76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Size

1.3MB
MD5

7e7886d0451615ab6df702aa31702cce
SHA1

5e3b104f66d367e2edf24868142e0d29b809994e
SHA256

5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7
SHA512

a46b2e1dc39007a5114067236665f32efe3faa6859ac4b2a3a18512f41d1a144504fe379459d927a88de258492e6a79e4fde51ab25fd6fdb6a389c2b9af755c1
SSDEEP

12288:hlyfcDZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:hlwwsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4456	alg.exe
2276	DiagnosticsHub.StandardCollector.Service.exe
3352	fxssvc.exe
1228	elevation_service.exe
636	elevation_service.exe
3364	maintenanceservice.exe
4512	msdtc.exe
448	OSE.EXE
1652	PerceptionSimulationService.exe
4728	perfhost.exe
316	locator.exe
1212	SensorDataService.exe
3840	snmptrap.exe
4588	spectrum.exe
1616	ssh-agent.exe
216	TieringEngineService.exe
1380	AgentService.exe
2404	vds.exe
2388	vssvc.exe
5072	wbengine.exe
5016	WmiApSrv.exe
1648	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\System32\vds.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\locator.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\25312a4e94857919.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\java.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ff644a16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ca2b2a16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000589ff0a16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008765d6a16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abcc7ba16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000966a79a16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e0877a16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeAuditPrivilege	3352	fxssvc.exe
Token: SeRestorePrivilege	216	TieringEngineService.exe
Token: SeManageVolumePrivilege	216	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1380	AgentService.exe
Token: SeBackupPrivilege	2388	vssvc.exe
Token: SeRestorePrivilege	2388	vssvc.exe
Token: SeAuditPrivilege	2388	vssvc.exe
Token: SeBackupPrivilege	5072	wbengine.exe
Token: SeRestorePrivilege	5072	wbengine.exe
Token: SeSecurityPrivilege	5072	wbengine.exe
Token: 33	1648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeDebugPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeDebugPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeDebugPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeDebugPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeDebugPrivilege	716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
Token: SeDebugPrivilege	4456	alg.exe
Token: SeDebugPrivilege	4456	alg.exe
Token: SeDebugPrivilege	4456	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
716	5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3088	1648	SearchIndexer.exe	107
PID 1648 wrote to memory of 3088	1648	SearchIndexer.exe	107
PID 1648 wrote to memory of 2736	1648	SearchIndexer.exe	108
PID 1648 wrote to memory of 2736	1648	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe
"C:\Users\Admin\AppData\Local\Temp\5cebe74003cf5206a46d4ab96a9ca9ed3d44b6258a8a1ac20d4dbebbc5c384a7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:716

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3088
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d0852fc398935d2bd58a0737dc5a0869

SHA1
a654a10d59247ee0c75c16a33f806c1a29b0aca0

SHA256
6708638274f2492c0d9c67107460736f0dfea4fe73d2c8a23d4012b39ebee9be

SHA512
07b20463dd0faf8e3bd238b50d42f169c269d97bab237795d6ec6b5d907460f8357002a4ac9e59bf6fe9955a40f17a73d1a8ac08cb35435d3456f6b923437225

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
79dc82c6d749abe17176a5439c35fa11

SHA1
1860b35595bfc49f8873bad73c02ec85a8607ac0

SHA256
748fbe3abaca1545f65d02e9930b92a1d7cae82f1050ed24621f2806f23544e4

SHA512
8187a8d8913fd69f3903a6a2fb379d80f9aa3dc0658da6d8978ae7fcc3f9fddf7b178b63dc9f29e3cdc01ae879a6640cfd72fc5e9bda1acf81220dfa19caabac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
233a66532d5148a0127e8366644c8dee

SHA1
c4a666e4e159d4a2f503dc29e2200227f46acd10

SHA256
83445af1f2c31ebacfadd1c8821724a7208accff56ff583978a83997cd10d8d9

SHA512
49f6ee46621118991b293110d4c54bbd15b8900004fcfa1f76677c5632d67400f7dbbc6d0aeafbb631993a1c83aa006e47ec62491c815dd806b52692e8e183d6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
982e60591b2a215e7aab95e205978eb4

SHA1
4f613cc055c3e61a8e919b407eb6756c15882e83

SHA256
9d6e66dbf1cffdede7f582ab89c50795f5b3c164650021d8c3cb4fd3b3ef9b2c

SHA512
b24c975a2b936073facb8af1d3fa9a2687e8bf482fd3fe18d9f8b97b191d882e89122b5894ea9a80a02b7c36bf16d18701da5ed671fa3acc529e2dcfaebc81b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
100fbe1b5ceebd57b29c85d2074fcadd

SHA1
9f4f2ae75dd4941d0e8430e42cae20ee9168bd62

SHA256
120f86d5179dbd0cde784f552969dbde1e2008ab556183cb0ea4c84243ebd762

SHA512
f3c615d5ada77bb62af335625cfdebd4b2516b200a374dc8f3639f01fb29a54c39e0c469c286ff4b229366a9ed0949920b1104d137660a1eff6bddc8c9f88640

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
164c8d579b76deaaf0f5fad4bc490f65

SHA1
a0c5760e37059fb69b9c68d780faf1c9277f3691

SHA256
5ce7e93717bea036f1448a87fc7341759733297e0f5fa6dbef4bbe42352f9a9d

SHA512
fa0b673404e593c92025aa2a17b5ae8ba271c60b3fdd30dafc7de0ce92eb4a2caf294ad81ddd80d08e2e1a1d63d4246d0df5d6d553701f677db44c0dd7d18b2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
faccef16241a309dd132e69351c4be6d

SHA1
ed1fb4106f3fdc49b521aab0b9484a1d91a93074

SHA256
2c24707279e96f1f63181c40b1bc722d34b5f5280028bb1c782afa84d17a20e5

SHA512
01412c6cd3f01df6fc1b0e3b27306f18341c466dda5bc9e1d04ee40607b83ee5ab86c97efd587024d97b270862cf564ec059b83e4125e0fd28208bb7cf2c9df0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
16158b6dd7844e30120b78cc8c5d6139

SHA1
9a3f033160c9aca94289e53880cede88d38bd19a

SHA256
fa93c61b7cca998cae175a24f27beff0879f7c45e220ea7a33fc2df011b0897f

SHA512
6516e78f66825b16cb178ceefa3b7392a7ac93ea4618f2f8f487737b6a61ffa1edd2569ce937d8361022ca96e0860de030dcac9dd0675631a89a2616f785bbd6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5c638dc983799b4802d52363982c3966

SHA1
b49cdaafcfdcde52205ba9f29438cdc6430c7111

SHA256
f5ad282b900338ed35093f84d5ca1d5d3c3675c463119e7b3b4a505e82382d18

SHA512
33b1be0df32d43aa59c4e6b7a60051399eb342c6ea476b3fbf892c2c7daf2f8224d7f3a7a30447e11d6cfdabde428d27c3fac05862cbbb8f27b80fc41a3e60df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e822c60aec0d11239b2eeb6bae1e841e

SHA1
d3bf64b28fa37f072ab7c8911428fe7f709a9bdc

SHA256
9315595f63927c7f39c52ef43e4457f5b1cc7d62b8d2ad711f518ac5263f5601

SHA512
a8eed9c5f1532826086bb0e116106bb13c79a5f8241759c7725a4db5d1212137875ee4f1fbb2a564e611b8dbc2ffd15c8a730f35fd9afff69fa783b0484d236b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
200390b02912bc5c3a9f673a553bce1a

SHA1
c4fcc8290f6dda44d7a15f75693d90eb0dab3ffb

SHA256
6fa6b8d585b69b79b6ef8363fee306dd6a05d1203cb65e7e32ec85f40e7a6d97

SHA512
8c6ac78c753d878e93e2982b8609d879666adcd1f998733c36640ad17f17d6e03fda198c875821cd936b1a8b069014cb5ac5a5d844ab74b43ee47efefd1f1d9c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
afbe3760a3a3c2697db6d5b0fdf41420

SHA1
9f64d2bb5cc8010698a50e731cb86695bcea3c85

SHA256
af6308a95bac084e4b52c49f09066b935c33f96080a3cecf3ae8e47aa1a0e4ca

SHA512
a3935391afca1d74324cda583f1d5543dc49c2cce82ba76741836e4dc4b0ff3a319a2df02544e37ce7a98a031c7f040b793ee46581ee643dd8877804bca0dfe6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
92ffa105234e4e94749999d524a69300

SHA1
2314cc846254fa5047d19cd6ea4a8730b60b97e3

SHA256
843f3784e493bc33a4944f1d841fd51ae2ad8ef5f2428cb7136cff037153339f

SHA512
474b36f1e3e5cb278ec8776627a6733564bed64dc2a2962fab481d0140e031c15e9e7077d735c1d2a495e94592ca87faa18a028134ab58620b2a48a1f2c25809

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4f5fd7f7caac09979f3af4d9db044bc6

SHA1
38b9badbca3ba4a6161a134dcf906b41ea4ad047

SHA256
3b3ea22a73e738b9b71abcbdb7f11e72681ce62fd9dd45bff2e9be76de0b7958

SHA512
9cdc528157ae2eb5463c61a718a4c625592674caf5cf972825069c2e0457b0a5ab2ddd481aca0c8fe10e226a04eef9f5ef85b4ddfd36cefa8de395283fd30435

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
cbb5341716c6a98a8ba6ed808b460dd6

SHA1
16a02aa72f1f74ddba68b7801137a10c1a4c5157

SHA256
0e278c09e21c81d0b4660b9fcd92d20430b18692fa6be3a26ef223d1573a004f

SHA512
c395f29dba000932c0d9df758bd261676ee32d81ff9053638d41f50d430e52a87a223d91cb32459b2ad6b1e2d1689e5f5517d4190d2a3cd09c1c9911f0764d5a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
526ccc756a89c0e6b33311671bf72476

SHA1
d2c191a33423ebf232fd275b017f69eba8751437

SHA256
a31614d534e50a02cc65ccc257675dc61ae30a23a2d55a52dc5b503978bf0d0a

SHA512
4eea22b00f1bd887bc0c204b5adaa825fc90d0b95754041074763ad781fbf11b7e6913bde524467f2c76578247fdf2f5b2e50fbad735b8aabd82c9e46ee22c4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d08207a341b721fd74155e645af8cb8d

SHA1
0d78eaaf0de51776fc96c298da9230f1dc0a2ae0

SHA256
adf802793a8e15e6e8fe533d20a2c8f07a0f4197d28429397739326c92b135ad

SHA512
9e6c87f3834e5a0cbf32b81ca091820a6cc2b67179aea28d5c99f71ce023e5559f5f887a62cf27fc74dd596a4f943820ad1e579b3ef83aaa1c13cb11fc977df0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e014b026d566445b720d7cafe63c3721

SHA1
81fa0555a9ea5887af1c9a28435cdcf2813a760c

SHA256
33fc0537b359fe8ca0a616ab8009a1adc5e056609489d9739758f249351041c3

SHA512
a9b4fe9edfe3943818248bf1db4534d792b5338d30f1119f1334be9678e8c527e91f9ff18cf6713d1d8304b32d7e1a56f5e19a3a34ce1afd99b5290081d99313

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2f0da51e41ff83aeb22dfd129f89dd36

SHA1
868053a5b880f713dfde75be5ad84163ca61d98c

SHA256
ccbd4248f14529e8423bccee21e0ff8b4a5ff620cbac01377db0357c67253129

SHA512
199b16bc4fe65ccfc7850a7ea54c1213fe5ea10a2423395d61519ddc1ab3bc3e44f6255ad679870d63ecba512fc9fcb4b88ba997edac448c7fea52600a3f0eff

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
001cbff5f9abe2dbc606e86ae4927bf1

SHA1
00bc13588fb169b84a5145a30b4db49185d26bc3

SHA256
e67eb4ac11298c9d70eec9d2a886aec35af8c5038aad074843ebb647cb9c63a5

SHA512
b9f3e753096518693697f9cf96250650271182169baddeec6154955a73557e2d70ace99ada08587431b3a53168de97b129982dd64eba712180add6b35353ff97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
593ae60e385c20334b9b98c36a9351a7

SHA1
ead02389cfe2b3465e05d7ac1ad45c8410c776e6

SHA256
ea856eedf44a30efb3cdb19a26050c561868704a3f4c47aae8d231d06d368520

SHA512
3ca287ffa35f533593e59faca2f72a515d5a4008821b1ef12c4c6d4a4552a582b4cf2361e58269c70cf0de3fce96bd7867b622a3225135cf78348ff558798582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
400ce764fd91ea7babe20b10cffc6425

SHA1
34b56478968864eafa3be637b9c0d48939daa1d0

SHA256
24f48f08b8ae50f9c288b2d64626d38f7c59ac63d76c28b69a6af3729d2c58f4

SHA512
21ec602289b4b4a6e1cfa8ec127752a9cf4adce8827bee0901ccc10eee664480c5188aee9a040086219a13f9e2ac844b459cb69dd0e89c1fffc408b9a962cacd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
213726e9ca655f1335aeff1e95fc91de

SHA1
7e99c88caffbb3c6b207455225b9ff10a29c5362

SHA256
dde631ad5fdfe0bb2a8f3f7e93c6b9ef91c0990532d0a23c80308cb45ff94a7c

SHA512
f326771915659ec7e0969c685a8a9b48b89dbfe5764e79ca6f94cabb81b1b9d7f9146f03ee768abf60ea0cb8d8056f08cf025d9c26a07099e20bedaaf99bd551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2d45e21a2d9fdeaa4b7970e4ea2dce01

SHA1
61d00583c41024551aa662fbbb0b2a9fa8d7d713

SHA256
674a6b89d787b7a8e72918a9ce57b9e4649fdb14839b49184bfc4a0092cb24e8

SHA512
b772278050ca63242c667f1c5fac3f54f78b97358569657d7b1a9d97bf8c55e7140b75a6eb61ad74bfadd9742fde73b4144345547b84242f99f625314d112431

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2a446aa6d9dbaa49142c576be57643ea

SHA1
83eeb29f8606438ab087623d8c92dbc960387ef1

SHA256
1ac51fdd614268c6be7adc0fe55b5dcfec30b48b3d583757462fce2082e1dcbf

SHA512
03aae0c03283522d0017e109f4030238f4014b0b28817d40750c7659466cdf181faef18f291010e824c010ec2da005e0e3bd324f43d01815afbcb311eaf23f9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0425abbc9fb52f647e3ce61abe75cee9

SHA1
afc5ce2b226aa8ebf61c2b0b2b68ef12a569dc74

SHA256
789ef01f2e2dd980e5646c8e831f9af54b6911eabf1785ce362fe93be35b6c0a

SHA512
4d7b987b85d4caf09dfcc2d7e2dbc8bfd4f8bf5473f19f83917353eb2085cd17e27ec322e633f73f9a70e159469de66b80855b852c6cb2190bbdbdb7cf97c6e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
560216520058a1e9e03ada6e41c156d2

SHA1
41bd000475f28c1b522a6bdaf872675f7aa3ccb1

SHA256
974baba6cf2fef539f56408ecd925e2b4dab9f7a0cb7fe13d79735d89d5dd22a

SHA512
fe0850ea68f6ec9664837fcdf1077feb292d201085aaaf48d5c46c723705a6fc55c85ce53228c59574afad0b7cd8bafb2c58550e7f571550ab996f4bcdf51985

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6a60e0465fcdcef74696689eaa6c149b

SHA1
e42c00135aeaba9bf4889da67c9abe1ff962a7a2

SHA256
98d576abd73d0d477282086fdaf76fea48821fbf5eb80fab0e949d11f9eef242

SHA512
cb75c11ac4b7ab614e114d04ee437552d4a847f94ab26d261001d22eea667f46d6ed1f734d0c7e214ad8a314b81859148583aed80054dcf7a7dcd270364ebe4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4b86f4deee0b098bbab6a3eb9eefa08b

SHA1
a361bf3ed7fa3cc23e03ce88ce756ba2e22ee765

SHA256
892e3e9d3308ca4a159d4ee9eca3d635208f1bf3b86564d56f8a3ff7ab250c3d

SHA512
d403828e45fc8dd1c69263ce46d8c34a636e13ba5e6f8d24d28f96aa93615c6dcd71a816022401132575d2870ee22ad554448e1126f0d56a68f59c597d95893b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3261d177aaba886ce5f4589e7536dc98

SHA1
665d4d6e7a58497e996979e9dde4a1e8fb2b8e26

SHA256
97e4ce6998f58f8045581b0507f1c8cbd6cfc5ef08e26b14ab366e2c3c25c300

SHA512
c03c60a5f30148f5eb2535c0dc4555f24f21d91f51ac2e0c951bb4084d0397777ce7c7c0f7dd2e28c95633077045de4b81dbca763b21b3ed50e8ec020bae3cc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
bd9f8040cf2b2b9ec3be92a778c2ed20

SHA1
112ac4b962ba8865fd5b2c610d57c77a783333f0

SHA256
13107c77a5f54f94254059a53ad545f6725e2e8dc67adc3c4343a48258ff9b6e

SHA512
095f98161be483a5d17aae0e0b624d49cb60cf120639d67eab0fdd21f9365ba1593ac15570870362dd1e82ae5189b01604a73bcb5f96ba9bb5ab2e644b91cb79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
352c417d0cdd72cca909989069aefe2f

SHA1
d68480e53e0e1a3102a4df65b172b225cb388be9

SHA256
f7ff20665563af5f5601fec5a568c5494943d7b5583d59ada43e482e5d297ad6

SHA512
2c182ba623e2c02f9a58cb5d924994a1fe77be288795e65af9589232ef119071a1be7bcc2875e0a3a0aa74a4648f1c0faa7b6566a2b763a2a98935b1e8fe552f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
826de2c1dcc987f1f670a995c2169833

SHA1
408db73b2a2ef30f7a5018e588a42fac7a422541

SHA256
721e74bd0ce391b97f1cb96a8bf6b969d80640842eed782123d9bc588078ae3b

SHA512
79a6d5542101ef11d8e8332ed259242c08ec57d8acf663b93742c6fc065e4ee8a54836836e36b298dfe673cc9d49d51ae61cec90c1a65f79bfb1584583c7fa38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d286d75f59bd786b78912de871104944

SHA1
0ba65de9802bc9a5923301d6a5261891e0d7575e

SHA256
a889d3c7bf70afb6e6cfe0468160391b292ac2891df9f4ef7eac73f826417746

SHA512
13a175cd58448dade409fd04fd4b2da81103ef31afc83504f5281d01a519933e1cd56fd63c28c3679c7cd88f1720ac1c5085cbf3ea7901e36a022eed32c9f347

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
aa37dc6532279a0f820af100a6b7fd67

SHA1
061e23be554f006c97221ecdd8d3ff1c2f17f866

SHA256
8ec1903fd56bf99b34dbe727d0102fc864ea1ccf0a3f1178096fdc350f73ec31

SHA512
ac722f08bb87f2c7ded9f2569b8aa391b682a9a1735b957a66a17c7544061fe2fd0c92263c3a491fe90975890c86e1efd4dbe1dab860d58c12c4c56e2146705b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4b3b21dba6a2c3d3633b72528763b797

SHA1
1783b4810369b53f9f13dc1c7e3ef3d268b29dea

SHA256
f9832c6ceef905905de7ec500ce8cdbc8d7cd2bd39dd5edcd258edeb4501b76a

SHA512
5697292141a50a6afa2cedc48e39e454419ff61452e0d0da743357ee8cf8eb2b01dc8ccbb5e69ceb25167ae4ca3d600f55f542ccc207ce57f20cf03ef42efef2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fa968cfc0d2f7cefa5210554326e1d4f

SHA1
8ac4eec2d2ac7d8c351ac85cfbfce7e41fbe1f8d

SHA256
7faebb9aa6e21ca210acaecdec3315b8d782422502ebd8992ac4a6bdc0bd7ef5

SHA512
7e6d47dba4471c277e07f71b003c8db9d5b28d4e2ae651e519d6844c018c98ab0ebd6cbe43aab0efc3890481a76b600cf36e414458ad31613e272a6c3aee0c61

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f0147d7283a88ebbbd4a95fb32f6ba96

SHA1
a0491eec6382000981af6eec2ba4132b858dc2f2

SHA256
a2c9e127e98499efbf2c68e1a37a8678861bbcbda95b3f7f2b491e86e3d31834

SHA512
e14fc87af650ddecdff611c3ee66add04bd8aab950d0e5c06eaf70778d9328903abb9fff05cb9e1f4c8587bde4aff373cc878bfa137dbddf215d69d5f0111344

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2b6645f2d48c0d2985ed87a25638c033

SHA1
e068a834a42d51a4b1cb002594dad6f358bcd549

SHA256
f72addd361fdf22f5a0cc1dfb7021f656ccb4d10f84f0c931b756f43e690733a

SHA512
528ea8aeb426b73ac4576278ebbd275e531b93da9a9ac0a2471c8ba0162b0e6cf75f31e20f39e41dc1db824e2d32ebe0c8391c1261ed5aa83d2c760b09e5e89d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4894d34366532f9b92a354c1fcfcc078

SHA1
682848ab85a212995d0e072f62b1420059a62902

SHA256
701c0c7114469d8597a002ab9f306d25f3c7939f1805a5b9839bebd3cbfbb709

SHA512
3c419c117fd77c194bd9eed30a38e832081bcd01c982a1c01e097a55099b7ee41b7d5b75a2c381f117826a68d84f0a4b69e157783d7c711728d8ddad18f4e876

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d25658929dd3ccf68e888b4a2e3b00c1

SHA1
cff2f65c10479cc443477d85c3f43bf096b9743a

SHA256
c5e21c772b47ecd1405c8545b231b1d74692c9fe728cfbc561b82fd8705ace74

SHA512
436c951dc52f4deb2e90688f033465f35346d2103636b4aa7851594487e5fbe2611214a841030562d90995b1a2d156a655eb2f25c27c874c83a8a3d01abd3009

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cabd1e2539af2c25e57433bce35a031b

SHA1
2f4936fbf55e80b558335ca8ac240d179d7ec36b

SHA256
6d2a54b81faff7678fb5f878e9151ee0c3b9b0b5236bcb8672dca42e5ec6d036

SHA512
175876d8e356456fbe5b290dc0141079da3f0951d1c8d13d3cf4e9e6fde1753071a2c42f04503ed38e8fb83ea5c5736765ec4fa7ba9d7a9dcb360e407e4aa471

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
84f3afb26eb710201aac71d4454b20c3

SHA1
94b40059b3244b674b6d5c4d43c5c062f305d671

SHA256
442e3db42f72db35a5a26b8b80c64492306a82f63ea60c0e0fae9540d11947e4

SHA512
9add89872de9f87edac2ee07894ddc2f7c884317a1291c5f10e5a96604d6a604e00cd3e590efb23f564a4071af1bd49999c5960e132dd7b0421712a4cbace130

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
46040c5853f1d437f4bad9028c5592f8

SHA1
3ff959d24a5fd1cf81e097009ac07caf0e8c4fa6

SHA256
582c4376668de9926d925d7210f96abc9ccda08dde9ebb92d6b05907384c1be2

SHA512
dff069eb35e3304f8d9efac6945c229d2d77fa0d0fa27a15efc783395ead394e9366e14bd7044c08252d87a09e504cc4acc0aade00add781cc67c4b8c8c618ec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4d96b1d7e7cc453de1bcb87c7c0ad7da

SHA1
8b6f35d140423f1110d5c343cfacce92b464678d

SHA256
579c30d075420e95732a62eb579e302929a50b872c5438d2bb7e4c6563c120da

SHA512
99798e62fa458266a91a2a5041c8592d56cc8099e01fcdd3bb6dcedecf787f1cd0a3e2b0a5e87c0d2e28590b550f4405e7bc62f5d2b752d35b3cd2254c592e4b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
74ed8e6352ccafaf5221c35ecd69b2e9

SHA1
7666498bddbbe9ffbdcbba90ae5b11613565dc40

SHA256
4d63abeb33cbf915f5fce38ccad71099c310503c56533192d40f95f9feb2c5e7

SHA512
af51619e21cd7b6bd7d6e2e9d59d2736dc4748122d9e01a23f1b6c58038dd6cf07dfde89a69047ee64118043bbda5936fb787f96edeaf03c7de9d529e1d4764d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3075b5732232e848c38e52c9e3646ab3

SHA1
149fba869f6ad4167eee59a4e5f4f6328266f659

SHA256
c9562ec84a51a998b895da8944b1704bdaeedf75c37125c12218ca60d505a63a

SHA512
32624c66dde82e0ba8964546009e2da016834d7758b11d114fad49193cb0669308e56c6ceb3ae01824d6f662638d0203c1a67738e01df670fce54b33229fca81

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
282b53d100d29d11d0f08a5fdead60a8

SHA1
d8dd4510355316c77d578520d5c4ab9156d8715b

SHA256
79d0060e16fa4ce7fa3a05bdeabb6bd68f03d5cea1fa13cda65a160291df4d6b

SHA512
399bd8d4b9c92b442a130510936d1381eb3e232270f8fb9bdc342c8502a355b4bfb61a5c2dc47bbd32e3e428ce09e196777c74c40d53a4c27f3fd187eb73b843

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e18c4f59dab1ea104e055b8ea4762526

SHA1
241c2182df616367fd911a44aff47769eaf43982

SHA256
1de8d5dcd8f2ee36d90e94babe8f16f68cab86cf52091b97e15b0a6b5e09c7de

SHA512
1e826f053e7f0541d905c020d2f21f7afd00c59d13a95e65fe8ad7a98a5ccd43992ed5dd72012b98c1de85ed3e4374c31401bdbcc5dff339947068e7bdccf200

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6dcf97fb5f4c79c5075167c0cbb2809f

SHA1
1d7d50282cdcabde985fd3809b3617252fb19b0e

SHA256
019fba55f9fe87eb3209ffe5ecf4f0a957d7c4f0f9d60d94d4c2b64b84590558

SHA512
745fdf862ec24e73841c54dfab84401bda42b71f3e8ec9a6cdf62ca55b53f2c13697c4f0245c0e119488342dd7ab7572747ecfd15193bc54c99f95b187ee8a41

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5020b3c1b2955c85e778f29c5918c414

SHA1
0bb8ec007fa877aa11eba06765993f6033fd22ed

SHA256
f90f204946570fbe8e2302c8c90eb1493e2418318faa558353f25cfbf72bc357

SHA512
0f98acf6900ccf3c8689cfe7b96bf9d2782118573c74b861e1d528c18e1e44e449b75cad9a567772d0ea7c87260574df34d0d476a4bfa9941ac99191090ca049

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
90dd6c900c4b20d49f44ebffaee846d1

SHA1
b4d4bac29b72da6658a9b819fa8991b4494ba265

SHA256
a3098dd2bfc97c1f2594938b8d7dddd1600394030711de730a37565c4d68565d

SHA512
c93ae0c8a696cd46a27b8ffe0e8a5ed250eba73b1c99b7f719054ee6636e6f6d167eaf4a4bb14a0d491c510547cf7c9b811dc9c45f838bce876ecc18e325105d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6b1e8ce704979614cacc6baee09575f5

SHA1
7c8b4026690cd43ce8571345c26fe2706888df60

SHA256
60d06869f4c896a135ad1d57a3cef831a448f695ed8cfc98f80a7743c984761e

SHA512
a7f01c6b4b99dca17263a96180d4990f2718a9db80f73fb248d45d4b92caf8fba471d0ddf25893bf169f83fd67ae1fc0941a86b43e6f517b487f94755adbaa7e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5c3f98269c272301dfe867bf87dbc387

SHA1
aa6b87cb6c74ff4b1fa3c414e6d0f2e88acf58de

SHA256
396e14dbedde8702891bc85249de646dd1a96415d1e1752d629d3639b00d8a35

SHA512
5130e8f27edb62b2f3e7db2427550ae9564451fa20f6b6d718d41fd5d560f1a44ee0af4db697fe5a7093dadd642daab36d8d4a5006d8985b7a164ff1fdb9c42e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f44b7419cae9d0e720cbed8cd2a510cb

SHA1
37215133c4d2926dabc0739d814f9312bb240475

SHA256
92d8e2501f63d1c15bb1aebe34451425e66dd077b2091997a8c7b6d2eea6d0fb

SHA512
f33cbf084107862249a07bab8e6a2c9f6a9750d8559dbf4129396e07ee54f89692541e4afa73c25b44273f9b0287abecec201dad6a5e168cf26e5d3879e3815e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1dfc3a8eac4c1f03a37dbf95fa513555

SHA1
7f67f85406514ff7e33c19781b4fed8f70a6dc94

SHA256
2baaf09598a940a2712ea2f5670180b37765ee57f3976c5143af39b183214e45

SHA512
de25b80cac688ec00c9138516d1327bd88b955aec97114b774073a6f46dbd5e4cdee1550ccd1f9a839a693c3a46e3dedbf05fc494e4626e1993464496e2177ab

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ec4dac817a2133251e53a5f3bd28f711

SHA1
4f6f0aa75fb8d40a72612540730005b5cfd60c68

SHA256
da65580a9edfcfac57e45e7b5dba24a576835e69a552a99905c900cca9fd44e0

SHA512
41be08e6c550f29a18a84a103ea7a06c7e8d40b00a09aee5bbf64f1e9cb5cfa31c528b4ef6106e8464dd29dc12b3b91f032933c69cbe8450eff117e62dee8085

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6f742044c3bc0b0051bfcb60210ebf58

SHA1
0f9fb2b96825f53940b1293d87ae47eb9a920ed6

SHA256
ae4db75f5f9a02b4296451d8073b4e50f847290b3be299acf4a37b1809363399

SHA512
4db4cddc73a664829f0ad0fe144822b9e276e0a9191fcb96a461678b025e899d820e6a1c2441bb776e9172d7208679cf0b69cb8231b25115a9e370548fa8c89d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
19d542a98ead7c5a045dfb219899ee9a

SHA1
0676b942eda26336e9e4f60681b45d6bed33217f

SHA256
7ad5693a1a62790bf2373397c727ab9d56732e85fb3e3c1abf5a759a2ff92fc3

SHA512
39d5f7d04e5227f1ac53f5a8bcad7ca15dfa5997ff9a75822df1ed6b6b4e0a0b860aed5d7e9dba07263165617bad65baf71e74d82889c64a65e44a2785065750

Download Submit
memory/216-201-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/216-565-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/316-254-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/316-134-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/448-219-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/448-116-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/636-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/716-8-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/716-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/716-83-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/716-0-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/716-10-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/716-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/716-106-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1212-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1212-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1212-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1228-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1228-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1228-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1228-168-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1380-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1380-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1616-539-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1616-190-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1648-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1648-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1652-231-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1652-119-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2276-130-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2276-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2276-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2276-28-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2276-27-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2388-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2388-571-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2404-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2404-570-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3352-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3352-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3352-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3352-50-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3352-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3364-81-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3364-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3364-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3364-87-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3364-75-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3840-344-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3840-157-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4456-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4456-115-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4456-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4456-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4512-92-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4512-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4512-204-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4588-169-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4588-435-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-131-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5016-576-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5016-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5072-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download