894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Size

1.5MB
MD5

0c8c4c4e902579c7036ca6c05f6de3e3
SHA1

a4200139f0bba4d0a96447fdd5e15a209edc685e
SHA256

894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6
SHA512

62167021d6bda8eba23bfbf43d74a333c134846122ed7a0bfecfa27382da3036e2fb18f3e90c1bf701c1a63d089063f8d5d0352c13bbf0cfb0f04fa6621bf7fa
SSDEEP

12288:zkswYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:zkRsRjhm0Ijr/eax8JXO02q3A

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1300	alg.exe
1532	DiagnosticsHub.StandardCollector.Service.exe
4964	fxssvc.exe
3988	elevation_service.exe
1012	elevation_service.exe
4780	maintenanceservice.exe
528	msdtc.exe
2444	OSE.EXE
1932	PerceptionSimulationService.exe
4956	perfhost.exe
2136	locator.exe
3548	SensorDataService.exe
1092	snmptrap.exe
2772	spectrum.exe
932	ssh-agent.exe
2376	TieringEngineService.exe
1400	AgentService.exe
556	vds.exe
3368	vssvc.exe
1936	wbengine.exe
4040	WmiApSrv.exe
2344	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\locator.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\System32\vds.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\612507fbc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cb62298b6c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067805199b6c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000637acd99b6c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edee5b98b6c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007287698b6c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4cb9d99b6c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf6ec59ab6c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0be0e99b6c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008683b99ab6c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe920a9bb6c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeAuditPrivilege	4964	fxssvc.exe
Token: SeRestorePrivilege	2376	TieringEngineService.exe
Token: SeManageVolumePrivilege	2376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1400	AgentService.exe
Token: SeBackupPrivilege	3368	vssvc.exe
Token: SeRestorePrivilege	3368	vssvc.exe
Token: SeAuditPrivilege	3368	vssvc.exe
Token: SeBackupPrivilege	1936	wbengine.exe
Token: SeRestorePrivilege	1936	wbengine.exe
Token: SeSecurityPrivilege	1936	wbengine.exe
Token: 33	2344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2344	SearchIndexer.exe
Token: SeDebugPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeDebugPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeDebugPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeDebugPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeDebugPrivilege	1904	894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
Token: SeDebugPrivilege	1300	alg.exe
Token: SeDebugPrivilege	1300	alg.exe
Token: SeDebugPrivilege	1300	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3008	2344	SearchIndexer.exe	118
PID 2344 wrote to memory of 3008	2344	SearchIndexer.exe	118
PID 2344 wrote to memory of 1112	2344	SearchIndexer.exe	119
PID 2344 wrote to memory of 1112	2344	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe
"C:\Users\Admin\AppData\Local\Temp\894f3f507500393f12b57937398b79d69f9f5ed480dccec0e60a4f68a32607c6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2772

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
9b53c12a186c2efab2820d780e2514cd

SHA1
d84ba539a935131e0909ac5427bdaf6044862460

SHA256
5f2daddc5cb14519f683509852ef19499fe50533c1ae5d7df75e8c55ebbf8a49

SHA512
0b1ca871458d5561f9ddd661330d2d33d4e30a0b2b80eb9d51178d5a1d94c09892eff05bb5086958ef6d9488fdabeb164eb1f4dabdd6a2c2fcf1bc48f0985b21

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
9e3237612a9e0d96e8ee856cb316d1d9

SHA1
903701d2bb44d44ea95735d6cb6b68f6cf93c82a

SHA256
9f8f9b5b75bc527e657821c62b6d2e11002640425ecc4f6c14abf7b2779928a7

SHA512
15313b02e0e77166999c680cc7df045ed9cf0d0e9b7d62d854f461f6d530583f2b182f5fb2486d0b5fc6ce775ff94fc5c0a0db4481d39d662bebea6ff538847e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
3da762532e9695be577b80ab17b3d30e

SHA1
e1618d2b82a45537816e7bdc46306225f8f76d5b

SHA256
e6adf7f52478e317ff2527f9b1da0140fe212211efc328d311661aed0ae0f722

SHA512
8bbe19dda6d6b67d05090f20578c71a6a2bc0ccad2c5d0b5828c710d166bbb77863a7545c20933a7727d54be748818e8016c059c8bbad9d92c3b29e7c98e4e6e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a1cec3557ffe89018594bfe1d3d69638

SHA1
42f9598b90ef375de099823044a8bed161ec1025

SHA256
0c9725b1a0d26bc317b661e3176c71e8cc4f68dc1c08879c8c044aab68a2826a

SHA512
95ed086ac47d6b774e68602f03ea6538e97dcfba8f8c84e89a24dc1424e412763666f576a1e784b58134f05cfbc93cbedeb12b6c3f8194f5f11fc890350cbd61

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8978d031bd442e4aad411bb7e338f91c

SHA1
48e71e4a2f95acfd1a9b2f75c8fc6d51ad375d59

SHA256
1d1c936243e041c3141dd026b5499e2098966c28ce915148249519ea5a937766

SHA512
ba9171d72094f9ed88980ba259ca3c935f46380719c351e11b23727b761ee40767e3aa04260e9cd3ad9eaedd9d79c9a5ba7a06a01a6baf212cefd75fcb4c2730

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
5d05326e1adf93aeb6471d3093d59dfa

SHA1
cc31f0130323f2053fabf14cc1e721e8e6ba7940

SHA256
2250dfab2220b5f9c044172f1708bba113572d62cc7d1fff92d91fce47c195fc

SHA512
274c43a4c6a94dc8aded36594e58de192a0f479a6899ab0334bfe7911afbeb598c7d6cd41a062542d55dcaed9ebf70bdeb52e099d2123d261bb454118ecf7ca2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
cad0558d598d9bfcd50a9047509e6225

SHA1
9aa57977b92f9b14adafd67c54e9b9f3129a86e0

SHA256
c0a34dfc33eabaeac8a352153f230b1ceedf378607f3d587e53304c71c229adf

SHA512
aacacdf40e12712067287242d3f2a05e69d0bb4b8e6276f1622407c4a17d125822a5680340514502c492dcd520049a7db9f62b4aba07701f2c7b2495e608acf3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fa58727d6ade05b4da0a5f5f34c7a1e0

SHA1
7257e8dd33723f9badd43a1b425db676496f05f9

SHA256
17dd8b6665a6d2b632cc70857b174734979dd0d1c2406c6eca0e38e5fe8e6635

SHA512
22c03dc3432629e1cbbbf337681b53406e541ed70123d5dc4143eb4c35e8dfa5e99fcd957b38ab85ec28b9f6e8ab93c738c372c7aebb0540e5f2a2023e87b44f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
d4b1b1bf1d4729a6e0e43ac39dd54b17

SHA1
a1ec7df604d362e18c85551c414db960054098ab

SHA256
93d28a44e0a0eb2ed2d337c2f86fd41c9177b1037bf6e16af68b2f8106f65081

SHA512
51098590be5d1ef4fb1e949a093b5ed3e2d3ff742d681f8c1e2949eaea956bcf89f8fa28ffe62b372a0bdeb90502924e9482e3d2cec5e36f8e1d2f3002e8c157

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
94ae9a0d634dd8154a7222b714c5acf0

SHA1
f563a5071c893b254cd928872ddff2f0cca74149

SHA256
0d493d8f5e068575fbaf45e703e47d77b25647429b55e9357b6b7616130a4ab2

SHA512
d4c0853c1c2bb14e85a72c129ee67d81bb0506a86ca13368655340abe4728fdc191faaef080d8fdd2792426d5f166b1fb11c202297ece2d5acc9cbb6bc4d59f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2bcd58f19fb7855dfab7eae14a2103f8

SHA1
1e1dcabdcdd9c2a79d0ed8b65acf26acb9a43636

SHA256
a51f8c8f098ae3cb00996646b3a6d116c89cd873a76f98fcb5ff2fc20f209ac1

SHA512
038177c352eb1b9f856a5067010c2e7a550c44914177ff19d6f79ecb55732654b3bf07b3c4dfa8561b2bff4582c6ff3fb1b1de227e9edd678285232a64b59f51

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
60ba7cf0fdbbcb3bfdd9d682b6374359

SHA1
c13e74e22264b0ea6086f6e889a549bcd893cb88

SHA256
dd3db57637c708cf566572a78ec923109920fe1601817a4eb4ab177ab92dca7c

SHA512
2569f9f5fc71ff0f41c39335221ff04f1a050af6073ed99d6cf1e01cf9d1e25849d5ce57ef0106168a083e485974f9cf8277fcbf5264c12623d318bc8bf2f996

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1e9c587cad45277ae4ad1cbff26ef0ae

SHA1
55a32b82a9ecee9cfb3f9206cda60cc1cb90f069

SHA256
f0d24a85ae43eed41f86f9f24cc428d843fe5bcfd643364d900c3e80910c50d3

SHA512
770b2456331705e8b0c443b5fd6a14525bba1e21fdafc355ca83f8eb7346e8607dfb02abd8435b018770f0621888cc14db336a172e26aee77e621a40da455b42

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
01162f17f87657c94b804eda65657167

SHA1
0d1719f321d9231c96b9241b81a347bfdbdc01dd

SHA256
96c6f044323916a606509682a68d7d24947e25163f4286bc52fe4724e2cd6167

SHA512
aa13b2b427a7b80f4d55fe6bb6bad0b123bb8ff3d7396f2a8e807bb79ea622f867ba5396d338c9372897476407f535845e84ef19c1f34b1c340a572b0dc40519

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f6553aeb6af6baa9025b59d424e1fc96

SHA1
80a5515be21b305a601080b1c0272a86616f33ae

SHA256
5fea90e6d77c4fa6df6fe423f4bf9f256f1c6a47d9e21bbefeff148c2cbdf0cf

SHA512
5fe22a98f41c62d861d4ddea8ab5a1850f451d97720e649b733da7868ecd4f028f9cd8cec94450b68f2a90d91b712a70d1a80962da5f095f3624c1569c483915

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
81186dfdfa33a3eae3c1647d5abb3482

SHA1
d3b55499ff6ab8ce6a75d94997635b64041e3e64

SHA256
4a4327c7424f33a23090b761573d7eeb972757177b34175a75f1f28f6878b3e1

SHA512
5dff75ab1031fcc3320bc9fedca5122a77b5460c217f3beebc87e7c5e539a7aa89125b5d231a594ab5cc44cde7d48ba21687977a0126b39a2d2ac57a51a51019

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e0ec2eb167aff4aec7dc5152fe210c7e

SHA1
b5588836d828bc2faa61a84a5cc20ad5a278e1dd

SHA256
f0c1d35ebd7a4fb79c598ec6e73b1d72ecf51e1f91682ae0c72169f6e82a93e1

SHA512
834621521c5830acdf4f48f7af828fff1a66060cec7966f27be6f21ab7383e78aa45a1f56d7867db84c3d0c5ae9d4163d00facd648d7913ebec5920da1b5c173

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
690166e21060e4048f948b75191eb8cc

SHA1
b69b3150a76903b10faa367ad3cb26a96869572e

SHA256
87b99c2fc8f5782c337d907ec9e4cebdc34a050d7c25de41dcc2176266c91633

SHA512
a65819dd71cb260925640a5e56c471997a64addc5100837d948a2fe342592267dea112674a62dde4fb3c280db18072c3e6431d922153646e26a2e6eda3b04d77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
91f4b8c5d0e129900559b33b396ffffe

SHA1
1d51935f9595b464b9074f8baa42d77ab6ae28b7

SHA256
69ceb1d3f93cf68820f831661abd1e60864b812a6efe3f2094fdf7278a4a9776

SHA512
841ca917e04e8a4dfe18dcb07f0053feb202bac7ecd0084327b9650bf948800a3706a4089ed45c60c47f9a6678d5558c48707aea2325e7dd5a75b2cc1e651014

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c3d7bd7472740b8161c724244d382984

SHA1
a5d1e9bafe9cfdf13db0227032e7455ebf5e1ef6

SHA256
06ff31e273cbb420f4961788beaeded0c85ecad52f28d66024e8e5f3b6e19b1b

SHA512
8fa00052379796d87bbdf4d37a36dc2c02675f0958c82b36689eea287fc24889ca6d3ed5b9e23ca1b49c384ce0f51712a7e2e87e97dc1b12b69c87496567cef8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b8388c58b128807b3f708ba6fd67ad67

SHA1
54bb9a6ba212b81f33e7ebe2dae4756e5bcfa8e1

SHA256
d39e6fe5a9d6b3d5ad109d034bcb162f98755d3be1b7a085879a6695e18c2d38

SHA512
1fc07090ca200340c2b58639c20f684deb45d1b5378ba5b259f089bd57a5c79febe03994121d1d0bb55f37188dd5aada9c10cb0af150dc360d60880fcd19f8d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
2d58273db996a9fc937223e0dc88dfe3

SHA1
97b31c07f5b0b99f38f37ebb7a4997f180279041

SHA256
3447a3d9c70148765b262ad3414633f1ebce69ba1e6329cc0662f54178f82ae3

SHA512
f2af6dc1bc2e989302ccfbed195f769a3b39ebb41085b009a3685bd3413d6c2aac4225b8a10256569723aa54d3c29030ed8467dacaea162fb5ceea7eccbb807f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0eed4e02e580d3ac834ac237f1e2ff8a

SHA1
8b451e890fa674b2ab07ade649fe419fefdeb223

SHA256
398eda4dc2f4612f5b553fa3e3476f6d813227a8ed31ce7c29895a9b6776302d

SHA512
5062873f4b18156315c5aac4f2fbfbb59b5b909518366003f065c2febf7e18d359215cc5026622c0f0d983f6d8d116fc1d36ecbaf547c22801ac3196e809bace

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
dfd60d108000d9331092e287044a5729

SHA1
b61929adb509e7880b4f7083a31741076c2bb377

SHA256
929b0e185116b7cba9fd1aef364aafcab468ae56343b37238f8e340fc7b13803

SHA512
815920c333ca57563220a2b868e292a0ba69fe7bf7e7f826f899b6da5a75b28ec458e13367f5535a98b0c1107eb40eac6f7283df2a109f7561850729c8035200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2c1ab102e53b1b80a9b3802edc165298

SHA1
de182f47906bc9f4eb7e2a853ef59eb32069fbd2

SHA256
dd488aec25dc2b94fc1ef656b7618c8d6993ff4a206710f0b6402fc33e7ffd5d

SHA512
6f73bcb723b660f2c1b336302d3cd53127885b652e47c7b32fcff2cf4673aa34ddfb39919945eceff854d8ec6b0f2d2e30cd13a5185db13fbec49939afd0cf48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
a7d8e63844c4d725c5bb38aa11695c7a

SHA1
28351c418faf0a909a09d25ca3dcb9866cfb0207

SHA256
33c971e163e2b151a4c070a711fdfd101a3589810a068df7977b03687a4b1e2c

SHA512
1fe2e1b50217e4a261e66598170816c1cb47a8b93bcf050b39591bfa4b9609d2a90ba911da4f776791c98778cbe5d4d517a0b988d5a36ae4f26b7ef1c22f476c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a38194ef299fc9a9e8cd32ef10e9d220

SHA1
39e9fe7f17f673064e6b06ed2fb8857a283e194b

SHA256
a8a93d002cca6743ee03327c1e1a272217bbbddb5b58d4bfbbab317c98b9e729

SHA512
cfe91f92b56ddee6c227d108fb1a8023fb644b19a66d511a1bc57fd05c509bb2bcd8131c96e6531ba993223b8dbc8123104ce3afb4eac6415979242be2a31579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
55fa72cd21aea016cbf23327d69a9cd5

SHA1
08044dbc3d42ed656016b8b78b5691ad87ed61b9

SHA256
ec9f3ed5c490694880618f02caed7feed483ca395fc6ca11d1d0fc9577e55a11

SHA512
5ea1072836bced0e5e4e37060afa5dd3d10aee05b07d146cae60e37f5a019f3502be8db0da36c510ddac436123a06c5719bf338872ae95ab8df7aa701db0f5e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
45df700bb0247c31d850b257a64089ab

SHA1
dfd3456e9cd8b4a8bd2ee901e354d91a0b9cf190

SHA256
044809052bb3cb0850d96091cf8548edc71e8cef8a87b6f4a24c014b64cafb74

SHA512
2e4af714e12d3911656e8b2c5734c1b08f64d257a9d505f1e4ce40dede493b971b3dbf6ee01104ff629accaec28db006ea17784bcce7ce46f8782473a40797f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
2db40abd474e10dc59f2a37db4f6e505

SHA1
bd99dbe4f839dee3e6c30d81c3ae7f9b3c00c268

SHA256
0f82096ddd9b6801f0a699c7cf229c97969fbc3199ff364482323162cdb97538

SHA512
36740fbe6fc6c8bc4c7780e2b6868a82f6c1791b92a2f303d0bc2c2603952f8b151b5919cb3fad435ce3ee60e0fa2060ed5c869d2aff9a7a6ae161e98d7572f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8cf5ec16d0944f1c1f609ca13d1abaa5

SHA1
8a09cfa20cd422fda53d2a4b68ffdfd8de11b36c

SHA256
3fb750b415a1ea2319751ecec06556098a7c7552792df1bb8584f2a7d3babe82

SHA512
bf258001af7d12f4747b14c081bc9d706574c762d187e7b7d7b4d76e0a0a008255fcfce08c6d4b13c3a06d9d7cf3c0e13342a330dc94218d732d991060d302df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
08ea402df084643b0582828d1eec2679

SHA1
8adf9d3178526c376ec096e25d9a71ba0b88e8b9

SHA256
9f31b0f8718af57cdb5ac11a5f4333026e2f536a92fa6df70c170b1d4ee60798

SHA512
48a20c85910c296b83b249406e6bc4cfe50be6a4d2701a9d569d87903bb3ca6ea3c617999c0e51456ad340739962e819aef6aaab18578005f9334797b6bf17f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d77d7b5e22d6613b619b92a7a219ae91

SHA1
a773f9688f40ad90df096416811c33f14a99f00d

SHA256
8b96e4ea42433c51d0e59d8f14250c60f90d5f35646a3fa4e09da3298873ba62

SHA512
568b8bd9acbb662b0c6a2c6ac53fa0f3f9bd8b9d30a2f50e9a85144cf4404e411ff51fff8223cbd27e489ca2b2dff6fc46ab0ec92c56870959b4b126fe71a6bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
398c97088756a69756b2b2f1aaa31d6c

SHA1
8991c4e9c9afb7067cebc622ec0cd4bb53c65093

SHA256
a80f0536f5c912f612597b721cacf26c95c8358da463a21c355c37a86dcb7a44

SHA512
fbf2163d64febe21655f16cb222a1f7df3c9e683ea372d6c6d2f8e490c21d34f01ed18a02c9ece58ec622516e80bf709b75e3509eb9e9aabfa1b9fbd37c2ffe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5a749abf0cdd08c75c0416c0bd9ce230

SHA1
055aa59670b36ab76e047298db3a319e84be5150

SHA256
9e444526eb70917bd3342759c54302d28d09ce074aa90dbd853dcadb74d9da25

SHA512
54a2bdb189e96e3cb27191a1e84c95d829612f12845b53c95af3815103c6552ecc1c851c434a82ee685a570d4b1537d6461d45e9b56f9db3d752554c1f250eb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
b85ea722c579a5e19a009054f3b539c9

SHA1
130df426dc579ba4c4e05daffb1b9dfc3ac058ab

SHA256
fb8a3a554114b81804535a2fdd5eea37f17de2ffcf1b57094bee2b785fcf670f

SHA512
2ce495e8ffa042abf6137ddab2bb373d1ed63e93dd53a9bff8b33b8d649770419fd26b3543dd9062ce21f4249819e147ed10931b8675913a8a7ef61c6fc9c6de

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cad7605ca616b5a0866179c32a334955

SHA1
3288fdd0920ce8ac0528e75979be64a9711787a1

SHA256
7e70a9a66c3d212f209b617e3f74bbdb43d3c18b8390efcc9689f6dc20840e24

SHA512
868d82d0557d4d90a370d68a32179bf2f23e1adc4b6372dfec2655c778ee5d76b85407e7f64da7c2c6af9abacac8269ae938c68397bddeeac108be52b705a782

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
d541da361fa3d1b440bc8a5ae6b66aa2

SHA1
1e7bf71c7b64869ea28d46da47d1c6a67f5a7b9f

SHA256
9c79b8c672712f2fbd182fc1895ed841169d943c88f5be47d5b1c7c75f047865

SHA512
32e3234146a870410ee5ec6ae254f73d386395a5aebff1cb88cb680e8216b1a80abd56466ee70d99f128faa163fce8b0ffa653c1f69959e6f8face3f7e8fad31

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
b1694e99949e6b603159fdcd9b9359a8

SHA1
8b008c03f10705d92e7a88cc143c70bbaf145c8b

SHA256
10ca5615d51e518b6d501a0d3362b2666f343a9cbf9425ebfe81e129de393ed7

SHA512
54994ff187c01b89f19bba43343d20a02a0d8f9ebeb564d929b00109360130d30bed4f379ea41f6df7c1fb8a3573652d4c7ebc6b76034e396792286a9d634e76

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d9ffa64fabf42e668de9f4ac8d6af85

SHA1
f6d337d5b471c8182be3f30e6900e11af8c2f09f

SHA256
08c49f3ea37533b3c3816ac82ab3d8d447e9aa8a58021831d8e3176a20a1d405

SHA512
206cddf96d534753ea158471f7aad541ae35f714142ff9eec54196da305077e580e3c7f75aa03215a5d5059a437fe5d7cca0b7880b13f5cb1784c32a1f917d72

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
17be299588666450abbcae388605de26

SHA1
a8aacd568187cb6174ebc3a98568d65eb88a7e89

SHA256
778dee96692204187b671ebbaf7ff2315a928c365de0c33796ae83fdf6fadbad

SHA512
3c577531132ce1f5a17ff874b5daba8c9ed6087ea1241a0d59043a23c4f3900f0700f86513ae019c456b6082b32c738aeabe0b5c1d0c8c374c868be0e9c29dd3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3a178fde8e75fc24e6f52cc170434b11

SHA1
03f9c18816d7d59966be9423b64e6722414b0625

SHA256
576dd213935d81bf57a69241e3e31ce5e1bb24770c58c2d58e7499d3832c6f0f

SHA512
8df4a56449cba968b5787bcdf802fed2422691ea236b0035fe5e258687fa9c6b6fc325d6dff67602e4652034208c662e0d72aff2157c788ae7e90e5e58bc16f9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ea0495b3597460803009e760396edfb9

SHA1
d0f7c2d29ad20f000a57691942332962b764b0c8

SHA256
ec577692c4cc3b907a0fa17b89750620f29754ea496e02cef24fa3793da72904

SHA512
21697a71c273877e8412ff3415a75a2bdb8ebf47bbb5124b6cdb217a2149a227a3a7b8de69b222a07c784593a921eecb66917f3c14c0376cf5debe66aa4989aa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
39d9ee73df3f41eb735cd40fceabaee1

SHA1
fb204c991e9cad4dcb597cb1c5137e09dcb35a36

SHA256
382501c45569a17815c10094e5328c5ba541d5c1a00b198cece5bb683850b3d6

SHA512
0f1f47aba7b632c80123b31507c6c5fd51c8562e1cd6f731f9265b1008ed36e2319e6f600d012e53b60638452cd6991e757ef0da349f7c4739150a8f059a3711

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5577f3e2c7e5c4e466da63f93c604ca4

SHA1
1bd1d4e1029f282a8960a81b75ecc188b54f81b7

SHA256
0008a42d9f9750424e7e57f6a8042890c47d076021799ea7575c8d140bd4dfbe

SHA512
2652cb8af04bb0031909f8eb6040b0c79b35281fb5c726d11b5963067d09078fd609b15ca6479058d804fab64552808834e3bb12293e92e4aeed38a7ff74063c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6c40c95192e786bcf6d1e8923330b6b2

SHA1
baa805188e164db02308ac8bf636445676aee3c4

SHA256
98297366e20a84b446bb39ec12f93646cb0639beb2667affc840119895bf28b1

SHA512
3d63358849562898281c692e30546bd45f3316f26e2ea1990dd77d7e6474b5dadbf95fd494133fc4770c7ca0fea36ca2f8fa8ce5bd0368dcfb290a4c564e08a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
930c8392fd01ce85396029cb2b0bf638

SHA1
6248d6e9b0e0a67f6030a28b35ceeed9da2deb32

SHA256
848bc4070b8ce7271f753e3c73119dd3f7c2f472ebe576719f43529c789567fc

SHA512
ff00f7d1abd960bb26691bbed863bd79e7dd269674a6caac064ceb64818b52c332a1f020e7c9d283030d773f14a66f5b4698bbef4b9afb64ad37c17624b34ce3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
789adb2d353e3c48a6c7351efd1cf10f

SHA1
a3d7f9a47783400605c9cdcb6a0beec00c01df3d

SHA256
4bb876d39a1f5533dac4fee117fec8330c7641d3481928616ad27a81e5d3ab69

SHA512
6a5b675c8c8ba7d846c75024486ba0da3f131563059dc096f8506a03092f1c67fac19e9d066fb27a08246ce7ca829fc424c3789d31244a5ac055267d6b7f2784

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
a639f27e1878906112e0a08aa8fbb84f

SHA1
7958f1a79a04159ab9bdd7e4591d2790133ae4ae

SHA256
d80a0d05413dfd8949b22383a5cd5790e15968bb803bf492387aeb50d4be0d0b

SHA512
62ae30412a9263d76e44a3767ba2f8398cab6cdb761350c37bc61db06f3e0df0e3391bfb2303642708c296078e10513e95fef91232d9bee996abfde63057af26

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3bbc6d4ef48c58d6126bbdd251aa3257

SHA1
b9489c86c9f0c8e6a282dbf23fb8efb3813a1186

SHA256
ab3502b0ee25265b9447ee873ca67eef5489f5f16bf71456ca1912e4e3ac9aee

SHA512
1dd6ba250322f90585e04447db8049bd599dca06b0729228fc765728c1413859bb5f8a3770c53e761c97a3cc12e5ca5066ab179fa5953bfa41f0139f5eaf605e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a754a979ae3bf1a6f12ea72731557c57

SHA1
8be4392715934fdd62858788eea6c965c052caf0

SHA256
c8d489c783eb19d945c7dfbb2ca147d68333af059b59b4d91b0a19e2915f0cf2

SHA512
b474cb96759fc42a16c570daed3f0bfc66bb9aa4b9038440bff3da5f244653a75c1afeee3334ec0e23717b6b8d07203e3a93eb4d462df19dd4225a84f2b561b1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
0023950c46c803f92b7b399401493e6a

SHA1
287ce5ddfde278e64ac0ec5dc479ff4417bbf59e

SHA256
325d1b4fd3fed4867ab739b5cfd32ba6e78cb1ba6feb4e5da684c4d0773d7ee2

SHA512
9d7f01df3507cf9186ebdef54f99d26c10a903a3cdeb82bf85c0f7848bfd50e68f85c40028561f32014c2782dfcb5a355d94d3454afe059fb76ac870cc34f9fc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
dfed3deab0e085e35a88a604714db76b

SHA1
03154f38fa4a19225f484295555795f4049e2854

SHA256
1272a0327c087be06fdfc15de5d3096ee28055914e65066f82aea1b73e8ba862

SHA512
2db791e11ec49bb1dd788abd3bda8d7ff9728f16b21f4e3bcf3d76954371eb1f854ec2f4d147482d691f01a055a8ea796f5f424bf7ad4657521bc13a74db3ea7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9c52dab8159f3aa57a49929ec2823a67

SHA1
8c8948e71bb192269fe7ab2236bc1a73a621afa7

SHA256
c98bd1026c1ff992769aa615151b1bf04527bf16d72d33fed891e9caf193cc4e

SHA512
5e2acdda77831ac4c528df7fd880f7e23850201c24b45a22727dda0606a35ffe0adde69b2f829ffdbd84a2277968b81a0994edef350e06521fd1918baaeb412a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
57e4d326f503c8783bfa342a36c31bab

SHA1
bc7b55fd19df19caf3e483cfa73cc2eac16a49d9

SHA256
32e6e23c76364fe1bf214390c2998acc03657dc2b7682519761f777dfeda4888

SHA512
29ff8d467bce65c35442c31d9c4e46d0f6752e2f2e0a9326bd474275ccb7da035aaee43be209badb4a8c04ffee9ed68757e6e3205066e9efd6c5713c2c8de81b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7f98fd33a45f9eb67250359c17434c09

SHA1
4fb831a6436717166d3f8600f9df34cdede6f81f

SHA256
07b25ae40314690c3ac7003d23548b39284f47c7ec1ba8be65f2fb76cb83191d

SHA512
ba6a9ee5b5031fb3d5d5baf16afb76191b21721c0f30feeca5fa56d946bb7dd3d0c53be6fc94c7fb6686a8f35ab40374a932debebdbeed5fab8f630a67c9221a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d522c2842617d9a0ba056fa2f9fa9d03

SHA1
3e963649ebd711bdb75d3a516b05cb9a205fd2e2

SHA256
75761d65a9fcd85310c8faa8a8649504d2ac10cca077d332924128b76c44fcfc

SHA512
03cd6ff500d1064bf7f9c683ab29cfae646d0c3d4547f5c92e11ce204ff6d6a2fef3d69a3254b4e618eb38432d6fde01013433b5b09891ee658b5150659030fd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
89067130b9f618708fd17fddae3a9ad3

SHA1
e108918ee5d9f0da4979ce766e70787b31adb51b

SHA256
dea8aeaeb966a0b9c7527bdfd0ef585a90ad9fb8fb1d63ab315730158c945e54

SHA512
86a95c3d938cdb17bc011b31b1d34643ac81c88536c58ba07b2576253e7f7ccf7854f659f46cdd32070658bb89774d77702508c0a42fa98028c2c30d74c83e0f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
760d44c9454d5591c36db6495ac53221

SHA1
a031fd7560e44382ee1f039fcd71d2c187b80d62

SHA256
70cb85627407a93d973b4b212e5c4175d4bac2dd5e4232198bfbf104294988d2

SHA512
0f1ee4f2232d01ef8df1e9d25fda15d4c7de72a7fd1feaa30b07327f7becbc321ed73cbbd18c5fa2821e11c750e831fec846094abb5623fbdbbce712d8d74420

Download Submit
memory/528-88-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/528-89-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/528-199-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/556-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/556-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/932-532-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/932-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1012-184-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1012-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1012-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1012-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1092-384-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1092-158-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1300-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1300-114-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1300-18-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1300-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1400-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1400-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1532-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1532-30-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1532-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1904-6-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/1904-0-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1904-87-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1904-1-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/1932-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1932-115-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1936-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1936-558-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2136-129-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2136-250-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2344-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2344-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-196-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2376-539-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2444-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2444-222-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2772-475-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2772-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3368-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3368-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3548-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3988-47-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3988-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3988-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4040-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4040-561-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4780-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4780-72-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-79-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-78-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4956-238-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4956-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4964-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4964-36-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4964-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4964-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download