6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Size

1.1MB
MD5

4caabc8a73a5805df21dee78aa2aa550
SHA1

9ac85773b33a08758a2fa16c1c0cffc4834897ce
SHA256

6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923
SHA512

ce394879dd66b15364b2ccb618c9c73ba71262493cdc26875e862f64edd127ff644fc06e45fc08133c11fbe6a26abb0b807a20651d6b5a0f1c8ebb2d2e2d90dc
SSDEEP

24576:0XWIDSG0qIwDE1j6tsqjnhMgeiCl7G0nehbGZpbD:0nDKKDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2684	alg.exe
4348	DiagnosticsHub.StandardCollector.Service.exe
1744	fxssvc.exe
1920	elevation_service.exe
1592	elevation_service.exe
224	maintenanceservice.exe
2952	msdtc.exe
1196	OSE.EXE
4880	PerceptionSimulationService.exe
2036	perfhost.exe
5096	locator.exe
4424	SensorDataService.exe
1936	snmptrap.exe
4300	spectrum.exe
3040	ssh-agent.exe
1340	TieringEngineService.exe
2408	AgentService.exe
1804	vds.exe
5024	vssvc.exe
4172	wbengine.exe
2416	WmiApSrv.exe
1564	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\498c027c240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\System32\alg.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\locator.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\System32\vds.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C4DE67E0-347D-4E90-AF69-87B120456F47}\chrome_installer.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C4DE67E0-347D-4E90-AF69-87B120456F47}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f5898357b17db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060961a377b17db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fea968357b17db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac9e7f367b17db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000958b4d367b17db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a40406367b17db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deb416367b17db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeTakeOwnershipPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeAuditPrivilege	1744	fxssvc.exe
Token: SeRestorePrivilege	1340	TieringEngineService.exe
Token: SeManageVolumePrivilege	1340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2408	AgentService.exe
Token: SeBackupPrivilege	5024	vssvc.exe
Token: SeRestorePrivilege	5024	vssvc.exe
Token: SeAuditPrivilege	5024	vssvc.exe
Token: SeBackupPrivilege	4172	wbengine.exe
Token: SeRestorePrivilege	4172	wbengine.exe
Token: SeSecurityPrivilege	4172	wbengine.exe
Token: 33	1564	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1564	SearchIndexer.exe
Token: SeDebugPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeDebugPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeDebugPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeDebugPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeDebugPrivilege	3008	6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
Token: SeDebugPrivilege	2684	alg.exe
Token: SeDebugPrivilege	2684	alg.exe
Token: SeDebugPrivilege	2684	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1092	1564	SearchIndexer.exe	116
PID 1564 wrote to memory of 1092	1564	SearchIndexer.exe	116
PID 1564 wrote to memory of 3092	1564	SearchIndexer.exe	117
PID 1564 wrote to memory of 3092	1564	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe
"C:\Users\Admin\AppData\Local\Temp\6ffaa051a29c8c68dfaab7c210613100e5724deb06a4061495adb3787d7e1923N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:540

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3820

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
a4fc1570f64ea564ad6bef55951a3288

SHA1
45f208078df4c88988c565d4b562866e252611f6

SHA256
f9ac6541af437dbf1e0d77534d3b23740b41050d9647c363ec5919bb0ae4b5e6

SHA512
4959eebe1b8f4c0088a5538a17ccb04def73e9b320e4668b0ee1ac9f1bd093cfb7c153157c881e7be34d5a2b03c2787a1c19047357708d6d5ea3621f820d3967

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
09ab344f23aba5bc30ca0368e9d2131a

SHA1
2523e5c0353c083eec4102b9e71a904e7c175e9a

SHA256
b1945e12cad3ab4b68cef4cab2ffeeed335de8c5b39dbc89d373324e2524e1d4

SHA512
a99e9af93b1514d706e7a289b0bdf48d3ba6d66b876a44db4063564e05fb7b93385509a77fd840cbd84084158fedbd8c5b38d2a226ab04b17b55572a09ece902

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
83a47793c2db11b17ac0cd3103394ffb

SHA1
958c3be1a27c06871af941eae034296262c23ed7

SHA256
944655fd6229a5edbbe735ad1f59d4432de11d11b603d3301480faf45dc6397f

SHA512
5b790b5cc54b51b97036b1a279d555dd9613e006f5140b317055cf52536610d5a465707d6f7b8e0d75f4d4a0a4d032c772318257980b43f4f4fc80630e1227d1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2512549dd6edf69f10aae4f9fbf949c0

SHA1
22bd898636644949f4a9646da240067af63fc1c1

SHA256
efd1de574595083a4a0384723b6b3cacc7e11e4d40131c0364d8f95e8bf2d20d

SHA512
2188f7c790e021ee74f9a08f626962b5354db91397034b119e9aa941401c8d07aa3b17c2b28f72ec509fdada34c705246d06dbf340d5bf979cf70449644378d3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a2e77abb0ac1764e90849f900b570309

SHA1
4d521d5994dbe2002f724ed5a06dd1ac76cc55b6

SHA256
ba4aae2cd93b09dd9064cd5a8ecd60e35c2005785609e2ea75a8c7bbb223aa7e

SHA512
8aa1714894504597c8252e433cab5b9d9a2a771452481daecc7250e4cb026c8eb8e7bd59dea55a7aa2d066069d58da3a8fd70049bcd525a7256e6c36da175a7c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
8a88cda6f889c3105d7df6e824815db1

SHA1
89ec670b5416705bc7a0d223f990726ad7ab2021

SHA256
99bae83f95c79ce482764f4dab20cda095499cec071fbb59b977880ff7cebcaa

SHA512
9c27b5ca4bb8f27ceeb864ca01c60250bb972aa1232839b62507874929dd3741aa0da34192dba87150910d269e7994492855f982d50cb876f1512fffc851ae89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
cf0c4f8b342dda63e434435190a3bf01

SHA1
ba206c8b3cfed55687e412aec32c8fa4996130e7

SHA256
8a6a0e7bff47a3e873ab6a2fe0eef7c6befe9b5123227e90cd3cdc1df1ad7a04

SHA512
f6c80f9811de5b711d5084179101138fb5413acc68080a5dc1d565784fb6f0f01a62e72bd34e53131eed3e472e0763b3dc1a78ee112c19eefd3f6c8844efd716

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5486dc13ce590ed0bfff908e8580571d

SHA1
2032fb584c16489d90e8e0e95b87ab3e14aa3bb2

SHA256
a16e65e2ac248af0a28f3e15a47ebe4e0e0d98af7a800204aa6b18ba15efd58b

SHA512
90a443c006c5233a38e36d3d0c0e9820f758547e3576b75a9fbf858471b25290dda2645d489f8a74c6408d136370aa5456067f149c587d5b85fac25dc5acf0d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
02c7acb9a82854fb799fc58a1cb82e89

SHA1
74f06dbe07062bebcb276d6f675dd466a0b48919

SHA256
3f53d573a43f4d48cb743eae142db71a90c02ad0e918a83ff6cbfd5c50f25071

SHA512
d32bf98046fe1aec50da755ac1b96ed27275bfef8594486e8aa059dad0d62557b0ed7b54ce09751ce118bf0409afc4aba308da9703c68027a35cd26554961727

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea9bc90fb6410910cb11e3a7d12a4626

SHA1
fe77a345413ea96ab3d1eef4b61005bc6f78eb09

SHA256
b26fc6449c6c1ef46df5d8cc3b8b3ba4dacee7aea0e5d5bb3e821367b7ff02f1

SHA512
8115f5d2a51e1b94b63706059a7a8dfe66108f4f5a5fa5e6f6c4980e2a46811ac93ff693c3b57012a805aa5ef3bb23ff206eb5a5785d80f6b623198b349a7768

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2ecaa2ec6a5133e6a3e75c763ccc2b28

SHA1
469999850e20a9c5b4c04009937fdee7913e0ea6

SHA256
724c16bb0678ea13162b0c88d4ae692a4023e789f280b10f445c3b5b40123e32

SHA512
fb08efb0901ff44d55808b9ab665daea7630dab07aed7418c0a0f972e9aab294db2f3fc1c3a292284138d06bb76ae83db57b00dc861be5fd01dff18e138af6db

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9e4c380686b6a4947f9bb0d49aa8d069

SHA1
3892dd95948d9bfd3a41c501ee1ce00886a5b43b

SHA256
a131df87d47cc3abbf45af2d29ebe38250786af6b60333f3c54f9aa944965061

SHA512
0b19482a6352073e9f5625e71a4cf8af60728fdec36b65500ddba41b52d85f289bc669ac35137f2cf8c7500e01ae6c0f38a7b7f09a95d78f1f729cd3626dc889

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d17e63bd9f259550137fba0e0cd90ecf

SHA1
22ff7321ac5eb7bfc9a8ee2a640c20984c5735f8

SHA256
675a8c2bf10420ae37dac9298a56724187d6e3355b381191c32dfc9dc209464d

SHA512
4ce1adb73f726f3942e5d0396e0580e4246bae9ee242983629c108a26b966cd22117c8f46a748ea28d7c3ac61ee26e020e62161e3654214dfe799678ec26d9e6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
77495baeb2affc73a0b23f33b8ae5f9b

SHA1
232bb8c67ab4bc8680444cb88f5ab0c376812079

SHA256
fa5009f310d16298d6ada64fe9051a3fdd7346b30a676a994ebdd189da03e920

SHA512
8d1ec2875d1cd82561fbf78dabc60fb4fd60d0d26fbff37090cc4fe91d4d57dd45f9eed22cdf8900dfd3cfefc43d3f9b3292c919c04503a687a499635bc1d2f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4b6758d02c2e888757cf867f15cfd259

SHA1
2ce6b95a9960b0fbb556135f0886a3303affc7f5

SHA256
f8ac8119523fddae8f77fabde44cfa1106b19e7fab27e219d5d1394b5642dbfe

SHA512
06ef200637f2f717c94727851e4bbaa124ef64c03c5a64698bd03f2dd27a0064c3a319dfcfd100fbf4e9475bacb19c3bad28e0e33ad4883acf343265afacb0ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
69a010a498fe8d675f96041b19dcdc0c

SHA1
abfeecfd545af2ee00e9c5719b97642dde6e925e

SHA256
0ec481e67fd1a6e05369201d71e522742a5a359fe5216d6219f61bb24fe5b8cd

SHA512
4369471790bc6cd0e10f8eeaa5878a375bab0ddcf80f7a63a116e8366c087782d9cdd374dc3859b04ddbd8f53d5b5905b74d16080adda5ae1027240c9cd45678

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2db32b31ed19221581ddbab0a4a0be09

SHA1
5ad3e7ed418e30d631d7289909d3a47b090cbb22

SHA256
782bb06dd5f89c7ca090e140ae6c66f26eec965ba339078c54618ce3053481a6

SHA512
57b2bdad2c195c9135ec95edb9218ac7ea8b237d60ce3fdc2f4fc3e198204806f963ff715d60fd06bce9a54f72303fd5da12b65ff78be3807cb3732be550c8c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
69ab374b7302fb97baf16ccf952f7976

SHA1
5dd01a6347b3f1d83f40656de05191ee623cec7c

SHA256
ae091c70fc33e75140ee117e02e369f53771218ced526fe2973deae28b4d4a62

SHA512
c9962b5d1edbae6161d16006eb0118df6836c8e5e6879a88fb34392b2bb69455cf891dc26bf0311818512214b7ff5d4726d5b14509d45b7a7370a74ecfc3f58a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
714dd3d6998d78e6458ea4bbc872db76

SHA1
e4059051b3f22931446374d68307f5f9f2f53417

SHA256
046fd646465531e776f573faf685df4a2fd74605f45210f803e18d3f98e449c9

SHA512
f3a8c9f8f8b8a5b2f38f54f13cc15b0f1c2c2dcdb70ca38f4384dbd09e81a52c0908e53967d2d9944c7a53c725b9fb35c0e181851520e0dab31d647e653d5500

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f3b362a0a9879fd41561898d9014f170

SHA1
deb525e40b167560edc9d338ddef411584fc24a5

SHA256
d2428967fa0ea94c7757ef19150299631d4189b5f47fa616518283aa53f64c49

SHA512
0f159b26cbb75219f3beb76430504c769e99c8f01a953fea7cc6f06c767312b0a20966af3841ce6b659a19fbfc9b89be8f5b3dd16fa96e45cf25b385d50ee8a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
2a39dba9058b283597570017285420f7

SHA1
edb04ce345919e858b66db59abf692f9124996a4

SHA256
df831ea7a072e13b5d04281468c569573485d853884a0c0438d291ebd01e26d3

SHA512
cd35e34f8a6649c2ea4e51631f2de13711329b586206ea27d99782a7ec183aa3e0ab090cb16f3e3982c1b89dae83020ed1bb8422e73c46a06860bee256830a4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
df0c78986de1ffbfbc401be6fddd4de4

SHA1
4c5776791b307e90481844756ab2103297d7e2f3

SHA256
6fede8852a1a413fe30686ca05fb5d45c0a1f65d45260921e13b55be6cf52161

SHA512
3dbf1c897267da0b3d2ea6d9a4956c318146c9e4b726907b2f213a6744ab722e7911d0f7500ba1f045c0c41bf670685237e0957fb0be0ce197d928bd139b7acf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
01ae0be157ee2bea4cb9c6addc7a4300

SHA1
30822dc06dbe2026d9d4081d4146dc6ac42ba1d0

SHA256
8b3068a3ca38ef0d9f07c20ba9703dacfd1ef9505411fc972dba56c92c17b8e3

SHA512
f9a38a5188c1a51e2fbc66d8f5a48272e21e90be50679cfc3989e74b26d8373e749ef7da7bcea169c146dad133a199206333c68e9ece92afb9391528c8875ece

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
3a53dfc6176f4169fa12646819e3f106

SHA1
8a4c135d8ef9309169a38b45890391a586f37028

SHA256
bdf09ec100898372d92c44a63d3975d3619b3b53d3a9f345a1dcb2a0498211bb

SHA512
211d0e7ee52705d740db787d9a52c40fb73aa42b490778581964beff360816f0743e49349c80d3ff7d8bf2da92e82bcc0047de9b51a580219c3ad72ed68ae3d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
59332eb10d1a65d405c0243a2ad5e61b

SHA1
1262efc99f1ac27a375ffd4cdbec217ba9470396

SHA256
585a3bc16e5e2c47e7022e0ad9c3e197beb7e722967f771da4e9864a558e5250

SHA512
50148e04b056a37b79dff5040bc23f497ebfd613400698d4264c1e0e6a0e8296b9b1418d0a20dd2fe08c2c8946a9403554f7a47a806f0faa246fc83fa18c478b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
7d151958f37a5a43009f620198e8e931

SHA1
f53f9031dbc59e61351d13b29af81c87b6289613

SHA256
703769d731122cd3c5da7eea7e6421477b78d170ce57928600f3027019ec7657

SHA512
869415a9782b5c5f61d4c672ce0d8a7368e560e7d2c84046c00d7a4306a1ec59a99253e3cc6157c72b7bd68f2f60c7759b37152cc68c4e6dd9279bfb68607246

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
abdcd9ad610d9ea4871da841b3e1ac71

SHA1
ef674528abc705f8baa2628cc2a17904fdc8331b

SHA256
e368ab75b5b715ac86bb5df76482abebba1c458cc5ee2762e4c15021679d80e4

SHA512
5a2375ab9555435e0da215cb90d25a96ae5bbfaf00385910ce63487c5e151dc83f65bd744c903cff41e6542ca81f7fab12437ae3f575a4c0c982c5c23ea09374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
8f55e52a88f15b5317823344bcb89599

SHA1
1bdfe18c0218afcfd02ce08e0f7b00d0adbd8a36

SHA256
1c54ee7bec944163a2995b742bad909d7ac53ab08ec94da0a92ce71acb325e2d

SHA512
e0a91d65f46997eb87c8d44b221c5bf42a87c415fb84ca0fb575055d70704c657842d694acb261eb96b925d3e6e965ddffef5e2098095d28d56f0ce38ab3a81f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
28789e0f71c622aa16b3a4f93ca4eb48

SHA1
dff0eb9e57b60b1b2c3726c6323cc236683ebad1

SHA256
5398f7138fc937b81a04c6b2309e556a0ad6f21aeedf4ce9d151948b80708aba

SHA512
ac81368ed0b4312d1d676a57ba5f236feb546b4b2162ca776694646c3e98246aa33243917db20eddf7c9fbc7323cc82bc4576f6b408c8c4acbc3235cc82c5ffd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
d072b5315fa0f59b6931556344132f7e

SHA1
2d3ff37627cc7759d7f006e3b1d60f025885225f

SHA256
c75b7670ab75d7f3f6f7102a5cc2278528260d96a9ab7c3244287dc3ae993a0a

SHA512
5251baa0fd1b0bebd18f51fa80bf00e2f69223983c27fe3b96f929b5a28826241a558183040bdc642e7833909dcecdb38b5168cbd480d62d1ffa1d35889e856b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
33d7669773a5805bf7961dc53cbce173

SHA1
1f2b5f582aaf3b0371c38a6f2773049054c6c012

SHA256
2ab85b70afcfbeac0f5b8385ed4ae2ce1d9e9fcdc2a7550888fffce069cc3cb1

SHA512
711eabae63cc274075d3a98b202bc35106803b4c15d33c5e21c22708cbda8ce0d28efc9ee8fca5241744e2b37fcbcca38a0acb84157164a5b7563c3141f63a37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
d65de6ae01d064eb00cb79e444f5d800

SHA1
ff8c5cf96223b3f6d1ac74a1761d6878373aef01

SHA256
8313d2c78e0059763c8479938388f03ee4253a3aee0b1b619fceedaa42572dbc

SHA512
0256c411fcd086176b02086bd2d54d70202062605bceb31781d0312e7d8dcedda7821b099e6c9860ca193a94323e717fd4acbbba1dcec9008df8f745d12b3907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
093b0fcc2fccd28da02dc17c96fba3e4

SHA1
0a6ea0c328bbaa321e7ff65e95b7e14b49713142

SHA256
2a88789c3e242e67b5e0554fe7aec2e221b4226da96fa63c99fc0eb6dbaabcdc

SHA512
cde68db0e79549ede7b57992b8a460ef88622bc5d8b7479db3a8693a0f17a263c3b7147cc7d16dbbfd4c4dd7bcc95c9f90ed6cb9f40a5153973881ceda2c3bc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2d98c05f6588dc6a494c123db485839d

SHA1
219a23ba85faa16b8613451f6437f9e9a66f3e7a

SHA256
730dc0c48aa496f0e4773ca9421e1a17e70f42606472ed1a8cca19ac57e9d49b

SHA512
728564c127724872c1d727298bb825a10d9d07c90b7557e278ec35779b3c965f655f2367a4bf7c2736604110fd66a2fde5e6d73923d4f133d49a64c456bc6c0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
68e12f86efe99a8982317066871b81d4

SHA1
f22452bde257b634c1208e85c7e0f56d8285d204

SHA256
a84e3cc7e230fdb88bda341ee41c228d3905f6f8a134e4cba00f0c19a4451621

SHA512
4d04d61d4d09b355e36b81de02aff3fe5c0ee1dba771eb0e09b59dab95ace3c400ab7eec962b29fb26e2f9933107e1ab1699994a7e7c220079ea895f21117439

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
11f0a92567b2ad0155b8e57ae93b321b

SHA1
a3491a6992ee92b8444f8b4aa82dcdc0f6aa659c

SHA256
67e88bc9f28e6cdb7d19eb5155ad84483773c9540b73745216eeed5c3f4ff466

SHA512
07c2073b5fa27fa57d7a99109f1ff24b01e926de334c6106f62502847c490ebfcdf55ceb2e506e86957193d6774897ebe3f3e063a2c0177819da5a58986600c3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7e876659c75a49d903c492e0a611a6b2

SHA1
af88780a021a261206a7961fdd92c7de19068d4c

SHA256
a63de1f37d1c869ba44a09f68ade8520c0ee07c36821b5d0aa795f1decc63e61

SHA512
61280597874ac749696be1f1aaf8520619dfe2171c657bf1a96eee64205e05d47c28d074a7ce3ce7fbefc461575a85b64d08ce3f4d2ce341522aee9f212ac6f3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ebbb15c2fd464d3305aaf114e7e0cef9

SHA1
a47446d86d38879a98583b0be1e0e1e2831f5190

SHA256
040e8b2d69f2989e56bc4f29d7f22048942686157207f18b6ea5256c481f2ba2

SHA512
dcabbbf7dac2d774d384d5c250126f850bde7bb470150efd56a8506d7297bb29b67965fa59c3efe2fec8733f4036161eaa911f89be0ddfa4d796943fb89af505

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
04fc4469c70709023bb0992be8f5d13f

SHA1
b180eb8ccf654ca44a59d85cf8af26d6a4e18d33

SHA256
e1a6c87d4d7bf26298182dac27f9de69a0566c5b84620f51397ef556cdc968a0

SHA512
91840bb180bc4bc569f7164bbf1c017072ae2bff2c7ae05dc42c0ac30801aa8566ca40ba2bb392b2a29a2e921a365e172b4718ef72f1fc745475787716826cbb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
174c51f3da53192ad384874d5fd7f4ed

SHA1
32e6dd5fd532a3ce3a3708ba825fbaea1cf846f4

SHA256
7d3040945691b19fd41391acb87ab96eb2d818a44e2e4977c717ae10e4a89fcc

SHA512
c321c365fc2bb6cc51249232510959029c4ae79962d9ee278f9559a397688d7da1128fe9d91405ebf8bb59cc68469c6368d5f7a72971d9c22fb6f1d10f24efa3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
5643555838bdd3f0a618bc90123243e3

SHA1
b29a97bc69dd7cbc6fe57c818a345d0e96331bf5

SHA256
e2f575187f4a186def8f326ffabcc25aa57bda375574eef347e9f175210adfe3

SHA512
060842b1313129447ed6450366283cde8dbcf70f01c476f3e0221e1983d33d57de639d4e169bfecff83604012b0e935b33c8d4ffc4344a14da524d094fe57585

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9aa8d1db24e75a0c1e6ca5b98fd8b098

SHA1
8c71762ae5aad49b2d6c3f275c1fb22f14245c97

SHA256
3265cd40842a0cc49f4a30546c11cb461a2a74ac5d86577298b9fc30f013cc32

SHA512
edb08a9fd27368c66df3276e398b5d9479d25440425f31950cd6a0ad94810fe95fc0d8b06ad73766a02e58d177df4c5e740f8ccb79f71ae540b08ce642acd1ed

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
3f6d480cd1ad6338ec147dc5fe750978

SHA1
8d2c29001c8d15d742ad786dbcbc4b1ee8aa1383

SHA256
f31cf107b2358226ca6cc00f44ae2fe760c3de935e36ed943fc3bbefdca6e5b8

SHA512
00ef00177559c1d06daf12282e3bcbc798c3ce80135f7482e6f26691ebd6974de27a16e15c42b63466037019468c3ca6b88a9e11139fc3bcff28932baa73cb0f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6a1132308b087a543f1d2b95090fa3f4

SHA1
adac7110a093ac1a3f2c288c541c19e0a8a1b030

SHA256
54c2ff449effd3d9ca4fa26a9023426994992d651c3a99067f10de13ac11f56a

SHA512
93a213e939058f3586be1f0c9bdae7bde1165b395a723ef97f34c25148b5bf3ad2e1f92c6651b211a777c2ec41e4ca28f9abdcdf7e7a40dcda15a69bccb9f400

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
ace218a0f845a7912a75bc2df85fa74d

SHA1
15e5f8b3ff7fa28e86ac55d2db041e8a74b7260e

SHA256
cb7ed9822d7cf82f2f28a1b5bf934d58f76e0569d4d730ae600aa3646e0fc3c8

SHA512
de074d677e406537f59b9058078defc3029098f6e175598ca7373fc9960c1835aae891937c59be16543869ba2880ac68da79c7db5250fe971a9693c6c22f2963

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f6e85740fd998036b9cc4711ffc954d

SHA1
5c6cf94bfdf4c5fd7e1d6eb4359416060fd1c29d

SHA256
6367c73e46010201cd1bc5486b764f50f2ebf970a6e903ebc194a87e49818a69

SHA512
2434bfe0ecd4f0e68398eb83f6a6a53501f7bb38c6fd6f75776f0c579caf385b69926924e06a05edbad06f63b5d1ecccc2fcef796e4a14298086b9ff894a4188

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2b97ed4e71b201fb2fdbd6305635fb23

SHA1
8047ced31e15504d0f640c8f91ebac41ccda9ac4

SHA256
59adc5beda7b87161b58d909b9a5b43f6b53cb176f5bf3de1c166e0de3368219

SHA512
402beb6d81f2084dbbb612321a95aa3c78185dd2546de9e0312b44de2b806e9f10c3a86753f380d812c153b2202393f486a8dba25a0f3a222a18204edb9f3f3e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
424711e3ed0a64ccb55853c1a981b459

SHA1
f46aeca21a5ed8c9310051cfd5a4a4d568057627

SHA256
cc5de8d6cb5f970947465640847ca020853fd76da87bafe7c19c6635bb2a02a6

SHA512
3c47a4ccffd7c0d932c7fabbbd4efbf816696bc85da26eced7ef5291c6a5766b54fcc87c22c114ae001a7dbec6e1496d915a808851e86d7f8cd8a0c67587c4b1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
068dc13ed187bbf0f882166fc883cdfa

SHA1
b63942ec0e3f7094fbe7dc64e364f354515b909a

SHA256
827f494dbedcc2e6a0e57b8c49d4217c58c5ab0ce69bec7fb4fff94ba6c8feb1

SHA512
ff12852c4530bc992a4c078ee2a131b120ac326c6ea4e137688beaf56c576d3c701cb80b63b213018f44b5e8809563a842673db6c7320eda7a6b43532277cb59

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b4e32c8889933597c982a8cb68f872b7

SHA1
1314accd3a967e898636acfd62a120465862eb8d

SHA256
c3a673e466652708cd2657ee991d3b494bd75a21a1f1c7d1239e4c04d6e2ac23

SHA512
727dbfe100c98a7e9767bb832300e2f8751202b284a696f6053d26f3f52a7614e3995500a28caf56aeb86a315abf9dc9c04daf08ca3a5416b1bb2adccd59d6d6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
6b68518bc03a1511150167292f8a7cb8

SHA1
0dbf29c970cbfdb83a5d93c452b3fb7b5fe34dd7

SHA256
22d2c570ccad862ba8e55db1821412b8eb49205ba9f99aa61cdf9de444eb99f0

SHA512
b7965bb03830a7a5d11bbddd3a5d676d4e0b938e32a3f63385164df84dfa021d4553de27bf7d560b963aa5116a5e4489cf38572f905a1553917c06a1df9b177f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d95bbc078816a6a6d93031ea252e5653

SHA1
1a86c7149d2b6ae66a7c5c0efc5e6b825d091226

SHA256
2c7c16fc52962688cc483c7c5e2f9e1ea0882377a72f444c062d8ae35773ac5d

SHA512
8b62e1726c7b8acd42c572829cb673592422fd1bf4fb990a951cce5ef512c80123a20fadcaba54c13df46d51f40a362fb5026dff781ad75cc91b9708d7d2a0cf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
52caae3faf483c0f42c4633041eca3e7

SHA1
46aee7520531f5bb4c5fe988bb805eebe0250a04

SHA256
8d91d61028b1c061e8ec0abe37921efd1c3d6172ec3eaa53b44ca2a9fb174f75

SHA512
0c3932305ef828be81f5447d771566f18c4976e86337ebcf3af47cc0a0b1a4736cc82622c00c931f6062b35b91ad4fb23105cdefded8dbb7f9e93b78b1386fea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fbc095ccf223f481083ea302b257d974

SHA1
d65010e4ce2bf09b0d5fc0007c1065a876066e99

SHA256
9625cede1e4df776f4d492934baf7c0182148898f99e037f849a06dacac67b9c

SHA512
ae88c9ea692d4e75da1c0bb54754c1877a284a18668b76b256279e93b4ed76132f0a10308bba3c86e30310efe9095750ecb337c49a0cae997795b693756ad083

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
5fe5a025d9b1b1bcce6fadbfe2f81b51

SHA1
01ad90e7fbf5f7e70d00e8cf22461aadefabe5bf

SHA256
7d1c832e27b1eb399400632e108927a9d49d5b1b175caee71a3b8f97621ec028

SHA512
bc8bf2febb436d1f6ea1785d09f5ec63dac4cc31f7a774959025eaab999608110a781d28feaa3f54e865fa63bc2abd82714575fa69c2c61199beda82ce3c21a7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2cd4807c2fd74aaad2d82e1e2b495e4

SHA1
9fa0793e6dbfc15feb3dca9573b61ae10fe772ea

SHA256
142d451aa68da79953c87d669a04c9b5d18ffdc815945d3ffed4bea6aedfaff9

SHA512
62905f993242b5feed682de12477eec6e328634054f5000d98d43ed4fdb5928b7244be1e91865273d4589d7f5fb7ea5b8650b0ad1bb1231c84d0bc24cde8b88a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
792d6b3ea1832a095a45ee1261ab630f

SHA1
eb952ea35d0765c00ceabbd7871754c7987a49ad

SHA256
8af0916640bafbecd4836e74995fe4ff2fbe15e1d3373b88fc6a37096cf2b8e0

SHA512
a74d014b33f040245b16eaaebf481503ef06f647a9ace5ce33307232592ca3f5f6bf2004e36000db0a3bf2cd6e6709c421282e64703d948dd92791fe8bde3475

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
d885ccb98a01274a8094a41e13e932c4

SHA1
7cb0ec2d3b18984f303ba453f082700a5124b94d

SHA256
086def578a3ed17a870b1dd64153e3cfb9a3fc4a207ab728d5fa722cab1fe607

SHA512
a773ef931fc38c467c7b81567cadd69fe576d56b94f9c604ae84a220ff7a23c3c6c947ffa8dc47111b056477e3b645db8f3d58042c47f1d34d00d7f8c98e9d49

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
b32f61e5b4e2b4fb61fdb58adece8b56

SHA1
e670640df79c40a6f5a67dc82243b74e8db09c48

SHA256
e2de4c326ac982fb3dd71d41e268986fe4a90a738a0d46f2228b95aa8dc1dc2a

SHA512
a8c48a2a5e2bfde80df4642afea957a2d0cf2c1f4d458f95eed8a6253a37e75b87c1a413a15c760e1d5fc4a8f5b12850264a0c5e5f8137c7096368cb8018d9cb

Download Submit
memory/224-77-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/224-84-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/224-90-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/224-78-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/224-88-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/1196-114-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/1196-226-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/1340-200-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1340-473-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/1564-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1564-484-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1592-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1592-65-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1592-188-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/1592-74-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/1744-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1744-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1744-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1744-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1744-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1804-477-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1804-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1920-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1920-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-175-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1936-164-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1936-400-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2036-242-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2036-130-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2408-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2416-255-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2416-483-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2684-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2684-21-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2684-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2684-92-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/2952-101-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2952-93-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2952-211-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3008-0-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3008-1-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3008-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3008-76-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3040-463-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/3040-189-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4172-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4172-482-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4300-440-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4300-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4348-35-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4348-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4348-36-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4424-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4424-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4880-238-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4880-128-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/5024-478-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5024-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5096-254-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5096-141-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download