76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Size

1.3MB
MD5

ad0a9b000501c5fefbf4339122a8c819
SHA1

0ee681e181cba463d7d0567885312df82cd906e5
SHA256

57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20
SHA512

eaa348696ed72eede5b91b61a9120f31887901c6806a530f4157a2370065f1ec4fc87c0f57552806b0042fbc21d36dab31642e1dcfb876a1c05909941cb54d1b
SSDEEP

12288:+cFUPnBfJ4yb+QdIKYKNCJKHZDgdVw8XkLavV2Q9yW+GGYT7S/:+cFUPBfJ4yL/tNCJPXUQrPc

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
232	alg.exe
208	DiagnosticsHub.StandardCollector.Service.exe
2892	fxssvc.exe
4808	elevation_service.exe
1976	elevation_service.exe
2900	maintenanceservice.exe
4860	msdtc.exe
400	OSE.EXE
4316	PerceptionSimulationService.exe
2344	perfhost.exe
2684	locator.exe
3148	SensorDataService.exe
4576	snmptrap.exe
532	spectrum.exe
3824	ssh-agent.exe
2648	TieringEngineService.exe
2820	AgentService.exe
1520	vds.exe
2020	vssvc.exe
3464	wbengine.exe
4376	WmiApSrv.exe
4396	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6103756865f51a6c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\System32\vds.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\AgentService.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\vssvc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\spectrum.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\wbengine.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\System32\msdtc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\locator.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c16a2a56055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c23825a66055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd8633a66055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccc20fa66055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c5f2ca66055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a63eea56055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d4957a66055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ac0f3a76055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d28d4a56055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070d441a66055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe
208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeAuditPrivilege	2892	fxssvc.exe
Token: SeRestorePrivilege	2648	TieringEngineService.exe
Token: SeManageVolumePrivilege	2648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2820	AgentService.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeBackupPrivilege	3464	wbengine.exe
Token: SeRestorePrivilege	3464	wbengine.exe
Token: SeSecurityPrivilege	3464	wbengine.exe
Token: 33	4396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeDebugPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	228	57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
Token: SeDebugPrivilege	208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 2464	4396	SearchIndexer.exe	108
PID 4396 wrote to memory of 2464	4396	SearchIndexer.exe	108
PID 4396 wrote to memory of 2452	4396	SearchIndexer.exe	109
PID 4396 wrote to memory of 2452	4396	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe
"C:\Users\Admin\AppData\Local\Temp\57e2f0d6a6007a3e90b69323108a192f3ca037ad2878547528e76aaeba3f8e20.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1396

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bb9d1ad7e0ed80566e3f81ee437a2e95

SHA1
e4523372e3666b032eaf8f59ca5512e11b057c73

SHA256
9c18c87079c3cd981bce46e0c56287750747756a3b90d3538780cfd61803d0b3

SHA512
c678fb258d739312ce5ca140d25ea90efcb410f896e52e73ba8209b3dd82849edaf5559eb4f65a5eb8ff90afc68939681afb81b4a0b3cfc465f3599eeee923bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
81b0bca2310e623bdcc850bd44bfe2d1

SHA1
7b0e9921a4036fc89b7582add6f124bd07a52b8a

SHA256
bf89d37089e77d82578af483ed1df4c95d7504664f84905f389b69c7b17d66e2

SHA512
e6cbc4a42c48f81b17b46ff870b71d554bd3c0de39cffd78ad6854eabcc34161ba25bb18b81741cd38ea2deb5ee02f372ea5ba8c1f99fd0b6be561d6cb0c9185

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3c7ce02d01e27aa3e25c3133e0649e1c

SHA1
8039d06865cd859e7dcfc54995acd1c65c44672e

SHA256
5e4bb4103801c1fcffc67052ba6252afca9875d23752bfe32071f624d5f470ed

SHA512
1e691789ef45d1fc6989470d8f83cd53883e48c52841fde9e7ce9f984260ff72f5fe76a935f2ca110a0020371b8814cbbcdbf4256e4173fbf9c4e0be8599d5c5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e87077c45f917fb8a60479811b79fde4

SHA1
55ad789519d8bb971d3353b40f7bee7ff64ad901

SHA256
3cf7c9d4a10bdfea33be0953e40cbdf773353a8470d2828aaaf7b48389622bcc

SHA512
487ce6b8a324b261b408be1b0fa6709c526f160e7c2e129b7a8e7a197499d09b5da5aab097d4022da57da68a3ee5e499ecae1e04a0a6b607502ccb8c29d5f07c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a19e1b9d71e8a24aaaeed491f4a042aa

SHA1
4e12b8ef38a4a8dfda879528837b7d2679e6b80c

SHA256
0e8476e4c3fc67184ac36c167cb4c35007c276c2285b4094227de7d6de86f41f

SHA512
0b392c936ce6808dded922c77966864b066a42a55bdff8190bbb04dc63b94df5298337b620befcd6f837ca695cae330d00b5dae7d1fb7347cc88189171a4fd38

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1260f84861427e2166027e5d2b316117

SHA1
036da38f08c91509ec7ef6c58e5fa3641540f8fc

SHA256
60212706f644223287e61ded4b53149a10991bc5f9b2d99122d8182d9e0bdc83

SHA512
0141771759b167fccc46409a3c543e24d21e1de9d94ef279131528aa583cf8fb9036a591b78d27bd91026b5338a2811aa9ceba0d44864abeba4422a6025c21a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ef066a6488b57e815bc7b77cc1427a1f

SHA1
b1b1e5463701904e7902e3a6c0a3ade9ac7c02c2

SHA256
ac8b9a9353e7a916715a54a00a40c05e91f3db88f6d8e47c342a974706d61463

SHA512
78723aac027023ba538808f47374efa660d09cc1ecca415a8e2d917d75dd05bbef746ac71b8cf39bf13ddab3bb9d39464fa658cb2873087c57c408b2c559f545

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
24529a7011b061410a9ebcd0c3b59e70

SHA1
076caa7acdaa4bd77db4b66abc67536e628cfdd5

SHA256
9a78f16f46f9f82ef755c6145724518d3a0d8734abdfebdaa0355b93052045d5

SHA512
4f95c221454bc2cc4fa7461a457a81a649cedbc0c9a06b47ae7a5f210f6e7727b360552ad6f48adea3de31f7b51d6a93a34babef29937fb554938a3c75228259

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f8ef6fce026490e368f58ba7f1d64e57

SHA1
ddf23322bbc885cd2a4dd0b706ce25994bf05e6b

SHA256
249b4b72c823cf5159c9886922ab3e9f10fd8a74033d4eb82f58720992ae84e1

SHA512
0d38a5437313e5830d83998f2eefb4d7b53ebc984a9da7ea487affb24f69a2e89b25e649bf81bc4cec146f1c1f62c9314540e412e86fcd4ba51896121541ccf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1ae218b3b9ac9767cf285ade538ff1d3

SHA1
0ee8ab3b250a4e10be07c4204136e32f2e6846d2

SHA256
2fb9a195b4b70d11731283f3dbb3d279c9457d7edddddaee6dde40352f5e956c

SHA512
1cc3ef82289e16bd2fdce610ae54034b02d69e034078e1dd88dbda8e34689e78e9366a5ea505efc7841c7cd9d99d14a0ca535c9275466c7d0e478dea80d11e8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4e38ffdb73018539b836a365496dc42c

SHA1
2451980b58439f745584f3dfdd2ac7ff32eb4d0d

SHA256
466a3099112ef64537db4ac9addff963061f682d48a825dd3a44e5a3ee663d5e

SHA512
b22b7d5be9865188925c447cfc25eb48ca6eec992f37c4cba7f8a0bb7af6900a3cf651520d25f62b0bc16c64be0647c113f5dd89982c06390f5e8028f12ecfe3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e8fd166b70855cff1ade7c95a62a75ee

SHA1
222047a74b06a5b042899a65ba1648366aa264ef

SHA256
a91fdf229ca1df8cebc3a1c2f48b03570b235759668a5190ce4bfffa903e12f9

SHA512
bf91ee2a7368274f5a10a3f2b4c492665f491b00fe62a314924e687f1c25f743e087864601ea972f2cb3167e6d5d0c89a1bd5faa7b07f53ecc851736f2d7612f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
070f4c366476ecd5035fa55e85a90559

SHA1
cb27613234bf24f1d8a4745319cc8a3c736030c6

SHA256
fad8587d92d997e3641308701e0ad8c96ea543382eeda031da33555bc9dd91c3

SHA512
495293559ba1ac862f8bbde3999e46348494334cf1e836417ec07f98498ecf6731fb4920d099b53a0d86fd96466ba27bca9f758427dabb6466a64e306cc15702

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d4f5832ff34c553c5fb6a095bc6638d5

SHA1
7e02a855cfad9ddfd796ba254e0c27a742843ee6

SHA256
cec340f949dd4c03500e214425933311895c25f49ba2336cd9daa7cd8a66a76b

SHA512
5ed330605a996012d97a940eb1a0e94ced7301630b1203ab595def235fc43e90daafff93d6ef500dd1a0846ecf05aa0c47f4f6b2dd5d54cfff0b0a5a0bfa97ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5ed56fccdea4eb03e1b65e320778f8b9

SHA1
bc586fb676ce35ce3a7d883a7f6429c019f6b681

SHA256
c0b5c6768a2ef4a754c827d757a94ace0b60f299f7c4cf88339b1e355161707d

SHA512
3d92b59076a197415bcdb90fd9ba8d5794b1ecab866df48e493e6346bad56924d0b625119a7e8bba7e21e6e4bd6a1ffcee6b69562fcaa322b89d21fe23698c61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c8c48b79a8e7db5b43a23ea43cd6d8af

SHA1
dae6973d0dffb91dcc4f0c61ba1abe6e0f84dc21

SHA256
05888f0348fc5e270176c24a285b734e7b5386eb4f1d5308ce8fb6ea7ee17973

SHA512
71c99689820a583cd2165424c81e647ffe383f113bd7b99a5df8c8cbafa9712166ff29ca8345fd5ae53cd0810c759fe9f9aa0f738de2efa0e83cb43faddfa66b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f63d8d5bd91b4ff35603896f3c5539da

SHA1
0e393f2c4089680e0cd15dd875491fe371e2fc53

SHA256
a99a36432370d43c628f912bc67cc732b1de5ddf15a8ead9f049b015de4b75a9

SHA512
776029fb7d9dbd000f6d86dbe9c98f87c049d8683a9882deb4e35faf1ce6a07d82631daee7740408fe802b7c473d24ae4201e99f8a863dd46218692718de9201

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1b559b5b46a9e1ba7c3e39791033963b

SHA1
65ba91b20b4dda6e27ece970a824a428385b8528

SHA256
74a4cfb3e83b3400995fe64246c6de958d60ffb468e3eabf75c574b4fa19da6f

SHA512
b5260b12a03bb26f8193c896460928f6b93349deea4f5b189773c2eee2d5d219683b2c4284d3d95caaf96165e455f83381e415f54b29468334993e8362baadbe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2dcf74b8458df242fa4805807d084be7

SHA1
dbef4330cc312b0cb078d0b37f6479656e4f4f1a

SHA256
7430bd408f7a6e5fce74b39d5a5d19a858773c96ad3d55c391d002c9d3ce0be5

SHA512
81c036fe8599aeb9ea09af31a65a1115f732861419752482909776794fe40f8e9307bb742a1f32205aa8e383091446c139fa0fbb4901ad515e04ccc6b097c818

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fc0641d36ff3f1eece9d2d4a973865f1

SHA1
26fcd5d4081e747f977f2ec71daf5693eeda5a85

SHA256
ff95b3416b1493999dc6ae6ed670b99720c10377b50124d081a9a2f478fc3c2d

SHA512
9e8a3c8ff04d37703a7214fd605dd98a09035669629112392a0c83ca299039a0ef0e238b1071b4f15178b4749f9bfeff4119c34216016a026416d9dc481f7b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c8909008c9cd10b1e5cd4cdfabff8e24

SHA1
c8592bf6c8615c9791958fc1fe580a28778c81dc

SHA256
0e45994954577d325aa29fdc4f73ee72b02dc9ca82678fdcebc2dc7501ee8ef9

SHA512
27137e4b9e229b028c987b2888b5cdd2e0d0c95736a1ab30f5fc74df05fff48a737c2cecfff7884e02afc8397c9cbe0f72cf2a617305295a3abe52ec7f2cf0bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
281cd7384028d06036317ac860f85f57

SHA1
4653841564084415ff2fea60b49c25b3c34e2cb7

SHA256
878f756c1067ea16d5860c975516ab1c727c39e26dfb80e5abf28718df691b8d

SHA512
37124c19a513f3c991b3cd45f26e9983b7b2d2638a5e2d84c8a4de731909e62458fab133cc11c7e433251c2ed1b787f6abeda83f76b6ced2b90855b60b9ab944

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a0c5345cc437ddfd2ea41b4bac02bc28

SHA1
35c77d941e4963067ad64cad1a6d53f36226ad15

SHA256
7f7cdc0247d9719fe099ed329bbbc5406ecb7f3f8304dd57d06cd9009ad3388d

SHA512
a2e78d914195ed92923a08b2b65aabe0cbd0adea5668481930807cf15402ee1aaa8842415c3d3759e969b178d4bb16be7be0856c6ff3c993ea4d399089a798ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
deb4825a99b48564a9e06c484a2c7987

SHA1
d4915edcc70d20bf6226c2b4f8c2ba19018cae85

SHA256
176dcfbbeee9654423d38aeb8c9457341ac5358da04e12948c35cef8c37b04f4

SHA512
75a984ce705938f5457529e973260fdbd78d71b90a81bbee7300d3a748c0efa1c3dec2f3efe722caa60704b4ee59a7a35fac905a1ac50a28a7834a3af1225b55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c4db93a8d4f268e016191bd2972508b6

SHA1
e8d95bad0479fa3b23935518e5d9aeeb5471e361

SHA256
b5933d148f05567304f47d7f7a02c9034c315e5d5e83e683d23ce871b4efe23f

SHA512
c7e8bdb5a9028e9ae0e5bfcbf5412903b2df6a84958d4acc0eef89071986e85c863a57fec60798850174fd45d56571919527ae54e8e71c3052c5d0b2387c04e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9d4362e800cfadad3b509aac5a18fef7

SHA1
d9a34dd2799b7f03ea1f2125a278e5745e4b66fb

SHA256
03d118d793cddb7f0bc4d9550a17c85864785456512c91841381aeee61f95b9d

SHA512
5c84bc675d32bc0d3fc22f2aabf8a0a66cd6218f6d2d00ba5115dc0108b81865f4d3b4c4322027a3181f2bc90b4a3178d09a89d2338c0ecd138f4fcdd729f395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
defb9cc3d07501b031f41d10743494db

SHA1
1731e3b3e4f93c1995a75d16b67f322b799c3cf8

SHA256
24325df892a9c3be025b1b11edd6621f0cb94865e18ff25145a36a06152f4d3e

SHA512
aab71c0556d9f5fbdbf30e7f395bfe1bf7594785d3b34c9fffbc98bcb5982cd2d2f713f1f9acc34d643daf83192e8b085f9f38653f7d81eb275914d88db87fa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b464a64e4542791363e6a5ea9dcdf4d7

SHA1
d70a67c080673df153a9f0b73c8a081da4a79685

SHA256
13734663fc6b5caaae9e2f5b658e887660ee2b1da20dc167481f1424ff7d6724

SHA512
8afe1468e24e0a8046591585480ea9de3913d53f09e94518f78c89964deb79e0ee6eddf55b8b5ee80925d55dec953a3ca80c3fe69fdc3cd1aef7eb4b4db0a221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f93b038cf5544dcabdccc8ec626778fd

SHA1
38fec9f67359fdf4089e49c3028364fb307cac6e

SHA256
9608e3fbc84c52faa4684d3014f94f13085920a72ecfb531b459322dbba480ef

SHA512
ab738cc5d19a6ecb4eaa95c88a520bd0198cd74aeeb12ff6dd00bd88eb7f4b38fb5d256c607a161839ab2c9da0172701e4f754aebf20981e80378e364f14f9e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3e0314a86e67d5f4b9ab9c3d1d879518

SHA1
931d04dff223ebed4e4b9d9062528f6ca3fd6572

SHA256
8b2b592f503eccc1489c3a311ab922623009bd743482e9016612e5c62eee2c2f

SHA512
6116ac6a3c7600612c8151b5beea346a2a12599f4d748d3cb3e9525a6a2423820a94e4b885d457f5cde838a668100fa045e5f47c111ee865e913ca6e25e46813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a557a4747714237a65a42ed9aecda595

SHA1
a0d6402445dc23339d084f8eac443d6396531699

SHA256
3da6d6525159639cbf0e883e0da7f21a95e57ec35601036839952947e14031bc

SHA512
f1d4a857940cdfd57c1f69e765bf69f6ada153f60c10226484d40e714e0252d268624e935b5f703c48e5e979539b20ca1f1b42e21e7217af3b12c89003703e8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
1b4a63619fa0d8ca56e08276f168eda1

SHA1
bf49da453274cca9bb7860062e3b003f2416f82f

SHA256
1ed4a4a76a65f19e15a36a4a8acacbab789e56d0d6886c5c26710cfa655f5f13

SHA512
63247e4c4138b56a66046d28c5082ebac543bbd55a9bf6349b172a54bedbf6e8ba89bc5494f293bf5cd4646b2686c72eef0951c8450740bde79f0388366e17c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f86bdad6e97785a688f654750bb94cd6

SHA1
195c48b47c8b4ff00b8e38f9c204d24f8bc608d3

SHA256
69b242811609540bbdf1194529450a21a8a13e83e2e5441e6cf39c491971bd72

SHA512
a5853627b787e9c2d225591c2d761e5c4cef4b4dafb661f2b478524c19bc5c3f43ddf8bab3b4003832d602ad1b18c32ddf3eff0d3f3d90ef21e2b2848769599f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1a5116a0eaf1364e8e1684feb777875c

SHA1
b063933ce5eb3882e597d86004317c07889ebb19

SHA256
83c89e2647c9ea223cfa5e2694e815cdd341a0e825a8558aef9768ecd8bccc91

SHA512
55ddafa299eea35b96f826c0f8acc7f72b07635477120f165d70f6e35612931ce63c07ecf561cb405a52a201d543381c4540510e90cbf232c3690f7fdbc70565

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b3bf8d0aa296ddf91fc1d8e4a2b7fb59

SHA1
fe0ce94c7765b4753fd8b24b00a392c27e4b9021

SHA256
ebf81f046e385298f39e2c8ec2216bc98af57eb2e9485a9eabea41403cc30ab4

SHA512
dfdd4657c7b1acc729f1cfc8d802584be1a1eec50fc2623e90e17ea595ffadba538abdea4dd47f22e08f21d6f56ac3281b0d8776580908525d7531991a5e86b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0595696c79736420ab0326253c77ecd6

SHA1
fe2614f57900b3733feb9a25606a38369bc15842

SHA256
17fafc2287e62a9466740e6bcf1aa595b17b7f6843e4712b2cf1d7ad6fbe81a4

SHA512
cff7ecd8b794665c8b936f4bbe62000e894decda0f2172f36df32d355496de0aad4baa85dfe62108e30ec7667f167691828d2d5e2191af14e83ad1c23124dc09

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d7731cc4094e878c0573037640356b66

SHA1
2ea0a3797c2e06d10cad8878243aa1cab9ef7e1e

SHA256
ddfcec59848e19bc57bef639da0c877a135b2dbb87e391a4ffa3a3f05c199027

SHA512
6b15d63770da646edb517808f0f81d73c276cc095ddbe022e3bc204bade56903f618707c265c41c768bcc6767d921f95edbde987350b31473ab925a1955eb09a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8dc20446d27fd0e6c1eeb7ff2f001dfc

SHA1
51b0d4b3145c09190adc25d455aed59a4fa45c0a

SHA256
11206a49f74278202553a0ca89d97619532ab0973a934449847367621c29ba79

SHA512
bb8ddc6abf50802ba27b0a5aa78ac3a7008b593ef4963c59fa8d4270504a933a3362eb1f2d4b24288e8c22881a8d23e7eccc163e8e826cd94a6f9e19f1da2823

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6f68856f145c7c1a1445ae78f39f5b3a

SHA1
21685d51c7533d17db417e0fe7f09232b3b7ea7d

SHA256
8f6e7f936fd3a7a01ef4c05ff606a69ac0ac246514f5908168038176a2714eab

SHA512
8a8b71102567e66adcfb86cc7bfef95a48802a4b40d73a4846ec491bfbc4bb0eb06f5a0a9356ad585a4dedbe294bf4a0ceeb10652eae7a29005ce914bd71c7cc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c5dfa1ae95df7562ece85e30ddb583eb

SHA1
956c4e5761f46ccf07ff82fc48527256bd262e4e

SHA256
9e3c4fc444f2de4e7751499037ca2aaaf6e68d596f9346c63520d8c77eb9e1bf

SHA512
3989caf2cb66d9c68b80ed0e4b797a10445415f58f1a0e1635353cc1d8c100bd88ff17f40f46a56e68dd545119d5b262f5053b41e5a9163b0e1bca5345ed88d6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cbd621870503ae2798f5f0354016f2e1

SHA1
7707700ca5a2a4121581d737080e8df8a0467dfa

SHA256
2cfa02df0d070909503f442919b6c6a1f71e29450ec906eb89b78fbd4f130644

SHA512
3fd266e8e467c26a81efb8479b330baff0a7bb00e5f7f91b25964dfea95b64287fea16d3aead8131a9efc8c8320b4b3f6bd3c5ea0abaae6dd2dce63bf4c34700

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7e9612ad069d334aa9e15b244d3b143f

SHA1
9c711a791a14087528db01ba2752870507a85263

SHA256
79a495a7a665221aa449cfb5dc82d04105de0399ec2f07c3717b5198ea7a4fa2

SHA512
b7ece8b60d06db29ad81b24799a568f31d50602bdf15c66fe3d2d6bbf8496e398fe0b1954bca582cd75f3402d2038d6df7fc8bd6202697b3d4177c18415d504a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
51a3d8a908979cfb704bdcfe2e383086

SHA1
9078343a4d661fb98f6c778062acbf15e8fa5103

SHA256
eed2a55af19afb364879584a9433f766a4c97dd63c74e25b0dd11361d04a3e16

SHA512
add9d946b2463efc2ea91888992348975b274ed0d556673b7dd4b50855de55125505de9221e3a25768e9c165a7383ee6bbd13c636821b42dc1a859fe42e51b79

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
73a7dbe400d2a516824aa2d97d2df33b

SHA1
0fa18e09d21e922894974c642c8cbe6fa3217223

SHA256
879e45bc9739d30bae02122a0ee2db5e7e9736684dbc376c3debe8636a7d80d0

SHA512
7df8aad72a732e016058208e59e7e9c87a02a9c3a31a309d92602d0bcc33b458d27db4daf7fcd7adff9eca36285645c41bc24a3bf5b35a44b9e0c7ebaa5a3f32

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5097c0a3cc35c68befa02f87e5e0527d

SHA1
88220e2b2701aa83064f61ea7606a728040a37f3

SHA256
5853ebfe5231ea53e46c77b60272b2df4381e9233839f20b90a970c2c110e62e

SHA512
5210261445be26934aaa6e5e1d83c22c3b918fd5a684d0e7a59d11618d85af7147e23b2660c83196b72a88ed54e12571e50e10ff254d11a2029ea2162ad7a383

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1aca0d4ebc525861b6fde71586693cd2

SHA1
6683daf0584087299726e6a83689df28447ee8af

SHA256
0bc63f36e09d448813355645f554bb39c8f3924ea2423c27913f21569255bf47

SHA512
0d2b13e03a06c820f9fa2e6db64a5410a55654357319f713ef04406f042423a562c121bf47e52d40fd1f2faf74c3ec6882aa70f34f9d9156ac67a6f5496e3d1e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cd3897476a714af7c1c5062d06cd3698

SHA1
e0dfe58ac184a3e5750f846c7ac012677a6b09ae

SHA256
ac6b80e15bdabc9720be31282d0ecb74e3f6dc11f4dc2f8a1cfc8e54705a0994

SHA512
61d9af7ecda1aa8692c01c9f8e35c236f1ed00deac4da9edd897587d3816b2492c083443a92dbc41d7b5909c449a7908eb4d42ef6d14eceac7c41d9439f05e9c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
49509c9fb00d9acc839cc8a30560b095

SHA1
28a745934624cfe535b406a3f673af4d889eeff2

SHA256
862ca8d7c87677f8c5d6899a8b9c0143273a636bf272113a008701624858123c

SHA512
321622b7ce8a9359500e018b57c94f688d15f37a7f9c3200f96aab5060a9aea3b7a72739b288d3b5c9657ed5741fd55b4011276ec848a1ed3637fb709a4d87f5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
62950d81f945be001dea1b7a37f6483b

SHA1
c13278d805f6b24833ebe8aeefc50b72cfcadd21

SHA256
265eba0b1164db29b4ae398d1ba9a2bd0954c37c5b882d83dc288430b4a65cd1

SHA512
05c8df22112049115637aa3b8a983ef9c0918698c513a8b926f48859999d00ce01bf4331731c8c6980a3a92bcc206322e1d9f113097a0c5b136b3117886fb21f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
81286d00a289e3b97648c07352d96ec6

SHA1
fd0e5bb3845692cb65cf2a263b9796add049a7c8

SHA256
73e10ac453f52536c6cbc5ac4e5ad9132bb24181d34e6218e09f4e72b789abca

SHA512
411bd01f45c6d7a79d0c0a0f9f15c65bc8cdba04279fe1650916e503295758016eae0a85ab909c37462f683efc3fe4153184afae47fa5f81adf6d6dead5d6dc5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7db7792f6b387d421b4d32a12da58c41

SHA1
3d0fdfc8d8807d09c7d5cc5629f14d23f29ef02c

SHA256
e4724d7ad488d2535c9d6aefe40ef65cb35dbba1f396a0fd93e7930ad8edf2c7

SHA512
80a14bec839808ed44794b877a15a21d1b8c344ff042ef249864b1ec69eb3fada3eb8064abe13dd69c487d63fb8571170d3901593f1f784c5e95879ba12060fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3470866cae4a1f4f10642cece973f467

SHA1
60d0a6a66475c0b31b649ca42c06cb3483ae3b21

SHA256
6f046ea15055906e577ed30d2d413fe9f9ab5dd6e1c1e2b21183cb2dc3446387

SHA512
ada69cf6451b49144791d4e28585ed89f8bb48e4e2cb316bf39bf1970d10fcd5be9d2d10d44bd5c3d0dbd70b0bee385611f34792b83fbad6dc893cc200948fcb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e1383ffc7ecbf923ee401da0347aca71

SHA1
81556717efc0e4ce35fbca95142ce10bbb026ee3

SHA256
6a4edab5c33ff23d5e26d4944d813f483dbd35dd0500a46deb5edba46efa1d56

SHA512
5dbe10c5027f0017b9f4530afcf646c1697cd9fdc0e9936cfdb3e6a1188bca6c1b7881d69891247f0647c5ba35c66816964f01d7433113c42a7c7db5bd5995db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
707d4aa0522910baed60ef03321b316e

SHA1
64931358ebeebfb2650f56ab073ab13640d0a093

SHA256
acd826bd7e6fb09ff072b8ae888b7ac21869be6fb9161be3e16c50b23a53df93

SHA512
a9929341ac6d15ae5f8d0b6d14137df7b5e09f791014c7394ae1e00d976400014fcfd7f0f14668e2b1065978eabb008239c87a07b28ceb2fd9282ae9bc0c5877

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
db0fc1323f1d8a12de3c18d2ca7c6796

SHA1
0e1b70afeebc2d669166b1c183fea7a539a32ca8

SHA256
ee871b16c73e8daebaa4c19c0a2f6b2b92959fbe4119a38e3931c114f6cfbfa2

SHA512
dbfd648b4d8286ec6ed3c51df6caf966ad24aa36b304905a3335dca3bcfc6474b53f3b84c55b2bfd0390510eb0c850b5a86a83d78771290de3f87fd4673df707

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cddb82d5f6c2c31c81a44ceefa59bfd4

SHA1
f315fda14571d3fde5bdc9930b7d5ffd73a15f8b

SHA256
0b15cd8c043369b58c49dae8be5aba9f195d0c3b24a046957f4c14581e3939fd

SHA512
de448856121b79b836c00a1ac770cfe94be10e89a807cb18fe8dbf4e9fbc0b52b2ccf18894b4dc9bde698fdd8e39fe2c279d3019caf535d7f0abdeb1813a1e10

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1971078447c11d622f53fa3c12ac4ad6

SHA1
8d8ed9eced01c9610482ef634465c324d6f8aad2

SHA256
d10fe26e27733fd30528f094e84c12292fd38308287e9524e66e322240a66947

SHA512
c3f2956bedde6729d59ea3e7127f3b01b2b810aa5a5c554cb04e9dbd69858c26abe44b0d162964d142ef8a29ac8122790812e2bcb7e56249a91ce4426e518b0b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0d66eca986c04b1a135379b13e47a2ab

SHA1
04718bd6df87c8724fd276ad0554288e8533e3f2

SHA256
5b40d42287206481411a0c5cee3ed9428bda0466473249c080ce6a08e4d24ee0

SHA512
9bd23249aaf5e7bed1962a04cbfae2ff66016745ac617f2c57780c0852e0db0ffb86f2a33c19422420e7728913e172851c6dfb7cb1bef34e738c0c9147bd1e8f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
fd39e8a53559c5f4e728f922caae896d

SHA1
05cf14b4486e411b348ba4026bbc1daa13a400e4

SHA256
166bf1d51c5b1762902911e7c44a6623597038ea1223d2c4c5a870c251b526fa

SHA512
54c7a3e109e9537f9acbb301099a51e7fe033e06dfb0da7bf4ede9bfa8f35d39211a1f3cfd1f6a4d5688a9e08e33e3f3a09b1f8c165a617dbab8eeee1cbbff92

Download Submit
memory/208-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/208-110-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/208-16-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/208-17-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/228-1-0x00000000023C0000-0x0000000002427000-memory.dmp

Filesize
412KB

Download
memory/228-0-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/228-7-0x00000000023C0000-0x0000000002427000-memory.dmp

Filesize
412KB

Download
memory/228-8-0x00000000023C0000-0x0000000002427000-memory.dmp

Filesize
412KB

Download
memory/228-75-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/232-99-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/232-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/400-76-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/400-154-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/400-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/400-83-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/532-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/532-260-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1520-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1520-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1976-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1976-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1976-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1976-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2020-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2020-614-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-106-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/2344-101-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/2344-162-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2344-100-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2648-146-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2648-444-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2684-111-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2684-166-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2820-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2820-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2892-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2892-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-55-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2900-61-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2900-54-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2900-64-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2900-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3148-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3148-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3148-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3464-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3464-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3824-315-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3824-140-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4316-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4316-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4316-88-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4316-158-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4376-617-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4376-167-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4396-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4576-233-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4576-118-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4808-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4808-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4808-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4808-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4860-149-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4860-69-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download