1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Size

869KB
MD5

10a282f32a719259bde42e830363d4ef
SHA1

2b5cf071f99a8a1f85aab7b1a7b914b91b8930bf
SHA256

1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795
SHA512

dc206f3a0be15ed5d662448b0170d554eb0f5421157957d8864bc5553a7435f84344f4b00e58d4cf31bd98d68e5fe86a2994cd05a5182ed01360510018cbfa69
SSDEEP

24576:CGBebZjcbhouatr0zAiX90z/F0jsFB3SQkz:/ebOhTaB0zj0yjoB2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3172	alg.exe
696	DiagnosticsHub.StandardCollector.Service.exe
1676	fxssvc.exe
4476	elevation_service.exe
4652	elevation_service.exe
1084	maintenanceservice.exe
3336	msdtc.exe
4772	OSE.EXE
4672	PerceptionSimulationService.exe
900	perfhost.exe
4848	locator.exe
4164	SensorDataService.exe
1972	snmptrap.exe
3752	spectrum.exe
920	ssh-agent.exe
752	TieringEngineService.exe
3136	AgentService.exe
4440	vds.exe
3048	vssvc.exe
4932	wbengine.exe
956	WmiApSrv.exe
2224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\199c2961c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\locator.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\System32\vds.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bd45e326bc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018218c326bc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2ae38326bc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e43661326bc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8efb7316bc6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003accbe346bc6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeAuditPrivilege	1676	fxssvc.exe
Token: SeRestorePrivilege	752	TieringEngineService.exe
Token: SeManageVolumePrivilege	752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3136	AgentService.exe
Token: SeBackupPrivilege	3048	vssvc.exe
Token: SeRestorePrivilege	3048	vssvc.exe
Token: SeAuditPrivilege	3048	vssvc.exe
Token: SeBackupPrivilege	4932	wbengine.exe
Token: SeRestorePrivilege	4932	wbengine.exe
Token: SeSecurityPrivilege	4932	wbengine.exe
Token: 33	2224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2224	SearchIndexer.exe
Token: SeDebugPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeDebugPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeDebugPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeDebugPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeDebugPrivilege	3848	1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4008	2224	SearchIndexer.exe	106
PID 2224 wrote to memory of 4008	2224	SearchIndexer.exe	106
PID 2224 wrote to memory of 3960	2224	SearchIndexer.exe	107
PID 2224 wrote to memory of 3960	2224	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe
"C:\Users\Admin\AppData\Local\Temp\1cd99631e8ed6051a68e52ce32adf617379527a0a68296eced5b06e92c444795.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3336

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:220

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f80114fea2b98d66b431f75b9dc62ebd

SHA1
1316b4d376b78baf6a9fda1c8de26ae309912476

SHA256
012356fe3a53b7d8c5558def22b28ac82436f1507e30564150832bc4cae14d28

SHA512
9da2b6e7e40124696ac704a9adaceecea0d28b89bbeb708c780eb6cfc2237c42b6efbbef1355549dcfb53d565a6e6506eebb0cf3b86c979db7343fec2cb8aead

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2676dd6d52b0527d118d1106c904c9b0

SHA1
d2c4b1b91e6df310fdd6fce61afcc624e70c8788

SHA256
4916d388c75d1b75b3d22bf145e6aa88b8096e5a42d115851962ac91e111a825

SHA512
15aff4640d1e69c77e138bd22f3591abec7b9b93aebdf7f3ca4a7e9909bea0d8088e34bbeaaea5f4fa401de2fa579940e5116b41d205a434def4d302e961a175

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d164dacf383ed7a02149cc9c389ece7d

SHA1
287ade0778768fc2e2efcaaeed0a7d3c7ebb2475

SHA256
c163a5590550dd20981736df0754b30368347223dc30270ca47c8b6f30ba957c

SHA512
27f5f6b8da3717820b5eec24c4e8656f0f6cc6e2ec117fc6152b2e93c734561e20975a7b450993872b78f71ad8cc58b2371a2d34983e98b9010a9789fcacb2f8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
36b212fca7466693e3e548ba474ebc14

SHA1
4703a96f261dc1326da35042723c9fd8787146e4

SHA256
df406d548d4b9d00981fee8fe6b91f13c34cf07d31a6750cec84a0369bac8689

SHA512
8ca2dff797e93d2555966965628596eacc9a47c98df243cf23850f8f2a9e169d91785e94e424a4a79be69baabe0b311008b318c65b22de357ea11b808fcda3b6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e88d07a2a92323c311203229c21f61ba

SHA1
43dc0072fcf178197505c24716294feb09ccfc0c

SHA256
2c9979c63eba354e52d119b38f199a2623927fc4dc8624dd85dd40ea2c13c58d

SHA512
95b7662220211827f914e1a10eea9d7e9e9e638daaea255001cbd1dc435bb7d9ba30ac043611799a66f74af748c4fb658d44cf212d2c4a447eb429a7a884d873

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
329e84e7df8922ca7434b48a9faab1e3

SHA1
924f9b8a33ae36ed1786141b678824a92160905c

SHA256
1f5de42e9afb33246cfa1d87d5c321f08692dd0c242590adc2b81ccafd1900c1

SHA512
37c434a3524515ad7ad108f66b0b422ed11847ead865b710e47de575dc02aea3de93633c699022db9e05dca2dc663e988cc8d07421d07bd920c699f8c4ae11b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c6b250a6a63cc841ced090d70157a369

SHA1
6ea733c5c075d49693dae361734e2118561053a6

SHA256
e3a8a2f102c988f4de68098669e5024214e67b3caccb71a2e632850fb0563a00

SHA512
6d52ac39ea1f82886aa7d840551e3bad134f8b0a3ad220f47cdc96139fde968c0d6f38ae184da66ec5160e4eaab4cbf0e187c8135e1bf555b5cbe8877cdac51c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b8bf9ca1f88b20cb89a8949cb8f0db1f

SHA1
4850264136cb77797faa664ffbb06e6d8b4b4d40

SHA256
be4b9c9ce012a4efa80ab2001034d006e175c431b7cb667c1f9737c341edbed5

SHA512
d8b26cbd76d447d13c6d7b464a06ef05e202e61a6ce909c67889eed1561d9fae743c8835c85a05863b177046ab2892210e7bdd75cfaa77e9452fec25e7d5004f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
adf3ebc9254d58b93ba753bea1ba1ebb

SHA1
3f6e7742781be0a877aa60593bb8766df7a38506

SHA256
113320ffeed33e64fd5c16b57daa1c796048ef4cf7b0f6b0b96d2dbab5ffe19b

SHA512
af523eb83c7299e35d81d3d40a0d6b2ab1c8999b3b51805d29d2b94315bd5b404c2552ed05fbe67ea1afa3724abb1813247e74ba028502da0a83a01d1782ee97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
53f3d49473357d2f68df348b18ed6088

SHA1
e20aacb8ce181bfe8ad2bcd89a8d359e88778073

SHA256
e8f484ecccfb09be01103d9c59317216d33da4d14c79569916823be6fc4927c5

SHA512
23331dc88254f2a4140d97194f38f81cb60210a1b3d583bd7b63c2871419e00b065b04912078b8b3862ed09db93c7f60cbe90c1b5295af5eabe189bbdc01857e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bb4b36b81872c01ef100efbdedac38fc

SHA1
729cc05a3353e6c2e2135eb89995db1b491a2909

SHA256
11877932daed2343a015b62d7e349f8f357324fe1d9c053567198f987c38be39

SHA512
738dfe227143eee17138e2b4ef37275b40cdf98679aac3680eee9b822281f7eb0e01a8a8f732e75f169ec7b27a885c5a16ea926d1a4c66a4687eaef91f1c19fb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
02b54fc61f66ff634bf5839ae49c04ee

SHA1
73bf96b88839b38704c9ed26547facb26d4e7a78

SHA256
21b190eaa78580bb69785ce701180e1063b1bae659ee8b850710e90c4aaeee9c

SHA512
645bdfc11f0ac35b4b6e94fdb455cedd029608db4ca560a507e6677cc5aa95c20b95dc6b3479e2dc6563a92f4198b163b1c34233fee27352f86573f62347a581

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
33da75d90043782ba7678577e718537e

SHA1
16ed12dd844b3d93309c0805415a116ed5cb72f4

SHA256
f304c27e32229a2dbbfde8224b25a9f1efb2cad5f633f04547be42dbd4073a1c

SHA512
bd8cbdb0ef8382012515396ec000731ffe01d9ae82e09531c7a02017e053e11b7c51ad4e4fbe3410b51a9940d72ff59c98f58cea42b7b0057661d20b58db3a26

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
34a871f21536e0a55335ff7c92b1c55e

SHA1
5fafeed805c50f3257c0b0fef7575e0031f1f95e

SHA256
6cca8e3bf0645981f5cf0ad6443dde48f34bd4db3a8f45eb1d513df1647cb707

SHA512
14badb692c35a1cb0213eeff890b21c3221addba9d16dd7ac11650ed9d8930a0348ce2e44c35247faf46902997d51f612e3652b8b5c067966db17abb4a53ef14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
372853d1fc08f9c146102e49e46a5833

SHA1
112a09e224532b38436b5f78bb7f10a9877c5b48

SHA256
d10908be37cfff877a21135c42d1103c65254eff131f6467e3e00498998688d2

SHA512
ab99c55dcb17f1b059acbd733273fb25fbaea9daebeebd684707a2372991f04cd4c7a5b9c8791edbefa4a9aece62da36f30b3f5db7e501e5f7f70e86b9222d79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
16ea51a3835e20026d7873b26a68a6f7

SHA1
f8831f38cf81a288499a92ab9163b15ce0c90225

SHA256
11f45dfd39be8930eef1ceec2f7e7e7f7488a64d939584bf208ac14c99aaff1e

SHA512
4d89c7059253f10126496562f330399d4105c94a1f32db1d6d6381c55cc03d1eb5723b2b034486af9cab17c7fe380ea7b63edb42e6932ac0928c2cec646c46b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f64804701ab4f6dadc7ac45feb50a8cd

SHA1
cfcea3c050556961cef30fed8d3dd806cffd8105

SHA256
38733246edb1e162223c05d84d665231377d2292ab8dd1c57fce727ebf1aad71

SHA512
f426100f8e82edc540bf5e23e69392c2b708c633ab8f50c98d69d2051f49d3387f2c6866e64cee6409326a124b277b659d605fcbe719e30c6719df9000fd96ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4ace7557234d1730ba7ba3127dbfb292

SHA1
50783620c80753acc082e9bada632aeded3a8f13

SHA256
f67b4665131cc943434789c4987f694fc95ce7495e1ebac23b91c6a55926c54a

SHA512
c8adab58d31201e30eb223aae70f1b991c7eea9f6b4561a694fce839e3873347d606c7a6f110416841bc3718ee17ac2de8ffcb777b6e489ebd0d0794f307a17d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7f430bca450cb0ae2d916b92a1371e28

SHA1
359e5cb10b8124ffab34ea4145c293dfa53b6403

SHA256
4a3e2d31383bfad13e86fa02ee0bedb8b2393d353bae3d203ee811953987dff5

SHA512
ad961f1cadd50d47cb1fe5c1e8320c9867da1a97cdc42c798512ea7e63e70c52fe57d55001b0b5446de37fe33588bd3e791779c4e89612a0d61e33ccc13962d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
547c99307989269c7690ddf081c64015

SHA1
abc4d256ea5ef0ce6163d724d52e670a26660082

SHA256
929dd8e03ef9c5a20eaa3cdda9d092c860b5d3429d55cfb7247ee298d5ba0699

SHA512
9d781a2e484f06d4f79909833f4ecd7be3f7c5b8ed306abb785894c1bc1a28a334790dc05acfe7c4fabc8dd4c2133006640307d411bbae51dd92eac387ae9eac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b9707adb559a06d7bcf970480c886f28

SHA1
a33e1c90b54f81e063f321bda305df2cdefb14d5

SHA256
82e4d68ba67466bf657d9c334cb44c93178e85698929da3bbfcc99ae5a9a2f4c

SHA512
97323036ad54510efd7a19ee647783ff7976a2e0561d3732c5c1dc067e3201b83206647def71b211ee454e185d23aca5ff80f01dcc7e3b293db4096b40f8af11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f9572be6b6df09dedd5f5cba258a3482

SHA1
d748df8c4c6f2772de359667dc858b64b15a43f7

SHA256
b72a28450679db86dd9cb3b074bef515499147b26cbfc88ddcd610debe668c0c

SHA512
d4c9062ed1568569b00799ec55574e3adad8d9dfa0a507aaaf0953e728d8953b1000bba4f0dce6d3898cff07b545ff11d1d8c956504539b8c92d9c31ed2d79a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3673548a95c9044e8bd0389f1efeea5a

SHA1
21e07767eea59a575359ccb5c27ace456deb4132

SHA256
90fb80aa83a3af463d9c6b435d4fd7148398d60b1cf6c1b791432ca3334ee886

SHA512
064d7f665b9771aeb30cb653b7764cc0cd75914f0d29cf725d5bd0c142269a1ff44d65af4a82eb3a4adc0d148c1d59438e7b7808f8d67fb7d1c769b2ca134045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
788e39dc74713725601b4b00eab9993b

SHA1
5c67c91b9466595584fa95114ed705d873df51c8

SHA256
502dccedbde498d2b035ebca7a8790cefaa99eb847d546193d951212c9b89b99

SHA512
f794c35c2bebe1f210981fa7f84e7fbec7038629dc1d2aa4f3ce78c8b7a6d708c9ccdba5ebef1fe66b9126d48fc7e2e5724c5f3b60a84607561ff544e6975951

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f575e2398d869ea3aeeaf1ea2fe1060d

SHA1
b5645bc7f7a8ad57bf3b18fe8703757f378caf1d

SHA256
81a508f8be0e5853537ce5f70879af3e81c174e4a089cccad9c48c4cb58280aa

SHA512
2cd776bf8e46907eda0e38133af735692a750caa331746a4896403e9cd2cd842f55936c6b49489a4a0016f2dfef91b4dd6784ba62f442ba45ec76a1f7d0e388e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
75fb683dedee93bc826e6891422103d1

SHA1
01a6fc3f05e93b8441cf78350da0f5e911c74d36

SHA256
f218861bc7c47fa69cbd21df54bae893f09d645e366f7cb91e7df13f5097975b

SHA512
4b27bb974d4742673d985538f6ee55e21cf8ed97e128dd85244a8d502084a1ce82a10ddf6ce5090c9381ad9d2b3b10d0833df625a6a563f1130e3e5a54d56ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f3e6802ca597f86e5d96ff5102fd1b28

SHA1
d049f1dcc84c892e2d1b06072b0e63543d90ee87

SHA256
59208d5da37b843c719e5498a5747703e075aa981b4af4bfbff5c79536fb808a

SHA512
3136d45bc832b2f71f0978908f262ba5baa3d1fa5cbdc9ce570a3aa1b071ead3df14c1b8b71ac048908305be3e9d1fdefd7259680730629132762e9d81ae9ba2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a8c528e662bcd878a7c8054b4506132

SHA1
3b1b44e54fb717bb01f3940dd0ccae5c12596247

SHA256
a1b5989ebaac860c02c9e9917efc8c308ed43a5d3f54ed64d25932fabb6b0fa2

SHA512
d01cf696e9c7d6b39d5d7a45452cd8ccd0def5910d530147cc7254e8a25da991a40b76fc971200a54eb1d5d159889567b66f296f0ed2734b96afe9d0d8bd14cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ac530606d0c075c0d750ecc0cc5574b6

SHA1
630d7fddbaf89aaefd9b046f3ef3e16478721a42

SHA256
b78372e7d582b2ab1a3c4c214492afc24468f2b547789f123fdab837d5175ce3

SHA512
bece8786ca48d69648d7bc0b23e45c5a7eee1dee312844d0981f4245e362058ffc8188e70fffb8303cf701f46b7c9b3b663c10b7d2659b98907d1e0a3a5f9e64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c27680b34fe63f45bb87cfdb6d718fb2

SHA1
d412a0fa4f025b53b930923c614395a73892a835

SHA256
ae74f6b7c2deaa8b461f513cfac061e43d10b7eb5f287caa6e54d14c5024cf49

SHA512
e3c40c3aa4660282627ebccdf75b7961c2a5a21e49057a6af8db1a8315d7582478f6aed1fe8e503a34ed635a2d04e74fbe7452a13d33b469585b71487e4646b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
68b8a53416ce823b0cc51cdf233afe20

SHA1
541c8958591066da3615a98376622ac679f01827

SHA256
e734ec2d2abeebf1d5d0a375548681e6d0545e33c4383765e6c0c28cac850766

SHA512
8d7bfc6694eab27ca87fc02a85f4209909ffb9f86a5b15028108e64baacb44e6f772dd048c005b89754714fa4d297daa629bdf0d36bfa5434accaf060e7b5331

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ad0fa21e59a3494fce028476530a6e04

SHA1
5890220f569fb9b1eba34000249819cb44993024

SHA256
ab890750fe3e4cdb5f15e115ed5ce11c109c407282a4546247105ae61bdc95e6

SHA512
915dda6fca32995f660b92af4e02e951e16d8a4c65deeab5edd26eca453578cdd6ddba43e02c7799e359af9eba03375b67c4fcbd72ae6f9048642d5b652f0c94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e8150e6b6e12e2b7f1692577fc59f1c2

SHA1
98122fefffedf03902367d1aa2496c0c00539814

SHA256
196963987d82cf2a8dd5d8c732c223666568578a84a4331877b0081a130577b2

SHA512
60f97af4cffc1f2fce0fc5c9b25b30da5344f0d66aa6a016231985d71132872104e442c3bff73a9524a2517297c0f667525ed504f005a4d7e2206ac74e7304fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0c60123ea7e1b32581579fa8a975d330

SHA1
ff00af4b31dc7c3a071ad1591d86fde8320b8872

SHA256
4605ab478b5e737ad00f0047a9e25e325dcd7dc45ab134d017117848a08bcaca

SHA512
8b29390e95349e434eda6aaaf09a3b0d2191e9831e9bf38196245ccc770e5f9197b0413632dfb88b44d51cb7dbe2b6808022078be94162a304aa0418effc5849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bbe823b9f627565e537cc58b2d8550a8

SHA1
51acaadb63f73c05800cd5d56152c8054e497721

SHA256
2bcb85bf8025cf26dab2afb9196410ed997fee5e469634c778a0b8c63c24c50e

SHA512
6fad189e14bc891970107df37d939c854a97f1122dafb4496f19d141b853449d1aabf12131006dea7e1673a529ceff06ebb733e71c6c49770599feb6355e142d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0871c5ceee1bf26cef935ea1668eb2c5

SHA1
b733336f2752672c24b06b0c62a5b07c8e79f391

SHA256
6de3f5f1a376384279c28a7fd9d3a2895d93f93ed953c01d8b56f7d29ec88725

SHA512
ceda50e86ea67e2f01d5b1bc11ed18ae440213962c7511cef6a0b3521cdba83f8c302e9af2c579b3d18b6a152519a7c489bc1091d9b74be238a1155b7664edec

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fb31b666ddb8465c9b89cbdffddf0d98

SHA1
be93b0c606037b0447ef43f3e97834a9df7212e4

SHA256
2be17687e139012ae0989ec98f39f0c1f4e6798419bfb8e1515d5aefb8848c7a

SHA512
3095afde9d2bed4debc450387a16b9e6cc0bf8829a976a4b48decda5510c004a4c957d7d7e91b6c8d48b9c0afc4cf46020a2ea2170859738c9e50462773e1419

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ba9815e6a451a1da2f2899212c11fc45

SHA1
28d660052bdc6afb45d164ccea4440236c828b24

SHA256
5e39fcc9960c75362e47756202e0c78295f6c3c8dff5d32da555bd5cdfbd9e68

SHA512
4fe2153cda707a2cf3132527ea0e7e3f1dd76fd39a0836041d8875e3112cf548e0bef1c193615e8bd7800c34e903d5bb98094ba367a7694a5f4d372bcffeab66

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0b582647db50677024636579bdf567aa

SHA1
8acab3c475a888c945ebd9b164aa2116b134d5af

SHA256
de7248b9268c0f70c9516d43d96365b396b9ecc439af31e44b5acba72d75cf23

SHA512
902a5e1649b722c30f90f730030ab6bd6bead35dc73765532b2e691652ff90d791912ae5742fbf422ddfc82c21674f275638d2e5a9fd61fbc552a7f8a0872e1b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1dc06bc26783268273191262186d8c16

SHA1
0fa03a9ca07c8b13002cbf2997cd7822afa93aeb

SHA256
7279a61d13b62a5bf1b7b56100e17ba23326342db0ed2f5d254998079cadaa8d

SHA512
a42cbc5203e8aed44166ff1294f5447000dc862aa514d0848248c9bef9e0fe563a1700082da1789c8ab53f99de1dfaf8c1c8a4f2328435d5dbcca1ba720a5e5b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
82c7dec392c3f9c7cf0c9f2beaa92568

SHA1
3f260c1c5ea69eec298f85f94ca219d1341a0896

SHA256
43ac21cf942ea2a9aa6e85c20b5f32e4e2ad5596a7650a0be9a3b8bb09591b11

SHA512
a976735a69a094363843f36fdda91c5f10add8b1418ad8cd367793b2667728c33b85b39cdbfa03f2a7f628dce11cc1ee83156a2b0dbd2bb580e3b7fe58487fd1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d442763a5b637aea65f6966d2907e7fc

SHA1
19225b871df7df966591c0f2bdbdbf449f4f024c

SHA256
32c36b373c8c6315ef4284f136ee79f43e305134bb55a8111a02037bca53c07d

SHA512
fce921619b05b57924c8d7ddd36ac6e82bd47f3b9b36f5c13e15d61afede48d53cc4d4ebf94f4c8fa297c64fd8c9d75f4019bcd918f3ed82f366c2a39032e8f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4fe160688c0611177bbdc43ae743e897

SHA1
bdf93239982aff9148ac6bc23d8091edcf1a84ff

SHA256
c142208c2c284d8271b411c4e3aec0642540164923c81fc8d87774d918218724

SHA512
33314432c59cc633e973fa37c84c1459dcd2a5f65cc9ec5b5807200d888600f3c01b271629511564f361401e0b0e6097ad06fb4992916c8710d1e7b584edea3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
13fdf43bbc6c4c31cf614c3bef2f9f46

SHA1
1d09e907d0e6236209f91bab841882b5f0152862

SHA256
41cccae925ee63f88c637bf076884c08bb786e14b69990c8401fc32fdfe980a0

SHA512
72fc27ba021912122895eba501fb7fb93ec4f092df9bda906a6a0d01d33888339060912ad52d04ede1546a664648ea4083c917c57aff504abb8e2b510abf014d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e653d58c93d142a0910373021349acc4

SHA1
309873cffb4476c648d5de764a9332e48a0b8f65

SHA256
b55d76c2a4537cb9349ac03905d01d79632c83b7fc19aacc32c12c00d59c2dde

SHA512
656bfa1f227bcfe998bbcd51f54577fb0b03de8531b55ffc611746117de2448ca58d113310811bff3e09cb1617e8a2f3f6d97de46dd48a5a1e21c9c985ae7aaa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
40a86d391e448f01ecde01fef1534bb3

SHA1
b97c4bd289e8a6a71321a5ebe8a16e9043474dd8

SHA256
ef3bc4f649efb14d0f0c299980fabeb069a06e446522722d375f4055831747a8

SHA512
160f94e4eb7904a3ed1dbd99cf997e9c3555b2f767c8ac5f0d67dcfa1d8f5c83c6f6440ba395ea1850a3d38597ea3fc85998831009cdf72681cfa5dabdb7dcec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
02a10e2e5b2d4f45b657dc18a8d76163

SHA1
3ec4f5e4818d114bffe889e545ad985c50eead10

SHA256
ddfa7811eb06fcec885902072889b34af2feba1aa4b311931adb3f97cfc1961e

SHA512
e40c13e9e0cb79565588e0c3f9c64c5c3fe21c3115a0d732ff15f8ea1fda533ed7b9d66a11b554a3415a086290010b6529f270d18e6721bfe91a2144182ae3f3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
24d4fe249ff47c382b630052429d192f

SHA1
a4a6211f433f779f3287797941fb8b1af0436f44

SHA256
32af3399ce2ef792e243ad980096f9aff7c8c498ef7da444402cdb58691c33a0

SHA512
739a012b610a10e143a07c3949f3c7ed3edf2cd6841b996aed1d9cb889ac2e396c128fef6021971d6c27743b3713d6fbd0932f7f125d5258d303b9a46304a596

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
906d0c7cc8f87294a942f9319bc25fa6

SHA1
e13e2575d2e5c19efc1d06e1a87eceeb6695279e

SHA256
52eda848cd3e26ee185e52a90db7e309ad5a13880d1efe66404808eab0cb9d08

SHA512
3f5b6978a9dc4ff93aaec8176ebf14ecead24c2476bbf05c41a675c20cfd06dbd4a31807b124c3f63d763ae36bea65eb3b5c0a893d25ddd1e0d67f7c231ab8cb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e26408e07e449fcc2fe8a4e8d640bc1f

SHA1
5f349e41b97cd07efbc7aceacf047cedf25d4c2d

SHA256
a39c7ab312f8c2f86c103ea32bb716ed61f31b2fc7b9e338772269bcdcea2d06

SHA512
5c0c484ec2532ed3d47ad7ab4c4cf17c681a810603ecfbb241a8d8420029f89b1349df23d3de3beeca7a83c2b285f20d5e9da9dff8faaddc170aebba2ccbd1f0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
000f58cc9c8d13920f55cc509b3eed26

SHA1
b20813fa5785150f1e01f516a824581f3d417235

SHA256
c4f9891106220ad396715f41c917c6e2c5a72b063d5556f2a0d0f7a1b09555f8

SHA512
c4284cf16d8ec489381dd68c6a0e981da5284c5c9099d254b6fd546d70536ad28796810d83cfd4dae3fe1857ca85e43be707fb844f936ad58b3b4aef0eac1a37

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6b9aabd9d1725fcb411f119cb6ba7d9f

SHA1
457bd70ef24abceab78afccf033cfe47a0a7f814

SHA256
2b1a3d96c6ba5011f26abf969859cc3d9695b2659152b80577fb07f5969ff2de

SHA512
9e16912f08ff9b20f4b1227ce9ec9fce44f8854b7a1b4871dd3938fa548db19d0365ffaa091b4d69fba0385c261033e9b8509716ede2b9bcd01efd9b58c8378c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
57f5e530330e8ac2e954a422c2e0d47d

SHA1
fc6c5b65e2ea1dfcb401dacd3c346e487abf26ee

SHA256
53b7cbb03a816ee0aba1b99e82c6e597a7fe89cb98f51d29a6470bf6ac11abb7

SHA512
8bc2ff01e0ee14d35a13351a5f82c932829474b375fb5ec28fc36bf9e1ac01379ac0885fb5c933740fc40de578af3ca58684f0e341f83f9eacc8443f861b19be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
41484cd33a035028787b45d79a50f406

SHA1
9a5e9e5f30e6f85a769be7f33040499a7a99b2e2

SHA256
21257839c248ceb7f19d083df54130ed0ea4d7a7b98241504e804076f5b5b521

SHA512
8c79af11af96ee1c545c14855c1f54ce12b41e9c5472af2cf63fcdfb4e9b0d5d0ef68f5bb02fcc3e4ff3ea5c88134e72accdbabe3529379a470f0771bf4c1bab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ed5a78b1e90414f7ff2aceea9fa26479

SHA1
442d919349f0b190f9d05191452608eba86e539e

SHA256
6ce8765e9c35b3061fa1e74d333d8cc85f7c6a66d5204edb7c5c5b14750cf771

SHA512
d505c211df95a8be05900c49017134e07bb499087c3cfe76f3c7362b65b089876b28c3ac7bbe36bdb4d6d46cec40d95061f4de4df539468027b2fd6a0b0e5ffa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ed0e56faea5e34d0cde7c82b5cc3101b

SHA1
5cc2626a21105ea08e98324db8aa361472533360

SHA256
bed56d48f886ca51cb4e379ca03b516822e3ae22ddbece6c23bdcfd8c131b55a

SHA512
faec43ae36347f136f79b23b9828613aebc399eba3d03309eedc9d199474a2691320e75d9a8cf2c549b40696593f4adad922c6addeebcd9d997b56659ac452c5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dfebfd61c08a0ff9263134a8be2b1bde

SHA1
e301d3cec146b4a90ba13a0cc8eb2a5c00efcd2f

SHA256
234e951861a09152ab53704679495bed95acaa25a0988003d3c862e75e15d62d

SHA512
695a16be2ac33483a5ca903aacfc9582b5097e695fd0a88ec546fad742ca9b922b009411177697138252bc31330fa9663360dd103848d5f0d49a0842e6e1d113

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fd76dd2e350bb5a989b74ddb27ca5e08

SHA1
f487d897f13e08b0559e0c82fb63eef9a2c8dfce

SHA256
bc20df1ee09a29b7a1c4e60e75a2e7882c5d0e741715def8b5e4422878a5eedf

SHA512
3105796c2e816716e954f44276bf25fab5d1a67fe4244012d80e59cb79faafd9ced175cbb0a2b06c38c5d39b6c9c5418a34e75650f5c82700e9a5a57d5670032

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5e7143f5c6949b0448e39251f4734f31

SHA1
f72d60ae8d5e565a7b8b3cafe8999ad32182f79c

SHA256
f11469e5e09a40bbfb6f3a1d31d3b622ee552e9e91a22bedff340b402e8837d5

SHA512
907b839142ff6af7e1a7c411907fea88956126507c6619605e9d1484a812e032b1ea218faa5946b5bb3e7b2bda25f06f48ece4957aefe53edf690691f084e930

Download Submit
memory/696-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/696-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/696-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/696-34-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/752-570-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/752-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/900-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/900-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/920-569-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/920-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/956-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/956-576-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1084-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1084-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1084-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1084-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1084-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1676-39-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1676-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1676-47-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1676-49-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1676-45-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1676-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1972-433-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1972-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2224-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2224-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3048-572-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3048-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3172-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3172-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3172-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3172-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3336-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3336-91-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3752-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-481-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3848-6-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3848-0-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3848-64-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3848-7-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3848-1-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/4164-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4440-571-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4476-54-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4476-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4476-60-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4476-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4652-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4652-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4652-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4652-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4672-127-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4772-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-133-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4848-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4932-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4932-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download