4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Size

1.4MB
MD5

1589682a4963f918bf6d074079ad4d01
SHA1

7d0c343e48afcd54947028c1a5ac767de22a5255
SHA256

4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb
SHA512

48b07e8a88b302c82e45303a82bece805fd868afb9ab0a30bad8bd6e56fb8382e0a3a81a9462d94b573bf2d956727ee7f11941f0f027c3ca40b188666ae6730e
SSDEEP

24576:18NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:1gDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3948	alg.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
3756	fxssvc.exe
4212	elevation_service.exe
2284	elevation_service.exe
2180	maintenanceservice.exe
4756	msdtc.exe
1548	OSE.EXE
228	PerceptionSimulationService.exe
4188	perfhost.exe
4044	locator.exe
232	SensorDataService.exe
1528	snmptrap.exe
796	spectrum.exe
3756	ssh-agent.exe
4876	TieringEngineService.exe
1172	AgentService.exe
3192	vds.exe
4916	vssvc.exe
2780	wbengine.exe
1992	WmiApSrv.exe
1816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\locator.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\System32\alg.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4b642cccb36a5b05.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030ebe2a411e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010f644a211e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000440677a211e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000931a6ba211e9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0cb7ba211e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000153ceea211e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f75cda411e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f0939a211e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeAuditPrivilege	3756	fxssvc.exe
Token: SeRestorePrivilege	4876	TieringEngineService.exe
Token: SeManageVolumePrivilege	4876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1172	AgentService.exe
Token: SeBackupPrivilege	4916	vssvc.exe
Token: SeRestorePrivilege	4916	vssvc.exe
Token: SeAuditPrivilege	4916	vssvc.exe
Token: SeBackupPrivilege	2780	wbengine.exe
Token: SeRestorePrivilege	2780	wbengine.exe
Token: SeSecurityPrivilege	2780	wbengine.exe
Token: 33	1816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1816	SearchIndexer.exe
Token: SeDebugPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeDebugPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeDebugPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeDebugPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeDebugPrivilege	4032	4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
Token: SeDebugPrivilege	3948	alg.exe
Token: SeDebugPrivilege	3948	alg.exe
Token: SeDebugPrivilege	3948	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4184	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2936	1816	SearchIndexer.exe	113
PID 1816 wrote to memory of 2936	1816	SearchIndexer.exe	113
PID 1816 wrote to memory of 1736	1816	SearchIndexer.exe	114
PID 1816 wrote to memory of 1736	1816	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe
"C:\Users\Admin\AppData\Local\Temp\4c5393cb8bf408cc6fb1cba7a79a5a00efb3f971dc8359b9b589e106acdfd3bb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2936
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f0d091b3404037636bdd844dc6fc221a

SHA1
235e00accd589fc3e4e9b6605c13d4e580bee83f

SHA256
7b4a3f16a7888281084175a1015ef873aa4bc6131690125f954eeae7b4b9598f

SHA512
e4f03a0efeb4406040c917225362a8db88de570976ef59be42ea308e39e2878095d43f1c90f92922b945f66afbe1b8553eddcb5a48890849abc2cf0c63629135

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d29ac8dd79bf3c9a257280daabc52add

SHA1
434b0ad4f3f8f2d3d6fecf16d980bf70784ffa35

SHA256
aa80b43e8f78bc063f24249831c9f3869d198b3bf7279973804e208d47bf5902

SHA512
09b3e996848a5325c84eaf09b48426668b6b88879fe294956d140c7ab76b1e6182f6c4d9cf921befa8ab687a8a0958776658449dd0696c75114113f2f5646f60

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
56d4e69127bc98d6abefa3f82df71014

SHA1
a9164dd17da6ac6e4a19dd46ce3bc41d5790540e

SHA256
a6ff9dc2471bc729b38998bccd687309e8eafdaad8ef0ebe1fe0c46f3b5e8462

SHA512
a981eb2c23a76480d78b8b683914d2f9280565ed3379d6b4d1d58cd811e9084ea54016e6f6de7185f7386c56ca76119ae3f6ab5b8b68383e2fdaaf32e47d6829

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e7422f43e823dcaed3a795553f8287d

SHA1
eb1c8ec8d6dacb41365f39e42f9622a493639ba0

SHA256
8f5ddca4867244fd85e4a8fb7c6207860f8a3f0bf30cc7dd8265d4908e1843f6

SHA512
76e2767048bdc090ad3bd266f58f86bd0414f35e72e467d7db99e2831ffd13586d5bd0ef18a3931f08bf433044a87d01a94dc878d1fa85c41d467006fe8d2ae6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a5fe371024c71805f01b6b83dd8606a1

SHA1
87e84bfc44993bc4b050c54d0fff76823ecbad84

SHA256
51e78ab2ec1f6e99b0ae744211db96b60011c0b869ac56061a4fef72a4ec9cad

SHA512
48dc54f9b214f84f7884a8e17ba3ba0d094ee01c07d6ddde927a1500597c773c3853a3635ffca173e05ad4789b978ff0a4df7c0400914f85381548629e150d2b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
9ea6cf13636d6acbc342debfa56908d1

SHA1
76ba97365b8370087ce355b33d619abb998cb58e

SHA256
46980e022b6fff3b03628730443fdc5794cf0a375c5bc63fbaee05f0c82f2c37

SHA512
72752dd059d7cf54125b56c1c4dc45f67ec1ab473a3e2cd850f3037c250aa593feb3ddd9dcf1e687c4346199bfcd2097e9464530ca944c21eb10ab520eff2ed0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
18a83ba5707f6ee55e7889210732efa1

SHA1
c6a1f15daf048b324af2cb3f2243d2edb2b96313

SHA256
8baa4eb9370546538490740675e235d4e364da157f0f0e386d587fff41473ea0

SHA512
0de7b8d4c9466afaf93e368d80d4bec2396e5b45a6f74920d19da423317d9b92e4a076480c83d8dd47a683f79ec69e5623d9e7722da2e153b7fc5dfb0672ad53

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
113982540ea96ac54d9cdbb7e0b06da9

SHA1
6bf597f92e7a380d49c049209877d2632c6ca061

SHA256
cbdf875238216b9149f661abca0a99ede47863993b3d4625a8877e23602a4c75

SHA512
712191d02d245632eb92fa0759bc611c64034e7a01806e229ec6a42e37b4925453bc201b1de8e11a9f00cbb3f1db27942b20dee165a088d02e280a821bfba143

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
04bb1c50e8e266e345fbe09841bc4250

SHA1
2134b71d0b3060228af3c181d8423d2adc8740f7

SHA256
c5ab20857897827aaa7c6068790f53342699804004566d781633e76abf1d9ecb

SHA512
ae287e984f2254b3084ae88a1f258589607c10b221176e89a9660e1e52a27f87ca0c6d08f513cdf5ffc3404ebc4e2b493dbc1c6d0512956d5be777688da9fdb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e3b1f873d579628430ae93aa93a0b362

SHA1
779225e653e01fa91012ce0f99bdc5d794301b7b

SHA256
826431a4280a2e6fb76cefd2b187403161f3d4cc83d3c453f99efef90fd1cbc7

SHA512
7c7a227726eaf6d23a25ecc2606048c8b106ff4e9e284a5b82137b9dbfd3b5b908ae428c9c3453eae6547c22e7d42badd2fd51467d336ed5bc63fe5f9fac6d7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
82c52a5c4f14e63432bc9db529a91148

SHA1
85f409025132d9b36f6731374170fb347b789d67

SHA256
4c8f01f94e936fdd3b856fda50e3048c8e2201f7161b0809098034e80e23379d

SHA512
c123b586d09c2d41ed6bf6de27f66522ca6a32feed2ee864b657345fdbb88cf133f8b58bc7ba63e19982e4ddc4d896600d8a77c85f91449387c1e20be3be813f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2fbc227be6bbaf7003332c0e4610ec3a

SHA1
ca1c7f83546f6538b6826460e3a0e54de924eb60

SHA256
74060ad83fcd8c0ee9fe2e2ec3eb4a48a38162e3565d38cab3eaf728fd9a1b8e

SHA512
b2d956055d6ce25b8d2bae47a1ea8c53b0e0abdd26689e5c33b22ca18176d9a3f70debb0539dd2451f35e6c449c8d24e8e40ae61733674d3684aeb7e4ff8ca6a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8d05abd8fb818dd22db141279fe7b2e5

SHA1
80febb94ff570f281f4886ed0c049889dfc9bea8

SHA256
583ff1effcd782cabdab00b75be3a91b6d29f26a550e2c0fad615cd093f4560e

SHA512
668aa6b2bc56a9b31b6621d7aa75bee41ec2be536b09876b1d3eb6537c0cbc28076f1b2aa21b879cf445f90a741beec878768d18b011897b35ef77e68ec84df6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e5e6d95ed18119fa8fa4e150064538b1

SHA1
d40c45ed958794fb134860323f0c0d2988ba1caf

SHA256
9ad333ee96583fd934f8eb968c08a9fbca155841ef56ab9d299af6ef545067fe

SHA512
cc6cce474d222f14388e3514489bd2d90364551d217d2cbcb5bd659913e931bd04f0d9eaa01de7f06da68da2e75c2b789fb87d938ddbd7df83831c96ea90c328

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d4531e5dbbc1fd4f7a3b0663977d313d

SHA1
917eac1450f8645eec634dfc9840ed0558ca4ad1

SHA256
2c9a8b0f5cecc4af9a9f45a080662d0a3c1a391d846b779fb72a7ddb082f5c72

SHA512
c4875c13bf9871a0acc20fb87ec9bd7f95c1bbe9e6cd2c2d69544f6bd0925e9fc76480cb2389607ec8168713122661e6820efc9c9ea0f03a40544723675b218b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0c2ebdb84cbabdb6057e9035a84a5696

SHA1
4f902b03a018433a5aee3593db1e7e26e8612144

SHA256
17405cd1915fcb1dd6e45f40ac1b02b0ebf07c203699b2cd8e72e52107231c88

SHA512
b6d38f49af915bbe77cbc5611732827ac6f5039a34dd8982198f7cca173aeefc5b3518098c5754d963bf060699938558106cfb5150c980d5aa211d02b4f0aa5a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b77a336047f1ce8b2ff462228015eba7

SHA1
b3a7513e4553dd2b5842f9a3391e037e21bf5e2b

SHA256
c36cdd7373cd7f558f58dd4190b08b143e478d7f2124faa886a031cc6efcb800

SHA512
2df9e0320f8af4dc628a333acd9d5d3c5c4565f0d59411f427473567271c361194b2708e7fc52fc50df9ad60e2206e9bf396150506ebbd02bb8f7b2717beaf1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
90837a465ed4dbf8372aecb90c5c9b7c

SHA1
6bff989622f9937cf7b2f1ab7637e218914a9f75

SHA256
7031765012e89fae4ce0ef6d43d8c452ceadc69e5f1d1c066a7332bedeb69e9c

SHA512
52b477abafe9794bafb80636f14fa225d31fa4e3f04b663c9beb78f0e230431af26ad1f1bd088e1e46250bc01e303aeaa2de86c6132a836f6f36b436168903dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
fb7c9518346e8cf416e379ed773e761d

SHA1
03171206b4385f19d93abfd422a7dab2ead9baed

SHA256
58cf48dc31428290c9d4a5b7afe40bcf69bbacc5fe1865cd27c1fc5d97c538e6

SHA512
2b6a487cde16223a7927b98fa72fd34bd0f8a33d0b9b9831128510ea046e593f68633f10c510483f968ff70a9d8cd06a11f201a0f160c62378b269ab257e3d08

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
83e01ed9281b49b13fae96e0e7a87fee

SHA1
7c42b56a2881c86b57df7961d90ee8906b1a54a5

SHA256
15d3315eeb9d80185938f6a663bf23845fac8ab72d640bac278b4c660fd2c8fd

SHA512
89d375a8f373118e414e50bb7d0ae5acac85fefc1da9ef4c211e9dff64a68ac04e3cc7fe4c94a82a69275627f414d0ed30fa18c65a3d4188f3ec3e88723beba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3f518d9ca03737d0841a8656507345c8

SHA1
e795e76383b636e5272a05edf23ade730453ac15

SHA256
2d9c5e71dec4ab4624b70d91f6d32c93c57b5a13f2bc8a5cb28cec8f04528816

SHA512
675d21c7026fb77c9e22105c678716558df3620c6cdc20d13847a3200fcb35f1fb0d09cd66a1e5deed077779191be95ab91e908e1bf56ae6d511b2fb7c03fd31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
be1591bc31e8bfee0eb2c9e7aee60be6

SHA1
d443e9d96144182a509b4a34df0549e37580e892

SHA256
49eb3742c732e3ff9fd0315c326c7724d0aae062b297eda83907e7010c2d5e98

SHA512
343a60038a1c13a4c5f2267ea21bc6089913c9a237c5a0e57dea95f9386ac4f5afb6763b4e5683b52979fa2715a0b0cdc13a9d1bedc1c02bddef87db978a2029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
972140c1261d15461e006258650862e5

SHA1
95d4dec3773b3354effab1f28fb40c8f096535d1

SHA256
bbfe11d4fbca1ddbcdcf7c279b6567ab2cf2cd0c418e2a45a51993067ba207d4

SHA512
a492016fb7ef51b806bbeb1e5e352de6e094dcc45eecdb18ae70ee46527bd388e9b573d34bc5545da7ad856a979591f13fd9e0828f43a69a38fb4c5dd7bf49cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
07f380e052463e978993deb6384c54c0

SHA1
fd6b698415546cb973fedf3003114eb1b1b149ce

SHA256
66be4dc00d8c05efec4a9603ef4aa6ac580926f0696001331f352b43949abf46

SHA512
ab1b2820139dbeb2fe18ee525f5c55c1ef8619ccd926640f3fafdd4bcdd4d4ad030b2ff2b9440b618356a430350b954e05448f2a4d9e99c44be781d84d53f28a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
4b264380845b77d08245f1c25cf440ca

SHA1
ceb48d9769204361527d670d798017eb88a3e17f

SHA256
2a70203cae05f0a4ea3c7534ef0bcdcdb55a9170ec87824e7ee9ae48c40b08b7

SHA512
fbf544c3edd5ceb8497ba1c04dd4d16027f2178d845f83428250bc75cd628141d4ecf2408d2152a3a6282fafd8ae7636faa1f4919e68f25eb7ab8d712a6d8964

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d16003b47c7f1a924a63bc29ca572f99

SHA1
b56084a42368781d9ac38ddb1fc598e6ba2249ed

SHA256
e219e4475f561c282a89eb65d1d2af9389475c9306a4b2ce6d77f6986d8c356b

SHA512
3b06fce70d635d3fb7f86f20f4528f9d7f2d490313518f690bab1d5b9487ca9e76c699d1aa9d5003bfefd3d18449c8274138e469207e5f6bdb8fd1e78d647317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
dd22a924744c3b9c039312fecbc7d3be

SHA1
74bcb7da2b1cff1ccf1fe93eb04138e0dc970924

SHA256
671126c5e27de7707e2844cada8505210da7bfe25518371eb5310cf23e91a566

SHA512
51a15ed429a4545cddeeecfd3b2f4abe05761c05140f19c2f26b660844af7a90d01b037ab8f537ecf5922fd9bf7ad346c6fc3deb682d1b952fcc30941ec50c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0efe2dbfe6ff852e7ca894e2edac6b89

SHA1
a4adedafa0c3ff912193da2a14081f6dd9ccadb6

SHA256
9773b70b3839467d02643f9edac2e4c9b8c19122a6cc8535e1b29f970a00f3b2

SHA512
20a832094cda9637bb8b2cf25841bda40e3190b5693a11094b698fae2bce0b28eb6aabf57e07c32c8ce8f43baa66c909b2341756e1872b2fcd8714d85e44be90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
3f550294270d3583a82cc131da60fbbc

SHA1
8cb6e68c892b9e1450ba3daf8fc4aaf652c3cea8

SHA256
7bb45de091d767b99857164088fa51ce1b2eb021c233fe201e5237f3de4ddb11

SHA512
107bf265673c1f265b7d0d89c99807d086521abf96739fb05066df3b42e92861ae90d684414dd9ba36ecef92e43572b6affd65ed2e62aea6ca32179b62c7625d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4df577306c144b8c82336ade026754d8

SHA1
d6dfa55acbf083210384b2a0a21b14a7d003f94b

SHA256
2a5f97cc67428a7b4110df087aa27468fa15f0f59dcd1ef8929c4c1a14784b46

SHA512
aa5d9a7d9674fa69e32cf94d1905ce0439da8962e63007b8b38d53a2cf99d31a9aa20def198bccddfa7839912a252468a8cb01ec0da1185cb9e69ce7e87636f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
926dfcae26fd357981aaa62ddd0b6440

SHA1
df7de217fe338f125548d86bf433894e947f7756

SHA256
84c64a48ecc539651d89ed92bbc6b2dac648bf80ef50df042c05cf1900e924a5

SHA512
722eaedb74a5dbc963ad5207295035f558d417608c4fefab43b6f3df631cf38ad34fa9803bbbf9de229f1aac703f1a32bcb231991b7fbc25d5d2b24874a05f65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
3aaa6bdaad5ff3f271640810cab6840f

SHA1
a9b30bb299fe4677a97c5dacbd0fc9bbc4bdbde8

SHA256
ac6f06ec12ce288a5ed8fe88bef1930583be8dc375445050d491fe0db055e311

SHA512
c94a3d8b212bb112c862fccf1e28727d9b90d591e4e768004defbf66a0319e0c366e88f8a197f1c51f61eec0b83bc92e35a3fa5ed8552344f664cafbce8fe5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
6dee9e31c873d632a895628aec7bbe11

SHA1
791c6a5ba92437a213fcd82d591cccffe17212aa

SHA256
5f09b816e262794a95b46c6ecbc2910bf675f490dfc0208df7502827baafbe3b

SHA512
c5c15052ca2df362ce9d0c19a9386bc0f5b728026d183968968b33b7e63404a74d2229166fae40b8c90990a10a866e15ee96ae13f44003fea21f9d594bc34a95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2062dc32dacd63553c21f08221722b42

SHA1
7e76ee27303437a8bf24812dbad0284050d395ba

SHA256
8ea713c82a722561a66c598d8d71fbf84ec2e629d7f36f5cbc8c176b9350127d

SHA512
bf0d331000b7e4466e615bb48e82b52f8aa0c44efeb5a43299ab160e2a45f263fc8f9b616b90a4edae31b93004b4e9a31e3f8cab06d32b0bc70819bdd0d924cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
4cfdebcfae1f1bca785ee58b1ee4e84c

SHA1
43a5f22d06660e2147c36daaa7db0c6dd2ba505d

SHA256
7498a94146550168a824dc38d46029816e91837f0db5b085c374a938d6fb5aef

SHA512
baf4904bfc5c8d94bfb511ea3fc161e75228428660a06c98c4b33890117e5608419be74a60705518a68f42c0bb0ce04b31cd680f82143bdef1565617b17ad987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
d10f17c6472ba1ba202fab32f7880e9c

SHA1
f6dcc17c356d106695ec8541977f48f6d4cc2962

SHA256
ec20b051331a6866afe63dfb9be3e19ad83f168fa90e672198c8f90cbc6e7b5d

SHA512
044314e79fcbc361c0eeaa683e7d0784497ffd5002b43b464b02819627e67fe20050db5770f436c59d0b4aad2c4548a09a6f106cfcb8188d79af39348f8c0392

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1cc66d464542e5d60a3f1614fbe8c8fb

SHA1
91bb0429e11dfb4e049be505ff212a2ad37d8fd0

SHA256
d09f72f0e0cff35ca85ccd2906bb3ce61560d91e2a5f5b27ea6ea2959c9307ca

SHA512
2f0be58c032c555e2a97a183f3820126405b35eead0b5a0ef0d0a6cef8139100789e4336a84ac0dcf2323a59421168754025832e5c4813fb218385cd52b056dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b36b6f80f5c1fa6694878bea54e43082

SHA1
603450f0c717e0d8e66fb491ae9db4f62eea2400

SHA256
55f018e1fef6ea1376d06b2d1c38193a0a940e41aa15d3b475f27f54982eb01a

SHA512
63d90e488d8d22a36569e3266703584f425f7fd5f9c6cf62522d50a55cd0ddd0a53198f2eefa43404173186dd9c54637088ada97265bb8632dd3c765665fbb15

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5ab119e404a4f6677d220308891ad001

SHA1
32aa333dd13c698e3822914da7ed58a8985fccf7

SHA256
9e90ad1e76bbcc855fb877db6023927155a406f7e93e1bec3b20de938fea8046

SHA512
1dc77d3a28e333f20995dae21efeecb6bc66a41449f1154188d450115b6a7a57eb86fe8676439fb17d5ab1a539338f5943433d4970d0349a55bff0b4b8987a2e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
81260ff2d42d88bc5b70934eb9b939ab

SHA1
ad59fc8e1eef8caa3152ac95aa9a3aa844f88fec

SHA256
ca959face5c03833616f0ffbb28fbd08ea7365d5d9d636c6902e080a00c52543

SHA512
92d0300f9db5ad950458247555d7e33f32ad864aaab6ec192dee626e1c1c2f81719fa42054b0ab77cb8e780abe7d2c6cb5e741b5c790d635e0522dd6a258c8ce

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d3dcdc1e7e4afcb6e273d04c3b82afc2

SHA1
bf72102518fc5d642f8f283add0ff80448a38c57

SHA256
e94b60cac0c95a9c594294603da6557b0af33435ce50fced415858ef1165e5d3

SHA512
84ce3ae462c32b335db0271c4d5d72704f2310b56d26d05b2062db31a0fd9747207d69997a6edb18c43f7d55bfc012d66c4b40b0e6421ab35ccc9593f292fb4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
349adf6d6eedfd076fbcf5b669467062

SHA1
9311891cfeb853c57579f4905a672b26082d014a

SHA256
69d06dbab92147625c08b381f39ded5d3d5298be38c8c6a39f1e6a86dfe06349

SHA512
908c2f1d4a9d49edef27e7be1142629fd3737fd42fc7107290e6e710e156d3ca015a6887966146505a1de79ac646a10e03ccae5c8ece180a7a3aa45a51542461

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
21a3216b3efc3615d3442ee685828edc

SHA1
23cd1723f4b3e4314912df5ad89834f9494e997f

SHA256
24e2a249bd1e89513a76c0c734b750d41e1353d3ceff0c213a2d3fbb6f334b90

SHA512
61afca6511ce1564dc5464936b672c628bad60b39c0698356f15cd8143b977eb30e9cd2d745216a8b647d8befa42b98c48bd5e6d160db0119f65ba5a5a3114d6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
8d20235c9ca3413ef6f5f638663ea666

SHA1
03641ad1811d9ab3fa3265f7d1113808f0a3587d

SHA256
913afbf10c579ab67b8e8b2ccf425a5e85564d84036448d6894699cbc1ef2a7b

SHA512
560c33b78fe618e45f58c901ed601a6889fa27ded76e530ac574e39b1029698b1ce563a7d26e5f128fcfdc5d0174c46e39b882b299276567449f365edaad1b7e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4379ea0c782d90ed07a6dc05ebb352a5

SHA1
39d30f253c7736fb9ef80d7ed269e6d13ceeba58

SHA256
863e8cd7b5a756ee650ec2659f00f9bb3d65ab77fd2307b219d387d439da5b7d

SHA512
0fdf2c9a0a67b2494769f885da28e33ed0fafb7c7838b9b69ffc1b4b9528f8c52184216712962dc596d4fe137d574772fe0bd96c82c1ac0f226ba4b62ffde40c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4353a4eb69fd53c78a114c2e96058b51

SHA1
20336964053a9176319bf77175ac32988c98e0fe

SHA256
df185197a2cf17d019e13a26c47147706902cef00e199dfd0b02fb6b79a0a0ed

SHA512
6551d4beadcab31837999fe67d2e4760d133d782f41436348e628c1125f6ce00903dca97d75412eb941b431c1b1bf292a12ce03e92096f21b5bd4f11fce82f88

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
58accf0fc8f11da11783651a6e6d6d39

SHA1
a7573da258694278a432c903f1ab57ea88001d3d

SHA256
8936319658ef023d03b32c7db02d7bb25342c8b4f20b6a059d832b3653ab7829

SHA512
21a4acc2fd2f6f982853722aa56d038becbbda187dc36640a26ca419f62558debb8830c6a417a626423ec3ce526e373c4f9bd1fb4f5e5322130f4eed9a943b0f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b9c043abf7d74407261b12306244e87d

SHA1
b6ab9578ceec392eb86dc43b0782d3dd85d0e776

SHA256
cc02605a4a0a7f096a8c621a94fa57929f09bfc4a729dffb4837308a85b87cea

SHA512
52bbf178d3fd86c9db2c631ea03f43a5bb4c9122f78167cedf3015b55c78c3fe4f9c38cb0e0492e71c29585599c4ba3535a85d5fd8913368b8ff6c2b520f9307

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
953b51dce10aa2fada7cadf073a032d6

SHA1
0d7b98dbf494e3e7b7fb212acb0761f6c97d1fb5

SHA256
01fdc62d4760bd20363b32f7bf8507b84c43ab4d4bd976e32aa43c8562aa2164

SHA512
f55944f9b81b6df4d8bb724377b177f5abf5ae39531fa609fa02620fe7bfd6cb69a89e44a377aea5f0d6bc4d99bb317dd97ccffd70bcb0d0cacc8f0ef06932b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d670541392c2d3848abedbc51f739f73

SHA1
52b87ce6c2e1e3c781001e330f7041606bd03048

SHA256
e8d29343629a8862a2f2b616a39ab041fdba6e1855b5aea06683b93ae0f1ab01

SHA512
5e560aa557d9f252cbbeb3ab4acf347fd775c7ace317a9f33499c3b353e6c2b2cc73662d3b750f1f68b1850a8529d5f0a3c2d3384fc7ce895848dc641c43b846

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
316f0571f2cea53370e3e4a580de32f5

SHA1
a34f52f9ee0016d822a9b3c5eff96290a386cea4

SHA256
386ad80701aebfd7301cf715f1b7337d88754a8ad1e43b125c3472f133dc3e8d

SHA512
450b7e5e0785449e2c119f5cfcbdefd017d6ddeed79f72f2bf71a07ce7ebafe17003a64eb84bad20d4a8b21dbe4653e261bb4e3490d49771240496d77a05b545

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
070ac0dca0044161b04088de838c534d

SHA1
cbb317feeefa813b36d5a9f46a70fbb1aa09f6e0

SHA256
0de57bd4b2e6589ba3c490d2135148495dc5d93a9be950887669e0c94833b50e

SHA512
34f26af24d193eeeb38febc35d3731951b2edc26801361b7f1c68f24c253e4f2d3fbba824e0338bd97136f3dcdca68bb74bfcf819bdd009e750929a093badcae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f9d900a287e85d010e48a44ea1fe581f

SHA1
6e3d798bf440237bdeb040488cf7519f780ceaee

SHA256
0812f8756b114f2ebc6bb1afeed158b2f6e6a914d6cd42078b0df60e1db0724c

SHA512
d5033fb30df92bff9b0e214e2c6b7da27d087cd669fc25aae1b831f16397c6b9fb65f14b33ad49747b975c2a46ffa248f5ee40bd3f44edfd7ecd05f7f943de97

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2a0b72100f5473cd3c460cb91db865d7

SHA1
01201f86177b607d3c1adbc990f346cbb1099843

SHA256
04b160232b505fb5de5a47cf33089842f03d5b95d61fafa5e451219364e3b166

SHA512
098678ff24e95e150e5c947c84b18b667533b32f2c49b80419f30dc6c8ac74336fbb7e048c79fe7a45ebc91f0e6a1f5c102bac1139131dac8286faca72658a8e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9ab27ed1dbdc72588260e84cd4e9fe82

SHA1
67cbf67665a049590c183ff07da2df843d17f89b

SHA256
32a8634521adc245fc26d9b1fd4e217f80962be28394dfdf305524612ab2bae3

SHA512
4d951e34e741888537b696e8d5cabccc0f32b9d0e31ebffa84b05d6f3b90fd134f49c556726ebaa8ff28cd0ebebb696554e5471c94fc3176009607b63bb8e33a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
148d2bd10e53905927eb004395aea104

SHA1
69a38eb1943fe816250c2c68e77f1a6a51c13f8a

SHA256
cbad1544a70c6aa9719c937d8d88c673e3bb15bdf635fde66dbfaac39e96ff45

SHA512
988649b8776ed720f84817bc6294647ee907b0e69fcf4f69654a70fdff399fcfbeb43c18c5108963d8d625f2457d3392ef6f753dab14a1e536712fde22e13e0b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
197686ae9c16208f8ea00f302c077b39

SHA1
29435c86d7b4f9b5405ae9b8e08253e0ede08d68

SHA256
d4d3e41955bca518b2e9a9830eac0cba3cb6f4b1242e9d914b8bb56b9050632a

SHA512
e5e19e8230a1bc48f831b16ed86287f740c7f2b5fdcffeb53bc84472ac6a9e38711de74484c620357446143fc91a0925a16eba35db3b5f18ea6214a81fe40048

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
04f5b3710fc939ce284f38c3ada7ff20

SHA1
76537f2df79ffa09e92a90ec307bea7d73f56506

SHA256
02c5d33d0885d6e0b258ff4ea3ca07a2d5c09a51e0f2393c9071f1a5cd020eae

SHA512
5e3809cde5c4cd4b15515b7c2a1812100a0982530137d6618a070e3619abfb891f214f36bcc93a365a64741ed99040cbd42552283c6cb617de8e70c5c0c8a552

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ffa64cb2b47a9d70b2b64f5821632554

SHA1
2a6dc056ed4842fd4233da6f14d2ca6b78288929

SHA256
e62a5c222b7cc3a636add3c0634b7d0166dbebdb357a741a6f9b32ac04f8b7c5

SHA512
f1aca69302f434481fb792bbc57586ad9b7d7bb0628954aba5409f2a9caf46deb0ec497e06ca308ca5003c69ec1f97cadc14a9bb42b1a0b45c29658b1aa47e54

Download Submit
memory/228-115-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/228-234-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/232-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/232-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/232-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/796-535-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/796-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1172-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1172-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1528-168-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1528-400-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1548-230-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1548-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1816-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1816-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1992-646-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1992-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2180-72-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2180-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2180-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2180-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2180-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2284-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2284-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2284-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2284-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2780-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2780-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2796-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2796-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2796-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2796-153-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3192-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-641-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3756-639-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3756-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3756-43-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3756-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3756-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3756-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3756-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3948-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3948-114-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3948-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3948-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3948-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4032-6-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4032-1-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4032-0-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4032-102-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4044-136-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4044-258-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4188-246-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4188-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4212-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4212-53-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4212-47-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4212-177-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4756-207-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4756-87-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4756-88-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4876-204-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4876-640-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4916-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4916-642-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download