe
Token: 33	4504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4504	SearchIndexer.exe
Token: SeDebugPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeDebugPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeDebugPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeDebugPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeDebugPrivilege	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
Token: SeDebugPrivilege	4244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1608	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe	86
PID 1488 wrote to memory of 1608	1488	f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe	86
PID 4504 wrote to memory of 3880	4504	SearchIndexer.exe	109
PID 4504 wrote to memory of 3880	4504	SearchIndexer.exe	109
PID 4504 wrote to memory of 3112	4504	SearchIndexer.exe	110
PID 4504 wrote to memory of 3112	4504	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe
"C:\Users\Admin\AppData\Local\Temp\f3ebc45a0a10956d6ca7403a4c9fe428fb2e96244ce255e4bd1c0744ffc4d391.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- \??\c:\c4ceec7c28ed81ab44815b98fb\install.exe
  c:\c4ceec7c28ed81ab44815b98fb\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3300

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3812

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
96f9ef99b8b468aeac320a7a66d1b355

SHA1
8443323d04109d68c9e30d6a20b0ea6f31c65b8a

SHA256
aad4c4b870819253ee4bd87ac80e789c798845378e6dcdf903c30ce0ce915f6f

SHA512
1c1901a22658da5af59a6e4ce7463c147e6ed41cd78c9c95997d3798056cec3179ea4c6766af69fafebaad9da0f3eff9546978a075bf5266653f32157f0a5535

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5681ee42ccc4255ac02ea9a11556ded1

SHA1
695f8755d05e6e9ecf2203a4780a38f5357cbb5a

SHA256
d1fc67859b13c2fb18d3c9f2fae23a4b761d7cdf4ae9375fbfe680d103f7fcc5

SHA512
4e436504043e6263f463aed19af525b29acca00d9127765c24bb56ba903836c008d936b4afd612a5f9669b6cca86930f468727aa9d172aa5f79ad0a7461c3d91

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d9b70a5ce66b715d46393504c11905f9

SHA1
fa44a4f19f8670214d327108566128c73aa8fa85

SHA256
c1a382bd3cfc762902ffed358117710692e830a9c0396a83d4e8eb23ecb14dde

SHA512
f6488a28736ad73eaa7ef9679c269719e71321218eb5e53b11cec37540fbc6a4706666dc07f2c31fa12a4f61bd0b9505cef9de9476a4e9371a2daf2ec826ac57

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c364b4f8f5cd9c4e892304b6de0f7836

SHA1
96779f8f2b56f2edcb96e53937ff86348779eb8e

SHA256
0abac2ca255cfdd27fc7990cbc6ea1169694bb7feeb24519100c5d09541699ec

SHA512
26287230b6846c52658025ac18a3e782370689dedf7d6426af279348dbf80465a840a84ab42c60675455d675e38b542f05286a8e76f13f3737ddfd496f3dc889

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
685f8cc3daaf2768ce9f324208887155

SHA1
88bd204e0f7c129366cc109937f0e9adca81a48a

SHA256
33568fd9f98007a9c3896e5f2b02efceed3087378c314865f8a1c404e7c4fe9a

SHA512
f4f82c99fa7b536c35b8ffcb5790cef323a0dba8769d5f71dff8a3018f13fb7cf493123cca509ae2cd9f47f92b81a1f05467da278014f2efc0aa2ba8d034f3da

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7720fd59ab3b6ba2e60cbf999a5f8414

SHA1
ef0c5fe5744375d36e1140f55ca834832bc31452

SHA256
a24617f088a6f0a6469480285a7bc7c7f150d1f286b00ef0f95717071b5b6d82

SHA512
74f92ff61090aa954a640dadf17f56ca527b98556e051492751aaf517e87c49195f873a722e3acd79246b13595c8b675dd8dea0ab0988d52449b74269c5e13a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d442a7c97a6736ffb6271f75e6f02110

SHA1
1dad5318bea868426e62571d7671de6fd2cc55bc

SHA256
1aca8e3f9c73eeef91e494e6e91d7de7ef62a03c8b0b836d9598a4cfde2b7db6

SHA512
e7e3c4be5ade08a519674e2659fabf6a4fd10ee41551425fd591669cd64f4ddf3f77211fc27c0153e83389a60eb59bc9756944668a61a6726048f39ed7994feb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82e01d4785a91d0de8aa1afbc934f105

SHA1
c152c448eff7ed96aaf4ba4201bff7e419ca97c0

SHA256
404190346410f7e24e1154eec865388dd15bb2f487922408f9fba3e67b01e67f

SHA512
c44270081cb7311f684f20ef4f0f3bdb31a54a28d2c0ff654a1b8f50bd18852ce31630866badd7ccc2ffeee09a497fe5947293e7667a89f01628cef1290488dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
786e08ac5664a97b7c55c46052b31491

SHA1
17534ca3102a2ff169d9b2f8da4279202cb04ba2

SHA256
869d1ef85c503c290cd95ac3e0fe4512c7a8b58ae5aa3655a73d3f1955d43d55

SHA512
770318e60967e316cd0f6a082439dbe785a36b7a2f42c20ae76c1c861291dd28ea02d1ce49be01ffb5d837b0fbb3ea92fc2753b1067ff414ce6be5a45a00835b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c6bb6ad1ddaf7647594a7564afc5d616

SHA1
2be88507d1405b7bf04e4c1d72998d115a156b89

SHA256
09327e1712a4ac3b92a3f7c91d9d83bd3c6a17d75ae2ffee5df9c27adcffa9c6

SHA512
4a9be8b22ab82483e8f9b73670c0e82808f180cd4c475ff448745a9293ed8bf8a9b1790e31691ce12b1e497655c86ff7be16ea404263e848102e207d299e892f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
06dcfff8b7e3f9c52ecb3d2a432c8439

SHA1
e1e79712794a2b777dc56e96c9eee4dbedddb430

SHA256
181567366d9e6e3e2a0c0484d36b52a3feb91d00222865404022cd3797ad62e5

SHA512
9274b3e98061a3cb20516232b32b57b14814ca92470ffd147f0ff3583997b3e3cd1cadfda99ca4868b367528e332f6dfa77024f46c85c3af5f33f50b6d124201

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fd49a1f7dc2b95c51d0595948cd24426

SHA1
ad19caf3563714f6bf7f19ba5dd02324a94b2a24

SHA256
d8d304d0690a2b638557bb77cf10c49ebbfa7af0638aed1bf9d29471327c2fe7

SHA512
7c4f2e0832e98dc8d571a2d8283ff7fd40c1fd84a59f8bb9462dfe8c41678c67b0c99693542ae540d666d10605d68f414e483946e08a0f69889a5e20235ee324

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9fb326ffb403daa177dee6150f69ee10

SHA1
681919aaf74f585f05abe59c4a60c9d4ab6bfb7b

SHA256
65399901139a1bb498fc5dfc08733733de8c1dde89c90ede74e7c6e3a33dd4cf

SHA512
5f433dba0e829c365296e220e4b9ab935647d8ccf8b5ce555558435fbe404e4b4bb45fe72820f2a53a494982bb36c6ff46381dc45184a088cf1616bdc5e63a9a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b488d55d977ece9196e6bdd241210f61

SHA1
6ad48be5a3cbccf50468e3960f2cb6f9593f9d01

SHA256
1d2c5b5ed05ec85192dd4e9c473be7e818b22767cf3c430d4491cd07758582a7

SHA512
744879413a911e4dac959bb832f6600e9dca6a8d72795263f9cc33c40b90c09161890dda1ee7842c4132c6c01cb0268c4c90021a9e45ec804e3485f1c748550d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
77515cac9f6125abd01d9538b2ac31f1

SHA1
e3b6ac9af1cd1c236aa6641a3f7d39cc3c586e7c

SHA256
4c4fbbc453785a7cfe03be46d56601d0ee3f1fb7bf3adf927db7583939aaa2f5

SHA512
cb224fe9e45e18d34e928a1409d0d84c1e21bd7440afc9b77ccbf090587d78cb3b788da6429d0ceeccc05bfe8287261fcc998c7d530604ae37f2c666fe477c57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cc8c79bf97148c2254250426e1e9b021

SHA1
41573b53aba8fe7989a2d7bf824d14053d575330

SHA256
7b7257aea4e08ed4411726470cbf798062d7fa585c408e2440448fb405d85809

SHA512
1ca4bdccd6b6c2b379937199bd921e7af6a7c705a4c15cc2e6827d8117a17262da91c3da0bae86ad310a4ff711d762c3dd95e19a5cbb3644980d31c49b2a1a24

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7442e8d7ab1c7bbee7ca10162af45bcb

SHA1
9d3970345322a3fb388b0fd90b03c6b9e9e4bbd6

SHA256
750f86026597a4fdc728daf96547d3a2f04d4c2ac4884ca8b9a832f262a3e553

SHA512
050cbaa3d6b197a6e5fad9e0cae4c0c939c1eba3dbb2badf06c9dfeada924bd233f4ad73da1447be89c63761677cebcd8b7b62be0d9c6a21560fedd94e2047c1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2c5f41b675f90e0ebefb5c7060e82800

SHA1
c479fa1ed1abfae5986f87ed19de58563c5cf8af

SHA256
7ab805e849efbeca789fc26acd9097f3a2df9e9282830db20e5e0b1aa3e1f1bc

SHA512
61b25189b709117e0b7766f46eabb6405afb91d5e71cc2eed1a112fcb9dc665bcfbf8d2247c54e7434d896b3046a02ac8cf8b77278fe1d3796ee5b35751430d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
48b10eb092c7bf387c9d6c4b4188d9ae

SHA1
1e1e00129f19a0c1276a835842c80d3a87d22d95

SHA256
43e8760ed10a2ba3b1e8944051edc3265e631fad79e05b599e143110ac47bfa6

SHA512
d2dc38d9999db6e18a8e56b4696630820facdb06eecbbf6bae14cc42e514ade9c9161712e282fed3859c283d568dec6aaa9a494dddbeff993edd255ec46fe215

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
05111fe428f020550ead192ff14aad02

SHA1
8092a00fdb9842a8cf3a9585d25bddd7d6a9ac22

SHA256
723c181b7a24f63bef11a12c792bd248ccf6b28e869096dccbd70344be0f8be7

SHA512
1dd88e895f36aabd00aa8ad670af199d013739c6a55b7ea0a5d084a7903b1531b6f2ed5ff0ee85529a48f14f8e540ee9a8f9d61891bc943958dbb2947c03355c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f0bbfe40bba5cc8a10edc5f1c603dcdd

SHA1
ac202e1a405646c5e972fcd7b80cd640ebe12701

SHA256
692ba6231ca9a2eca8699eb8fb5e549962d14dcca8a882b906f2902f89fe1cb4

SHA512
2aa2379f6756f1e24081b21263e7a8e5157b21caf985c59131b44bf210075e80952d0033b523af47e0a224f703b8f3fa7cf66a3171d319138def6623c2a59dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c2acfa3a9dc624ead5f18ff18096ea4e

SHA1
e16c248baee80d6607e3a65d16fe45ec241c1703

SHA256
44a3525ede945d6d19fe24398b2b2ffbc4a0eb5a95a861bb3df977df7265825e

SHA512
35d78ee9a5b57b1ef743ec278dacc7b964045e1fef6427ed0574320cdeb2379561b94d1ab0069f1d6848c1945c3990870586c9258450af682cf6a512b0aa1c55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
765381ce675cc40ec50dd8dd37e3090b

SHA1
38e664b281d7994c9c7cd5a64ecf8d3316a73903

SHA256
92d76ab3164a9b1253eac9e7b81efc6cf8df4b2e170add73aa1f9bcb6a0014e9

SHA512
a6a443d0accd84b24c4638a2753741015ceadf4445f762bac94b7193c068c72f3a48818265cacebe52a8c883236fabcd604e58aff6edee3d61c1cfec0bb9d797

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3a80497434a9a9bccefdb46d0375b584

SHA1
b2826f0786caf008c7c2b9a48d37c13bd8bb2b2c

SHA256
bf6ce2e798ddb7ea2eb16e8d4fa76ee119b81eb55c2f770bf948a344777b1db6

SHA512
cf2c57ef49818831b2e7d8ad616627cb78dd87c11d918fa73a4dca424ee3146e79eebc52c10613837f8e46647943b6eee15d727ad8db75dd9ae5fddab86947c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f01cded2e0bd1f8feadc3f710167dc37

SHA1
704aa45bd34a3c9dd52b90f458f83bf91be1bb53

SHA256
76e9a05a4790662c7e745ec4b7215d7e8d743b6b49504c003168b4e1705191a7

SHA512
ce135c72de7ac59b0b684b8658b0c0dc9c1264d9ec636223d286808b0a61f6485963ca151fb7b03acb70308147e3825dfe65ce95e529c876ce70b967320133d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0b5cf609de1a2a9fd2de2519ec0dcb40

SHA1
0cede7a10c33711ef8ad69c7590babb180d2ad57

SHA256
c28ee860db4d65a45f7b2761d1729e02a1920b3d9d9a2df31c7576b8cf7f36dc

SHA512
30b9834eaca8d53e191b512c2588b51d10d76b27ea78927715613aea4312cd3d80eb0ca096f7f7efbf97e860d32ee81ea4f143862d988557adb7fd6b0f702b79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b22334361d8fee00ee8adc17c4be3761

SHA1
7f48f34a273c2acfeaa662d1ff79af89b2f6db83

SHA256
03882111f7cd1248d1010cd82ed4f89173f37e08256d1b698dcac9ef6b332a12

SHA512
08080bdc7a4d150548027bf4de99b69e236f7d2eb6fe1ac4d2703488eadf1dc55f0f7134b4e56fe0917df06088306be8d6d4e0c04cb0def33d9cc8726ad4df06

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
43fd228857eb8103b2738cb1aab82557

SHA1
bd9f5a0df5c97ff1f1eb0ed303a62910fef9602b

SHA256
8c389eec7b2a813c8f28045fcbc925c86efa9842fad580937750c6efc8f479d9

SHA512
3054434869afffb894cf3cd4047f5a37a3561099db1ec4ea27e79438f87b65a275065e0ab77511610cd1b681f22dea959356fb6e394f34a30aa15e0b22d2f932

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
418a4bff99ab40ce33328ae0dcf5fe3c

SHA1
689322535f059c6c9413baad9161ff4f557c9e16

SHA256
7f4217b037a1e2a1054f1ff00cb4e45d7d646b65278e5e9c945f37aaf18ee860

SHA512
5a10b41b5e5cf1399658cb60f2b555b3daa2b7c5d1755f6013967c8d81832a7c3981fe0f177e61d575854f2a0b38e693b23d7a280b75bc01ad8d29efefe3538b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
049cc59cb0e79aa049583352ca85c7bc

SHA1
a5dafb8a804ad15b7046d70f9ee07e2c25180508

SHA256
cd546a8564bfe45510a7012e6a48253ac377f050cc1ba69154259faba0faeb76

SHA512
31ac9d6fbca321361746f3e6f3a79290c6f44f063e90e807c6754619ec3e31da3c1a05508f5f2ecffbec270bbf81c5099bf0060e2c7785afec5e41441c18619c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
948232ff13fed10205c743cd687d583d

SHA1
2bc4c9975828383c6fbb9be3352aa12d6c7f44f4

SHA256
f81ad05fbddbc06c7c64f88bf91b0f98140b6ee95d3dce6258085ee637d68f2d

SHA512
a0c0788c7243890c00071e199834fbe7ff150ffe82aed7d245bc9a6990de7f9e229c91b3ff0a1b046bd5ad447dd8d170cc9a6c1b990f15c293e34333972561b7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8f1848206f99da310c206daf3681524e

SHA1
d3e7dcf97ab42e7ceae63ad2fbab0b866a343889

SHA256
f0196c40a39b44626df7c160f4fc560d37daae2fd8c7acdb683eacf4f973c250

SHA512
29cdd2264928dcbf8ab332a6df46a6f71d02d4a750bfc6d9d3e43315e3c7f231109ef01d2322738ad6966fc22a69f08c36fe055c55bfd73fdba9fa625fd7e673

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
55750263b3555749b3b05496450cd503

SHA1
9762b6a97b59ae87997a546597f02801596654e0

SHA256
9ace38d7711f5e302444f432dd4f3dee8f22882be3475e23074016d111297e63

SHA512
5a2c136dbca9e29ee028a5f44b01bf95fc3e88ff03fe456d8b8f4aeee7694c5a5f95a8aafbf8a41f3aeaaa5628aef8cabeb2c854ef43944920fa804235dbe790

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6df9803fe4fa379f669dc630718d7f02

SHA1
b986a83b328728fd5618a72f5397c856b0857190

SHA256
9f9b35b5eb3ee2019285bd398cab3cd16a5d784ee8b0b8da2a533dd83d67c2a5

SHA512
886867c3221493c23d71e16bae4bc26ae43fa4b978c19cbb0bac87d1d883cfa5555000c409d0ad079a2e74467b47d4c2fa8ae595b6b408f5442ef9596d1c4ed3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2adb416dfd28d6cabe67e0798def92d0

SHA1
3444d937b3cde20b47324ade0962ef4d062e10f4

SHA256
881d7ab3b5a299a78b4005854f044a50d38997c13f69d28b61a2733e4aecc66a

SHA512
ed8e81c0a65771a7e586dbf249b7d07861436513757b2d3382f63e2b63272de57e972eb785d6a9d1ffe464d01a2d814b87adc284ff7713a6b763a25a81513a8c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c4ec84c4d6489a120c7b3066ff8bdcf

SHA1
2dc41f5f3734c8b24b58889f4f92c2a8453c6e8d

SHA256
474c9b2ed8c09cdbb59d3322332f66781e4e65806fa993f8ecbc139fd6ca47e5

SHA512
54ec1c345e992832f3355831e31c29c86def78f677462fc22c0739de06cba86497a38eb2c4cf4071f8103045a981570590054b13f48d263a3e6dd8e93bd76eca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b4c03c623c7d21dba410af3e9586c40

SHA1
04925f4099a185018d474059c53372ed15314b98

SHA256
2e9f12678b0db369719dcef34617bd6ce690ad19467bdf32d2bbbd27fffd2729

SHA512
aa1d458737294f1ca4e753ae0cc0ca3c9d19647753baa1a3f33b0a2a3fd8d4ae5b9c35c17a9c585b397b383af3246a17e6f4f1d3a7476e083886818034947471

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fd1467c424983859f01da8eb4a7b069f

SHA1
9bbd1e99de5c8283534c58fcf2816a5501a28f55

SHA256
e328660b3000893f3cd85aab22953c17605a951e5a85e18ba8a7aecd28541d39

SHA512
f4d5e25dff28d8bf9612dcb9f8f6bef87e3ef5430317b9b9836d2f1b64b6c3ce38bfb8d1fc5a8c3462b36f86a0d2f36c0ace431da083e167518b642d35386573

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8cceb86b04af8cf44bb45cdd44d47db9

SHA1
de09e7d4271d6ae367194fcf3fe224434c8096f5

SHA256
d5f17ae010a22af81bcd4cdc4e9a1130e6b9532ce3333f6654a70cfc2520e49c

SHA512
1d6d14d5bea0e39a1a1014d621d89b0496760965f878f01cb8dcf6e1f80cff43162e588cb94e90fd5a697ad953ecdce1ed6a8b6230980f5935d9c257ac20b2b8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6fc464f7d989b3d3a567df70c4c1b09a

SHA1
d425aac2a92b3086b6bfc331c37bfd808db513b8

SHA256
2b791686507518816aa44dc17390bfea45a8ae49d70c5e486c6d6c408139f2e0

SHA512
2e9170e7b64e43cda23c0d38ca33c15bc431389c1c8bcaf58c03a0ca559277d7c41c189f0e8a61dbe032fe30f65588b71516102b3b4b15eb4de9bcbd163991f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
55f3d216a617e329e09d8ce9fe3f7702

SHA1
88a7eb5de1a65de84a2e9e7f6164514b7af71e05

SHA256
e96b4fd702f7a36b6352cab8fa1b5e1138684e08bcdb24b468082663c8f4c0c7

SHA512
3b601c9cdf5a8573e948e605a06bda87cf962d6373287dcb48d61725c1fe01da58904802dd3f6b63efe953c0625e432da52b96e3634a96d10631becdcb7dfb1b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7372206da83a109d8ed5958e3d4acc67

SHA1
589799866ea92edb4a95e1adad5116667ec0c458

SHA256
096cbb1cd2c5cdf5d65ff94ec603144b6aa27cf3101ad45d43af4091441214ad

SHA512
e14d5df68c4af11fccaf20b990858e0acffb14843b5ad6a8d25dbdf506683413c2ba5039f368250e981c77cbfe347d5820d526ee3a78c441a2eb3eafb45c6b6e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7c3452911abb7cb81661b1db17e428f1

SHA1
ca104e083e6baa66d316aa293d9e6323fa4286a5

SHA256
863130d4ff199a85bf78fdfc72f64dff4a2ee7a9e19670b5c825bcaba492ea78

SHA512
5a147483b923c739afb7c12ad35ca55fd948004ee9cfbc0c7b622bf807d5c32ba13a59539a5ff9e6089ef38dd9b5bc5bdce6cf37f7eaab78afdaa1f4d0959b48

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3c24b6d036eee3f54b38d2dd1194c1e6

SHA1
488c64043d8502dd4eac8055c418fcd1f9a34f8b

SHA256
8b29114d261a8527fe13f5dbac8481ff2fd91ac47523e0f252d7d2487f9e753e

SHA512
182e5627f2782d1e7bb0859a779541d3b4e19e57daf0e3a1de6ca2135411615ba42c30d1a33edc2c233dbf71336198f736cde5ac51450442e4d8f6a00a520d2a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
132cd1893aa5467c8439dd23480cd675

SHA1
14941c5794293199523a9fa40a09202b2a98e5aa

SHA256
e0ed376777b78fb191f014eb33b00e8a6052f7bf5de95be112f6f15168dec2df

SHA512
94fec6dda5bb855e49205dcfc8f0b9a63a6a39cc885fa319b3ba7aed277546ab317ab678b1668e100265de6269fc83c97d953a1f196e18a4119e8b386d7e71f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a24d7a05a4676f8346ada3b7cefc6f85

SHA1
fd6d1adb72ff469a7a5b3a14b123c9174b3649f6

SHA256
960341c592facfcb36088cde0061fd8c61b9ee0aa35922d781f44ab16aa62744

SHA512
41865d5fdbe4a1b14cf7278bef6409a85c84672805880365caeb6e822705604350801a6190a63427603698ea6cef1e9be1ceb403f28d9b8687e9db125f5c6cf1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f31f13e55a3ef385c2773102aee749ce

SHA1
f4982110e9b62827a900aadcd73835686f9cebce

SHA256
282950514fbc0b21b31664f9aef4d4fe2a6fb11b90aaa9fc9c9c7ca548096be6

SHA512
e2ae6553386621468f428b00097c5a98f429733abb84f29bccc3c0daac9e6f9bf7c8ebb74d91e13f36fa2f295e193d77d09c63eddd1785f2afa707ad6deb8d1f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ca70c02b3c9a8428960be91cc750c1cb

SHA1
e01d3910fc163e3aacbfdec19d9447aacb0eba9f

SHA256
1435fbb09cf58b903f4e1be29b9dc22bf0e5b1a55e4f0cae1840275c2d3ab8cf

SHA512
2fa4fd12600a2261fbff8a9aa16934c0e3c96cba7f96a7912db6b788f14900d2c29f1c750bba296a6f4de73484a0cc98fd387afcb05813c2a2516a19c75883ee

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
062601341efeab65fa09068262c492bc

SHA1
072ede40a0fbbddfdf7bf547b35927c07bf28dc4

SHA256
e84dc3b4869f763c7f8e476d05caaef2f31ec3b99142c7fe60336b737ec43b31

SHA512
22058afdd7414ed26e369c7d2e8c45b0f012756d052b839d914187429fc6210151f7b9791f86d34925b60deb7f63eecbedc01c2d0841e0c2a289099c23d797c5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
51ea8ecf37f3cc0b03a0f41dd18e30e6

SHA1
f342a955380327bb075b6a017697692d5829f79f

SHA256
1d0c4d60f1de5e1a95683b0c4b84abd060d0e710d52c949cf1f4f5501dc59f9d

SHA512
e7baa7773c14d1948ee39d86582a5cc556cb52b10cb0ec6322e73ca9528e4bc6a4b3aeed4985439e3671d76c5ee4ccfdc55fa6d4b1b30266f3d418dfaf0724d3

Download Submit
C:\c4ceec7c28ed81ab44815b98fb\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\c4ceec7c28ed81ab44815b98fb\install.exe

Filesize
835KB

MD5
e015a2d8890e2a96a93ca818f834c45b

SHA1
30bda2b4464b1c41210cba367e444aed56502360

SHA256
dc1ba9cb15d0808dc2d80ce13acfa0b07acdfcfe2cdf94da47e0e570e7345f6d

SHA512
20a80b50486e938b92f3aef85e59307f644b69dc5d1edee38038182b57caf636f5f1909959f6fafcfc2e915010d2b3d230cba8300fbc0f63ee2ee3ad8ad64123

Download Submit
C:\c4ceec7c28ed81ab44815b98fb\install.res.1033.dll

Filesize
88KB

MD5
43fb29e3a676d26fcbf0352207991523

SHA1
c485159b01baa676167c414fd15f1026e3ae7c14

SHA256
4107f4813bc41ed6a6586d1ba01a5c3703ed60c2df060cba6791f449f3689de7

SHA512
ad748c63d912e194bb5be42f6db192b22f59f760e0536118dfa963fe29001e7fe635d035f31d86aa5e77a1d4f7ceabf27b03645d0037f147293af1e32eab57a4

Download Submit
\??\c:\c4ceec7c28ed81ab44815b98fb\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\c4ceec7c28ed81ab44815b98fb\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\c4ceec7c28ed81ab44815b98fb\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\c4ceec7c28ed81ab44815b98fb\vc_red.msi

Filesize
236KB

MD5
d53737cea320b066c099894ed1780705

SHA1
d8dc8c2c761933502307a331660bd3fb7bd2c078

SHA256
be6288737ea9691f29a17202eccbc0a2e3e1b1b4bacc090ceee2436970aec240

SHA512
0af685e4ffb9f7f2e5b28982b9cf3da4ee00e26bd05e830d5316bce277dc91dfee3fe557719ab3406ad866d1ce72644e7a5400dcd561b93d367e12eb96078ffe

Download Submit
\??\c:\c4ceec7c28ed81ab44815b98fb\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/364-205-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1080-203-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1112-208-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1112-448-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1488-0-0x0000000001000000-0x00000000012E6000-memory.dmp

Filesize
2.9MB

Download
memory/1488-442-0x0000000001000000-0x00000000012E6000-memory.dmp

Filesize
2.9MB

Download
memory/1488-6-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1488-1-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/1552-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1552-443-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2264-200-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2384-204-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2688-207-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2964-446-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2964-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2964-75-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2964-81-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3052-447-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3052-96-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3052-90-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3052-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3300-196-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3348-130-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3348-198-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3348-136-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3560-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3656-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3656-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3712-117-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3712-123-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3712-197-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3812-202-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3812-409-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4104-209-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4244-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4244-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4244-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4504-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4504-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4520-180-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4860-100-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4860-110-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4860-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4860-106-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4924-242-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4924-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4928-145-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/4928-140-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/4928-199-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download