5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Size

622KB
MD5

b1d2559c34cc66e5989feb99c363eb00
SHA1

b57910ad12edf4eddf5ef1a6ef5025e37afbb431
SHA256

5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a
SHA512

ecc0e61bd00772d4dea22702ba4ad63479df2cfcba5ed45b432fedaaa5a94f622e0bc6e2e8d1ffc8a59102a0955854fa21c876a68358db195cd16fd30520fd07
SSDEEP

12288:RuBRPWX4GNscdB921r4JWJACmwrhSHVswKb3foE9A9T5piKw+9axA+:RuBRPWxNs298r3OCDIjG3gE9ow+8xA+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2244	alg.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
3908	fxssvc.exe
3340	elevation_service.exe
1308	elevation_service.exe
4268	maintenanceservice.exe
4752	msdtc.exe
5004	OSE.EXE
3524	PerceptionSimulationService.exe
3232	perfhost.exe
2864	locator.exe
3936	SensorDataService.exe
828	snmptrap.exe
3164	spectrum.exe
2800	ssh-agent.exe
1092	TieringEngineService.exe
2680	AgentService.exe
3812	vds.exe
4632	vssvc.exe
4320	wbengine.exe
2364	WmiApSrv.exe
1184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\locator.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1d25c8dca46faa3.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\System32\vds.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{811F7F23-828D-4957-9744-9829D7875C41}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c553a2427cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003150b62427cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cde8102527cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001458e02527cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d84bd82627cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014a3672427cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006581e42327cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe
2100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeAuditPrivilege	3908	fxssvc.exe
Token: SeRestorePrivilege	1092	TieringEngineService.exe
Token: SeManageVolumePrivilege	1092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2680	AgentService.exe
Token: SeBackupPrivilege	4632	vssvc.exe
Token: SeRestorePrivilege	4632	vssvc.exe
Token: SeAuditPrivilege	4632	vssvc.exe
Token: SeBackupPrivilege	4320	wbengine.exe
Token: SeRestorePrivilege	4320	wbengine.exe
Token: SeSecurityPrivilege	4320	wbengine.exe
Token: 33	1184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeDebugPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeDebugPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeDebugPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeDebugPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeDebugPrivilege	1324	5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
Token: SeDebugPrivilege	2100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4204	1184	SearchIndexer.exe	111
PID 1184 wrote to memory of 4204	1184	SearchIndexer.exe	111
PID 1184 wrote to memory of 3916	1184	SearchIndexer.exe	112
PID 1184 wrote to memory of 3916	1184	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe
"C:\Users\Admin\AppData\Local\Temp\5b364b3b6746edc819413c156785b4fa4124a721da1df0f14c65ee3e6acca87a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1348

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9baf7d983243c0b5b6885e69767b1ccf

SHA1
74adb8cd5ee0dce7e5db50ea835356d5105208e7

SHA256
2a9a999eb8f2ffdf5d3306b615bd1ba001784f930ee772f387826fcc79e38922

SHA512
50cdadfcc2846baf912cbf12ea27e39db4065066e1b60029011696f3fdd7d8ae67e99c3092726f31b25c6d1bc2dc41f87b0e18bb4e9b6d881520434000dd557a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
8d6d7f38aaa089de4adae39d1e3e0aaf

SHA1
3981696ea4c40c53a1600c15521c594816673208

SHA256
c11582c469d75b963082652de6de4967c0f735f61f6b291156a2a1f658761eda

SHA512
18ae4199aff797dd1cfe6178237c4e3b93bd08ea50a972bc9f061647626b8c23c077071231dcfd714e4cedcc947ac9941357cc97b6043532ffd6c90fe05a044c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8fbc0db8876e128b96d41b34836272cb

SHA1
a8206a77b1e1676d3785a2dcfbf479b5626a3b2b

SHA256
e763693160f71009f3f272f571be3369f1a29e6af18564c0a669723fd5976469

SHA512
67e80ce1bac44a58f65f83cbe1b7fd8c9f6acd9b0dd347636b02bcb17017a7d391da9ddd742f2ca0e9ca5a1b037aba44904711a1a755ea5b390fb6c110fef79e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b68e6eec2fdb2e07eba28f91a30a8fca

SHA1
97ab9052e2ba475ed3931cf3a6961875fccc7737

SHA256
06ab374f32dee8ad5e8eadf3eae8bc7dce6016afe6530a9231fc00295ba7a8e8

SHA512
55a747d5c5e79e9a99594bb10143e8a2b06f916a0b386081980465718d13db037e86f96813fd2c7f4a7a74ac1ed2c77854e0337053bb65e57cce33d0f1d202fe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d8e4a4b4774e572f94642cfec580a4f4

SHA1
8d8c241f85ff40cfd261ab20dc8ab5a62ca75ebf

SHA256
2fb682d3c8c9fd831fafa60db4426de3fdf19cb5fad2c779c661c7dbb979d9e8

SHA512
26af04adfbc2fc7c97f3746a05c2b52c52b5f631ce9c7aa98cc2c5dd77fd9fcd42ffee0c7436f686b45c5d5c719e84a2397a10c1c6be9306a7261162ec32315b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
67d258f435bdf7c7b99224ad5f806c6d

SHA1
056521c7b3f864d38cb5334f7373375ff2df7110

SHA256
bd7da81d16046b5b23402f8eaf2d3cae6dcb23b2634ad4cf2de22977b9a1b44a

SHA512
80d93c4804194a534cde2bcbe575d783f0572683f55ff3f9f76aba61feb71f2e810cb16bfc5747437db303e06e47281d61257c7c515e1f369d17b8f7dc85ac4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c454bccd9d1bb848881db9c4991ed33d

SHA1
da8e2cb6e96eab72ec2a24101b2636bd2d9d342d

SHA256
6cb2e50f96d424d4fb6995f55c4c040590382fc5a61d976cd9b82a4c858ff0ce

SHA512
d3bef51f22c59e031ec3a563b36e65d9e10547355c18addd571d4ee92cd1051b1c0bf37debff4b56719f2ab57fb94dd3200ee25ae3b863d6177318b1e891449e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb074c4a4f7d98bc84e61ec0745060a9

SHA1
79314036b393afdc03055250da57c2cb99f6ffeb

SHA256
4465c5bf9c91f5fb5216a4115f29e805b56cdf829c9911260705e128e37f59eb

SHA512
1783a7bda2b09b06f600d60dd076dbab7b8f820894b4affdd46208480d8e6365ab2502e6c038a7a04d0b95f6759752293fe7dabedf4effd5ce5d07b7921cf12b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b5697a513496e45f082ecc1b059e6ae6

SHA1
abb062df76ccdf7e7b5f661ff84a609b4f306b17

SHA256
fcdefc7c01b3df148a033da91e7de00d502b16ac301e07b3e7c2cc56a7129597

SHA512
d2c0a8578e1ebfee5ab467527a3ff59440e1971b84aba45795bb36c9a026a7fc0202cd9bb6d5aba80d4d564fa0958d49b04b4a0d8c7068aacd9dcb20d3176933

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ac2784c2694d4d1e099ce731ba660e54

SHA1
eb5e2288a98fcc39c69a2ec484109380c153db8d

SHA256
7c3e788b493f93a77c4f9ee1cd54bfad8c868f5ae953986865cf1f9e8fbf3d77

SHA512
b78aba6bdcdccea6b9aeda26f2de4b29e8464cca51a2b5dbb42c7066b82e3a9763049f75ac5b7fe4bb44f3ef5fcbe01670629de060330ecedeb62eeac8bdb5a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
70bdf85305d0d77edc9cc9a99e7e3f4b

SHA1
bbe7e3ee358baf64d34cf589a0a823499f494a56

SHA256
412ee2f66ea36805eb96b0820a4950fec0e94478ecfe3366807db1e6a4b1522d

SHA512
fb305b943c258c5526c672bfedf2e803fccc8eeca2e843992f239742ce037f46ace375c54db4006b726ba94f881b2264c19d960763ca2016dc105970051a99ee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
46625018b734ba4669a3d81d8df26b3e

SHA1
c68ff77e89b68b37837d12a428fd3a979caddb09

SHA256
00689d5345a6f7abdae6c39f7e291e3403592e087e033063b5228453f7185a8e

SHA512
c50a483859fe18eebd608b0a54d892644c3397f10b413a74ae1ac2f7709364671279b0f349d9086b332e7cd6bb84d4f4a38a6c9e386de9fb9e18b283b48cf72f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e275725ae827ee9877adf7266c21c898

SHA1
8a5b6d23b3019ba29033331c62f6a0aa76927b3d

SHA256
8b8c9512dcb40592d86aa7e7cd43647d6c1af0c8ba73bb92e553649a37c8b60d

SHA512
621cbd68c89bb2559853cb6afbdc020b4030f40b9053bfe4f39adfa260cbc57efb963592fd4ef8f7edf2571fa457f1c58d45fb3119a3ca6dc380549da487d0b7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4c34983aeb247884b5495ed3995c2b99

SHA1
38c3f2506d7e9d43e9d2c2b1d2dc28d4932a6a11

SHA256
7ffb6b9bffebcfa5b460068f02000fb11603cafc3a09681e0f700cd4e18b0e19

SHA512
2dd4693ac05dda9fa334ffa27bc3ec8fb185628e7cfa0ae6c84c2879cea86461d91e9e960deb96e5c6e8aa5c99110e3dccd3d6cdf499a57e5a481991a9d69ccc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cddb0ce211be98c274c4f407bb4d5757

SHA1
c889573edd884bc7d08df07708bf647c569d72e0

SHA256
6a7ff75ae83b55e009e3d5a18094e9009baf64a10c452070dd0cf410dea35b5a

SHA512
1cb8a68f482e812d1bb12b23471d59f12bed08e7ed701d8f0f7a799db20170539d5ffc0bbe96067c09eb82ed1ec07bf76207b6875bcde3cc9903b1a7cf4bc9ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
affc5747d2b1a0b31672aa6004b1f9c7

SHA1
3c8a0c28ec0d3037067b7c0a92d6c3d3c725711f

SHA256
3a3a0cbf5bb385c53b1b0857ca61a2d463bd36d7f78639dd58744351b23806ec

SHA512
b371049201109fbbf6fc391de01522c22770818936cb9672616aeab3f4953c94675cd550a52576d1a800903df9f57bcf88deff6a006166939fe0abbff0da4ca7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
36ee46d890b9abf7d59a0d434002b857

SHA1
10fb4a7c0e95293d2ed007b946e62371f6ffd09b

SHA256
f5cddfe66a22c8609fb1d19b21f2e81e828bf6f0eb8cfba5c7ec016c2336c260

SHA512
2100574b365ef1058192462a803d385c2c146c6e38e0f9b1d1c0449984e292a9f0b4d67cf2cf446aa5b6ae844a28c4e1d9696cab039f5ced594d1bc4db0db4e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c6d60fdfe4bd29ee84a6e59471d9fa35

SHA1
aadadb06f177f3c2c83f71dae38f813c6fb88bd1

SHA256
1234b737cf2d0bf75656d6c07c23e3fad063f4a30817ebc58970e4703e41e83f

SHA512
c1604c0b300fcacc2062747aa998d109c3d09372fc508b0b07b38089b84ba4ea34bcf0f3d24faddd72e3eee66fbfd08b76e42a39c7f91654b44fd3cd889f1c14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
072454d18e6869315f61c26cfad0c17a

SHA1
92d7ff0f1f203ae71f123e6a060183c9e87b4a75

SHA256
fe416af8846d0f6a4205e58abf2070793bce2b6dfae2e6a151e7799c8c6fca3e

SHA512
edc9fc7917166b53b194c518ef1923de59dc0c700dfc32b2e1099d8e5f7ee8d587b0c6d876f9271cd9f9e3d2cd3d1381da81626a02361c156a0e2958528137a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d8121f5772430b7a57b2188849024464

SHA1
d12e3fdc6ea1254ecd137ad93eb15a7b95690e0d

SHA256
4bafba938a28b30c4d7f73d76d931ec334f115acebfaa2b5a128498b0bd7bd91

SHA512
ce9f228303555f8a969df881037325bd1001f71f1dcf6921163baf9a03d6362ee5e46eecc89a86bd7cd78c4a2b2cabfb7144f98f51ed4bb734d7caac2315322e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2338ea6d471b2b39d7071d9907a0ba0b

SHA1
000462fd53b36b64bdc4b478bf770f7e751d9828

SHA256
7a2af6058452ba2ced42f80303d65aebc3cf4adb4e09f1ec9bdcf8c9093e68f4

SHA512
2be14b6cc4b5d94498c9c88c977633454e71e79a8bac232f159777048e3d33be6edaf38a2f7331fab0c8890a18be7b4fdc85f76038a570fc749bea91928775bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
18ebfadf1ac78c52448a1f2aeae12c89

SHA1
60834460566df12235362f71add8f16163b8921d

SHA256
9303ce200a2477d60b1333f7df8cd608992b69f19a2cdb99d426e539949e5585

SHA512
976504b27ca5eef087347d2c900ae84f96f896e24802270ed157bbbdcfe3dc3c6c9f53380750bc858cd16f074c62ca027872d2fdc5203e85318723de11e837af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
01482fcb63a7d5290cb2400846d5cbe2

SHA1
67947e6d827fc3f9a1b58b2e7f123b033e0d1c50

SHA256
8751dea7832f715727ca35624ad023ec472290e9551df89f6a2aacfd71bea131

SHA512
d00498dc2dd66f0391073b724b5db4bf7034b2378ee18fa9013f2a9a6becc9a5ab19176540384d78b3dab535fced004f84d5e75b3b5af8b5830cea6097705cff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a736c17965ab548da68cdc07ce9ba887

SHA1
9129865e2d5a93f645879cb8b0782dae6280885f

SHA256
a9563bbd12d403dcd538221e51dbe3932302d1ab1aeb6ddfe2c9e317420336df

SHA512
ab824d95e1c9c5539ae2fe268500771f2fb8d3f4ee0806b9e39c782f6ad792a9b78fcfd0f9dbb8cfe7f8c9c18747026431ba1877d0115ba4e3329e265aa21766

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
435eef793065f4eebb695540a97670c1

SHA1
9c5f4aaf90f7559c1e8924ddd6e31e315cb32233

SHA256
97cfe1a65f13a3ae938fd03282e42a6fc50c435b73c6d907d1664d9d76f40548

SHA512
4df96a194391e3549e2129f9bbb6711f0200935f97d1d81c1bd2337c9e0414ffabe86c87127e6ff96e7a8b79ba61af132cd0d9cde7e8e9f66ece3dd0ed80df02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d4f3d4360c6a0b790e3f6d3cf978db80

SHA1
4cf293bb88bda202763894dceaa31cfcd5d4ca9a

SHA256
939159d22e3b8c0cbadbde48d31ca634efd90721fca46037cd768552a780ad0d

SHA512
2f5fcaa7a8e7d65759c11974ff0399ab4cc9e47878ca7e57ff959dca0109c4f7420afdcb6ee58a56eec10bcb75114dc06e590af1a30182153bc55fd98278d37d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bfcd764b0a600696ae48bc33f5d853eb

SHA1
626fa368037f9972a0b7c258f454a0d5568d69ba

SHA256
0c420c444ffd95446d337d9c397bf5756caee23358754b45ed04923ab4b3c1b9

SHA512
962c863931a2b4abf1065b008813b6ed96b64c9819b1a29349defeb09c520db2f57a4d01e2baa375dc260ef4d3f13f1407dc9f6becfef92dc200d5ea24d8173d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9f5ffc7f71296cda02d313e634cda04c

SHA1
091a3c1374c6636641f92635255c91c532deadb9

SHA256
bfc46305f7186af6350da29bfa270a137f6f5257bd1bec5c4a743eafbe61a8fd

SHA512
08241d1c4d6a92f58d19415bacebc2997a8102ed6ea5ceb0c004aa6f741acf2e6a6c6dde7b657a5df8cd74905ee1d9491f6e0e16df2e4a37f6c4b79c85afde8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1b7693c10a5d8218c3f772becdc2b8ea

SHA1
e4d9574d1eae410d6ef96706a73de8136a11eb14

SHA256
1d54852668a52c6aa31731de0559b9e8b371d3b0402d0d175cb208b9ab5c5235

SHA512
a806486ed674767c0bd083f8d45bf95ef567356f4646e6b2ca6d100b29490a2b63f66fef25c418837e593492b301ca4c302e479272edd140a43e238ab9f5cb34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bef37ee3edb12b95191ff95d99a0b409

SHA1
edc8be14098070765fe0fd2d61197e80195d69ff

SHA256
81cf066c0263465e1787e797415ea76c2f26ead8866d9e0e96dcbba4b0bbfe4c

SHA512
7b95d0c1c8955fcb2e98fa1f6b67f588e751efe697c1292a984e542a0b3c258c0601d3f26778195265c7de425ca68e78dbf328080c9b8f51227914c8eb615b12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4c6d081e1baadbe557b55d9a1317ce51

SHA1
7e752a851c41468c49cdaf69477c8a818a29084e

SHA256
34abffd0c7147ff60f42f7bec5581dfe63fab11ccfc80c0a413222739b77b16f

SHA512
6694f403239dfadea0593c4fac2880f6f6066cabcd42fe8cb3327d380eadcf9d23d5c3c1175903c03bf40ba993a42fc7117f582f47ab99222318aac3e70aecc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b2fdc8a730dc2584336d40fb3c7c2eb1

SHA1
ce0fd6a719f3288312bd91cf04350d86137c2126

SHA256
1e737e3fb0f028843b2c15022361a98bf2d08a3337059f0987df268e5afbac28

SHA512
292ea34c100003476d5a642fe66bd7ad1859fe5b554ba33d1e44ba7a422621aa3dc44325d570d251ba9e536c3b52436d1960962b6e022c79030d673245bd4881

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5f70a94027155f800fb79d7f2f72bdcd

SHA1
57940e67b1d628cc159741c45c762defb60c3a04

SHA256
70853f2207d16f564eb36bf3fa3c24d1b30f7644efcc09a7dcdd6ed7bfaa2a92

SHA512
b8ec1d742b816cfa9a6f9e2a54954585a58058a2c9d1f2521555f76dae70bf21dea875b76da82a45cac9d11f6fb4057aedb9257a055a6f2b212e43cef5647cec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7839899b247eb7d4d53ca1669b16ac1b

SHA1
493b01993cfc0e347aec76fdfa012820daef75b8

SHA256
a140079d7bc72245a09f570bc6f62d78f6ee105217b0c5b992faf94ccc2940df

SHA512
2cea3ecf42e1bb8c72a233b171673d15d1c477a38c10733355bdefa0fed7255f043d1c8d39b5a5329ff097afb74dd8b902c3b697dfedf9053655d1e5b429dfbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
56899b0a06772e3dadf535686d321285

SHA1
26051a7c00f038ae400d0c222d5c19c42bbe1fa5

SHA256
c5a279ef8635b7f0f52b4be562a2c9875e3928344e7467deccaf60429f4df0a9

SHA512
8acee83a57e0ee25f969ddcc56abbf0eb2cffccfefada39d8de72aa2b8917fc9d0e0910e44810a8de6e59cf1ca909e7c7f3bc0b71f69d0cb2f975bc293ca7275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a5085777f9a4f35e9bfff7a1f59ba40a

SHA1
1cf074b80b05ff4ca4389d19f9d3b2c2269ca267

SHA256
bbf663300c265c1e41f9215e97d53f710e5b00d21944282648c5ff44036c67c7

SHA512
0a24e957420556c0ec8e6bb61b4f12ce28abeddaeeb6f37e9c2d7380464e7ead22b90291e09ef1365529235fcb278ae18ade0b38681dba64a9c4ca9692563f25

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bdbe45bda5cf414fe2d1d7d51681ca2a

SHA1
222e7ed02d9e7788af145a5514678e9a87b2a8b5

SHA256
02a2be0dfd1f06e85b0533ea98a93cb55550f6dd98839319867a82a539c3db14

SHA512
8333e9086b3b0ade825666711da49e49c45da36fc54d39568d88284cbf509b1feaa9d2cb2e2df7003b6fcad58927901dd9f9ece01eda3f3c71fb88f2fd80492e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
281bc0e7f28ab43c75d9320586bfff70

SHA1
457efcde27eefbf72472e9575419b81ebc6134c2

SHA256
cc81f8e888c2f5e385c54b879f0ff5eeade07dd6a36ff894ca06f28f745e2989

SHA512
432a7f74c5c6da03331fc615ad7cda008333b0a9862e47a5641fb867770fef528d2048396352a5e074eaf8e309b6b2d99c94382b2cdae6c717bb95a9afaf829f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fb81a0eb3fa5d9f91f6de5a4b3280187

SHA1
1404b301885cfaa3325d47871509cefc99e1c90f

SHA256
ca0016b433e29b19f4a0789df1633b4f9d1c375049d210b73506485fdf741fbc

SHA512
2670b7fc00ccfa7a5ec33aed7b10669d12ec001cf5e39cb644b177b0269a702cec386960d96bae0a4d61b20d6e2087e9b2e0e80c8111a649aaecf0ecf649e842

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6eeea4c782ad7c1e1b3ab5c3bfe378c2

SHA1
00bc45b464d585ced9ba766f44120c157de389ef

SHA256
44b3dfd4748aaeb0e86e656b2a9adf60faef1e68c424725912608e0108ddeb12

SHA512
7b4a1c2bd967b917529ce930aadd2ebae3984cb25e90df211a234b36bb8a4b3d006dcbf4abdd98c0e919200d7aefd552c9f6aee5e25707d21135bf65bf77ce50

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7a802964f0203d1029c3085da64caf9a

SHA1
62bbf9ca984424a8826bd2985b64eeff434c7df2

SHA256
b33b68ea51053a6fdd702b45d4baf74238e80040735f6cce59b91d7f9193cf0e

SHA512
65edf9d350378877d158ded2f20c2b39e1fe41b41bf94f59e7c9ef2ea7355dd932309f83aa6e66f3f198cc2a41dbc044de56c02e13ab9dabac5792a171c2c08d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f3327b18f721e667acb8888f02cc6069

SHA1
b622759a1c1590d937b47484ca945eb9495b3b49

SHA256
551e633b438241b078e0800af622d560c62f43acc7815440b8730c7822dcfc63

SHA512
2fd49862b99a71783c91b87ac4594f2b6c27a3044c644449d155e50fc01c150ff92ee6b44862ca52d38adfbce0fb426210e2a1e1f349ef5c6f9fc2b64a10f879

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
86ffffa0487d20b7c7fdbafa4f2a78e7

SHA1
c4d3f3c60b7caa3151e6e5d764affc46e3e5b99d

SHA256
26bd8e4acc0f15c22e493827b5c912091d6e0085440a3f4d71b5acd97d766cbd

SHA512
4971bf2abc7900832078dffe5f0d87a381a5fb13673e45b8bc1298cc52c2bab94a059d45150118ebe36ffbc2d439ca35d4efcb0771695675944a9708d2922515

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
afe8d7ba375fb3a0c0704a14972b9f9c

SHA1
f1b0be1242a5c72c8d6fa624ef7d5f43c1f4e1f2

SHA256
60e44915d6e22151ee933173c063a7b730e32e69b03c51668dce4f55eff93add

SHA512
8d9f2ffc7f634753370a523e8ea21f44420bef37fee53c4856897dc9a95dcbbe3ad63e36bf3d2fcee3d91c65d7c00278d77f73c4687965bdac22d64330d9cb81

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a288c2dc982ec9b3758d4afcef74e158

SHA1
f2768beaf1e7853d9382e21e61701fb30c0c5476

SHA256
aae3c9bea74b83a4a4ab4ba68308acf2eabc3a3c7e1040bde9fbc4d4625faa4d

SHA512
5dc59969baab6c847e87f28f71170ca33a0124c2e74aadde001d09bd1c07e58839dd7bc3846e4f5cbbcf41797c3c558108e22ac4372ef76bbbcae590bba9b3cf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d0b451c2998195701ab33a9bc95402eb

SHA1
9ea617b20a97368ea0ef6b2f9647f65aa05a2731

SHA256
48e83ed625e9f62d49a3dc837878c7ec39d091b34adb6165429b8a4a03e4832c

SHA512
b56c28a967288297ecd01f1aeb533b37272050c002fa2696482c5c4bd7e2047b1be9d38243833f3d9b3ddd8fa8dc07b662e47db5253bca41c5f5ad4b174c98ae

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d8d75ee6b001304ddc9ee5dde42728ac

SHA1
f074a5b15e076d02c01cf318d7ec62bc5bd4f1fc

SHA256
7af1bf339cc37425139c976bf8c089f885e5aa2270fffa179746521650a47415

SHA512
adc94acbf490754925f6d0db24a110afa3c6738251dabdf9efc2f7d61b52270d7000c5a1605d3930dd8e5cfb00cba105a7492c34ee29dfe5b68fcc904b296a56

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
412a9e27d95b0885d3cf590b7b59c98a

SHA1
e75aef73fb7c3b98130633eea030a582d4170989

SHA256
0acafb6adb9f117f1697069cd264531044388ca4df29f049f5c6b1f1ce78d881

SHA512
05dabb49fd5d6c1981dbf02c23ddb1403fd87533c65513ebf526924edc8f9f31c2fd5258b07d54a69a3977aa04b40ee79a30205ad1cf13ce4f0c9c6201d6bc8b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2ec90a548f512198db824cbdfada5fcb

SHA1
ca740502f5432995dac5ef23bf4d104d89b6d54e

SHA256
d99f26ba524986de0ac1e4824ece9e7f6f2270b54833f517699ff5b2d32ab287

SHA512
087468e3196b818037f97c2daa50dc65b9cdc578777389e51dd063c7f55260831fbb6e9237ae712b3886a83163558c3edd8794b30426379d10303947081e5c69

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce8f01076d0c200a519e7ba906cf1fb8

SHA1
b6497521d716c03b74865ac92416569abb1aec1d

SHA256
dfc17fdccb372aa49225ab4366a07be021f6d57924462af5d98dc7feadb8c623

SHA512
edc11e66b7ac02530f0774b1b7cbffbdbafc8c53fc023294880999c8d69bd7e8563e57dd904618c7b7bdbb77f09028bb18903774394cbce13b4e86dab859dbe9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
294fe6d56636dc112dd916a2544f613d

SHA1
a40acd29b3360c79c354f79f352027822547741d

SHA256
dc94c295d34d9c001c18ba3d9c5b6850d1c3ce2e792ca4d8f3dfef21f24bd139

SHA512
e5aaddc44955b0d70095ac5cbcbabd1492191ea37f5320308d81ccc45f23f5b91c6be4ccfe7c6fd696e298b249560afe8a6e8ac9f5366cf43e908922dcfff13c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3bbc5545a999340b14a62862a3f8c63d

SHA1
2c30b10d4aea1a73846070ae3e3a84964eccc1d8

SHA256
4f0d624a510e58ad55f49f86725957e8fae486312798fd768ab44bfcf7a45d87

SHA512
7f0d1774d00bd7f1f83a39c553f69c2012ece3919739491f0ca997e508a083dbe8f06e4d2b9742a4ec95d2e01593512e6d78db675ee7c9d5bd4200ce6e104232

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6ed2980d3c01d7266e55692f278cc96e

SHA1
3a2906691ee4dda246d668ee51820c5aa227cc3d

SHA256
bac665ccd50c4e27853cfd1b1046e84f4ceaf6b1f0b89de06a353dd7d25dfe2c

SHA512
8a984f35e50d6355bb202a5ad7db4dfd9afd0a76b45b5cdf79fb4c01e905609b81ccd736d253c563a7d66038d2cdaba43e4da85e20ce7f71336205784cd25396

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
92a46c89ae109d64ecc49220c63c521a

SHA1
110e4b1a3a76d05bd6b8eda889995f686ce15bb1

SHA256
642906e25bb3703f9e43b6e0d2d087f49eb954bb3abfec323b821c207bf3dddb

SHA512
aa47f5a8b7b602318ad7af0d1a8e8faa539f51266cde4befe13d11a105248dadeb0d9982403d34adca7c3b4cdd1636889e9c0b605106bcff7b86c8bdfe2591da

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d018414a67d2286b27f1a25084c8a7b6

SHA1
2d784bc56ffe200011b79dfa57cedbc1ad2a2b8b

SHA256
b1d7685ea60a5ec00a6c2d363ac154a971237cf329e059a6d9de11ecf0845f59

SHA512
9861ad75f000957abdcf24f35894245274f2c44d4f159502747d3a3ef477375bf065878d70435f00d166235145675eb51409a291f5b11222f5a4cd30d148d100

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b7a3849bde08bbe81d03e2bc75d631bb

SHA1
e06880add7042b0d4c7c4d841490fb472e20679b

SHA256
00f88612d7e17bb8d630c42288752eedce60733b5b8f6bbc0eee40e314c620aa

SHA512
558268fd5deb262e355ec2d49698ad45d21c440aac5a3840a8d6a31732ca7eaf3f007e03ae9459dbf1f996c3f7cb87d4f820ed697e7aaa272f953fdc3b246367

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1edeb76ce09cfaff053cb4e2eecc7eb6

SHA1
8ee42a541afd1e5ace421687d8d6df380849cbda

SHA256
489d1b2134af3882ad316313920aeccd3cbb002ac3aa46085d0b9b6b23219dca

SHA512
a8e7d4b21dabed51a9501413b06dfc26a7c0e02d5b8664a2206f6e3275404a43b0c20d7a50299d4c3fa5458920efd24979bf2bed05cf29808dc7d083c89dad67

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ad9144bf00263a67795f860ae70535f4

SHA1
6cd8f8d71f82a31e225490d47f4b2996779fe66f

SHA256
62b39ac1abfdbf8cb2b360474483a3c8d7e8457adb769e13f12289d02aef08ef

SHA512
cf90d89074878c658a89b4afcce50376cc85aafde1877fb7d23de517ada06f1d1c11c3cf73afe9e5c0f9f0adae91d4ac5f31a1e2fbabcc4995ec4e540930fa69

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b66769cf88b344fa9de8deb1f6beb6be

SHA1
a3b5babd8be9d98eba0cd799e59949322abf9ee8

SHA256
fb00dbb9393eaded1c4216521cd8acfbb919304966d120dc74e249a163be1f2b

SHA512
48af411d4dfd2303f2089e75175a2fb2697e0c9caf42ff00a7f6682fa3b08da51bc214bcb4fac6f5d5c415e7daae0fe99c408b5ba6d18ddbd781382c683bb3e7

Download Submit
memory/828-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/828-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1092-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1092-432-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1184-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1184-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1308-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1308-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1308-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1308-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1324-8-0x0000000002390000-0x00000000023F7000-memory.dmp

Filesize
412KB

Download
memory/1324-1-0x0000000002390000-0x00000000023F7000-memory.dmp

Filesize
412KB

Download
memory/1324-81-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1324-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2100-18-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2100-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2100-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2100-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2244-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2244-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2364-438-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2364-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2680-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2680-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2800-415-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2864-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3164-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3164-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3232-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3232-101-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3232-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3232-106-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3340-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3340-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3340-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3340-31-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3524-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3524-89-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3524-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3524-95-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3812-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3812-433-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3908-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3908-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3936-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-398-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4268-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4268-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4268-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4268-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4268-64-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4320-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4320-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4632-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4632-434-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4752-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4752-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5004-79-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/5004-73-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/5004-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download