00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Size

1.4MB
MD5

30f06659b25037b2ff4f69cc47e94879
SHA1

9f5519c73598d551c2a27a0a8f4a3e3be3c56106
SHA256

00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c
SHA512

9e3c8c1dec4074c593e0df4c4a3e45c3d22bed38dc8ff62bc073d056dc0e05132356b261641a094a77995365902d34aefae6d56ea43db0b292dd0b4deeb5e82d
SSDEEP

24576:rwSYGTKWTdZ0aS0DsAJKAGLenmH5GGC5SYCQsqjnhMgeiCl7G0nehbGZpbD:rwxGTKWRWadsAJ9aenPdDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1564	alg.exe
2308	DiagnosticsHub.StandardCollector.Service.exe
884	fxssvc.exe
3428	elevation_service.exe
3960	elevation_service.exe
4748	maintenanceservice.exe
4916	msdtc.exe
2072	OSE.EXE
1652	PerceptionSimulationService.exe
3896	perfhost.exe
4484	locator.exe
1012	SensorDataService.exe
4000	snmptrap.exe
4644	spectrum.exe
2396	ssh-agent.exe
652	TieringEngineService.exe
2264	AgentService.exe
4308	vds.exe
884	vssvc.exe
3236	wbengine.exe
3724	WmiApSrv.exe
4960	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\vds.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\locator.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e8d9518674cc675.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c631e1dab53adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076b40cddb53adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000585507dbb53adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfcc1fddb53adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007982b1dab53adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7bbeadab53adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014e02fdbb53adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059f404dbb53adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010a7d7dab53adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeAuditPrivilege	884	fxssvc.exe
Token: SeRestorePrivilege	652	TieringEngineService.exe
Token: SeManageVolumePrivilege	652	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2264	AgentService.exe
Token: SeBackupPrivilege	884	vssvc.exe
Token: SeRestorePrivilege	884	vssvc.exe
Token: SeAuditPrivilege	884	vssvc.exe
Token: SeBackupPrivilege	3236	wbengine.exe
Token: SeRestorePrivilege	3236	wbengine.exe
Token: SeSecurityPrivilege	3236	wbengine.exe
Token: 33	4960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4960	SearchIndexer.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	2752	00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
Token: SeDebugPrivilege	1564	alg.exe
Token: SeDebugPrivilege	1564	alg.exe
Token: SeDebugPrivilege	1564	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3140	4960	SearchIndexer.exe	109
PID 4960 wrote to memory of 3140	4960	SearchIndexer.exe	109
PID 4960 wrote to memory of 3628	4960	SearchIndexer.exe	110
PID 4960 wrote to memory of 3628	4960	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe
"C:\Users\Admin\AppData\Local\Temp\00149dd4ae0d6538a7a907b4ee9abf3a3a36cdc9fe2aeb0a32165488d9f4080c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3140
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e7fc04171776b2bdf0c2f9446ce1e5ed

SHA1
c3862a9aeeff259def72cf7e1890392438f1884b

SHA256
69d5d0ce0fa608a18061022888c49bee46302a87207657e6c1dc5a7725aff1ba

SHA512
016b8b9e8072bf1c96718f083f6aa706a5e94b03839738c4a04003ac8c1375e42af8d806d079054923612fedee535f56c05b83e476d540e51b548aebd45ac2ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9ffdc08096f914252bd85e60cf0994df

SHA1
c4793eafc9c081da4c86864e507910348d4788f3

SHA256
35bfe051f0edf0f36ea9e40d7b4fa315400de22738a64dae026afbcaecb61953

SHA512
6e98bd51c06f064d4746ee34346dd584bbaa17b60611eba3936b821c7b5805c2308b7912e037656018ec9c82f6336efeedd24cdf9096f914902898bed024f0db

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
197930030622a8d1d6a589c47f904299

SHA1
1056ab0ea1c9e9a0455e3aad3ce1076eef5eb31a

SHA256
7f01b9000a5c897e43e9a4f6320acf50c992ae09e3e4d83b78c129d0fb6af3a9

SHA512
c638615dc2d413b327dc02f5ce3276234c9c84b2f429d4696a4fbc0faa6b8db0020dc35703a4c6eeaac94bb585ba6ff2ab5c9f7ce6b1ad12d4a77545fb06dc23

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c0d0235b3fa74c0545657f56ac23815a

SHA1
058a88e3c967b0e1ddbd59c96bbe7e4934e2b9f3

SHA256
6bb10688c2e4c301cc743ddaf8b54fdebfa41dc48293aff6d49793e83a22e6af

SHA512
9ba0c17c0250ba3e2023989846dffbb0782383f39450b211324e78141e62d9000c4d294ddf79456ce7157bbfb83074cf86a4b14ec65535f8ef976e88cc53b982

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b6ab6c0f929ebdead3975c416af23fad

SHA1
6789aca35f5414c016e88ed9f90f09b5c56fed02

SHA256
13a9772a87127b9264c5359aa8701fdf4c359faa2cb00ef87daa55894d473e32

SHA512
7484a70cba250f01c5d7cf80a0c867af3d2d736d460753e204822186d6ca271a8ddfc4d15be77bbbb034aea6371266af36016d7d3da52cfbec97c8484a5b8273

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e8112f424b76037726dc63ac4261fe84

SHA1
ed163772a8a17cb85686e569ec44bb1f9130e260

SHA256
38b81200468893f2b40b1c8a89fd147b631c1ec03e46eb456b637c61d90f81f4

SHA512
1773095b2026f170930dab8b1fd7cdaad5b730a15765ec168680600a33ce9684be3be6e69b472aa557015af954d2a8a41570093626971e396c75ffb093e05c0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
eb08d52dabf793deef307b3ca4544460

SHA1
c17eed25454388f923e995dbfe57addda87d250c

SHA256
ded050bef802747c6d96e29c8b71fc550dd58200c50504127fc80d8b27112e64

SHA512
df773661c4afbd406d8b2d48f6260b6d7e0e068b1cb036b9cffb89bda31dcd983caaefb09ec85f999ead97855d42cf0ba8e94de1a5f9a53d101cfcc42f77f411

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5265b7e57b066df26cf32e647f100b31

SHA1
efbbd8f78f26fd5fcf1fff6f799553898cee1603

SHA256
b50f531c529b4e4960289bc71513313bffa35891be6a365e3ee387f3170ebb66

SHA512
deb90f296430aade0cc2d82196afe2a9d9ddf7bc125b538319c4cbef246770a9729b412551fb0b54afd7bfe78d384001446c20653f750d29b8d4640c922b5d16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5d1e81db78f86f2dddf01b8f72d4b8c0

SHA1
82d84a1352b8731aa1fc9a2214f0bf6a65b99cf2

SHA256
a2224e9a98d1cc6b388a4b40c1ac2655cba79b55b64e609ef1ebc12c9c19ac37

SHA512
72cce36c9c346a389e10e0eb1064a644112ce1bcfc97e7059f2ad67ba759af55d6456093cc422812529d39a4b784709b081c2d4b60030fe5f1c746a1e5363da0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c6d3e4a059e6b5cde9f2b3ec14930a0b

SHA1
8803d82f77d1fea0ef696db05b6618145f0c4f38

SHA256
f0f3b6bfdb948b91f543108463efd6e87840bd6ab5377a335e36c0c9cfc5a280

SHA512
6da8c386a239241ea3c031f86a8a67a654234743b0f376b689a34dc1d126429e29a5339e6c53867de8cac3eefb2b33c45d7c3bd73cb3816251cecfc7acea381e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6ceaa7adca54c3343fa0cc0e34ef1d0

SHA1
072c524c87e8f6afb0408f01736b01d47351364d

SHA256
579cc376575c4456ccfc58c8bb1767eeb1cde746ff5aaa586c1e5defbdac4005

SHA512
ca12817524c324056d8e5ae4e1f48ea7a5ee9fb86bd44a56ac93543c660059cc27e1663ed2449d96abde5dcb1976231f23bf6746ad047011014cd40427c416b1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4cbae6e1c14d45fa6ce83b9d44db411f

SHA1
30816f32d59e9f173710d131369fd49e81567f8e

SHA256
54fcec84cae153c7f527d6a463eac4242a09318fd65143ea2bc278477b915161

SHA512
2046e4924b33e1355f2da0d79a620f0a42c36c7c80cc76f958f291127fe3e30859086a011d1c6dd09d78f4fa0afedb1196695ac6d7baba42820ae8a80d4bd20c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
905c4f4e4f949fc5cb9291560cf9744c

SHA1
fd2e7ba7cb119593dfddf3a4a17b642c814283f2

SHA256
e52413865588fa75be38a4eb81bf5f6ce264a171549da1ac1b0752afe26b55d3

SHA512
287f4b501d81f5afae8840b5d01725d66d9df63e13a75a8020a011f8889876508a443fcf1afd7753f96f582fe1ac1491d5bec0e4cc3a22b67091b14b5b1ea1d1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3ea0e3e5c002d109a69c5c015e7dc9b8

SHA1
b99fe5e1d9be90f41a591a7580965fc4ce1e6022

SHA256
3601d2e3f72d88591be3ba4e316c4d7c8462aff0b31684413b5854f638fab640

SHA512
23845b49554823da36b37461735805380a143ca6487bb2998cc2ac7630e7b553af22e6752a3b5461bedf88b34db02638a50f7c6e8c6dc9d09229ac11af99fec2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
86137b0c9326c661c6cfedd10f974128

SHA1
28bb8984ccf7c9c1b6a8b3391674ee66de82ed9b

SHA256
b7c755142edcd45272f2c84e134e412628d4a9b99ec1f15b1298dfcd69a2b7a7

SHA512
fae10e6a5a564f8df1ec2b5fcba29a03ff906ac076f9299e176ba9603166c9457dded42e3e05e9279715878155b0999c6c9a8591a64f6186022b0d4758944802

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f70b961c0532a120659c52c206003845

SHA1
283d9dc8a1e5928b5dbdd0ec1074f4988ea51c88

SHA256
05329bd731f7418df1ca81ef4b7c0f551017ffbdaeb4c8f318cc938d963a5982

SHA512
b408434a0c48d06beb33bd7e0e581f8c3d8972f34c2347dfd623327e865317fe05bfe1e54b62b0c18d5055a3174dfea3e221dcfd8492c42f609ba6f39d3cc9f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
aa836f12c8b53bb10da3e99d21a9c36d

SHA1
3931f05e83950182065a4b79a11c188731259e2b

SHA256
8f409c9c1f1ec60863afa05e349e407af2f476c1630ace8fe457c00f8fb92dbd

SHA512
b26d0611a81885e20faa0b397bfa182bd46f14a6c57622f8cb6b85d7a678ca0a0c945e696d042f5140932a53ec714439ec706a0f06ce26f294853bff73908e7d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
205e213cc0e810aa5a8706d5901b04ed

SHA1
cc4fc6b4cb5a626896f884af77859a692c7c1be1

SHA256
d90ad234d2b52ca3d75d97dacc230b75ab23328f31fcd1c9aa27d8c62a93b568

SHA512
eb75869052012831738ed2999ee68dc36829456acbbeef956adf82165e8b418c9a8579231273376b5a11c2b10ed8ca4e950eee9fdb6c34e2b8201117a5fc3938

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
62770f5f42b9c1dee5258f0690d2c90d

SHA1
aa7014010bed720c8bc2902e81a7d16f5bef77c3

SHA256
6721cc4b5d4a36f3a0357609b7b600034aa9be416ae7a2bae8c865fc73c76841

SHA512
b8e8183036bbce10bfe6394a0d644f8ea39d9be0ada19fc4f6fd3d4a7fe77e479356d8fce8bdbcbe3c30970cc42dab2ef5aae52f24285ab2e4581a58973b5c39

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
428478847c4c51480f60813681764b66

SHA1
9ff4f091d9fadbf5c128266deec2a160a8b56183

SHA256
797a0b0b81d2c156e6fdf8656f98fac0c52dff504985fd0c6345c75a1419720d

SHA512
8bf6f48f1a57a8f9cec9c0e17bfccd8cd9af4944efff83c81045bc76cda7a2359f519573046daba5b6eb10f26cc050ca4e1215c3ec1f3e6f37f2542ee7bbf800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b39adbe539e9cf1ad128a23917006bb9

SHA1
634356b81206cf5d87d9fd492f53b18e57c0cf9c

SHA256
cfc35e678b6be3a5b4680378a532bfa911bef7d171b74adb22e7c937a802c47b

SHA512
41ee5ba7fc7b46292d13a88a26a25ffb63758f0b74052d968b526179e2d2412766118f9062d5ad80aabb718d0b2f82d9a75440e21c14fc9ded4f5ff2db45e8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e893cde2f12862b6f8b6a58cedbc9c86

SHA1
1e4b854b6ba771233c73beef3cec9a4487dbd5b8

SHA256
365f27fa566d3d0483094c1f90847ae2884f54e688d0a006d9f7e1b3187ed1d1

SHA512
45e9e3cf99025b3ab728d88d0131a7b14d50af8cf38b3734de243de43576a7fc9fc70701643c616ec3efbdedf2752abcfea08b9760d8fefbeb271c9ba0e699b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0904d848f24b8efdcd4158d6b8ab83c7

SHA1
4b5e9c926ee97aeeb46f5325957e8fafd50132d1

SHA256
808d7fcf0291896ce4eead5b74b1268920f5225c8e3d088288605a0edcda05f5

SHA512
0c751e268c6916306b34bbf89051a18f3ebc2cc5271102a9a12ce76d6ff87f871d8994ac9381995d2d82c582fee2fe3c42c39c7d254f1abc74f571c2867d8dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b769af6fef441f0fed3c9309596e0948

SHA1
e481e8aa5eaf9608d1db8ed7c47f0b0f0fb8d6a9

SHA256
e4c6ea3c4bee831c5ea3604e8515063454ec69a5ec00ec9c3a0d65dfe5b7428e

SHA512
61205a8002f3dd15cd760100b7be2ac051809762e2d324b592af691c90b84a01393b0184e5a51a8543364b804ce68a57a8cd2abaef450a65233bcf3e97849574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d073d172e32fd345bd571b4a0908b002

SHA1
a873cefcf429386e24c8f1d0c08280fee9c8aeab

SHA256
8f3d70b0367400a057334fd2a9ce2d498193fb7fed4ba66162d8cecb428d3957

SHA512
59f6e8ba200a154f53df63b99e414dd224264db2dd2cf21ce17ff60dbbaf1c5b713813acf05c7f4d975c3b458db1c4db30f6bf59579f2a023a6a554a37524dbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
89d7fdedb305a09020dcd60d11e0abdc

SHA1
b2778bb41167c6e09cca9c1bde9bdff3aef190f3

SHA256
894b37359aab4bcb6fc526489d154831d469d1fdf4511ffabd097c9e59ec655c

SHA512
4eefbb2e2ae1a988760569d8cbd2b2f8c193266fea25f9680087c0423ab5e16f75124bde55974812c5d57dc8699263f640d2dc44f88b2e6bccd916804e209033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
aba69b3a6115f7bb04cf3ee3abc78e44

SHA1
75a165c33fba5207fac06fea1db38c7c1ce1ee10

SHA256
f66462a42ae53c5f4cfe07f696eb025e51b109f701d0b417d6967091d81ecd12

SHA512
341638717b922d1cadcdbcd970d9c4d4047576832688dbdc89f66a8232e0a6a167a00750669ac3108a434ad7edcf32c00aab06f5337af924f224e69cea54a832

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e0ad6335142132175d73c856b38db34d

SHA1
b420f5d997b854d26f196a6593888a47fdb28ff2

SHA256
b707f15bafbf899dd33c1696fc83b58ac1a413865920aefe483608130c18c528

SHA512
b37b3c57fa6c9ce7c7be3015668802a90ea6b019b20a74222a528595e5ace4900b4cbcc3bb82e40b9a5a174e72288ddc05f8a055ed780dd01c0cae2d23d50bad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
2d67e45b1d83304d1a14de5b5b9adfd3

SHA1
298411df0aae88edeffa37f2a8303c0a8e7e083b

SHA256
dd9f6e8a36bd777f18ad37428a9f9ca82ec20d4654869dd869f14eecb8b9dcf9

SHA512
00d28eb65486cbb489db31d65f6876e0a5e4e1c42e3f05570047c839feec2a505207d4f26eec52aebff4d2d1b9fd7e4606ee5824efaee8765e6b60003b902440

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
40ad6f801a6668c974ddfbc1f3e12bd6

SHA1
f367289e8366894cf44d02d998291e7b41032c36

SHA256
8eec0f4c4281f10a43696733a49d8473f12e134c40aa2e6b5c46d599f776c1b8

SHA512
26e7030715a97cf2623785b8d0d44c7eee891158a9546dcfe21e8951c3e609fa3c2d787dfc5d1346554a29538ba1ebb6a64e4834e1d14db5ec9bb64cd3120c5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
79999122e8a889289dfbe6eefd3a6f87

SHA1
f893f5a9fd1d7baeb89f6ca5d847422e12ffcec0

SHA256
e2fdbc6180e689df6c76f3ef5136aa29eb768961a27312c57b4c13089fd80d07

SHA512
7c9c316ac712d9fd36cf20798311295b32ceef8bfb6b7e85521718936fdef03a37763992a25279cc7668fde08a9ab6e678f399535fe36d83b8126d8fe618db1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8bc18ea50e070ee091f9ab4bb8393022

SHA1
bf4233739d50101ef36940a36470779be5897e7f

SHA256
780aaf996cee26cdf74e5ce97d2dc6a06e7188ff6c4bfd4392a755d14eadfdc5

SHA512
0c88203e7ac2ce7f80b9020cb705f78dc0c0f9f3c029cf6a03b80a77132aee3212802f4f90350dd7ab128fd6b4e111161957db847dc95ada44583ee5639a26a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c05a37baa8174d417253245672f66311

SHA1
e8085d1f3ec0e50be90d1f0ab3a8b169b929d330

SHA256
641ffb5b4c927d04bdc132cc766c7472584ecf930ec8f1a0dd7be7e60504376b

SHA512
64fdf452ce23525eaca77dde46694337df26772407565bbf5b97eae9542688d0c772c4a383b03334d217b8dd4c84bcb36830461ea8ffcac0096887dee9f042fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6d336b6e5a8007d00ae7cc132dad3ce4

SHA1
89d7748ee303e283f4900060f2c16915b4dcd974

SHA256
f4aeeb7cb73a16e724a3c4efa3986282743444e7bf282e644ddd4f604320e252

SHA512
cba453a5f52f1c4f8399d96b6e7030ed4107e05c8cb05bb6b06a85ebd4957a4110844a00e79c7c8f9aaaaa3d6cec023928f4d3ea76d4136ab031c861bad07af7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
19d60dfcc16cd734dcf1a49bbc4a1b24

SHA1
6d1d8bc811290df6c76fc6b8cdb3039cc423bcbe

SHA256
a3759f9a093efc055634f3b735951da1cf98b8820a049201a1906cc0e88d8d95

SHA512
2c0efe97bf9a671cbb86a6dc066377fbd686a1632029b89feebe0e4d4ba36b23a92c75b50a14b2ed8fcbba10e83b44de866bfd38d580d4fd6e36e12105c98a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ad9cd9352d00ce05ef46915f67c9d960

SHA1
34f5c1c88e328d82dae473cd1dee0da8b692a8be

SHA256
d14160e2aa43bb07df31447dee814588a99dd24def7af55ab671e6a25a756daa

SHA512
4aa223ee35c766196c0d0de15fc9da29f4125a7757b66900e1f2fa52e930812478abf0b5182e4347bb25a6bf719d8d767bdb8b0b47a868c60902f00d9fc3343c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
223d214c52b470121f9fd82bad68f63f

SHA1
3d14dd2f2263f618f44348793654105e5c01f7de

SHA256
cdc5562ba63db981c47a0e35ca177897df9678d75b6407a044ce6f04b2d55cfa

SHA512
a03e46dd69be7b248627dc6e9a973502c7628cb2c8a82606d35f3c279e4e29c395de6a670b61711ebe49026da41a6f07768f7ed3c711b1cf137d861762447785

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4f9edadbb5da390429b90417d1d877e5

SHA1
079803d5fadaba4623395d8112c4ffb4b8deea14

SHA256
8d3de66c3efcc8fbcb32a23d64a6f29a1c83ceafaa9fb68a92722d984ada2b13

SHA512
3cf417dbc75b5df30c554aceb8e3036d4b28a47ca6dab52adaa4f86973035d14d6be3cdf634ec1157b53cfa77c7053f39fe319701c206434061f187fdcfee0ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3eefd16c3a346a9b4052d8af35341f46

SHA1
0500aefc940308ed39be5525bdc0458e1d305570

SHA256
8ce13e4a21c23c3583965e57acb10e9765d3342489c1bda9049ffb49ba99c57d

SHA512
2fa32698f26481bccf873625b96fe6f028cccb8162b4c0213d06fc526878e7c2e8952759465fe5632c68cbe05f6d0e0c9ff77a6543a3348d4248754d6d63f957

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c08c8a6e1647a10671618cbf5cd88abd

SHA1
2878dd722c59f673c52608e5211850922ce5e23f

SHA256
81ac58ff31d8dc33b7871671592dab30147f01722ac926aca91ce86e288da814

SHA512
c5e7701125267d8c77ee5e58af7bac147425ff3f7164b0e10115141b9cee02ec548549712473f160952a94ee6afc9452c837fb122cda927dad300d90e3e4c7ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9e2f05cb6b83268a80a9339e30f66d67

SHA1
773b1fb361f188eb6deca46bfc2fcd1896b3aaa2

SHA256
9d7209f2e0f62fad0ee207fd7e4fd4b63a3e3f88442f965a5043cd56b36be2c5

SHA512
6426dee03e56de510fc8c9e98abcc753c85ea8c40913e6dcf803ee18209418f648e99b7bf2d7959bee9915d8adbec2af2924e112c581496cb7fff83fb853edda

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
04b4d0188e65649e34a5761b0797b0d8

SHA1
9fd8451977242678d98ec844870c052cd2bbcbd6

SHA256
c1d1f6053776fb42f23910ac2d298e1898209b328f82552e3c252583f701b4be

SHA512
e4858bb03fd3048e269c0e8f1dbeea8b354ff45ce9e28711020a1248b7bc9fe52a9fb30c249acc1597a03de71c983f80e4a541d1915579141555546a885c06b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7403c801e04b8417d7a52cc0c60577da

SHA1
00f8418ee450a8cbf0efa65ceaadc533f8a62936

SHA256
fa4da578b46c9b62672ed8ebb4c301d48731cf9ea87b13ef03465ac10108216b

SHA512
b9f833c5c88020fbe7dc7b3d12124f5038c90b739c76f80cb5e879051513dbace0133cac4e0eab643b4261576dde7af8e843388ab1cad76dc49dd7cb3a4aeddf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4b115a4e97e9981e7820967a99cfbe42

SHA1
a84b7ac9847225c7592d1056b4685fca6bebdf7c

SHA256
95edc434e3c27d6e94a5a8abd2d5ccfec31f0aa3228fef99903eac8c5a2b70bb

SHA512
f4194ef3c724fccd4adaa4418f449e0786227c29cfecd6a632d861055c79ce48d06551bdab576e82edf46287f421c4077d95a9a0347f8554066eb5dc15886c85

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fe1cf5dbcc2d0179488d494590750a04

SHA1
0a32e982b0ec3197b3798bec7e84d23ad4e9116a

SHA256
6611d6b297bc2327cfbfee29bef817457cb866f4b2a3d846097dcaa62b39681f

SHA512
6b0fd9d7a12cefd54bf1edf9f522edd9740576a70c5ba9816683c9fad9bd2ff399ca0954ea16557e8ae0badc8f6b366e38c66852cc33c7fbb71a461401865017

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5fc7da19e630343b938090bcecb4d1b5

SHA1
7a35226b4118379a86f941791951d14bf6449083

SHA256
f23c7800b5a465e28adf7fd65c9b949167800d0226b8ca33a5dc9c226284291e

SHA512
fa5a92e279f508d5427f2e6ded72caeb98aca5d70fde6e70a016858d2ae9ac6c1132ea4a9f5e9162ce6edfba0576983cbad4ae1c88caaece60b928d1a26a3eb2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
967d812e6e91680a08dd7f8acbe032ae

SHA1
122de5abf6cfaf3fd675ef7d0e10915a403ed5f1

SHA256
a97e708ce90060aafab16b937a0a459b6ff04b1376c6457acf016b3f11d8101e

SHA512
cf016236fd4294a7cf6a0dc3757f88ed3238d90a7d5e7240a4be49f1ea53ec5049fd80a114464130d0c97045ab699c9684480bf98c66f916fed852e58d6c263e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7df408b1354386a061fd0dcb781e0099

SHA1
4a0e5c21b579b9be9c15931ba95b4672b046fa48

SHA256
9ae10ec7d119b4b7da3f3dd9bca108b32cb5033d3eb0c36132c4671ed87bb232

SHA512
132504f2b8facd4ab9cc684c0ab1f1a0f63e791b97f88207d51dcf3b2f061d83b6fca2a0184c98fa2b907b5e6f8eb457e0a0324fba36d162d82664cf5b3abe98

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
02b67459d08364eed4cb071dd5027727

SHA1
d7470b347e0ed0022fc6d8c8fbde2fa56b14d456

SHA256
111f2fe76ea58292a0041fed06f4b351983a72aaa258d8b1dbf439d3fa31587e

SHA512
d580e15c39f4964464583182215ab6e77f000b7e9dc18c7e6c54be17a4faf1387324341fa6b6e55f5fb1bb9764f03997a17f4febd708da8dc84f106a5249e7a2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f3b162aa2f28a582aca26de459175851

SHA1
dea8d08d72147a2328c2c158d2d22623b19620b3

SHA256
7e44edc0156a8d42607f7668fcead47b31fd3677bfdcddc4926be371dd186376

SHA512
b731f59b37b36e68eefc61c611892c0a93926e120e6a5d9afb832c54f7c01e8aee668ddb26f60b0af4621335fd50b998b98c307893c57cc61dae408d3c9c8a83

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b2fea006568a17c34f341799b483580c

SHA1
381fadcedf2c8298a549ab0118b8d30eadf43424

SHA256
4757b9112e356bd1d78966f3fd87ed776d2d5d3ccb6de2fae438672bd9ab8103

SHA512
c241d4f75be5e5e21da0c64286f71d82f934058ff5049b5d63767b0df9be26e6856961d92d44a41f3de89197a0540131a52b6b0b72ef2e25ebcbeb42de6a83c1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4ff3cac6b3050738dcc2c3494e115b40

SHA1
fded9bc3abd056e15b1fed4f9b13809e7adcef31

SHA256
9161be4c1427b764c0bce66fb11d3e165b985f1942e3546f54e7ac6f5a98dc75

SHA512
4b9f3317fa35fbbe4bd4f3eb66475641573125b603a391ceee9e167cae5d97ca2be221490192a019bc7ab8fde3fdc1ce38786cb1f0bf530ef103ba9ff78b8a46

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e4511089cee5b550ee360ac740b40ef3

SHA1
7c0e2dde178e842cc66be7df94f57ca2bba54ee8

SHA256
f36f3b9bc46c12f678c80828ebeddf22a084c573ec70438fb3aca03b69b79ce8

SHA512
6704bacc40c1771e2e035ceb53bb8e444660e59b42d21e210ced1ff57c3e3e8faa5b013fc469ed9a0a307a310e62bf90d85a21d118c2c00a7d9326439afa9c51

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
646ff2ab89c73717e36e3c85de8edd2d

SHA1
483bf956b8ecf00ee2b22c0d595bc5571b61693b

SHA256
f8106a7c6245e22d52faf1d0d393a042b392cd555986281d8b1e6a89cb15f78c

SHA512
90d802e28dbdbb09487bf75a9fb35f77904ae409683afb52bcb4501761be329a501a25ebe26216c541b1a5f3198be2db4e90d5906efb6eaf667828cd53f6bbec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aea125fbf28c12bac1d8705d7d24b756

SHA1
36083a1ae336058a5141dfb8a6ad2bf5d89e332f

SHA256
6156e2d54e5f7a9e3bd4bcc36bddb122a2d0e44f27a57d5209b588c417331524

SHA512
84ef76ab2072131628aed113305475a18a58a6c12793334b74c907f65568132028d22a046a7c905db96b2a6f0795bd4f613b458ab84a2810c513bfd33a9a2433

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e4c8a32ec7f1f5396069af468df3a821

SHA1
1ab9f0aa8fb30c1033d7b694b09213bc12f1a10b

SHA256
6fc206b1fa9523b0eefe8fb25f1de74a263ccd4e6aae24a7947b9996df975563

SHA512
e9c7269521dd4bf02165a7a0cb238cc0f7cc838bba6954dcd22c8a4b871c7850d24c7eaa94470a4fe0c5fe8456bc3cbf311be74c8363a3372e8810186d1cc9e9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3d1f5423ed2b3ae1b556c38c6c174286

SHA1
80471da692951081ba25e4abff0e438443a6d016

SHA256
2c7b05629d8471435342ec22d712d8a6a184a988fddf79e75d5802914086e697

SHA512
067b531a349aaca5f3685a84fa0367dfb84e852e3bfd6efc94760156f7d66dc6bb6224b5a5e72f7f90ac769bc23d5c20d1966dc7312d03351172203c44db66bd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f15ded4736f56dbc7281f647c856cb1d

SHA1
5cf3ef2bccdd5714241147b3840ab7500a0bdabb

SHA256
2ef9db78d64ef76ec6b15d82678fad243cc83729c4dce050466d6a4ff92b92af

SHA512
0ddee7b247a04a0cbcf412fd62229795dbbf23e7b93643858b8a120feedc0a0d8d3f9cbf56d414286ec9a4728add99a0b001dc5442b3ba12551c58d16c74948b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
6c5c510eea0a9dcb5840cc6241c6c437

SHA1
d5b2355d7e21f21acd7da1ef48c57a4625944216

SHA256
da59b53859fc793999d1445ff774a8e3a8ca7bb3f7ceed24b641a9d08aafe8f6

SHA512
2595fb7258deef6b60a2cb40d3a68976d11a13812f11d57c93bff275db8bf3558cccb8a7224db3edbaa380c4954be596d91d3ae05bbc62f49589351c657cad83

Download Submit
memory/652-448-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/652-191-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/884-60-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/884-45-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/884-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/884-472-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/884-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-39-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1012-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1012-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1012-469-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1564-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1564-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1564-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1564-116-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1652-117-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1652-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2072-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2072-225-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2264-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2264-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2308-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2308-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2308-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2396-189-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2396-437-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2752-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-64-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2752-8-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2752-4-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3236-476-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3236-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3428-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3428-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3428-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3428-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3724-254-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3724-477-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3896-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3896-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3960-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3960-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3960-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3960-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4000-398-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4000-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4308-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4308-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4484-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4644-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4644-429-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4748-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4748-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4748-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4748-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4748-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4916-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4916-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4960-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-478-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download