76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Size

1.6MB
MD5

868bfdf4196d2b563cda87412e5f1c7a
SHA1

73068ee0a0ca192c1d3a7b48fddd5418a2879c98
SHA256

38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508
SHA512

0371555c5df19464b8c182165831efa60cbd8300cffd612bda7fa905e1d2331fa59bb59acd878ce977ec44ae032134ee9c24a9b29c5cf95d3b27a583d2af01a0
SSDEEP

24576:Wxozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:a5LNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1540	alg.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
5108	fxssvc.exe
4100	elevation_service.exe
4828	elevation_service.exe
2872	maintenanceservice.exe
2768	msdtc.exe
4536	OSE.EXE
4668	PerceptionSimulationService.exe
2688	perfhost.exe
2296	locator.exe
4064	SensorDataService.exe
2532	snmptrap.exe
4288	spectrum.exe
1560	ssh-agent.exe
2844	TieringEngineService.exe
3844	AgentService.exe
3136	vds.exe
2856	vssvc.exe
3560	wbengine.exe
2380	WmiApSrv.exe
3132	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	iplogger.org
60	iplogger.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc48703d3e6c0d63.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\vssvc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\dllhost.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\msdtc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AgentService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\vds.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\wbengine.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\msiexec.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\locator.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dededa36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cea85a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aada9a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020811ea36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000271e1ca36055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000188beba36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe
2204	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeAuditPrivilege	5108	fxssvc.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeRestorePrivilege	2844	TieringEngineService.exe
Token: SeManageVolumePrivilege	2844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3844	AgentService.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeBackupPrivilege	3560	wbengine.exe
Token: SeRestorePrivilege	3560	wbengine.exe
Token: SeSecurityPrivilege	3560	wbengine.exe
Token: 33	3132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3132	SearchIndexer.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	3308	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	2204	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4244	3132	SearchIndexer.exe	109
PID 3132 wrote to memory of 4244	3132	SearchIndexer.exe	109
PID 3132 wrote to memory of 4592	3132	SearchIndexer.exe	110
PID 3132 wrote to memory of 4592	3132	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
"C:\Users\Admin\AppData\Local\Temp\38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4288

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4244
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 812 816 824 8192 820 796
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9c840f7b1be1203cfd6ecd05454bacc8

SHA1
4e57411b533e5a8f7e37f93922eea72b2412edf3

SHA256
88354e2dc80fadc422adc8dac016a21a9e3640861d00a811bc7792a227d13a17

SHA512
d623cd94dbc79c4a7e9474eb964e7557cb8fa00767dc2e35d0f319f0efee3b9799d55001ee59953311f9b725e0d220f886663beca6e3cdcec096426c7d5ca448

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
873123630a7acc50e25a9e50ce176115

SHA1
0fbd87e97a81336f178e19f5955e4760956be2bd

SHA256
86117b09ff9c67614232bba5a53511747df4054fd382588ccd0eef6459fe37fe

SHA512
705bf87b0e53d58a86ebb39784ba71d33860f9090903e34c8648d5cd775c66800c008b459106e2db2cab285d2ad0dc16a41ac6c52f903de398902bad86f0c758

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
96c5fdb2f66b6e9c234b9d82b5f56f75

SHA1
3a371a31f59cc6b94c9cc4889280c233c7deb958

SHA256
0e495cd17ac266e24bf9c6c5ae38669f6254683f9284e4a502dcfc6d33956335

SHA512
425e7cbe925518d8fbd195b9754d498c71e096ac7e058c78587d6b77e9c63b6f2476eeb54efae3623b4a07c816c7a0e6f7be16b49dde61eb886214c4cc3ab2f2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
74867132499a50f3b82994b0c9c02f40

SHA1
2046ba2997a8e4e76ccb49ce3aa2f0d7fc85ad47

SHA256
c27423ee771ba7b6b39260c620a2314291c75a6a1ac907739bf5e53240a37083

SHA512
804aab46467cae363687aaedd0e29f2d0eb1b5fdac24681364a53714d13804110d2ae915ce7e078762183ffbfde3cddc079ccfbdaa1615c8ef0c6d41b16ebaaa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
739cba98354f3c2f6869d5800b2d78c3

SHA1
202b9c5e37535f1b7aeead0c7a0ec0be89268822

SHA256
d7c704d9f493894f00172f375eebbb517d8165ad1ce258b22a5cf90ac95ae8e4

SHA512
d29b7822bb4a2918e5aa9efeafaaebaa13549aa442e136d2b98c50427c03fcc54c5e8c00e0a8422272dcbfc39d6b1270f6bc2dff9553f8f9454cbbbf27611a33

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2a3e0b2640abbaefe689e809b3c3d946

SHA1
5091ee1d2ec0beb13586f90322cf438eedfeb8a5

SHA256
1a585843e3bf53a4a62f8b826066bcfdae44cafd1195ea71fcd0e589640ba9b0

SHA512
77a1e89ce0cc2a5d47a3a8f7219b21f5c0e6d06ed4ff9e3856c1e371bd8df69213a80fbdf8d3120cbbf4ca836e664f00c526ebf1ead2ff44bb68f8a1fd9f4a9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
eaf0fb6c26d77d602f2854959488f60a

SHA1
2824274701530c3169bff7624437f92e5efbe3ad

SHA256
004bcb08a4757f6b1cefb4fd14b9a8c884f97f51983b0a2aeada63ca68be4c15

SHA512
e8c7690f1896fa206d065b7318cd5c0f32c78174ccfbbe9cb8de956aa810ae4c3626071ad378f6e87e264aad9d16d4a26a652c0cbaffa594a3138ff80261ba23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d3ad730ef73aac3a869d4858ad1e083e

SHA1
4cfa90b142770000b3417008b069f6017aa25cb8

SHA256
f80697eea1e31fe97fc20c04bb788861c687710037a3134ead0aebe8adfd8706

SHA512
9f117ecab0ed6bb505d3bce9d557530ff22210afa1551eb18218809071127cfab49215c7adefc9c47bda1af2bbc2ea5a67bc638d17eeaef05dba97d01e11ae87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
585d25f09db4756430897d676bafdb00

SHA1
3ca84cffcbdd02d1c91ff93ec080984e9fb8bdc7

SHA256
f6163535c091c84de56ec937463ce660d001b616ecab92b3566b9129942775b3

SHA512
6007d36b70246fe9c1894a0c9413c830000ce61621310f0c72932275ad6226a7a5dca98fa20be87235f71a87d102f2d969f2a3fb9367b81b0edfda6f4a60b0b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2180bef6c080ec4f0db044300fbb4059

SHA1
612c62c85ec3bc165b0c7140a60b1a808a4327e2

SHA256
045304fe97eaf06559b395b75b80dcdd9313717ecd64900a1e40159295431a40

SHA512
ecd9372935b396d48f1d26c561c4f516554757a8b04690f171f455c56293d4b6447faeced156858cdfd1a371e262b8117b3b4114a988cb6c5f784d25ac5a3afd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
afa3f2f51fca10045a4beee4ec4a49bc

SHA1
2d7277d8ee7d19e213e118380d28557546d4ac48

SHA256
df525609a2dd70ff26c56678fed8b91b7579a0bb2cd98cf3b958848fa5656f4a

SHA512
2ad722c998228b5dd9661b253cad96ff8081aab2390330589fdbd59d17d38126e150e8292c627f26283cbb95cf07d17c878a494cd5764403059dd879da3376e2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea9b1815b0ec2b9b2de1b434a3eed47a

SHA1
5e536a59bb616e395d8e26e4ba63c850e912ecce

SHA256
9c19126f50623578c633819afd9ba8129272135abc2f899c3b7fcef29a635261

SHA512
c7adc91402d3d16cbecb9ff1dfd2842bd7ac9b81f756f4e2806c8a3af2afb7562867a5cc8848e1b7e8a75fceac3c3a7cd3e194788a6b5ddded6f077bd68fcf2a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9c2fe0e9e416bceb4c46aed2b361481c

SHA1
c403c09ffa460f89daa0e2c9983c20a1e476ae71

SHA256
273ca4012650934e8710747ba74c5e3129913aab97ed3294da0c5e4b4569c608

SHA512
74e2ccfc9dcdf6bcd7419aaaf7cbc54a4af3354a8ea01dcdc95fb4e9e004774bea8d6e970937e28602799a597682c91878e8f9f97003093e2149dce4077efbc7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e99948ca1ef751ffafb268b4846ab404

SHA1
a78eea082f1e9256ac98d381f3915c37a7b58ec1

SHA256
4bb97012cb7c2bc8fe765aaa6b284bc34ffbdc3c195d4bebc0483acdf254832f

SHA512
5b5223b4e8c83ab8092a8baa786cf85c71c4327f7a4c4de10e799deba9d4be026876127e1ddfe0f1a50bcc31f7c219cde6eb753f0cf5206cc1760f1a947c8d46

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2e87d1acc4bf5205408e539b63b40e75

SHA1
1ff61d5b5e057e4cc987aee3c5456403a86d2b0c

SHA256
68d2c1526b6bcd1b8e35424ebdd34eea1e56a5781634613f1d14f9ddcdae5413

SHA512
29f1924b74a8bf7cf3e541bc393f6fe0cafd5a1b7e45b6e8ff23bbc68c2a08a116aec19441cbf33bb6f055833acdfc33471b3122433f504980b06125037e7798

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
8d576424c14714501890e6d016c5481d

SHA1
deef93f14bbf618c2554d163599b9ca77814de41

SHA256
d8c4ee7609f1d6de45c6cfc4f85a55d34c2129377f057d08a116d5f1cedb928e

SHA512
2e3df5f2d40da5e8e9af7b5a5e440c3a503d57fdb0daae2e53c88371799a725c6c28e883eabf696b2c781569682b9ce438ed17748f3c372dde93f99b80ee6efc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
74786d920bb0fd7baa9f4e17431883ea

SHA1
035097da2df5bb2e957e03469f087da0dd29c00a

SHA256
f468014cc0d8e50e94c933feedafdd5cdd0f7d60adb3801a840a40e998a1dbb8

SHA512
113918a55c3a551e1f513ef81cc40cc3d7e2e9a6bc9d075f3806ae87811bf1ea52ff09034402f85cc1bc08ac320f37bef08d51f71f8e523a3156a19e8cc38944

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ef51d182f8c111060084dbb640d4e42f

SHA1
2010fb67c073a088fff340eee5b766889bdb334c

SHA256
06f41bb314eede90a6a27fd421684ad9de2eef7736b3e27ea09e56d69cfdb408

SHA512
8855e3729673d610a85e7dd077dbc27901e384964ce660c01219ef247b875912f44cff73e55758ff5e623fa0a8a24eb4a926d46bcabfa315e943c47cbff94495

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
bc678cc3ae0dcf809169a10b87e36816

SHA1
09cee941ba7498cb6c9427da6d480feb85bedf8c

SHA256
c3a0fb9e6b0831912537af62f60a04fdf98cae0a6f36a6ea5190f74f8068b37c

SHA512
35c68d532e230d26ac3bfd3ed25fa304ef800dad72842326dfa3f476e080e411f67456f6756bd314f7d816bece224c46e8275dd2e5328d18379872f8d57dd226

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
da62a2599335a6ac147d54dc562e0099

SHA1
790a1d366d5b52b28f6d5fc92da04c52dcbb024e

SHA256
039de0e03eadaf1d2707dcb3a99b15d0010fac42adaf9f82cf5c496b65246900

SHA512
cbbca874b31fa6e049c1b5732fb23c3b3aa7ca1094498af5a921cb334f1f32c6ebf5c113d1c53cdcbf7b24890ea17f63169a7f5ffd3dc177de6617ec539ca80c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
80f935b705d3624e7605ac2d6f573d1f

SHA1
9661023259a5ca9fbbf787a2da687dffc211971d

SHA256
b94817e4d27a3cc946f1c6cb0e44d2c9242e14999dc23ddb1286d90dd69f611d

SHA512
8d9d0994567eb55b8b6c2ae6a8ad19ce0d7a9ecc7d26455924debf922f60d41ef9e9b6c9b14b72df263e208619305a9b064d347099ab356e07dbf631d01abba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a214bc13eead981524b92d4ba2d97304

SHA1
04fc9e8cb2315f0a0e9a76b06cc19c16d2a424c7

SHA256
b5456fc77181b8300bbf12ec71f40de091f939f5290a57eb1b53c86691367edd

SHA512
c6d259ef588db0893e1890fbab76c85293d5106f584d625fb055bb501224c1a9a08a6e67f57109c53979d4181592b7f1c60ce9553ee4fd01e0ec5c74b85163c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9a6f6bdcbb2e4363578212961e0ac7d1

SHA1
a162caaa2b3a90ebd87eb1f13e024bae0e5baff4

SHA256
eb9ccdb95cf5eaf2351d06e3f78624a257ff0a521219e3b6234e4c9accf7c814

SHA512
53026ed1329ea51f60bbc4606cf91bb594fa05219bda492ebba2c86286ae9925e4d11047c497ab4e3657a64086f8dac6a96bc40343bceab66532be130cafd948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
48c95836fce16dea06debd9bbbc3da43

SHA1
f5fa27d344bfcd576b25f31a28bb6e2e84f4d7bf

SHA256
b1831b3bb865c672aa03e86d25e5b432167e5699ae1aba80937e5278b9015736

SHA512
eedf5f11911f9b0570d1cc394272eadc8e7ee76b29835ba16dead02f6ac8c1fbac86557580bf75300c9b324ef02f0e8f2b69de8b75c790ebe195fa43807eafc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8b8b866dc06606543f704158b623e252

SHA1
144f47bd14439f8ddcd0266446b313a5cd3487d6

SHA256
b6065ad760ff3d94a75d0e19f1b69c788fd297b744efceb8fb4517194f22735e

SHA512
5a09412bea12227ba84d9b2b2876c1102f06bc0c4cfa8df22910cfe75dfb6fc93bdde70db1cea104f8a244c0ac52d1841f8d415cab6e7117a64bb729b4dc0fab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6a7b17a1a2201a70e44f2b618410e894

SHA1
c95c656ddb6c33aa996b904f26edb2eaf81dc310

SHA256
e2d97bac174994c0e7a9acc753afd4adfa27da35490cc7dd0f93c7d1e6ff27e8

SHA512
7da9217a64b8beddc81e5dc44787bc35823317b1cfc2606ea748810723554f8292256f22297b2ce058dd4b6a4d013f42d3bd67b848c0b271c4b29f610b99249e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bedda1b75c7efcc431ef15593469bb9b

SHA1
8c2e6bafdd64934dbf4c14bbd93733d02b8e647c

SHA256
31b01080d3d0dfedf3929f85d7b731aed67943992af4e7aa9c3f08f0876a638d

SHA512
592081d79a86abcc670d2a34ea79644a7fefdefe37b6161e1903d8248f3535bceffbd290d3f4e8b5c1a63cad9c15bc93b8d44c2f1f1a352e521c5e86eaf4628b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
7aec33bf11e8b0189f99a932f1d30ba2

SHA1
353b00c5d0e5a33a659342edf1dc7eceb42fe62d

SHA256
cbdd6903aa18b1e7402253d4567986a174238dd19073973941a3ae9ebec4ba62

SHA512
3e77bf7b38ee5696bdede949a814d345185c5b16b37f81e805c02d8744eab1202bb2f54689790e7fe1a35e966b5a4754685225db1cafbb83ee54d941c0cd3f16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8166e461e837345e4c29866673da40cf

SHA1
937038bae44b41bf286f668a67ff0344a6ef1002

SHA256
6d236fdb8f3dac28361dd27426e1f892d15a76fa5821745ef0fed62f119345f7

SHA512
1433f7a797a08e63ec77c9ff19142d0289812a7313f804e71fe8f42228e5be384b20c711cec939626723790905f4a2ca938b4058136542e69b2eb58ceb551978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5e218756db5435cc37bedb564e7c489e

SHA1
91cb38859c51d614407aad3d1f7c94cdac9c964b

SHA256
9ae224268221148f5ff90a260c650a206c6f4adcd6a97910d3fe9e3c2ba376bb

SHA512
1a76d6d8c02f7bceb119e9dff10e4050a84efa2876c017c7e5d01fb06fe44522fa01dbbbee3e45f6d24907348b910ba278405b25a3d625707c8234f941804615

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
d0f91df29be529fd7e97cad71db5622c

SHA1
1be4a1cc167a97cae9f4aa8c3ae2d6aee2403f7d

SHA256
a3d21d7d7ba76fed02e05643432e21bf13ea63b389b8fe75d5be883ddb7c54aa

SHA512
2469090c991b10d4c5512b17e05cda55d513755439666e4ae9c2d13d45248930ee8e2307a279ed366f1b05db344041e966fe40466aa1127b165a110a1005eaed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
92991353a470d1c324466e154ec5d6f3

SHA1
f18609050585c1eb8324fb210676119e2295aa15

SHA256
dd915f1a792e8354d2fb374ae277a5f802b2fcbde905a0b5f6f3af8a56d5abfd

SHA512
253b6b7e0ec6a81490483b953cabe1aad15305bac4b45b77582d813b9e1502ce4023daf923513945b7db941a637123a2bee7232de3a7841cf36ace2e080e3616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
643d776f780174a73464edbe20ca1c58

SHA1
4215b1bd9564e29f13bccd57150459fd77af48b4

SHA256
bbbaa35c0ae9931ecc1896a5ac4d9acb9efdf032b0655479a90c440abe1a1f55

SHA512
2ad95418298412c6d4f58234de62d23ef24a43bf62b2d881df732f4032f64eed9856b70031bd01a15ac11ff96b104dbb5434cb07ebb31bb0a8a70355902ba299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8fbb3d081c2123ff99eab07277e9063e

SHA1
5263a19a7fca6a6a1fa2a621bedf3e696415ce88

SHA256
370d42afc99212f54d879c92586d5e1d68001940fce409885bfcbdc12c08687c

SHA512
907e345fbfd9d486ba891e47bb5d4175df7cd488825e787670d9577eb27e5f146f5cfef0924dfc03c85ec34ca2c57172b830ea915ba7e3d6a434a1b225a8d392

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
ed07f425595bf342655b13826b94a311

SHA1
b00dac5a5b169384dae5dc78905f9ec9402d9750

SHA256
c3fa85d072a5a61504c8660a35082646f00d8aa4cd062c1c4e3b9a44d8b6b08c

SHA512
e36af1e91ff4dac42f06121ee3db3dbf1d558ffa9e71a524c3c8e891851030cffc903262f1df38d407d5552d3fff072c3748994eae3a713ce692419b568f6711

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
efdb7e10fe5f0ba8ad94fa19cc245cb6

SHA1
3d71b39e802ba6b6b8d8a6dece67908765bea517

SHA256
c44b91973d42c6076dbe35b5db044cb0fa9afc3930691d2dc2cd8d6139f4b6b7

SHA512
520335b44ddff36c9bc9daca6371cfb8fb1eb174ecef8be54b095ae35c6d81ea4aff3d4d2e902e2616038504ab256538ed9da300aa9bf27109feaaa3c880e097

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9cf0326fdeda5864c24a3ba08b2fcc0d

SHA1
7323e87a4333f8c9a595ec2901e74f108e0f98d1

SHA256
e981b12356e98cf6da419b6b2be9df38b86c4e6223fb6ecf340d46490d17ab47

SHA512
642fddfb04044b4a68446edeb700547778e14524348b01af7e282cde10f0bc1ef766b43675df45be3b77ee9fd2b9723f54d42e4dbffd376914a7e28bdfc9bca9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
4b1d07d59a286da67dcd6a42b166382d

SHA1
fa847fa7573188d81a091a9f9fe5ee8dd4328ecd

SHA256
f848dced2aba075358c9f2c6aa83d61c4a60a1ee2497f98f2772d2f2d559b01f

SHA512
bf990a823ab01e8fd3286eb27b96711c46f4bcc6d9701655ccd0498531bdc4dc8bacacd8681abc12500ee0a1da36eccecbfc1c6d8931ef3a520fb85f4e174c7d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3fd9606e775f18d48c67c5308689dddf

SHA1
1a9366b9ec8d3fc344d43ac2eaed9af81a691400

SHA256
48119e5107e1bae87e207cce5bbeb4aaef392f351944a6de7906116cb8d3bca9

SHA512
0e811d3598f3809e87b5be27fe04d685d6f278e0b396664d4622c618dcd265ed9c5d2b609a2dc9cdacd385b51828bff1e534e0fa7e796abb2f68934db1494c32

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4a0af17573bcc6e9b94a94a757858e1e

SHA1
2be14cd18ada653da13854a31f09d8256e21e4bf

SHA256
33de3c5f95ecd6b311e32899700cec546568263e309b5a4d7d0b8cfeacf1d3f3

SHA512
7e25aacff807b02d5d0fafad4b6069b44cdc34009a7cf944d2809204dd5526f80743041ad891c2691491febb59a731484fc444cdc961819f9bd71858e93ae728

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d64a451b54126b1d19de5ba698956099

SHA1
bf5cb0068560c89d737a60a3ae6b6535f7e903ee

SHA256
6283392bed51df77c6ac5532756d54fe5ab4cabc6164548a4ccc8abe55bfd791

SHA512
e5f9db0e42383beb0de5f36ac33a90b341c6ece4cb60e8f43420777461cbbc2cf769a90aa0f52a06f9bc6432407330c07e7169f4fd6dc5a14c0e31612297fa74

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
33092566747d80857edaa40635f302a4

SHA1
8aaa7a19fd1c1945207b9123f6bdc65388557c40

SHA256
98643b73513c4a1df79ac15b3a30ff619357e32fa8c4f58126238ec3089dbdd5

SHA512
7c5ce40206510a5e6fba711c9b70a13f6536e554cd92c2f3bfcc3e2eecf1dd94a585fb41bdd3411bebc143757256e47741bb02aec6a03135b6a042071967efd7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5c455733cd27d4cf3d1f775b7b1c261c

SHA1
9b41bcc3e6e0ae699398e7c6f18aca6ec2ba5022

SHA256
3dffc8c43444c6e940e5e06621047c03b52e29ed3746a96412cfbcf3e7055224

SHA512
43bc210ed531dacc97cf86e2b708dea7d42b356d21d2a7ee98495b4693e4e463fde54ea5e40957aa0e246c1392877468084f77fecf9dcaebc7df61c6832240ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d0851f0f9d703f74cd1ce7493e5d70ae

SHA1
4bbe0bb44f6efa4d0ce85ad5d4050cc0beddf7f3

SHA256
6cd3fac26ed4d9310b04636b83b1bcb54e165d124fb51bc9f216e7fe3a5bba4d

SHA512
c052087cf93cac5da1742381e477412da9c2726b00e50c89fc53603f5400f02329c81f78848a24ff2eb32d23c423ca27ffaa690b38e39b65c1f367a18e6c5a2f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
76e7fb00cd0720fae3ac35ba085060e0

SHA1
3f64d710e4eef55fc0d47559d7ceb169d1e6edef

SHA256
66091bdfe666d1615e8bb4019d9a76ffe7b4b7710dd765396b970251d266a386

SHA512
faf10e0d3245b0ec2264b26d632bca8b03c1750a36c00516bfa208c88d525d9467ff29f8873d24d2e3c9b2a93ee8ac09de3164ce437f8cdbf32064d28f0b3c20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
885e8bdd07af6f1f3112b1bf5818094b

SHA1
af20a61f3cdbad5dcc39a88ce130fe2ab1c5f61a

SHA256
bb391a8ee371f4944fb20b0ac922d65cb44e8ec34adf7b8ab2cbb782bf6bed34

SHA512
9b32c2505ec036b7b0cd19ab8440c0511b2e5776c2e1ffa68254b7b8dce2b4e25896ac4dde194857b9317be0203fd68ddb1f1f0fc805297b5ea1311afa9e0078

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
50309e122caf40800be0d5b3c709916f

SHA1
8716308ab487491ddbda951ace9623d45b3771bf

SHA256
feed787ac7f2035ef442940d98bd2861f0c6771dd47d0573b52dd307d0939355

SHA512
e1d19e5f0ea34000a1a7ed4b741df8c9126bfc5159d07a6ca9e87fd5b1f60cab7ba6ee5e19c827e54f39b9a077346ba46ed7eb05b591b596f36dc86fddc72ede

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
578f8dd725b0bdb5714f9945332e3384

SHA1
443a1f364559583c9b415301507e00a83a4e9dbf

SHA256
9f49088fa7e92530863f5fe15de43718bbf9429db18a177caed11a4c41fcff34

SHA512
ffadbb73ef36e9a5787a538c554d7cd578a4da65735f06e1e20c78c28767da8dfa749f4033788c693d3c491f33b613dfe2739ff6a2cd4d9eee1f113c0274380e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
55db724acad635356e1df38705fc9e68

SHA1
9d0b78ce22d2b066725ad51eb31c102c4d95ec95

SHA256
01052cb00aca096615037fdb01e91a6d56cc3fc767312cd8e672f77a589aa0b3

SHA512
a2cc04fd37deb0f80a94082f019951107acc4f0b624197b70142dee34782007da6b90ecb11f000b50c422f7b092ac90f8796232ed4631e9ed0776c1c40002838

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8ccc068f759505f79ee44109787ff0c

SHA1
118e80eb1f2ada688db5b609f664d0493924e646

SHA256
f1ac0f4c82e771d1668fce31a52bdc7cee6ea7a5fd07c9aa1484ad7bfcf10639

SHA512
39a9a21fa7e398d89a757b25458cbef5ee216bc8a0e034810c8c55cde96a285e6f7970f384569036c6a84f543a922b45bff1befaa31ef55575768225f65d1493

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fd65fc093599f3b4b08cf517051cc98f

SHA1
a5566f92d8e507c7aaaee35f9679df01d5cd1cef

SHA256
544197e9c5a72812082a07144028e0cfc39950df2db2a924bf6f99186b352dfb

SHA512
3654dfa8bf88d3469497bf4cd1d6cacf5eec829af22c471c1e22ff82f3aa11c19d797147b3e22483dacbabce78d149fb217c7e351f8cab2bdde158ad8c2ac11b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f1702f020710cfabff8376d2c3a3686c

SHA1
883317ca7e8135a7b9da7ffc5291933a97ea00e6

SHA256
87a4125d7015727734542d944eabf0c7c0738b8efef9555b8cfcc456c60da63f

SHA512
818d4316b3d3eff75bd7c6575f2c756eafc1f2c9178bc97b414ecfe2b3be6d963e87d4175ce3875b130b098a11b79bcb2079c7a5d9f9bd28b9bf424057c7fda6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4cab42837592c6e3e992b5b2daf00672

SHA1
e1f134415b0edbd5975e845482ac7b93ea9886f4

SHA256
6b9581eb7338ec833add44ceaf40604abb68a87839c2a5976449e12c045a7359

SHA512
581e8fed5dd125bf7d5b3a6c2a2580fbc1741a089fbef4106f0a7cd4745fab2978d8ffab0bbc109402e18a55f35c21e6876c25a8e1ced5deba9c4964feb6354b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
00f089d81d43fb71ad28aa1103c0c16c

SHA1
21538cd782bcfe74fcf7a1144cf63318900a764e

SHA256
29119292f0783ed926252133cb4d8c3af38d711ab579ee7211499cd971ded157

SHA512
565a7fd7fdcf9a29143ca04ff7cdc5dfbc1883500db2b6ecdfd3309f435972bcb62bd8bf49c769a7a79af113728e1a3a5c8b278d52a1198f27e0d4b0b94cc236

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a08542f5911f7d64378923fb9c471809

SHA1
d6aee63228122986758ae26ef2985475b3b9b115

SHA256
2d3b4dd57da8a902afa5dfc2b5c8a1bc8cd99369170638d56f55c03c9f7e649b

SHA512
1d66b8d22053daab8062a3693f0ba3251096735852b7cfea3044e8d4a8e25041e5e3d4b6e92205d2df8006593236463f6ac0dcdebd7f9a2eb59ddb2f16fb5068

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fff384b5a1daeb7cb3eacdee6d19aee2

SHA1
e488afac5c6b39547259c0477f0aa71e4d6bf780

SHA256
502f6e3364221bf4a0e0be3f18ff3f2bb36d9a56660e0e28bbf9d3a8f4bc4adb

SHA512
10cfa6afd4abb693060008bf86074dd5df8b8d38e8976e9deea9e9ddd7fc458e6d0899acb59cf9aa2bff9ebe0de2dc94af113cdbeaa68ae6558d0d394370e7c9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0dee71737b9f7c85078cd0116a74c9ff

SHA1
d44c0f0755bcfaa6b85c1426fd8b9d5995052b6b

SHA256
24aa2c15549f6cca33e9f0b6b54367ebaed098a04a529293e4dcfedf319d3e56

SHA512
19e9ebc2a2d40a9e0f87e1493f57e8a419c78d8ad663bec0bed4544b10e7d567cd2fca9b707ad22d573259c48369909ff82c185db65ae8eaf71290e600763ee8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a692a38ed8dd2fcce7d444912e4f8be8

SHA1
7c4a3d37da75d6af08318d22ff4022620702511c

SHA256
5b3159b3e56b3007eeef93f780cbb49de75b0b1b57092c36f14402fb301f48df

SHA512
2e63ffb640a093519827d5d75be58b3bff9b477bcb8f25b57401ee7db47d41aa8ade524ac20118666f950d7ba602bbb167d9d8262448c81c2b8d165a5892fad5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
b5db5c5f9498dd8b22f251ae6e159577

SHA1
2d3db8ed3abb06ee9974c916cd6ec643486a4eb9

SHA256
3e8af34abfc5ccb4d11a5b181973af57d0aba5d6f14c3d506863f9d2caf41dba

SHA512
fb241ecd72aede07baec24ffa18000746422578e3ff60fb9e7a365a4c3b85ce8fdf9431bf0ec285c076c6af207f351a63587ee817658e5f9ab900dcc797a2e03

Download Submit
memory/1540-102-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1540-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1560-149-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1560-384-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2204-17-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2204-113-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2204-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2204-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2296-114-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2296-190-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2380-191-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2380-481-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2532-247-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2532-123-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2688-104-0x0000000000930000-0x0000000000996000-memory.dmp

Filesize
408KB

Download
memory/2688-109-0x0000000000930000-0x0000000000996000-memory.dmp

Filesize
408KB

Download
memory/2688-186-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2688-103-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2768-161-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2768-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2844-159-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2844-404-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2856-183-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2856-478-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2872-70-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2872-64-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2872-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2872-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2872-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3132-196-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3132-482-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3136-456-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3136-179-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3308-499-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3308-2-0x0000000000CE0000-0x0000000000D46000-memory.dmp

Filesize
408KB

Download
memory/3308-89-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/3308-8-0x0000000000CE0000-0x0000000000D46000-memory.dmp

Filesize
408KB

Download
memory/3308-83-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3308-0-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/3308-118-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/3308-55-0x0000000002E30000-0x0000000002E44000-memory.dmp

Filesize
80KB

Download
memory/3308-116-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/3308-139-0x0000000006440000-0x0000000006490000-memory.dmp

Filesize
320KB

Download
memory/3560-187-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3560-479-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3844-162-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3844-164-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4064-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-480-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4100-134-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4100-32-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4100-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4100-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4288-135-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4288-309-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-178-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4536-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4536-81-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4536-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4668-92-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4668-91-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4668-98-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4668-182-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4828-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5108-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5108-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download