0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Size

1.2MB
MD5

fb8a18b37d9301e84766a9d53f898940
SHA1

dd4a40a1ca3035c9420c8c6ec22aec377262e486
SHA256

0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6
SHA512

610934a12ee1f0b3c9407dfcd57ab15d0c5fd8922c3029929168660a13c630a9eb264b5ac4ed13673b3842714cbd01c7a4c013bdcb04d0e4ddd5d1c4c241383d
SSDEEP

12288:nlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:nl11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2124	alg.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
1600	fxssvc.exe
3808	elevation_service.exe
2212	elevation_service.exe
756	maintenanceservice.exe
2116	msdtc.exe
1980	OSE.EXE
2976	PerceptionSimulationService.exe
3720	perfhost.exe
4936	locator.exe
3168	SensorDataService.exe
864	snmptrap.exe
1088	spectrum.exe
3124	ssh-agent.exe
2584	TieringEngineService.exe
3548	AgentService.exe
4364	vds.exe
4168	vssvc.exe
4848	wbengine.exe
2384	WmiApSrv.exe
2488	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\78518a70c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\System32\vds.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000233a45359ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006458435259ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c6b565259ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000352d7a5259ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db44305259ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6cd395259ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d27fd15359ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4840	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeAuditPrivilege	1600	fxssvc.exe
Token: SeRestorePrivilege	2584	TieringEngineService.exe
Token: SeManageVolumePrivilege	2584	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3548	AgentService.exe
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe
Token: SeBackupPrivilege	4848	wbengine.exe
Token: SeRestorePrivilege	4848	wbengine.exe
Token: SeSecurityPrivilege	4848	wbengine.exe
Token: 33	2488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2488	SearchIndexer.exe
Token: SeDebugPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeDebugPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeDebugPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeDebugPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeDebugPrivilege	2492	0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
Token: SeDebugPrivilege	4840	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3176	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4504	2488	SearchIndexer.exe	110
PID 2488 wrote to memory of 4504	2488	SearchIndexer.exe	110
PID 2488 wrote to memory of 4352	2488	SearchIndexer.exe	111
PID 2488 wrote to memory of 4352	2488	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe
"C:\Users\Admin\AppData\Local\Temp\0e9399af190f338ac2ffd389d9b8e7d780ce8db59284cb439110adc611f982c6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:768

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b14d2a556aded92e3f6744116f519803

SHA1
1a8a3d2f431a5c7f5c06c27180559f0164f38703

SHA256
e2cef40d8bc84abaf9954912aa5dac0acc36bdfcfb035103bdcaec16a585300a

SHA512
5c1c43e730728e946ac4351e1cf218f6ec1655f4845e41d8bff36a6b63ab4e22b7789f02ed487234d303e991c2e97abe841a2420dcce6e0332abd4fb3344d5ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f16320c12938c52be86021cb74ce1448

SHA1
63006cff3c8d6b6d596d15844cb811fda3463d05

SHA256
73e20411915fb1aed52066e96121f5fd4a7afe9cc5b325ea41b383e50889ed6d

SHA512
949a08825d84140ce7d9ee3619045c180b3cbb82af681fcabc6886a6a63449357c8d4ca0d26162f38b5b37f086eaa71f246856bd738fd26850d5d192c325ee38

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
88afd6ae17bd6f085fb80397d9c60396

SHA1
51fb3d2166e50d8df4abd403a9dd5997345977c2

SHA256
1b0f27ba35e25bd1f9f5fbe0ec39eee04bae62b849eb3aedb3db4ef81718cc09

SHA512
e6099ebb64f674b1d84bbdcb2211c101dbdbd55d18825d88e1ecb085c78bfc601b85658d23a7be4a85c6207b17af345f7dd4a57a051cd2dad7daef3070b9e3a1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2a4bc0d468c09b66acb072f5250cc933

SHA1
ab6c4c8dd50ce9ee1bff5ab2f989d044c7b6afe3

SHA256
23a775dd164438c37b135bf7f5de91a7518567e4e3de91583daf51fdd6077e5e

SHA512
478eb917ac24216f8d5b9d2d2a79776d22d15b14d4c5d7746320db577a2950d523aa6a26e5c5ac2075eeee7ec775aaee296881c908087dbe2c6302d4257c4a7f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a19f3e2b022dfbadc663c4c59ae08d29

SHA1
7075fa3f5f46751593ba0178c294eb04aa246db8

SHA256
f3d44b642e6816167da8233da87e69960d2102830ffa57765eb420795d80a184

SHA512
a8763415a69cd302e47c200ccc098a5cf1129699688018a8fc0df7921d6ae2be8063726399abb83578e14a15bc6edbcab5324efc9e1f8e604a9cde2508afeb83

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3b2a23ddbd1a5035143b13b933a100b0

SHA1
415dd5ca815479835dd7258adf1a04d53659d687

SHA256
88a285ee44dae894b93b7b545b18eb63faa39bc23fabba0f3b6389e9531418b0

SHA512
8bc99fedb4175b13e78c5126fbf6475949e2b2f3a372c5b9156fae3326a71b63b9e43dae47f7e9a135f5ddac7d63febee9d674c99601f30c8a88c0dce8526473

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
77bd2ae883ba2922ffeb5d3d91e15b84

SHA1
24b65b46ecb82f7cf1d130ed8069d4eec7f9d72d

SHA256
51f0615d494d66cf5ac08a4da01bb9231a4bd047ddb91d3a7f4168343ae58cd5

SHA512
b10a9fb3a7bd2d36a8d29496a1d7c1dd107ba5ef64b5712589428bd889bec6485c16e78813632a9a726dc9e21008ca9d2e05851e18714e2455782add9e68c259

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
84a2fe3b76f53e909efc6e0d6fda3b09

SHA1
a95cb3693e54c74377cdcf2e37e80c05b417b3d1

SHA256
553f751d7a5431afb203b591ef71da62c3c09df6ddda810cddd476f9bfd89004

SHA512
bd2e6cf1e618f2bda6f2f57e02e5e034058efc1ae07e679edac110a4dfa23a3836e02d224644f7128db86d2d6814cce6f78c042d6b517bb1e0b5df5f4ff6d2c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
35c17edc86e0c38f4dd4f35ea8135ad0

SHA1
4f1c7c47774504a9b0e3ee64dda32a425b35b00a

SHA256
2466d9d90bfc26812c8113515dbb71b17a9ff1b284720977b1fb197ce1720951

SHA512
4780d380e696ac155135189da55b865f2016dbecb6a21069d4bed0952f9c8d2ee93d27e1f3fc766dc69c7265f8167e2716027eb2385b9f6f6122af38ad601d25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
894f14c374b609fc3d787c00cd858dff

SHA1
a69742adf1f82fc1d848752c467cf2cc1c10c18e

SHA256
65e650a33f747f04a60020e286232758b957eed944194e89ce2db3dfc5e39214

SHA512
92bd36c823daab9f517079c2c069cb96269a50bfd13f50b893dc2d06b994e5a3667a01ec787aff1ae080d44a0f9fc2bdcc09acf6fd509a6ad79b94bc7b7b5fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8a5fd96c6065cba9ee7d3003a7aa9e25

SHA1
917235540a14bb54d8bf30716cfd11b22727afc4

SHA256
701fb4445d116087a00185c60e10c7f8e94ee13c3c5d941e47fc628bc119ec12

SHA512
6e83faa2c8774e0d7fcbc7ed7f04b4adc2306791f59e4e75f64f3e09d18331d9d90b3c9f280b584a235843d66dfaace350df698c2dd4354aa004cb91af0f03f4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
808600b1e0d45f9b8d54105aed2f6572

SHA1
e353ce1a1797c68bd5b3e895a308f5124717c9d1

SHA256
3d3dac00a959fed1e709a161586e13f4857fbc4da877c88da958497af188f472

SHA512
2ce77348197d839543a188a9f22b1f2d3980b39e0b4ad2b681c39ad4fd48e6f9e9fb17a70e846e6b7443e8da6ddca28294793f79541dd5d34bb9851e393c3600

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8f97811fb850256430463a704e319b47

SHA1
91708f14494601f0c5a8ba18f22d234636420e76

SHA256
232d74227741b7deab2b5415edfbfe0f48476acbd7c7a09f85ffa35cd16fc9f1

SHA512
c33f284f8f7e5e949fc1b77f07e094c4675932e417c3b21e6f72fd3d3bb03b4fa89f5619abc4c8fc4816c5bf9700f835154be91f51fb7c1e0603d603f9b057a8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
28793c4f27b7d61518beffc6a30d993b

SHA1
300f84d3027c15b616a46dbde7f284567c7463c6

SHA256
87bfccbb00a258eae5ec0a529389dfd88839de9d799bfcbba384f6c212053c14

SHA512
701e77fbed0ff607bc8c46359201f5729ad10ddfafeab3e52af9fb8933250cdc52a3045caad380e75c8a173d11130ec146ffd9878d581324b8b27cb551386fd1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
de31f569b9035d6189a37d08e958cd2f

SHA1
dec42902b2935808971344e6bc949bb4b78f991b

SHA256
0e77867723c04a8a05d092c161fb7b586a08614494bc59660bd0fa2a86809318

SHA512
d32c77b357035a01f75d0c1feb8653aeca6f4a875c1df0c8e9b134305e66ecb17bada869e4a8e5630a6e0c790bb651258902bda5e534d4cf26c8129ff5a3125a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a5bbcf3c30bc587847212f51bc94e08a

SHA1
734f6d2f30f19397a78d4d25ce374a88605dcf19

SHA256
1eb792b538df1ceb23484d1ab7c0b59cda7d77e77d79e884a2601058f12bb1b5

SHA512
63ce728a56121e11208e936f32813b2218e42a0cc4df8fab387b6808dfe3a6ed62290120c14230cebce2808f0237b6cab41311d298b16ab5e7992b8c5579c993

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3abfc818082dfaf17d5df925938a2d5a

SHA1
7ad8b595898dba18736e73d35dda0bb762680927

SHA256
b55faf67fe6fc4016a25fa6de5cadfea445e2e05e463b1dc9e570d88e7bf0f40

SHA512
2590531069b73e79cb50c1e97b37d8f7f3f52ed06fd8ddf404ac90afc7adc42ffcb414488e302055d92457f3fabffc189b68e5b5f209764b654e4c2f9a27f7ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
721577b429a8c0e4b450af6aa160cf2f

SHA1
282bb94e08d2eb8a4803a8caf97e253883fa5dbf

SHA256
755090b7379104f2e6726c2122af1eac5413c0ffbf58ef8deca651d84afa6302

SHA512
8adcce9c5f820ee942d631a8dec1b9ca648a4a3101ee652c8b39db3ae879ee6c9631485894cc99702d85686ffb8215b831315729bc3b08748a5ae9338a3c2b46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f5d52678ddd68d3ae7d63f11c33efe83

SHA1
31b648b9fa161b12226c1dda2bf882f0422f9f6c

SHA256
915a718ebb72233727c2cdbd38fdb6de8180872e781bba1994e10a92f1ab6e1d

SHA512
f44abd3095ee77e2aa000e97ac743dcbcc1db5fe3a5920d29ccf49f11c2c62c2741a54bbabda9ceefa9289a5f774184dae40c5015de08e7239c5d7ea818d72af

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2b07e8eede31b272d9ad472061caa570

SHA1
426b31b1267985e627d4491c800225cdfacd92c8

SHA256
1ae95489370c52cab878c4d79d380590b778ca23bd9ef98c8acf74b3f79de182

SHA512
91778afbec48411671af8af80580d0e8b9d430b0f8dd26846c9f57de89858797b17adb6bc4d1e404288be33f386810839af4f1b9eb201711038327f6d3bcc060

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1920ed4c8c6c5b2090a808605d214be2

SHA1
86fa5f2a3be7dc1e03970a3440cab35ba6984ba2

SHA256
88bbb27c62117a2504be6b999797cbf0acbf783309ae8722e3e31e824b6e9042

SHA512
596ef3358320a97ce35a7349f63916a463e7bb5b8fd9ea7e291c6ef7e97dc6a6297c35cf69e5cc79cef988eec21b22a1f2056ed8eeccfee32d612c0b05f9b728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
306709a03c46c8eee2dcbc3d97997387

SHA1
43d0f5bd79ee43eabf691f3ffa9c5393bc5191ab

SHA256
1b2f066ffa98b9ed7ab06bdff697d387610f5cbb5116aadde003ceebe910b9ca

SHA512
7d942e2b660170662e4f5a81e19376b038b069f200208f7b1edeeb8fd4cfd2dae47d667323f9dc117d79cbe9c2773b03ad8a5d8656e62bb818e8bbeeb55812ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e221c32b2b4940ee2f7ea149ed8b1022

SHA1
ce8ee21a828b0cdd4530a9909967aa93ec45c21f

SHA256
082d0d579370931d522faeda4e27c8eb6549827ee938fb892b3843e36e5b1858

SHA512
b67711b9c50f4032c58a2f13cd37ef08deac0d97df4a3cda75bd20b74d5533fb33e5cc2ba33349345a59cacd888819868d942bde976533332266ebe2582a1749

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e6bf8d883bf7a330bb239fdf873c5ce7

SHA1
6abe34bcf8e81d4c61a915f79cc2c63bccd03c7a

SHA256
df464eee8c3f34bbf8f7438e90aa43f06fc11df68583d4052596eff96619f97d

SHA512
6ff55a8608b1da4c42a247fc179e9162b27f7fca9ddfd3eaf2b9ada047cb8875e4620705cbf6c5fda1f2dcc32bd924b65d6d7d2a76cd3df8dc45349572cea81e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c5f90803bc02260277d7efe9d5987227

SHA1
a4a5aacc9b84036e742d9b5988a0181472873161

SHA256
a29fce35d9a119629975b9ef0fcb2562de738affac22d5af6d692831fd1b8f21

SHA512
8a3d3ac6c943609d2a9057641042ad9b11e60d2599231d390d0d7701f7771730d5c4b2359ee4d10929f3d5701b326e02afd6d622d991b1b5057e0d9e9fd9f65e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
16225fecb77bf192dcc58e9e581f3e2f

SHA1
fddf9008dc8dcfb256cac106163864d600da799a

SHA256
2130dfef0b4c11d380c422b23795edaf954e351031b65866d98ecb361c008a19

SHA512
bdb8fe959d70995eb0753bf384ebaa148f38ee4a38f8b9a716aaa85debb26f17df1c453788fd06d107d84893b3b2983dedf7d96102a0e7cab4b3e22424d00ac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
be45dc8100ac75381c420ceec320b336

SHA1
a2df09cbeb2b45245d908fd7f71b5dcc94100b6b

SHA256
8fac8e52e9710b8cc2b0f4f48ff42477c97f6523f81558230910ff9e1f3e66aa

SHA512
5a0fa4c2224f9ebfd456b852ebd7c9056490030ce17a463db42f673fcb18ea485b8672ba0c3b1bc65d8d8a2decc4136afbaaf93a60b2cad8a66c96a1f679b222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3b9abe378e3ab3d5d7dec5204fb1c97a

SHA1
e10efe37c2edf1ad9cb1fd590cf6d926850515a1

SHA256
000efdcb4f930b11c9182b46377e8b4c8cd5a6f6ecdc7008d7e181aa06e57f7b

SHA512
5a4bb8b8770b6a228fb48f70540521224fd81e2160488a4c8831a6f966b3f352ed3bbc481902d862332eb106aa31935894ef5f1a83d37fd2c45d729444f16f1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3158791d62b0db1ffd1b3f773162964d

SHA1
3b17ea2dad83b69abe0c555f793525068a5d533c

SHA256
eacf3ac11bfe581d8e5f0fd6e2c7009f33cf2080b021af067e4e6959b5cb6f6b

SHA512
a85a90641dbbde0fbd9cb676692943abb2eeb6f8698046c46aacbb2e340da0ad2aca1c8daf52af51b957087dd86dfd4cb2f8353943207e45f21e5d55884d20fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
414c870cfb0e81cd0eaffb862b0a4554

SHA1
e403eeb350b9970aea7410424a270f3efbed00b7

SHA256
fd93933d7cd985d9f6633024c806655d766774c3856a10f39e95e57e7f52b452

SHA512
1056c1a05cd3eaec496def07f1596274e45b1f09fce24343d76b25c07830ace82b5569c5a22e85d627d6b44923a17a3cba88e2a81ccb2c407b29c1844908d822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3ed5ba935c4262a51952777c15f897fe

SHA1
21f48a674775bd76f1538144d6cbf0a4260ac53c

SHA256
b598c6b9f618a934fe18c90f8f0b0c91d4e99dbd03bc1c6aae45093835532a92

SHA512
f8d89d815e175fb4985f374ef4a2aa28ab84e2498cd16d47a07288572ff5c65b317112e3bc4be1d76c1f779122b82be7bf6cb5751cce2eace418a9e182954e99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c77c0f3e4967bde3b1256165f8971f90

SHA1
c4a1ff35e807f50d0288e7b454eaf894ad907f61

SHA256
69d1468ecb596f643dbeaa5ebe714cb3e1398225072b3e9fa0a3dddf2ad386d6

SHA512
052f32d7d4a472494c9983591f8e2de6b1550cef49dbeff6a6fb13f060319726d6d621a51b0253c43794c753238d44be5a3a734f58f0f629c33adf4c07ade4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
71f7f8d433298ff6db9aba12e0534cdb

SHA1
0a3dfd1ee0b759839942a71f58445169fd476322

SHA256
4fda5e65985c93217bdabe2408351e5c3ceeeee2c6b658445d5d3460842b5f76

SHA512
8b5d08fa83abb72a086cbc4ed5dbaedbc2d36be5dad0195184fe36da74817af3e7aa2870e167e66e05cccb19cae5067f3c00838182564dfb2fb7d7d7e978a724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4637d1ef76b8876c970ef7be89bf3082

SHA1
24d279c8bb3bd623eecd7fcf3829cb78792d15e7

SHA256
15a25d972b28f4ac0d2ef47a5a7598549f4f1f9ed6488995f34df627df1fdf1a

SHA512
f8120b68b68709bb54481540d84aed55ac218c8d5dd80aed15e4dd1b291338a592118d27dd5eac8eeff2dcf856186e7f76538744b06497273e6aeb55d9239814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a62029e3096e9461815748616c2efb9f

SHA1
19c40064ee45595f0dd6e4774c3c93337108849a

SHA256
45a0a906085081164fa303d178f353550af272a585160d6d64de6239d34efb3d

SHA512
123deb9aa684e40b5db5d9a3ffdddf3acc89f797141ab9c6cbbec58b4c4cb465c1537bc3028b69f5381411ae2963acee61ca3adff5b2f3bd95987014efe1625a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
53c881c7d783bd0c390e14d380dfc0dd

SHA1
9dca67b0544d8ce249f538ae5479f1a9957e8f67

SHA256
efc4a3d8e6609affdc1b8d7c5cc23528a14657760214709241f7b9cde00bc1c1

SHA512
faf25954385ca0c276d9864dba2a770524e7c40075debc40a75d4cd6aaf6b936aea67b7d29253b02e81319888a8be94a0b7b83bd0a02a545fd63f22a89b26ab0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6cc029bfd910ecee6711c0fa9a76763c

SHA1
b5e08fa13cc8aa5dda3309f7fe5906f473d95153

SHA256
93d3c9e8b5bc4c93cbd7adf0e4d21bdc9bacdade1c3e512ce703b0ab2b61b034

SHA512
2a37631b39a065f9a6a0fcaafd6c469333566800d8592a086fe96faa3c0e8448aff7c6d5887d4c3310130ce35692bfc76ec93b48783888242510f11700653a5b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a4b165d3a3c6d268e96355ca80957c03

SHA1
d6fc4c1785495ce0b061a107f4265a07292483c7

SHA256
62a259aac11c5e1bfbc9585f5e7226a4bad3528333ff676fee5390ea127ec71d

SHA512
a3ebcbcff0869ceac197bf15581b8b03206cfe69edf047bace2428a4acd05f58daa194b199e3c08b2a89c29dee2f9950f4ff349eb606d46e7f5204a8262351f2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3509cc9fe2c1bd7980a4503956eaf36b

SHA1
57f82e5e99f8f8f342a579286d233dd510ee0502

SHA256
487f91199e5346d33fa8d0a5f3f14f54671576ba3b80cc346bbe14025c8e518a

SHA512
e47ba2847cef54e9abeea64387a0e2402d0b78f1ba3280a90e3436fc000a89f29f488ebdb5b4e18ce2cab57ff55fcaeab5382081f1e9940701f74b127022376a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a4669d082e6f145ab632fa29ea325a5f

SHA1
1e97ec615f6b76fae167aaf877f091df555347ef

SHA256
2a0106bf198cc9217c7f02483f1a1a0c03d67f921166eccf788af068253f3758

SHA512
b75f3a0c435700266522a9887bd32c29984ee96f2b3491a1fb36b5565895811b5824c13ea1c965e54a1c68f29618311e2577aa314b8b3d99ee4683a7c54865a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fc221049b7b45bbde56ad5e7c6492b8c

SHA1
5d979992e3daf83c8b86500592fedf817158689b

SHA256
ccaaab15a489c2d8bc4987b9d167cc53f490873410d409da478dc8c77429a24b

SHA512
b0f62381bbbd551c1acc93c305f2e595a0255fe76e484eb8190fc8d1fb07636aea76941e59eff56d59c8119465c473bec8de0c55519b879c8786c6858d5e17d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac9f3db1baffc239bb253f02e8e6cc7b

SHA1
cebe11beb088014ecbae37cf771173d82a2bad6b

SHA256
4447c51dd384488747537a05cff6b8e760172ec6df210c3473c8122ae4cdf805

SHA512
82e8e1f77418dc968f18ef14c0448fe357a37b81e5fd6a2f60307aca4e425df0fd71dac13be1787474f1558d9c1bbb366f07106d2b21bf4aed74504fca304f23

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
448bee660437586fcc0e89d4fea176a5

SHA1
9e264630ab4756f7a6b1376ae8d7d1fe61e61d60

SHA256
96eef3a6c0d542d0ba3ab5dd595d5853fb5bcda5232923198dd3018c615a9467

SHA512
f3e6825e34acf9e0a4ac6bc85f69536448fe61c9261e548202a090b9e1db859d8962cef440cd9c5953178bf2a1a721a8a38edea90012514d8b0431a462887b25

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
09f9992e96b893c916d7713d2f88d127

SHA1
425897c0e703224e2f5eb3ccb07e158702c1148c

SHA256
c5ea29db3eaa1f74c047e4de340b5d5fc65d35b5c6b5bb085b1837eccd06fc39

SHA512
b1dbd96f2649a0d39a03bcf5f54ea1500d5a7618e6fcc5514eb3b98e4af89bf5c11d4847fa271fb2784dd19e10277f710a9dc07337ccc1d37320d5f1ce80d3ac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
61274c3c76e8528f716099554219f63a

SHA1
7d36c6b5e6e87802300c148ff8b62768246da4df

SHA256
9c600a11320463da33dff407be16ddc7434dcd52f5b1de31ba3e3929f6e6aaf3

SHA512
62d663cae191a430198fc7696864594b9991686b24e517824816d6577ad9bf94e73ce38a0c5a77e570e669ad7706061ee52665342a42439a22f089a822c6e4fc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a03bb8a8e9b042a4c66dac271d2386ca

SHA1
37ac3a7d5de6fafb91545b8fd01a825a1f302fb1

SHA256
d90cc82a3616a7f2950ee2280e1acaf3631ef61ef871ca82b6f52b00f70966a1

SHA512
1a2512b1d2ff3673045980755ee370ea63bfbc21569fef05a13d564e587cb58feded6168df72c89070c851777fdfc0c1f0111840a1d99047aa5818708c0b5f0d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07e16ac028e1a497e7e3bece77f272fd

SHA1
02b38595c61848acd111f9d8616194e5eb364bde

SHA256
f921e91aff503436f7acd1d95b86536eb7b4f81dcd6aee591fa3a6bde59aed97

SHA512
13877692068eccbe7c309193e70bc1d751b6891cdaa2299cae67be66cf8bddcd51b12dd72d0ea035d63a623ec6077d1a2f8c99808162f96e5515fe093df61da0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9acbef8debda33a23b1b8e030cae03a4

SHA1
bbeaac590e78cf46261ef9e29ef64dfc40735442

SHA256
9c34cafc51daced2f4eed58a4e4ea3f0294cfe8e0588ab5fff6ec05bc030d350

SHA512
0f0c1e3dfd731847b36ff81a35554b123d4431a62d995216b1f4d6073ceafaa011772e0cd91b03db008c23b36288f5fa193cd4d18266d24eea9827a93927b3f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
510dd88e56ad1e2004d4c22db0eb6695

SHA1
2350901fec228dc1044aee4b43e7b17afa95d40d

SHA256
281edb32f903047e44deefd2ea7a15fb1f5e468567d62ce8f4e6fc18422e1d11

SHA512
318092f43e76f7383271dd5f514c79f80d13b78c5ac51231e8d3751b50e127a3956c582322e9c6a176a2fe44adb63b521353d46f3b667618422a098d440146f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bd659973222e1594643cea0faa85b93b

SHA1
a0df7c25afadc9c0fa686e473ac3476ae5c3e0da

SHA256
17f7da40bc0704107757335ceb64c7dd6c1512d7d9365664cb49ba0db53d01d8

SHA512
a609e91792780f24f295e5a570d71ec2721f768879cff34e978ce20207f8ab6e1712e9b653bf607d9208ff5840a0f1ef16d754b2d5485d0acbe01977769da7af

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4f58c69c6391c9bfff6add4ca7c35d5a

SHA1
3062c9fb9f5749fe8d7e6feab376c26b935f1d14

SHA256
e5c0afbc0da2c706897dbdd6cd67a43e90cd278f1977a899ea22eef22c9c0fec

SHA512
73e4317556c26f414848c6fa77b10866cfb8495bd3b3eb1aa20a220ae157ed44e3bed69a73f8ca6899eed2a72c8643a68d98baeadfb30528efceb2df709ee29e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
76dc901023757e8f127173dfe8e76856

SHA1
dd55056f48b75f2a083d94d2921851dae8031d8c

SHA256
8c04318e1094f960ae09e7b06b2bdd880098d01761bae9efd2efba770dcb519f

SHA512
e5efdff29fbf1b050aa43535ae9c246a6c17ca94ec3f9a6b5bfe01f4846c27f914cea3de5cd2de4075150d763cd45599917e1b91d57467c453212733146d5e89

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4e976fd8648c21ccc2413a68bffb58c1

SHA1
223cb5ac4ceb436f0822232edf18697954217153

SHA256
6dd6d528f452f881d45c7e0c69359bb6850c301436cb42792ee0805d1a709a7b

SHA512
6a71eb03956f0e82c7eab42f5e9672d9456b6dcc0a3bb282014010ab345ec684972ddecaa4af84e74ebb42bfcded763fd8ce4f86a5c08bfde667975bf8b3aaf6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ab7361bafa2894a2199e800ef46bb77c

SHA1
35e3e4f88c7057a8736eb3606e3fe0b7f3b84926

SHA256
0be3be25aa27cc729f8389d9357ad3370a862361f94ebe8257c00e8ad627df17

SHA512
ed9d4c7ea7161be1776384f48c8944792d95d97f1b632fe8ecf2a0d01c82c7aeede16b72d93a91b8d22e40a5c549cb50e4eed665284e4f8d285d24c5134841c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ac4acc27f6c8e5e36caa647c678c9ca8

SHA1
81ec3c323b4ede41222b46606e637df51eede052

SHA256
1053ff4ce040c8f645df6d024400d058d22fb6a073f6e151680fa50ef975a6b3

SHA512
75b7681af21b53152ed35eb144a02380979ce9bb11795767f408658a8a60a6b6ed4deee78c4c068caeb0ed9df367ff0aa76fb2f1c35d23b3532f4cbc83b266ee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
751e6897e9986fbb3b1b909522940254

SHA1
2ca724f0345f7733a0a6d4cea42aec7b1adcc317

SHA256
13a2504400f98e2007b9c2fb1b957a36214d51add400056bae6d59dd31719a01

SHA512
3ce9af5bb863220263fceb23fbe7b995371b40385df424ed4f7e77e73ac98a33bac260af961347bdce100c8914e9ee710c06fd773ca588ed346c25cb490b5b3a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d5d2447f1cdd1c39a0c7ebaefce1f186

SHA1
cdd51a636c539250b0025ecd42f90d330c07715b

SHA256
516b87e8b890db4cdfb6d650d253978bfe1b68c6ccd84f35726ab3b272519325

SHA512
38010740c039618d90ccd3a09203229a07095fdf9f719a0827794c02f882691d4f91d9ef9dbbde447fc666ea0edb89ff5b13a73a099c210eeb6782f3ad920730

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
42056d677c4d782ea002d318771c3d6a

SHA1
73c3f95c66b207b2a2ac7260457e44fbb206695b

SHA256
87811d7fc033314407579078af3da153a6caa9f7dbceb477e2541ed51d05c913

SHA512
e5f2d50e394f2463e557ce935901735f73009926a342adf0b063881b38e1e03d5be640b492c03502fe50f01eae669dfb9798aacb77adcf1b0035b77f7e5d7e5a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
356b0b5d7df3d9a392ffe220cc21f545

SHA1
4e8c73a8a505135134bae8dec5358956b8c22b3b

SHA256
fe0a76927911b20228f501f6316704db84cf01736ac640edd431b3b55702f437

SHA512
eb0bcff045dc185f72fd2dca0b158c23100c78e86248c7ea8128ae1d650f495b3e8d891817aa88ac6d309d4d1ee3bde01547aaac74debf5b29a61128a87a2a53

Download Submit
memory/756-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/756-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/756-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/756-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/756-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/864-194-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1088-195-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1980-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1980-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1980-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2116-81-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2124-441-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2124-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2212-447-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2212-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2212-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2212-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2384-207-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2384-448-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2488-208-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2488-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2492-1-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2492-346-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/2492-0-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/2492-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2584-197-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2976-90-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2976-84-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2976-190-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3124-196-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3168-442-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-137-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3720-102-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/3720-191-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3720-97-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/3808-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3808-444-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3808-31-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3808-37-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4168-199-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4364-198-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4840-22-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4840-23-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4840-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4840-443-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4848-200-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4936-192-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download