76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Size

1.6MB
MD5

134f063d7cd47ec9ca2af5739d0822ba
SHA1

5ef164a30fc13d7681b809a999f202ce8b4ee411
SHA256

3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb
SHA512

3bd1092da887c23ed2e663cd211a915b19a974ef4b17c368cf90ef781795345ff0827bd7abfeae111a6ffc00d34b7bee5a65d535131b083e855d3c9737618ffc
SSDEEP

24576:6xozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e5LNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2564	alg.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
368	fxssvc.exe
1076	elevation_service.exe
1340	elevation_service.exe
4072	maintenanceservice.exe
3316	msdtc.exe
1932	OSE.EXE
5060	PerceptionSimulationService.exe
5068	perfhost.exe
3612	locator.exe
4532	SensorDataService.exe
2244	snmptrap.exe
4776	spectrum.exe
3156	ssh-agent.exe
3772	TieringEngineService.exe
1412	AgentService.exe
4112	vds.exe
1776	vssvc.exe
1252	wbengine.exe
4324	WmiApSrv.exe
4116	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	iplogger.org
54	iplogger.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\alg.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\vds.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\locator.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3eec61b7db05c3ba.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\chrome_installer.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\javaw.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003299eda46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059d6c9a46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001886f9a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d56e7a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71d73a56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046c2d5a46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b073c7a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe
4176	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeAuditPrivilege	368	fxssvc.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeRestorePrivilege	3772	TieringEngineService.exe
Token: SeManageVolumePrivilege	3772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1412	AgentService.exe
Token: SeBackupPrivilege	1776	vssvc.exe
Token: SeRestorePrivilege	1776	vssvc.exe
Token: SeAuditPrivilege	1776	vssvc.exe
Token: SeBackupPrivilege	1252	wbengine.exe
Token: SeRestorePrivilege	1252	wbengine.exe
Token: SeSecurityPrivilege	1252	wbengine.exe
Token: 33	4116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1648	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	4176	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4348	4116	SearchIndexer.exe	109
PID 4116 wrote to memory of 4348	4116	SearchIndexer.exe	109
PID 4116 wrote to memory of 944	4116	SearchIndexer.exe	110
PID 4116 wrote to memory of 944	4116	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
"C:\Users\Admin\AppData\Local\Temp\3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2360

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6174d9fa21b648f378bdaaea797a45c5

SHA1
36ac578c0984507a6c10ba38e58d7cc0dcee6486

SHA256
3ea30a47a75913a6413f1d642a5e7b85ef2baa4a61dc145afe2f42dd3986df2d

SHA512
50a7c57a9fdb0be77e7b578f7a4b63de647db52f7b57e171f3b9984a38b426bab14555aefe983ead63e3e743a706224710aac9cf9e084b11ab22110e0f9f7882

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a0f5185d51eedeb599bc5610c0708300

SHA1
5b1749a469cdebbbb98828060c83dfd30d80b6de

SHA256
ebea4228fd975f67461de3f6108257386d2d08e947d7e11d540b7869ea65a3a6

SHA512
61d230cdbfd29cac7814f9c24f63924ce6fa3df37306f7a5c94d1f56bb557619449497e0d7375ceff012e7e86a34905ae819fdf9a8c20769ce45f151652318c8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
f95f6931647cd529c70c5aad300e702a

SHA1
5cc0eab490a7ea6195f810ef77856a04125fbc6e

SHA256
da076d0b2b2976c5759c76bbe01a924fb2809443a1d7cac3e6f6e1a8bd35c415

SHA512
dd84ebd03ada58d5a27f6b38bbf76da998974d39f8c5a2e58c02859d44ab23da6f682a2c82256ba3b01d2221fdd8f7554b4f954db92aba768137897371b4d2bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e2512c30568f10b447a696adb2e19dfb

SHA1
89590eac6803ae5a994dbb8a0b0470be72604734

SHA256
09e65925126a7d7cd543513912425e5d6fb896f20f491c18355e4ac86c89ea1f

SHA512
71242e2f585ffe7803fc2c362580c0edceaa58a33ab43fb20a013018ee924bd67a73ac37d6ee77eba091ec4ef2a0ef606264ba9f0d7d917674779c1bf541ed52

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2197a73970ec1c49add7ca4e6ebe6562

SHA1
690d4fc5942027a428923d99ca800bcda6fdd6eb

SHA256
2160589650c9b7fd9159dea2a2a033041f8a6faccf2484404d1d806a1c803435

SHA512
f0c6f5c2ee1553cc62d84bed293bc7235d1171b0b4914b7f9320e52631cb4271d40ddf0fd6a1209e355121abe13d64e6c268359ed1677a7950a4d11f4b206269

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fa15024f346d7602c08fe109e0ffda14

SHA1
720bdffe1bdbcd3b416d67affb29186a42612140

SHA256
3efe335342d67bb915cb83609326fb881222b8212173f680c5a19f79dcf5eaff

SHA512
60f3c46fdc314fd414c686c92bfecf5158bf7bebd96ffa706c2083d37abe528c8f96c660565a2475777482cf39dca04802e37d53a30f0fc8da9f8ca75a0c04dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
d63823e86761b0323db950aaa3735d33

SHA1
25eca07f6a849fabbf04384eb23f8d30a00cf258

SHA256
b8985cd3f9afa31c3bf2ee73276f2e4c38d96417902a18f6dbecbd752a2a8aab

SHA512
768bae4d4b419ba44737b5d33e87a2a7ce63fe07e290bd5a18df6bb2c61f4d3967c2231bbe7cbecd52aee1d5cb9f12b5237ce373442ee787706c6f19af7d107d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
546b1e4c6476d152eba1b508e1825c0e

SHA1
aaf99bdf461e21d9d786c6931afdca7927700963

SHA256
76a4b8754237b8c88d9264b72c1e266f833b1a7e747381e91450b8041913c77f

SHA512
ae33d7b26bbf9232d19af95cc537c6614e029d2ea63c77b757c51d25ef4d6d4efabe5135ba4ca1bb6b81afeb6b2bbae5923174c48dd213263a7b05a0e552e558

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
4728612d39fd8569c74dce95e43dc570

SHA1
fb79efeb8f3edf064d5eb229164562f62e4b0804

SHA256
89b0ee9d417081823f53409f4309fa3b7a1acb7a4f96e0350f1290700c50a31c

SHA512
72f8ea9f0d69804aba256b6d59e531269f0de6f3273d9279e78cec344446b17736ecb127bfa8a3fe19b427734d1dd56afe64f51a17bae633c2309db6a587982f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
89b97d39d8d667f6a604b1c75564de3c

SHA1
9a7c7c23d63ffa25924cbb089042d2c0e5947e0b

SHA256
fd51f286062996d2fdef15b26583ce7bf761c0462a75b2e97cf96dc4c045c6d5

SHA512
e142e5ff031880a694e78ff1a1816b8784e362d97ff1188bd6c2dbaea410f1007bcad464153bbc1aa711db98fa050bf3ee310a48503b16562da2ffa82585c785

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2e5bc9f58753d369c727cb864818bc62

SHA1
ff31cf68f68bebacec6b1933ac309b1ea8a486e2

SHA256
c62d992d1c2edbe8e4ce22fc2db3918da6be96c9ffa46a90fb2756e6dc3d532b

SHA512
68c65c725f8f2ed516bc16ea7d9b6dfb46a29c842269c2256b1242d248b23de86141acd241959724f2ec0e717a836842ed7f73ac80b8925b0c592aa2d64288ec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bb23953a33241c0ca9d3e8fc4ab3f621

SHA1
650f563fc2ad999927dcee83e92d1248a0577997

SHA256
ff6ceb7c6ee05f3e4cb6b45e36b589622c9a7bf6ba5aeef7c351f34dd0d84d31

SHA512
922ca487b5c71cc3162282bf06be8363e0ee820569dd102baf39b2827345e253070944100328581c0fe69dee520fd4dec6b71c8fd8b5af3319defc9f582fd5f9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
d1f6407de717d50cdd009d948d3305ad

SHA1
29afc85926f4e0de3e1237d1d17eb824e03d95c5

SHA256
fcf9d76b5452cee2c9f2d536ba64cb6c712738c14b81e99e5a188a2c39c207c5

SHA512
a28c79f0c9766968ed487cc15e4ebdcf0389bf320f8bc4299ca539361d16d42dc7b66f235abb413a4698eb9eda7231cd66c112f2eb1a61a343ad72ced08f6357

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e20d854512202ed2abda3d8eb20581f7

SHA1
2c50442b61f27adb202193c491b84ac1312ab7e4

SHA256
db9ef33ee9b80be3b308ec5b4f7fd335c2008b2c83bd71027ab5a95c14c902e9

SHA512
b3f91d119b0525829ee72fc2838924c6d775c16a99aafac85949825d9085bb835b6202370156d0376cec1b1374e352fab580ba516ee71b0e527fa24cbc8dfa88

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f699d56a98a5095054a17a681200aa9d

SHA1
07a695d22b199b16814f8e4fe5f504de2cd0faa4

SHA256
42497b1be878a0451cde5b4231d72e9d34fe5894ad18a32326c1a84edf1a4327

SHA512
d31e20dcbdbc03f505362d4a0d23c3eebd7af954ab43886b7ed63d7dcefa226950a816b5ab6de69256f56aed094f95e0da80cd2b320481967533db4766b799f1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f12386322e960a03521772dfc84016e5

SHA1
ffba2c85b3f6955c8521f60e36786f7f8a0c45ae

SHA256
c46e9ca5edf1b263afeb212010ef348ba3294a045a889278d19b5e1efaa90f71

SHA512
d0797107e943a2deed77daad8e9e11caf43790b28c70b31b0d218659b1eb36e14de50c3c3b4e8b3dd28910094485aeb2ebc42a86a624a86618e12f9eaa4b1e95

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bb28b9ceee0a43bbae7e5b215038e93e

SHA1
a1ab19351203d7d892ebfbc69276f5bb4007c2b9

SHA256
be705c31fd8260f58611c7fb4316b8f54e680d4dd78de3807769d628d484b35f

SHA512
3bfdde398b2dce7464f3cf950f02c2f10483a3a40ae1852dfbbf122b48e7c1d0289de8df334588eab89d01415dac04e4a2c764acf32ac93720c5591ce0d9f70f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
27ecdc3805187df395013a9182797c09

SHA1
40e6ec1501914f07460b1e2cfb7d0fbc4a58259c

SHA256
9d77b2d9570b84745645fe0545868545c73e7c2778c090008e379cb04aea723e

SHA512
60fdfeb59d0ddb8fb4f97de906d3d8be4f078313f6f16643ae213fd81913d0617016fe8429b17c19a295cedff3be08e6e972b59432603c39bd4403e4aa7c5a51

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
95ae989b3574623c6022144e5c440cb6

SHA1
8f05574c6afd85e2867d12b0baee94f3f5b26aae

SHA256
464fe533649b33380625e86d916e5b9e124f7bfa79edd6b07186aff33f57c5b1

SHA512
ecdf9126fafd73a1104d0de328d718482c357147a311511355a2a5e4fda320ddb2fb9a3283043533692adcc84c90fb834aa26496cba498b2c867417e27c31b04

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2e65fe3cca323d652a980136f824cf92

SHA1
dca3599a85d7e298c4f67a9cb165cf5702851f5e

SHA256
fd48d04a915a4464eb056fb15f607e5211d56c07a8a2bb1979f18c7e1844e065

SHA512
dc5cf5d6e557333ed25a671de1ca3bbd69eb73f00fbfdd43df82fd70104ea6e311f95a57ab1a1c6d3d8c3f736253fd11399a8f8cab387acc7c96e7049fd851d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d9e1f4b01e1e3aae38a94cea9364381a

SHA1
d2e07a96be7e7823d2863a6cc361b3f8b8c804ad

SHA256
b6c957be2d8414db7aa9199ce2a45e4bb4ca84f4053437f48df2bce706ea890f

SHA512
ac879dcfff6237e1e8f69ced97398e3b54089e04c946903f30f9d52e66dc6e0912a96e43bb7cac9e21327bc6597ca16ed89c275c494f27106d7d2c6f3255e042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8b51964effa9b02f232b5e22db79e6ca

SHA1
aceb63295274a0d8a9061d29b5a556ef530445d6

SHA256
eba0448f64d8db1b4e70debf51e279e30d0448f08feb4f1db200b0545d89c8bf

SHA512
0d7f67606cabcf0f924baa011c98d143d028dc27147973626440b2c8fbf67344b7591f4c51b5144a6ea5bc589128ca153474a98165742d0b709a8d1ac9e82f7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9c809b20eef5d77bb33153bb435baee0

SHA1
78784d44bb840fcc1fec0cfa3fae8dabd9b00e3d

SHA256
78278f01ad675e4e8a60016b2bb7b2a6f6d28e1f9f50bf5c61c8a24c704d9ac3

SHA512
7edd2cb79693be9068f7bb7eaa83c1e8b84cda673c32b14f6bd8281565843b7851021a74fa2031fd686d871548046a8f7a9d09a6d032ee44e0c17598f5745172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
c3df890158cf24611ea53fc736b3fe06

SHA1
a4e98f8d99cfdeafc9034f43c8271d8071a0a6be

SHA256
1934ba558b3a1dfe081cef097d5c86bbde36a94be7e4424893c50eb9ce0f848a

SHA512
dd821ef9d4f65915a138f5d3faf203a229f221cb6cdebc4e5b05ab3315cc1875b1d06aaf70818aefd294c51b48afb4b07ff5e0e5cff449bda3886e4b1c8a4ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3ad70afb4b45c770675a98488e349cdf

SHA1
527b0abb954b36dbcfb03f6f7d2b5fdd40f19e96

SHA256
145c252b3964bed6d6cd99ac0a1a077b4bea2110160c8e2db600caced0ac35dc

SHA512
1f522557d911a59f6382afa8ee2d67f5ae5d4cad4034d6d11f3919067cce53efa9b0cd8e787898b0a773f43ae5494bd4698de6afe6300afc7ea8a38cd5ab0422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9229a6d3174a0b37a954bddab63022db

SHA1
d1b849a2911b6b96aa564ed7cf32046e8f650a22

SHA256
2af79794bcce7dac2a34f6db48b6d4a692c9d88e4d94e3858ff4f5dec721bb33

SHA512
58f36506a5a21b6b28227ad20fc79eb588e223aa942bab6817e4e35ba6276035e9efb6df2a4c722602319db5ebd885c5d62bdf69f41df5fb9921e24c6e067266

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c247598352cf1b4239f379b7bbce1729

SHA1
909ac9706e48e79c4a04dfc1134650b20ca8619d

SHA256
d5d8723718a20c22de212ac514ad2b6dd745f74f703674bda9df187cb3930beb

SHA512
502b08819f2d1e81f6d383cbed122716e76656a4ca453b5a0e3b1073b1fca4988b48f3abe7a20e2f8b89405417c8d2df4f9bc81358cf5b6d8ac99c7e2a2e6419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ce0a3df6b776da53307d0e20e957d55d

SHA1
8f22479ec67f9a1f522b9a17537ea741c7d31671

SHA256
f1dc4cddd93687b20d8d8fc2d3cb8d68a429aadcc99120e8d44fca5eadd589fb

SHA512
f73de5ffe0c54215cb4ae1349937d986c274edba169cf126e262e1ea7fec376ff533a4c1d7aae24b402d8c47aef160370bde8a2595edb3f316ee83a1e5196a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
243f5aea3ffddd4a95b056c4b8e89a40

SHA1
483e1365f0e995639904dba74cadc2df53633dfe

SHA256
4232199a8b477647b09c199d13724021c5900b3d09fd1cc8cd69c59402541cab

SHA512
687f59046d0c4cbe9c5718ecf9f3717baf63524a6782bf3be772aa5fe50bba6253133bd937e2189101839051c0d5192c70d0f4274ca901618c69eb8d9b2d354a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
04b7590e93a4dcaf795c6ad7edf277d0

SHA1
11489621958edf7624855a0df20777d118758fb5

SHA256
c02d246fa6170162c8afb4c0d23a4008331d4e80d6e433fb635b18e5642b5927

SHA512
4dcebdc7eacf8d28b39c7b9f6edac06faaa984084d8eaddaac5aeec1bf2d7f6b8cb9292f4a329d9ffa21500263f607dd9d2a5afa1d1189b5fad0a1ab4bcb5510

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
3fa361982e6dfd5e7f67a002b87d666a

SHA1
fcdba9675cc440d65603793be6b2028af54b505d

SHA256
868e6925ad38472d86d6b1709913698aeb4d77a98d15f76b942ba18b73715fcb

SHA512
69bd5d71705278f4dce7135023a4588341dc6ac770e71f831f8ecddb3fb3ddc60fd9b74e704546eef15a6349d84b6376f3f784ee69d53b7ef969bff27e9da21b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
da9a6783e736202fcf99e35034978827

SHA1
8f73be577224b7d35be98c61f4a30d96e896f14b

SHA256
e881ee269038af0c467b8972761f1dbb33db846b9c322437a69899059868e154

SHA512
578c1edd5564f9ffcc14fae242071dba8554b32eb3f5335d7115606dda45c52bd31088998e735293d7d9e0e93435f217218f712141a4f411cafd856d80121280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7450d74331597fbd4c3121752544e122

SHA1
dacf561ae26471baebcbe683cee36a6d1260040f

SHA256
4e0f90772ff3436d566988a322bff072b786f4fbe8f3948f5a221766af6d69eb

SHA512
3603f6543f04d3139e51ec94ade5f750b43ffb2264554115c8adf9835399a9afb2d979617411ad6724075865cdd81f749a8e3b4d18422b7685585307bd2260d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
46e137782473ddcaed78867adbff7dbb

SHA1
0f16dbd24c2eb280517b70bd99278bc061cc3dc7

SHA256
cff0cc8261b4c7b7575f890bb3851537a7e178ab3a2528da498e387cf6631694

SHA512
242368a0f3cabaa06d550e35f2a6c79a48a26d6f182cbae3145571373f6392c39edaa680e7a01abea1033ace0f859038020fa040b859e7704d563b39aef5ce05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
0fff6dea3b0fced835ff47fa0ecbf333

SHA1
c649563b17d1824d10b90138e5c3193e481b2a33

SHA256
85b06b37925ee07f70eaf1c3d58eb9cc0a1af5798debb66975bd9a5be49e4644

SHA512
aa80baf3afda32b5103dbe504b54efda7f71abbecdbedf340d84dcfd4ef35fb846408118487e994e92178eec5ebb4a0b57abea653e183a3c035957c87445fb3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
8dbb477662b932f96a64275357b4d91e

SHA1
d4405611096b27eb3fb098f6ae0f11e3f31f3470

SHA256
5d9d06080d4f42029b97b48dd30f92663fcc4bc267f3ac1ad0c4709f8b513b30

SHA512
09895fb611d33efc4a569e3ec48e298cc80b20f4b84014aa644b3940dc9243ad5e47bc825c40728f9a3e35c013d9152ce0a9c36e5e87c2003c85645cb49faaff

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
58db811d36098e339e2f8e207c4c940c

SHA1
49d9c5b23c546af5086b7116c3b4620ecfad1c16

SHA256
6a9709f5ee61ea44aad6b3036927711974fa72a4a048d78fe3aea9ae4f71a775

SHA512
96fa39a1435b840f813b434766c7b30eb08047efc05162c6f59d3182fa21c9f1170be3f40d90bf40a7d666ecb1d7922c51293711aa7eba71588eb88a3c07f1b6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
79c9ee4f7d54ff7bfa412bda7105efb2

SHA1
b776eeee179e4cd27c88cf5699bcb9dc023d1e9c

SHA256
0b904fe71185cc45be7e98bd68bf6e870551c517cbbca9eda0c96a5f4f8ba261

SHA512
ebf69b49e3d7e988a484885745ecd262b6336f9a1cef9b80eaa81d0af150d2bdf5bff1511a8ba188745e672a3c4c407fbec662684ae1a481bdb4ff4ece8a9f8c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
aee2a36170c6c7f7af8c78e7ecaa2a9f

SHA1
4856a8fcfb8039d3cea45e334b045e78ef3373d3

SHA256
a55d6865e9569f7ee2ef5249e4e1621a367c3a6914c68909b0f55721a2983bea

SHA512
e28861232c11a6c363b4215d5328f1ecbe53ac867f37d968869dff6ec692086cc987a09e1b938813af3959db497b0c12804aa80a6de5703c3fe085401ea65785

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7821d32cc66e48f3765603bf96db12ff

SHA1
9fac187545511c49787bab75c356a3f283ecfbaa

SHA256
354cb55584de6b295d44c00f61e464ae208bd5220c696f880e51f1e214d2d294

SHA512
2e6b1ef75f2e69e522ad4c23eede9ae7d533fb1647dc598380aa5d1b4a141de36b97158d310216808bab2cf4ae1d4b46c15541241dd1c729f59ab0eb91f43166

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9d18ba767d2e7a7bdc58728d54dc9520

SHA1
2394d9c54f95598d5c285fdb29dd0719e1019dd5

SHA256
9277d645d457139127d1761d873ca6af32a49672de9637590a6d953e8632ab5a

SHA512
5f12d7ae0d3a6541d9846547130b0cb109abb4ad61ae044ad6d49acd60e81a9bbf91361c4f336be3e0ec19be9cb7657e92fd1354660c30d39e24b69214a2e5d7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d09f46059332704636939b61df0da99

SHA1
510cf14134b9ee45cbcf337bb1702ca9272e3531

SHA256
6fbfbb235fdc48ac4163ffd07cca410b68192330d56cc4118e6f421e3b56ed13

SHA512
7633f74daaebb37a2fb65316b601bc9ab876abcf29988be6f4f77aded361f13e790701d8e1ce4d5ff7b1aa5b53bcad784eab466e63ffb8e7c8613a8aec5c1228

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e42849808f3389ed2f781a8cbb6e22a2

SHA1
fdb1fc7f6f78e8c252c5f27e3435b3875eb0d0c0

SHA256
9aa7378961efcbf815d512a845aa492acce143487cda2cfcd1f683db7a88e7d6

SHA512
67790a3cd04b3a088e4d2134446cf1722d8adb78cf65e21d3dd1d93e9cccd5badcb9af2cac654e59a6819ba0e3ec2e09885c860f2f2bf07ad1de1b767358ca1d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
64cd766d97150464b267dd467696d1d6

SHA1
84ec4b9245aea0f1816d996b85a3cc0c765b2387

SHA256
6e59818c5a36b7bb36089843bb3fe992a1097918b698a12ece61a3892895d7e5

SHA512
7475311819be6b23f569188d477ba292701c1a5f6a78581f32b042825d6ea4ee0002d7c6cd695e8481c247ac2044b8994dd28543045fc6d593a4e5ee4ca8635b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3aa9fc45f942eeaead476d80fcb04f44

SHA1
33885668888c772a6350f17692a77b277a1d30db

SHA256
1c3522c376fddf80d702987d22552db87a190c467bd91ea89752216fc30adbfd

SHA512
2ed46118cba63b027417242fedd800943620028b57c6e706de6343ecf668db58012a5793a92b568fe81df0c4edfe726f6a08ad2a0ca541d4f45ffa9b6c339114

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
af758912aabd4f0efbd0eb03b9879427

SHA1
9160ea4d243c28a6ea7ce1a59fc269a6e0b92fb1

SHA256
95b400ca9dbd8d7da0845b388c3a29205423e876359004f21224e74fddd4db40

SHA512
0af12ce4650c3646ded1f2cc7df6d5fd06e4038c9438b77932771b3b1a04dc51e1714613d352a9c11dd34e1c78165fdd16ef32eb5071e5527ae7f46ce3e8caf4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a46148542337680097580c0883a9473

SHA1
ef31073ca58ede83046adf6c3c6c401cbd76722a

SHA256
626a465f1946009bae45b8e97a88d25e01b2e5605998df949314849c493f5f6d

SHA512
f6401372c5d2be5ae099fe4648d52e51ee261f1843160157c1c29591a9459c2cd0aade848f1e46c35245c869ea40707cd04c379ebb0f7ee5ee89b4bb8ea44fa5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8474705966e581e6e082248a8430bf88

SHA1
b45e847617ea1ad92908ac42c3f36ef79be4d29a

SHA256
ab60da46a1d1a64d5876770ea7a50a9f851ddffc43f8703d83a5368f52483525

SHA512
e998e66bddaa98b7dd0ee6a7a6eb35cf8c36b3d48520eaf359483cfb5f3cfdce10194cfab5c3f842182e994efd56a66f9823f0bbc3cad37f170658464ea2cf89

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6fc15d8f439b6f6d3fc5b618b1943c59

SHA1
d0b6add72e6637972a37861e907586b69b0f0945

SHA256
06a85442c139e608bc8c67d245ac0453c9f5276e8ed9d3f21d591c93bf6294f7

SHA512
83dac6f9189c62c7cac18c070d40507e9fc07e2246bfc3bf301d3a74c5ab7dbf31d125000420079e7a9426c8d5bdd61014335bd17acd5bfea1b146ee0131212d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c81956d682949ed7b795ebf8632d7941

SHA1
fbc5764a2349dba6a919fd2c482d5f9dc82ed4d7

SHA256
cb6aaae690ae0585084c71c6c1de8909ac96f2248160d6b51ca0dd3687765a0b

SHA512
7076a0a2ab5ae2741714c4ecd7ce8e3b2b395f2c58a2cff722adfb6e6d33776a4411835168ba25e6b47410bab534fbed3856b9629187bad9747ce954dab285d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4a1044e71184a9ece08d23412d8dda80

SHA1
d4d703b3c2436e342151c1dc658c03ca2f6c7e4f

SHA256
ae1212d376d2d6a6e66de4ebda5579165793f51a6045a454890d79d5d15c1913

SHA512
f69411fab602ce008760d5ae953c2101197d5d4dd55ee9a564df0de311b41c439ddfe7396eedf4e97cb2542f9e7a6b1ab0f44d84b83aa2a8b56185e8ac889cba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
282ed3a94c410db82ca9940f811839b2

SHA1
545b4ff6c9b2222dab8d7fc70cc677385d7cd36b

SHA256
5c19b981d451d62a302059e6612bfe72ff5d2d6a99f9e882c3e92fb94918692a

SHA512
86a76a4060505c925af57d9168ac9e4d33d3c199f367228eaa568f09d4e71c4f7783509de4245009af578c2e4d7af8e18888be85c402f67cf953ecdb613bf87d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
869a97987f93db17630a32aa0a6cef6f

SHA1
fd911cb7f43ee6da4b4dece588ea5991cc3d3ea6

SHA256
c90a651735d40afed307aed75a4705d935d8a1042fc274cc4832fdac7ef4ccc6

SHA512
ad8ad1c0098aba476cbc1ec0bddc7aa9dd9b315cfcfb9440a1e8339121ebf010aeb7bc0a4c9ca937ceff26fc7c932c2b24504562ca312687d88ec350df0907e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
708378ca7fc1a279decf65ba1c7311a2

SHA1
e9612622b16f314965abed393102034dcfb91270

SHA256
8405ea284398e86abfa20f546f62b25b4f50bdd7ec30523d2934af4834b6972b

SHA512
06b7d50b41824d237b3313dd9c962a1841cca7dafe1750c6632d2af25f21deb257facbf92390d1e539d7cfa4448ad29dfa4ec261719c4ac5c1170c9469e3bfa7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3b5bf7760acef4dc344fbcf5db573e79

SHA1
4bb56f9a85653907a85a408226af3929c476245d

SHA256
f47410768bec294497abf7d536d9021c6a4087f2478183cc1334382bcb4506fc

SHA512
d9c91ac625a7e4f6ca0c9e18c6a106e70d1e110cc07ac6611ed90c0dd3cd6b823ee11841e5221ac7a188a0041f61b91fb8a2847177d68f2dbf0d8896e1c8e1ae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3fc4edefe013a8b2d38e3a5b48b69316

SHA1
ce84631eefb8f451c7f1278c319c36c10b7e41c6

SHA256
a21f6d3b018db6a11ed77103d6501deca6380c074405dc6eed274a4c2d0dc53a

SHA512
9f014ef7137df4338e7499bdd8bb2feacd1f9a2d4055f9e3bd530b8c1cb1f18133c2f9133e2903e0f6e5a346cd23ba8e680ba630b8bb41dc508b546ee5a53117

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
731cbcabdabc9acee38105ee9afcbced

SHA1
b35d5fa9e532f9310bc2219fc675b91ca68bd10d

SHA256
a68a28009bab7bfba0941d4f3fd74365d0a9c8d555170495ea4a43e23413c0ed

SHA512
bd7f73c982965b3bb795903697ef82b2813586d792486709e5ce4aced6e2158ac01a5ccc770f7a6575ec43e0025e0575252eb31d65a5aa3f4bd38aab40571622

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6b69a1b8ed009ad71fb1f8e32e62bc0a

SHA1
5ca4ba73ffbcdc0bfa97660dd643b3872a20944a

SHA256
ae13edc9347145e1676f6afb54cd2f4d95d63cf5c4bcd9958b89a89e7342e672

SHA512
8333a2f32d9d307f892fa3af3bf8d6ddff582da0511bde7e00e1865432c7fcf8b380b92c770eb1e07af1efcd2ca82d8c10c8b0d17dadbac7c5791dbd892e4a67

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
cacb1487215e78b3c401b48e7e7bf695

SHA1
15ddbbc6e666d735decf38db3044ef78e951b84b

SHA256
7f5741acb184a4e87145e557d23f70fcd7415496b83b4d72ee908e62d72495cd

SHA512
c83159ce6f5070fc18f0a6fadf3e65e647f233a069251761ebb6608e11812cfe91c0d5c09f2bcaef0afb3db4e101852044e28dead5eeafbdb429f1e8ad4ae504

Download Submit
memory/368-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/368-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1076-132-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1076-39-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1076-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1076-34-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1252-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1252-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1340-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1340-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1340-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1340-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1412-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1412-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1648-99-0x00000000030E0000-0x00000000030F4000-memory.dmp

Filesize
80KB

Download
memory/1648-156-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/1648-553-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1648-2-0x00000000024C0000-0x0000000002526000-memory.dmp

Filesize
408KB

Download
memory/1648-152-0x0000000005FC0000-0x0000000006052000-memory.dmp

Filesize
584KB

Download
memory/1648-0-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1648-168-0x0000000005C30000-0x0000000005C80000-memory.dmp

Filesize
320KB

Download
memory/1648-82-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1648-8-0x00000000024C0000-0x0000000002526000-memory.dmp

Filesize
408KB

Download
memory/1648-122-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/1776-523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1776-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1932-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1932-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1932-80-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1932-159-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2244-272-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2244-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2564-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2564-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3156-404-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3156-146-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3316-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3316-153-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3612-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3612-172-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3772-149-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3772-406-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4072-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4072-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4072-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4072-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4072-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4112-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4112-522-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4116-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4116-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4176-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4176-109-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4176-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4176-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4324-174-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4324-531-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4532-177-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-530-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4776-360-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4776-133-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-97-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5060-163-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5060-95-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5060-89-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5068-107-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/5068-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5068-102-0x0000000000840000-0x00000000008A6000-memory.dmp

Filesize
408KB

Download
memory/5068-167-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download