9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770ca

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Size

1.5MB
MD5

daaa34aa7621215daff4bfd9469393f0
SHA1

95ce11718cc2ae82917b3175ed601804e56d52cd
SHA256

9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770ca
SHA512

8451ddc90d70619db134b46c1d95814be3d0f2573018c3faa4691c4f20b419bad9f8387d3ef173e8f81b085e4c0eb742f672056ae13e1cdb8c39d2b60ee50b3e
SSDEEP

24576:wDpO8P02DQpC/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:H8P0BYLNiXicJFFRGNzj3

Score

7^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
2468	alg.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1780	fxssvc.exe
4476	elevation_service.exe
4224	elevation_service.exe
4552	maintenanceservice.exe
648	msdtc.exe
1092	OSE.EXE
880	PerceptionSimulationService.exe
4480	perfhost.exe
3540	locator.exe
3332	SensorDataService.exe
4444	snmptrap.exe
2208	spectrum.exe
2176	ssh-agent.exe
3476	TieringEngineService.exe
2276	AgentService.exe
3932	vds.exe
1344	vssvc.exe
2640	wbengine.exe
2836	WmiApSrv.exe
2476	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\vds.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c429f3dcad6a2b9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc1aa597873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb6fbe98873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003446e97873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5f74097873adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f205d097873adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eca58f97873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7f2bc97873adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6586297873adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000426e3797873adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16d51579-a30b-4c8b-a276-0ff4dc41e755}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript9.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{16d51579-a30b-4c8b-a276-0ff4dc41e755}\InprocServer32\ = "jscript9.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "jscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32\ = "C:\\Windows\\SysWow64\\vbscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32\ = "vbscript.dll"	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe
4476	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1684	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: SeAuditPrivilege	1780	fxssvc.exe
Token: SeRestorePrivilege	3476	TieringEngineService.exe
Token: SeManageVolumePrivilege	3476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2276	AgentService.exe
Token: SeBackupPrivilege	1344	vssvc.exe
Token: SeRestorePrivilege	1344	vssvc.exe
Token: SeAuditPrivilege	1344	vssvc.exe
Token: SeBackupPrivilege	2640	wbengine.exe
Token: SeRestorePrivilege	2640	wbengine.exe
Token: SeSecurityPrivilege	2640	wbengine.exe
Token: 33	2476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: SeRestorePrivilege	2276	9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
Token: SeDebugPrivilege	1600	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4476	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 596	2476	SearchIndexer.exe	113
PID 2476 wrote to memory of 596	2476	SearchIndexer.exe	113
PID 2476 wrote to memory of 5056	2476	SearchIndexer.exe	114
PID 2476 wrote to memory of 5056	2476	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
"C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5056

C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe
C:\Users\Admin\AppData\Local\Temp\9d79544b3f99a62fa1d1cf853a4a3dfaf31444273cb963ad0364b757681770caN.exe -s -uipipe McAfeeCleanupUIMessagePipe7273
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
60d1990c4faf5c8031d90160edb22d59

SHA1
25252866fb9733fedfd1edb37b684e76e1c8f668

SHA256
cd5c171982725e068bd642c2be5d7fbf6b887ea72e17d35ee3268f51364d2f7d

SHA512
8b783a45389dd359fa757bfada4f141222783e683792739b0dfb87299a411eadefebff6b4aac3c96dd6fa9fd9f943cccdf678c73f355d0ba8df0e74fcf48a650

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1570d1302ce9f7cfa95864592313b6f1

SHA1
d5a0f2b0cf70620f8d16f452d68feed414f21d4b

SHA256
4ed9daaa73c570bc94544db93ca96f532f714f01ef3e5fb5b9d29cb4fb8aba73

SHA512
c2e5e80aa5fb36641aafdb2e0600fa34bf4b5515e78b9b4d644df8b4ce48e511774d34722795f9b64d45c7df275216debfafc2dd13fdf3ea56a6982a00f18c7a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
23a3695dd4ae6082971502c7c694f077

SHA1
2e864658950bef0b5527f5d47fe268f93b61c63e

SHA256
0548bc76cc9858b80565544d7a19a39bc4f4db5bec05acffeb987ac5197ec07f

SHA512
496a5277473521f0311352ff7067cc3e3a8ee5b7a2535a9ec9a22bc25e27318507078d1a2d65eeed1cc60f10c887375de89ce5d445a4f02fa5cf8c8fee75abd6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b7b6fd0a9584a0fabe3eea2d8bbaed97

SHA1
2490d2ffd4f4b62718f0eb8c7ca24ee2d935889c

SHA256
6e9f6d14e876ac4d8b3207dffca68ae6a8f94814783c846d0b2445cd33a10ac2

SHA512
ae4adb8ae77c8e491052e83c28a02642a6f48f39fd7c4feecfe2429cde379223b54695ff46a572a93effb6af4e67efe53f9fcca60ef98067c1c112772b8c7ff0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4ed41f81e64faea247ad50f00513d57e

SHA1
f503ba40ac866f2a907c267e012e806bc1af1cbd

SHA256
e3f3b1e87bba3477cf247f3d4de953f19bdddfcf6f0a477772cacc6bbee9e948

SHA512
fc16502a0378c31a605ceca7ec1b494483bc9251d4aedf5cb81f653950d42b9e5ba05a1a70a1ae91ce89a0b1f5742a6673cf2715a4ac1c125ff6ebd809a9e9d4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
eb1e96c05d18279d5a8f203e15a829c4

SHA1
f39cbcb76add81b7e145813dd4b823956c0e9eab

SHA256
2e575070419fbce7b08dd30e972b0819cc91892c95b1bd612924115da07cfae4

SHA512
61a49d621a431936d885390bd6a6cddca8a1caa2fa154b6e0f3479a4c2b5d3ca7f5dfa4ad5a8212fcc54447e34deb019c15820d717ffb79549501543ad38bbcf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
6a17b41ad2571a83293801197ac05d5a

SHA1
964fcd2d04c82bebb7c70234b2ada8496a46589c

SHA256
a47b9661f97ca1fe90b0c106a2cfe5ba956226def13e979bc4f81bce473b0ebd

SHA512
5511b72bf8861736946ac4bd7e2052535dad339b0d966e3553f5eafe96dc83b32492ada40afc07357dee45419c117e03dcb90f80ed95e0f0bbb41ea3607c4437

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
02138e953dfe0c0234208cdc9d9875e5

SHA1
e66599fcc2be4f880d1d4f243ad66b67ae1a031c

SHA256
4b37b72bea09566a1be9a917832af83f539601fca0f14c80b27d3c13505d95e4

SHA512
41415afe9131c8b2e5dee6c21ae1a23c7b8105943b7a8ed31cb7c6ab69ce5563003afcb3c38e9069ce6b52d943bc3c02095730f048b26a2e1b2883e3223889bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9b0840d0ca45eb7668780e7c8b73e09e

SHA1
b8833062f611f3adef0665989d84f0b1a330689f

SHA256
45c08e4622a36a4a54bc9f72c867ab8e3f7ffb492430ad1bd799493a8fefb869

SHA512
a3534dcb461ed9734258bd9b4e1687bbf568ea145e445b276e43c10638c700e4c706082143533c16d0304900f1bd53ce0118f5153c5e01fd343185af401fd139

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b67af6c2f12eb6c6532907d395aae20a

SHA1
0a257ec824ec519d1e912362b4796ba9174088e1

SHA256
782b7cef167b8a052365816748d2db3dec936705969b6cc52cba5847edd0b077

SHA512
0cf4877e31e69b01386233ba0180aa5714b14f9ea39394f69972c9bd6e56cdb39aff73c6e7726a70763122588438912efb21b5c5ad3137c705d0c92ae9b789ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c79ab0968c4dcc6129c70e843dfcb76e

SHA1
68d41821d3240de8fa5fb6a4d3685c887b398714

SHA256
c5a1d67f81301f27cf4c0567ba25d314cef8a9959aa9f3e2715224c785699fc3

SHA512
2a06dcc412a29f6fccbb4122ba61848e10e20bc9acd8aa58d317bc6f940ff221431a0b7d23c575472c28728bfdb29745b0a7fc59a5bec6b27dd38023f787cb7b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
692284eb15e310a8c11d754ab7488883

SHA1
1eabcf9da9e0ce69b7c8b3deda8f91d09676f6f6

SHA256
2d64613f8a8f169c257bacbcf17aef6db7e2cf9d29ea9d492f9db47af8481bcb

SHA512
062fd8ef83d5f84a096961905372c15b867373db07fb62439ed9e3338ffa4bf53489b3f53b3f6c3ae3df862c0af013a0bbd56aa6671946e3bac0777c76d94d56

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5844bfca11ff2ab94faa78ae61794f47

SHA1
754d4980d515fa3184b262c5af750a80f5c5a35c

SHA256
51d0cd33d219825c7af313797c03c5632cb619e98045392074d00903b31677da

SHA512
c3f619904fc8d6f13f137d14d540e01f01a9b59977ade6902ec80f9110b373339b3c4f970193adfdbabe802f061768e76f8e8091aaa0d284be84e40e3b3b8d89

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8ded3559102f0a9e3e694869a2d77d5f

SHA1
6f5073efeaaff0ae8c48b7687bd5f88d778beaef

SHA256
d22a3708789bbe2a6625c2731c8c41623103651f9f664fdd406913d6e3d2f7d6

SHA512
df123a42c1116c0503247e4c631d210482f34b4a726f2162080b8c67ba8443b56b1b07b0b40ba728dbcd7c10b9001a727b061abbe8a4845ed735b0cd6d333a33

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7fb3eccb8f74ef84d5083644ed3d7f53

SHA1
56992f68a65b2825d611c917bf62fd5276e1c0ad

SHA256
883a9928bf14d11d0b91f10971e0581f81f7f35870a0dd10273d47c81ab7ab89

SHA512
de0ed491ede4fef8f7e78b09d9f642037ab4c8646a6ddebcf4978f483cbef4dcda2e359649f7a2fc2408efc2f5f25e32e06aa728bc7f2acdb7e184a57f22ee16

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
503795f3531f6073122bc045955ade5a

SHA1
3621bd9c48068c74187b2efac2f16e80dbc7d431

SHA256
1f87a537f50a07be37d53dd25a6c938fa5558c762770b8b53562a3e833bb55df

SHA512
3e329578110b5792302bca6810f5fc9081878f78e8fe2fad1fdefef89577bbf36184c14bb267667574faf79cebb448af2ed429dddf0081c4f28e41ea1b02756e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6d313c62156db649e76a0605fae911d6

SHA1
b799531edd433c44cde10aaa3f2ef18efc511515

SHA256
620dce14b44fa4d82915262640124ae862ce613cffb5f091889a7aa848426f57

SHA512
9b51429c60d725439f612486199a658aab57db013d2d7ac4c34883a545b38c42da4fcdb4bc2f0489008e178d1e2c1d8fe1eff36ceb1897f6e41f6571f213ceba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2fbf0b0877bb4988ce30eff85c17ec08

SHA1
9f39c69d42d0a01ded42c079f62ee0cb1d83fe7c

SHA256
1aa3b35e2e0b682095e272b53edd1b93e55406e7cc8d7f2541c31fe48c945b86

SHA512
81bb6de3798343d4017d5fcc1c17aa923d3219cc8b9614a2aeb51e200af18e09b54de596b84002cbc340e69a75a951c4655fc6b1625f137c39e0249b9327fece

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ce0922739c409705fe95ff9f994ed09a

SHA1
814d9f92de98c6dc9791c17f3f45c66d7ebadafa

SHA256
bf75720fd2a220b8161486e2eedf516e6c100fb05759a9ab6033a3c2305d4faa

SHA512
611abcb92d0078bca0a4404a09b418743df9502fe688c8fa9576c03cccf1c412ca94b19cba17fc465e26e72200b4d3e33a387b80dfed5473debf3b3c6cc233ad

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
93e3431400553e3ad85b99c4d52690b9

SHA1
ba8626d34037f98e6cfabe818ad73068a472654c

SHA256
f0c6969255abe463617fafb215c18854611738d85519a65bd40fa9e218ce48a5

SHA512
b4d766421bde2576b685c3b548653dfbb4ccde3ac0d1729cc974db1adc52113732d10b8568f171b6db5c1d53a4d3a45b69e2e21999d69b8dc3d847ff86715133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
aecc5cc6291c0e65122bc64d9064e7d6

SHA1
8df712c3f8f780ae8a5f94d72b27b49eb78c5180

SHA256
0c163cb10beaee036a3da15863680e23ea3cc6a31102fbf0ebeeb5c99e226668

SHA512
4c7462537b1ade675fe6a8d4ac912361199189c452e8c9cc64575f3c2097f24c7b045fdf150083597d72d4862a32d15b543f1f4001fcde42b5811e55201eca2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
43dc084a58940e3136935bb08cd2304f

SHA1
f5ceec2b7ce0809f843d8987796ae4d47bf7fb42

SHA256
ced5235c1fa407367111ff2f723f27f51da24d0f780a35b28d6e421c52291ee3

SHA512
918b065d096b08f8e662b347c63f936944c204238728ca0a311ccb1a093439b34d89f48eadf3e69f7aebca3c7a6fe4f0468959436c79e79226db1398cfabdb3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1af1d48d3665d7b899a1576f1f59fc9a

SHA1
a55570319694eeb338d411706d04519e751f1e83

SHA256
9ad3e6f028cf5107f8400858a2e139f32a59db828335df382b3202ec4560d291

SHA512
26d7acf7a0da3356029844314c58889480a0767b6c06b4285859fe1e557ee997bc2aeba76145858692210ac6d51cdace257af953e5b8088bf9da8e241677a5a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
17663612bee6183168984eed970190a2

SHA1
41a0ab56a1d0d93382d862f15ec67fd5b3809dde

SHA256
ac671aa9742ed5c04db8e4504ad791e500c94ace9748fc8f97a983d6699c459c

SHA512
070bce5359bc7751cdc3c0f539a52d9f8debcd7647186ef92cb05ef0898d18489c94ddb610c96bbe6cf23e7c568422a2b9d5b33226d775e27c631939aab24f3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
826eb41821fcb797d29b45a6a89239cc

SHA1
ca9080ff985918ea7fee65463a1c8d585b9a1662

SHA256
51c164c477bad5df9aa9f28d0120aecefed648e646c7783ce0d954e878c72b14

SHA512
081b0e2ea7d98d947c2af21a53973d85d762469ad4ea56d213ea72a46eacff01eb0a91b710c635da5efcf43b0b00016b5d4013c8b8113e252ce8f9fcaf448e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c6d48846a3884dc93cb1d76a673620ca

SHA1
d3fec880ee1af8570c002495d1181eb3ab360dce

SHA256
c4c395a22e3c36b058615d9295d47b782a1e2aa72adea0278b2ab3b05255acbc

SHA512
a8daef702f97c5974a60c496924df86a0c99207be40eb0e3db8d31bd606c7b5309c7dfad356b2b6ee7393ce383d69c69517d84589a82f0f46a0852586708d579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7449403e7b4aa41dad97cace1091149e

SHA1
34309389d5e0f915d791925c1b8c6a2ce097a8f2

SHA256
26d6d7b5be6be27c1bb01dd35434854f577033d6e71f7051524fa8cde4e094a7

SHA512
3c5f23cd17b959d0de7af94e02bd0937875bdf3ad772a10cae82413a4a88974a55ced4dacd1fb42faabee6bfc84ca721380dbeadef08988c9b5041cbe25ae44b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9b7e79d66081bda3271de885b6e6347a

SHA1
4978c14fc165f9572708e093b6e0d10c2bc64837

SHA256
72f29fb3f53763cdeda6148f7047569391e292921cbf379bb2a4e1ffe3665281

SHA512
c936f01beb3cf938a0220386485537266a6b49bebf05f7ae9fdb342bfb9a670c343d5e9fed9f14cb50ea68a7057c609a3da3f58d149b49ee98a5db9bd9637274

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
291afc2aed295c5f8b9bb7707d928be7

SHA1
fb17534356e7fdb11291f26b24204e9bd1bad893

SHA256
58c89d262d71b557c5263765c579f432776f5346f5b3d9442067230b7f6129a0

SHA512
28f531b900d64895a63ad7827730633d19dc1bb7e58ac8d98612a95fe6ad0fb133628868d15031d8ec5bf717d71f4c87c7659490fc6664a2defef8ce6f2f4cfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1c472d1f23e268610c6a71c55c87521a

SHA1
8c067606da1aaad14feeac6bfd011ed5150a5a88

SHA256
29f6969359bf45db7772fbbc9c59faacaa5e8b892ab6cb5d6e1ab88cd6a2f767

SHA512
b3d5c49b89576d33c9a885113c71f21d489820673424778fd183f53adc752f5b177e9aefd8e3d00c630f944f182fba35ee6668e452f58839cc98b4f9860c0b01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
6388bc602f526c45536abbfb939dacc6

SHA1
54190d20712e62aebc04654d37b63f774f28374c

SHA256
2b45bc8976e076bad961f2d5930c9fc022165726037bfc212974830fce4f2854

SHA512
a961920c737be6570b5b91ad068319630569c53ac08caef73e0f0a0eda634f98c917dea404ca7a33be18d326dc3f7895ba347bb84ef7f0f4e1364b3fe4357ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
36b127c93ae37ab83f25589dedb49dde

SHA1
248287eb597ea2b68835e11396c5e75fc7514651

SHA256
46bc764a1eecb0a6ab0cfd04c87f24db7ff6ef21b1b7a41341c43c266c0bb6f7

SHA512
970c71a951be041f7135894b08970229650c0329e8b05a03860435abff2682901ac6ffcc8dc85b08c58f29d71239658277f0f0feb721d4222ecedfd34b4a0064

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a762b6394ac013208da775768f3534ba

SHA1
ca16b4b4f14d95a57ac6f84b28c8f964ad07e548

SHA256
9fb8ef5108f90b8d8611162455a04af5f14ed63d6aa6823d4d00807bd5f827f1

SHA512
0c7e0d436fe83410917ad7b506cab1dd1f4f6fdd1844f0ab301b1b144eee26311acc8a4acf1f31ccfec5f993bad7e4ff5edb5c35f34ef1c2d9ea32ff080b1655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
cb92a0531278206e9a18f1639c02d071

SHA1
14ff87bb7e6e83b63c18df8fd3553ffe377dcdd3

SHA256
cb9ba83c6acd2f1c5187e2110429ce322d7b207aed0e0bde58cfa9a4e805a9ea

SHA512
716a170816ca8ffad305da4c41ee458d363c5263109d9602822b59e220b7e53bdf226d0d0c51f077e316f3f4b9b57a18b7484b6fd628f875ac40671c7f7e6224

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
08d4bcd8a54ca5f01c51f1a4adde3c82

SHA1
74edcf6256401eac51a888168231832e370d39d1

SHA256
215f7ac29f206b1c8afc417e9476bb37ed5218c7dbb7bdfbf7d7993ba1360155

SHA512
c2f0e82b54b6f0210f555545fe7a50a058c5e0a01907da71b7f7c42f755bd3e2557c60ec73e5452d1edb9c511952c4187107b53ee6cf4afa2b51417659089008

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d88f9cb56cf680daec0fe949ec7171d6

SHA1
c3df975fc8d07acd016bbecbe135657ea1c87520

SHA256
54a5ede518200b183633e708d312ad58618e2a0a69272870d9ee322338b4a19c

SHA512
2f75fe12cf762cc3a087371e0288c17915c3ca3aa2ee04b4b008be7b341904db85e63c3467b3780dd068c2f4b369f841f6ed847b7cbdd509b0c43933a6cbd061

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
e49b7634b7952c14c49b4852cc3fabfe

SHA1
7be730f58b74c8af45f439571e67baa20db5d6d9

SHA256
b52c6afa12f705edefbbf545844c192f80d4aa7a092ba4a7c7328d3b4c502b0a

SHA512
0ba03f24137befbe3c12aa775efce06831073445612eca1fbd7db1d543ce347e5e8b9dd21f06cf828863cfe3c1c81e691ad88a2e0fe6750c404ba8ca5ca1d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccleanup.log

Filesize
361B

MD5
ffdf135965632b17fd53b9ee6b22a743

SHA1
45ab8b2389d7cc32e51d1b2fe2c34dfc380db35c

SHA256
f71331ea4dbcdcfb8fde39be3eec69e357feafb537109711c589931ca42b7e38

SHA512
5a03705f3064ea5e9fdff21bc3f7291c3b11cf5cce1d34ef92ecce3a0726cc360f7bf4d9dbc554338cd9cd2236dada99da305594649361d08dfd695d64bef8d9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e0284c30895d930a9cf3ea64b64e169d

SHA1
61e7061c3ca74dec733a74a9d0d048d51366da57

SHA256
e715a0fe349250048a53a129542613332e088d2c01910b1d7681d3fb6d97b93d

SHA512
ec45180b5715e1dc2cd118de36df5ff51c3cd7a1657473d9befe509a28873c44e6483ce934847eebdd75dda4d1b3e575670e80e264e449bbbcc7fd63dfa3c2c8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
864f0181347ce19f648bcc8685700e45

SHA1
acd16174efde0df4adb94fea3675ca0a45e3b37d

SHA256
60c5ccbc09b2d1873906225c46ef5712a434faee58ed5f639e7870ef53e0f159

SHA512
263583c22df5bccfe108c205a68599eed7ca1c333ab4fa8f4d8cad13dfeb18377791566a750e8aecf2600784db9853d2d62dfb8a192a71a807e807ae5ae8bedd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2c4998c59468a2e7dbbaa430812768ca

SHA1
e19a6177fce32a019f01227f75b0178d9a6c6644

SHA256
aff462a735601bf4216a46383623083583dc6dc901fa3806fbece76f5909daa8

SHA512
d8986a0f9bda2eb6d8fb8bb0dad73bf73263a940af7d773ba8b99243dfb4fe70c22f2053ae11a3f413c87b573978d21b2b10ff2642c363fd210ea1c476679bc2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fa6489f747da0510f9e0d75149d092be

SHA1
128f449ec503388a2d92d2dcb658cd341cf37159

SHA256
db059d06ce6e22e5e081f94c0911d63d200804cdb6d0873fa712cbe1cc8acd00

SHA512
f7ef3ae3af1c9b0146ef3f79c82649e8afb258b75cfd172291dbbed2f81e238373aa8634b301c726dde9df9c634078c7bed4d3b62f103727aa9bbc5206210347

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
da1b8d0fe94eda991c83838663c96497

SHA1
cab973fc08f4633ca7443226d1958025291c50f7

SHA256
9ce851404c389720124632315e4d52fac2ed7a3076e3a2754ad18ba7bf079712

SHA512
d73295c45b5f7a360d5eb55306ab39d3d96d0da1171eb2d879cb733538d4602484978a320fd64d5eb183a174434c3eb183e98f65c17ce5c4cfdf6fb591e4c167

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
257d9eb2a10d3836ae7396a0d9dac89a

SHA1
5d8e1bc1dc5b57f24c002ac7aa01147a952bc94b

SHA256
87b44d74dab36721bdfec75803873db3f7dd2bcc79b52f9b3cb8f30bab80ca09

SHA512
f3bafb687f5e785ca4b664a9ca3b3fd26de42a0888b933464563c6c2655f0209fbe4cefeb0cea0e48c261dcc666f8102733b1c913c4e96f272038d9b30c11adc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
72902f0db6d07e24ab24d8500b7678a4

SHA1
802e17fd19557a85a6cebc92401ae69d07066ed9

SHA256
ea8d229d4d06249f14ad53d7cbbadc7aae5f926f8c3d44f3c44edde545f3c575

SHA512
90c250e9ab70bde745fc41a25813b4942e797aabb1c560180a4d7a476820d0aad27bf40d3746fc50b881f71d7e753cf020a12d2a083e0f71d284c5bb47d9478e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e8132591e64d3d8b932b06706ecd88b

SHA1
83c81f1ae8bc119168e1363ca435b93d2319f4da

SHA256
0b1140a29b4cb27e7a72572ed3ac62ec1affd231fb440869a581491a3c0b6897

SHA512
91a635dce79bf6a5b9291c436c1dd5da4857cdd4cc288200e0d51af3bfd3d2ce58ed42c94748735d27bbe3ec964827ccc9719563e6f73b3e656b7b3750b61504

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0926dde5a9cd9a42e8c0786f17e657e4

SHA1
caaffa3ebabc2d90591542b41457fb7df44dc467

SHA256
28711665f0029aa462dd358e1aba5d1ab9c51c71cb31002b50e6f6676babbf35

SHA512
a9664b1e18e306471ca1fa5b2d32f14095547d751af24e6c7cb979afb9e1030202c959f407b8a3986e62b5930abaf1138a4152808a678ba2f217b46ccebad76c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b5a415061b5e03febb783a8a698ff548

SHA1
365d129d480da2724b4c19849dd0113c17b5f91e

SHA256
51536235f5cf42856bcc01b2865e5c13a174f5b67a71788d7c608b0db3010dab

SHA512
376c10bbe2fedc57cde9d334127a51fff8951031e0b89bee748fd9d7c30f827f553d894075fc6097e62e9c17744a0581e14dab5b02656842537fda23a3be4249

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
706494e97131440db9a20fa7fb035fe9

SHA1
1835faf3909dfbc96f09487eef2e5d79e75552f3

SHA256
2b35c7c509d1c1844f4642ea7ed607c41f22208f68be868d1d67186ddab4be9b

SHA512
1e35e660ff25b2730a4cfdb74f5c1b4209b5dc88b5773b2df4ff4e6f17994f189f1c21c161a2ee7f18f1314d02eaf22fa4b6641af21e0c281912e301e2f7c9d0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c45d8879a7d180a63ce2bdd5b73d868d

SHA1
27a5c7f6af23b16feae0a920b4a2cdacdc7c6e1a

SHA256
00fafcf15fea97276040440a19acbf2624d84c559cc50788327d566804a415ce

SHA512
f68c4f435420ca1cc896f3252e09ac8524a563c39ed406f1304248e8fbb2610c58f83db76d7f057d926d1d5fd68bdd1a7f94f4282eb5d0af1e6492e5e3341ae2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
24cfa2b82739dc40c1de254df6470c79

SHA1
972848d567afe27224523b5013727c3ab33eaafa

SHA256
009ae6608de5c0781d623707b8c99b5f9d55113e9287672e5c3392950dddc7bf

SHA512
fe0e621e3812d4c982dc87f5742255851711436a0cf031cc7b5cc8c57bdef2d35d14d78f8e95ad67027a0852fc366462bdf6093eaef7c28280ab6bd5f0bcd18f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d046dd2c9298201243a7ed88856250c7

SHA1
2d107a476c2c60e06d9bfca4683562fa738b4148

SHA256
d26fea90f023b963f32f67f26048c07334b072f73f8973d2f0fa0b9ca6401f25

SHA512
6b82b355820ea4128464520be5d8cb13e8b5f3761c555049215a96347177e274a870f41b68e89481d1334de22b708fc657dea05437d432611ea8bf9169331f8d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0472ce970dfe62832e71d854c9cc5b11

SHA1
6be826ccfaea904ba78baf43143f823a8f5ef759

SHA256
dc0603e828a62e9ce354b76f6f51e2f5e361791d983807d02851dd5686ca7007

SHA512
95abe15bb1194513072de43694327affa1779fe3eb948432861366e21ee2ebb53908e0d6480dd018b8240fa53376c2231fa94f12585c7319ecf2b74c80d1de6b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
957a12add8afdc7958a66535f0528601

SHA1
577a3fec32f1adc757e9a21bb8bd7b4f7961467c

SHA256
6e84439369ae991164bedb1562e9cdd0ea47e1d74b484fb62ddacca47e4a0b92

SHA512
160eeb5594c846b6ea12955b2986d654227b426562a68a1b42d64f06cc280ddcbbb741f50c682c7654c9156945540abb254965852137a51f50cc5f89232885a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
28c7856b47d802cafeb4ade933f071b7

SHA1
1e4839da057fe85a94b9175d25eb64d97b4a88aa

SHA256
8d1e75d1987f76359bbb1a2d21f48fda2a4f920e00bc46d1cbe702c319981ec4

SHA512
140f8f07c3b0e76fd8edf0e31d22c2ff9698ed7c2d82c1dcfa6311bbc232d3d3c4ad313de991fdd2eb5ee603d44ff1029138343f2b0227aeb39b7e2e75644e7e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5312523c9447aebedf1c4f3899c26fc9

SHA1
dc37e3f481200205d9009b96344c372cb77c20d4

SHA256
4eb91996e5d7a7ebe1936066c6ed621d0161f8169ae147200657c7e565d459ee

SHA512
3fa32ea1cb90fade30658debc75ed68d4981ff9cba85c1632a67c103d917f5f039d79d130238e253901104caca95a84f341bece16dadcd4f9b5c630a0c6dd020

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
91d0263bdbe147efbc5cae00aa670956

SHA1
3bc5da9ebb4fbe8b719c4b8b0c40088bda9f7eda

SHA256
d0dadd2af4a1cca3c7f040633980d1ea897e8ad4ffcac1946b3d35228e398bf8

SHA512
52e38723e2758487c9f7544bfaffb51dade76d0d14788caa351d9db636380496b5bec8bedcbed819a4c98cb1fb1ef94ce1a4d655dc022ec715d9b7420576457a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
57d5fa9ac0358d047744b11cd89a061b

SHA1
e3f716e0b6739a68ec928916bd22d6253597716e

SHA256
fac9df060ffce99b6ee1fe2501e0db33f808d8579de66371917d0825687ab43a

SHA512
dbc8b78150b55ce90c3860a47324b47c2ad5f41bdd7a5fdfdad5c2f62dee895750fa62df8911ccb28c3e1b4a27347616d03d8c1a9b0e9197e7e9253fd4cb0ea3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
6e76be3491685b14d21c4d2f7db836b8

SHA1
91d76c291a5ace2931a3c7c8c531c4c384efef3c

SHA256
60cc8f98ad8ecf389778a16fa41167481e11d982e9691da70aaaaddee6b81e40

SHA512
4ebe27792eec7326c15e7e2ca10e547fc14bd3dd4092847da1a1e7bf7e0b34a20dbc676a43c5f1d064adff4bf4678edcaa692bacd7827f6e419a38e2fb374f4e

Download Submit
memory/648-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/648-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/880-97-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/880-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/880-89-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/880-94-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1092-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1092-74-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1092-80-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1092-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1344-444-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1344-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1600-108-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1600-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1600-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1600-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1684-8-0x00000000024D0000-0x0000000002536000-memory.dmp

Filesize
408KB

Download
memory/1684-83-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1684-1-0x00000000024D0000-0x0000000002536000-memory.dmp

Filesize
408KB

Download
memory/1684-0-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1684-475-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1780-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1780-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2176-358-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2176-144-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2208-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2208-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2276-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2276-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2276-448-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2468-107-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2468-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2476-509-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2476-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-171-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2836-175-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2836-559-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3332-240-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3332-443-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3332-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3476-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3476-373-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3540-170-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3540-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3932-158-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4224-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4224-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4224-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4224-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4444-307-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4444-119-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4476-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4476-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4476-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4476-130-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4480-100-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4480-109-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4480-105-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4480-163-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4552-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4552-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4552-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4552-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4552-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download