76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Size

9.3MB
MD5

7f02d2bc4450b27cb13ba01f79d063b2
SHA1

9d98b5f1734a26c1dd2d93133e2b13195f5340c4
SHA256

0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b
SHA512

d561b7d03ee24db26a554c50aea1264eac7ab64e882e8f9651fc203e9055f843183425973bef234024318adfbdd14807ec9a9a35ccb447e37b162fe9d8c77ee7
SSDEEP

98304:+++cfxjnXBJ3t76NrboXEhKE82RivJkHEMXiSKCvyh7wRGpj3:+EfxDXBJ92x2FgR2JCEMHKCvQF9

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4384	alg.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
4768	fxssvc.exe
3952	elevation_service.exe
2704	elevation_service.exe
4700	maintenanceservice.exe
2948	msdtc.exe
1152	OSE.EXE
1096	PerceptionSimulationService.exe
1828	perfhost.exe
3964	locator.exe
2500	SensorDataService.exe
4820	snmptrap.exe
1892	spectrum.exe
1884	ssh-agent.exe
3312	TieringEngineService.exe
1924	AgentService.exe
1760	vds.exe
1704	vssvc.exe
2472	wbengine.exe
3336	WmiApSrv.exe
620	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\694644873e6c0d63.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\locator.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\System32\vds.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\java.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009185c8a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c1375a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000745de0a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd798a36055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd798a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af3b03a56055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046adcfa36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeAuditPrivilege	4768	fxssvc.exe
Token: SeRestorePrivilege	3312	TieringEngineService.exe
Token: SeManageVolumePrivilege	3312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1924	AgentService.exe
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe
Token: SeBackupPrivilege	2472	wbengine.exe
Token: SeRestorePrivilege	2472	wbengine.exe
Token: SeSecurityPrivilege	2472	wbengine.exe
Token: 33	620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeDebugPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeDebugPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeDebugPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeDebugPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeDebugPrivilege	1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
Token: SeDebugPrivilege	2960	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
1092	0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 4532	620	SearchIndexer.exe	108
PID 620 wrote to memory of 4532	620	SearchIndexer.exe	108
PID 620 wrote to memory of 4492	620	SearchIndexer.exe	109
PID 620 wrote to memory of 4492	620	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe
"C:\Users\Admin\AppData\Local\Temp\0d0696212a60ba82ea918f3e9397268000acb230f4103148df9b6c0c7472b76b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2948

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
54c560aa945773bf8257dc838a5a6ba1

SHA1
33d35d7b3e2c575f9aba12e58f34b00a74d3afc0

SHA256
498104920539b313d76db49ab27b095b46fd4e2d98cf6181c90459664b1d1d37

SHA512
24a0abad781420973e1c47eb58e6865c35d46c34156324c05d6e1af23f10f06449f64d5e6fb9d8753e569adb54021d3ae89e3fb1df862ddd1a99a9f10f516328

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d9adc7c3f66200e66a6dbe66eba99714

SHA1
300a60cc6fc30ad92184b41d1ce595201d60fdd3

SHA256
574ff1947423fcbd971882ccb3dedc39a3261db535123e071669250cc248730d

SHA512
df106cc23510cac2fe86693e2c59d192dc1e7ef1b3c68b2f0f2f66e8ee54733e91d6025a9daebac7b49e349cc4d6417e822940d80827f6bf5174a020f4f3e4d3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
45d1a2b73a2fd5dc913e66baae6ac712

SHA1
51330ceb00d4650a8f15a5ec455c7f911dec1180

SHA256
fd083e79fd9796cf7f036dbea3a4c482879552b158f47d8c7c2281bf06fb2ceb

SHA512
4bd72bdbacc32074a10d13f4cf25dbaf0ba3956e3540b92c235034079f16a5d592bf48edd22b228885d25045196f9b44dc756643b1a9397a3d3b1485a891563d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a2b82d95793120e8fc8d7bec19d1c354

SHA1
19e7db1a5dbfaa5ec4ea03df835af98de45c57ab

SHA256
48cd1ee6b0fe843d1a92fd142da9648660aef4f8646d61f0766616e1709370c3

SHA512
1f4d6792b59c22860fcb4cd389465eeaeca6d5147dc967adb9f2eeca15691e0701ae13058190f0d46c58e9d9420ee72bb9a8b71e8a19309946daec3b92f92c68

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8294c724ff37a4a31d1a3b83cc7e05c5

SHA1
4edd456090787d83979cecdb9cad882cecf1239b

SHA256
bd1e6184a4429fe20aeac0de5ee3b9a8bd63ab0da81ab2faf0cc4bcf18849d1f

SHA512
1e0198c6798b7b083ea35095e830ddf940535ade619974bee7b5738f6178c20a5067e27550de90377af7e25ee1cd543af339e85bece20110e7d5ebfacf0e6824

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0a1ddc05e6b19e661a75f2fbb73dcbc7

SHA1
38db1d2cd4e48cd583b0de247361931217f5c4bb

SHA256
179907647a090b77ebad19a83e83fc3e254fb9710b20500f820a8c1e7df74317

SHA512
872404919009a7068a8eaf72e365f976f399beb7b2d5fbe86690a310d8ddb3cd198f403988bbe23362bbc7ae4bcb38dad9934e1e8fcd4971dde75b9cffd8baf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
16bb16c7e53618c6adff2d7ca8a996c8

SHA1
fcc7824459c37902d95c690fad2a159521eb1586

SHA256
8c99f77f8d5c5614b5966823d86138c4a3d67bfbf839ae5e2b761084b5e44198

SHA512
f6af6d7198447f3081eb2fdaccbeae28a0f02aeb429c9c8df3f2899e9fdb45f19260f44dc89ca686a6883d988cafd1847da96928f23cd718fc8fbbd96adc9c84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
208ec620ec78798a8bbfab2945b5fe1e

SHA1
0a182e629d94452860fefa8ee087969cb7f27a0e

SHA256
797538092a071fb1d5a775d168e7e33df76d42ebe4598bc5f22dd9bf4bb1c727

SHA512
eed242926f527f572ab4e23c8368b42d1b45bc4680856ca7c592ca33b68c2e61478ac9c664bddf37210650ddc4f4e72bccbebf1045776e36c4f973afaee96a12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
fcd9764a876f92d311637d0db1427b27

SHA1
d2de3b91ad6b3d86490dab4cca57371767a3e79f

SHA256
ef8beb1f886c1df26093860f5749f7c347d6b87bd48a37e27b06663eab30b800

SHA512
ba35c17b853d8b284022d52f183c6476263396ae682d6171a850f91b174574fc509613bae1d8679caaa06c04eceb9c82b19374f1c140ed38af2230fbc8b9d5d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
049bace54236afac6807e6a36c6f0f4e

SHA1
1bd0dd8ed2b3ee0a05b05a169209820f7032c07f

SHA256
9d08ded91d3eb822b1a7a2cbe6e9a4dcbad965b42f0b87094aac3f1289992f69

SHA512
a1ab29a1f146c3a2c8f311d34724ad29f4ae5c24ff8cbdc890a168beea0db48279a079add66373903e95fb328016005d8846c662e932017c8d4262e2654ba740

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e9e58a7f7ff495c9a3ceab7d66546e19

SHA1
ec42f6c08f4514d025996695fa4b826c34548731

SHA256
1ac5177efdbb2c88e4b10593439427726aa4a01ef20ef0a4f2fb196f15203405

SHA512
746e25156a869b01ce76411aaf486f902a4dc788c5f0ee9b677abc76d9646e9884134b741d9c923e5c4cc747584697d5c9a75889573f2f2fc3778df8c0dd6ff0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
455449e57a345381356fffa7087b9f13

SHA1
68e4be83ff6cd9ab4b51a9e6e9d184f7059c4761

SHA256
11b824cf94e548671299ba1096e140fcadf449226ee77013bd4681f33216efd6

SHA512
f4702bbc0b6df2df904be8c9d6f4118ed9c0890cb3e13b3c5bc0d4bcdce7522311fff5f8348d2835a30a98f77ae9a95e162486b1c7b8bbe9b0eeb515ec94446c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6964c13b86022aeabb3071e558b7bb7f

SHA1
5dcd841797971d19ca78754375f27efb48e387a6

SHA256
0b0a6084011f8410a430da082b1a76d8be87bdec6a4652c991c4aec348153534

SHA512
fa95bd24bb4f6c37b4e50cc19357d00bb32223ac2d41544c2a858d8da8ccd777ddf5f49414c60f2df878435542068ab7d909a77a51ee22deb1086b8975f95194

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9057cf11cfb181e4f5a65865814e37bc

SHA1
c152454eca981b37a4e242d57bb2ce93a3f98733

SHA256
1445d9b6ddd9eb7fc2bdb06f12d8054a5dd881f4df8915ab82b05e50af55367f

SHA512
6a678be948dae780474a5b25ae60bbf9daf163349811dafab87579fe95a9a9167a5ff583abaaa8e715bf4dcb269d694275e83605f4098fdd8b2129303eb142fb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c4cae9cb1eed45d4210ba54bd21bce62

SHA1
e890f9a94ef992f2aa10375e3a44550a7b715bbf

SHA256
e43dd5e67072e592b4890c9917bb1d6d1f10e412c420acd409ec5b6ed257d746

SHA512
b9e2b11ebe19eb12d6079848a8f9d685d63aec25215c7b252c3c854a4e6dc45dd91d6dbdd4eb96bd9a0a92a4f4ecbd63082b124a76207bfb17ae00321ee0fb92

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
98fcfee2104f24529fdd6d878c1f398b

SHA1
0b137434509f1b50f8fa145e36fa6e9e11b14d60

SHA256
cd3bcff6f4823d3d80b429492d4d227708f48e57856ee632aa010c944e455e44

SHA512
80c15e7e9a5861f9989f270f0b00ac0fecb6f64402de334375214788f799a1f7fbf021e11da6ae2e118b1089a5ba78f9a5c017c6ff4edfdbec35e2282deefe66

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
945d709bda0c853f84c482352cf9a431

SHA1
67219db84bb44748f74631f730d9b1d86e8b0d80

SHA256
da709163276bef8b8921bb38a0a440d50f5b16e526db0e521574456d3739cfef

SHA512
4d8e479ca11491bd5aab1a1ecbcf1ac539b365734295c9310e951d3b7ba4d9686532420aeeebf437c40dc89bb093d5eb366d44fd24dfd51dafea8b9645ccbc3f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
aee72f7b66a2ed34b76eeb4527018c0d

SHA1
c9de7db8557f576d4ad11128319ace2cd3f15970

SHA256
b15d993ec097a682dec379caf12e3efcffe56ace586151d1fc06a9a20dbb89d0

SHA512
e5ae11bb9659dbeb1d6596a238c8e1396b01b5309dafe52d5fc571a27b5369c05396f1d9500bec6702109b70e872062742c3e587cb00fb42b7982b02fc52bb2b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
dc02bbcc11229d810b41c1e5de78d258

SHA1
f1b086861642c88a58d62722db0023aad98cccf2

SHA256
b369dcf2a04a11f174ed12b52acf8307c1b62093f78130097d28dc04c3d72e57

SHA512
77db0b0e5e976863cf1f0cee43fa6c6be1a5a26386fbf30508da567bea8395072c2e1d6c50a40494cdc2b763b278f823f8b0f271041819f1b69371fc15d56868

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
46c728295face88250ec7faf4290a0bc

SHA1
5cef9cd9c96ed19776b8ba0817ab4a962436f2d4

SHA256
3c490aec95ae8bb93e700f967ab51f309454731ef686e0bca37aed4c4990dce2

SHA512
6b6f65edb700afb0d5f30b4529abfc2c9f7ead4240cc14a6ab57e11cec1d976df8e28a06efa6436d83c41a08b1f0a5533a8c6c81283ca4f0305f50e571901613

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
435d13fc4a3dbd12839b918afe414b58

SHA1
dc365c402ccbdd56e49ac793039963c78225d8ff

SHA256
7fa27c117fde410820edc0fd3d6eb1f77eabc71183581eb93812c43441a2974d

SHA512
22c71d7cd1bb3380b18df59d82cf763a1f06cdf2b959f38f9b3266bfe22bc53218363cfd80b7bfcb02ea87b28ed515ed21871b2496e6f0f5904f976df4f08e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b10f945aec406b8f210a5349714ccba9

SHA1
c500e3615e1d6897d78bb3eacc1c2d400893dbe3

SHA256
f4043c77acc896d94c3798e899841f8f04ed0b31ad7751fd6ee7914e31c6ae63

SHA512
a46b550f806c66fb3aca5f86772704138829705ae61191a7553931cfcb244bd2266214151316d2e517ac2475288a2c2a716b34c34c7c300e0632ce800cc8665f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
90a586f523bfc2b7b300130b87412684

SHA1
e399b0a01284030a6c50c7f139e62e954fca37a9

SHA256
4c5ad88111b154b5a2027bba240e258764314e6a344548ef30f79d96880ddc56

SHA512
073aff5c604378c66f4d5986f04190c2f5e4afe2c58498ebe190d39c6d3bebf3321143a26b37d5cbfdb2b6ea79131a5701ba6ff9449204f5fd9e7847c6f0621a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
112659b8fc45bad2846dcb9cb7f57a04

SHA1
378194b2e31348aebc166da93ab3a4f11d3670fd

SHA256
29bc3caef10b6e10b4f612b3456cea2b852d3f8e73e09c643cc8d33935e86215

SHA512
36ea42da2d6ea9033739f379f88ea5c58966804098cbcab819de1abbb8266c492eb9d369f3ee50945764a6fa1172458e2aefd1b7cbc11646d0d02e76401da115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a393af4ad5e26f6c61ab00bdf0b71b16

SHA1
6edcc56a36da0c4574c4768a835c1ee9f1cd605a

SHA256
5ae314cb7e19af1ce7d25a87931ffa38ee9ab2295784ebed877dbf21e4cda205

SHA512
3c0f3aadb5b5290479db621f14d3b84e1fb02203df50a5f911c368bb80ebbd83bcc919deab5e073484f6b70fb17de47761878eb9dc920fc23d6430ff7ad95ee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
443bfd67791b80639a50f423573f1a55

SHA1
fbc7c822243543802c2a638c718e89bb03c8dca3

SHA256
d9e02a1f2093f8cbad61e3b66f1386d671f3be182b1fc32747b90e5d238c8bb4

SHA512
0383758725bc2bbb200a8b9e7a4e844675fe2e41096de7059d4719c72f19b6971a34c72c6265496e3decb8f311a4790c5441e5fca4188b1ee4108aa7d0eebf37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
caceb58470dc98022889362a4dafda26

SHA1
ef892b633fd98f18f2a5e68c52452d90bbb916c6

SHA256
ab3cd5b171393e3c390613912e6db6db7300ee6227b863d60580f7312f8a0047

SHA512
b78387eecbde2929ce89b89e6b8e745f6c57fc2cabc14b28e66ad2c34390966c22060b826b62310dcd8d7d864b51caf71422643c0335553c40f68ee90c53203d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
5e1b986fc6101e191c8e37fe51afcddd

SHA1
f5534220593e31d5894be0aa252a1bfba25eb116

SHA256
ce0d172f08a8b662bccfc5c26eb10aa30dfc24dbf107b17ed3008a5b40450496

SHA512
829a2cb3dd2a49c03243fedb27be419854de224eb3ced7b309b8fa38f913d77985957eef814da22d3f0e6fff00d8da3ad620efbda77b4be533349bc0115b5043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
982f06683a20d636021e355a3fba77d8

SHA1
70ac9abaa036624d24b6e6b61e6a03dca2672443

SHA256
e6c639fe271834f7a64c7713076eb4e266f5c5830757f7e61ddbeb9018dde70e

SHA512
f39313b8d1fe87cfca3a381cb642910b2a7a6de9814beaf28eecd798c35fb6da2f760c9b419aa55c6ed0651b592053422228a060332690b6d2f6e3a2694d1c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ee93a6106d0a16bbe4950bae17302423

SHA1
f2ecc2fc3f573493766ab873ef81a46ee21d1ec7

SHA256
77d74eb390542a3aba596a29701641b531fb376b3ec78602f4dec1c8fd7bab2a

SHA512
2e159d5a8c30bf381214de2b5bbc52479acb2a14176d4d28b5ee875348f8c9c08c167f12129336b8c92afcc8e8d360449e8c18762a2daf98a45648cca45e2f51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e148cbf0b9c35d9c7fb2a14c53a7aa32

SHA1
742eddc531ec429655abfb803919a11432565c10

SHA256
df1f1193ce48f8ff0b31736af60dadf7462d3180fdb2a00dbbc6a3298d2864b1

SHA512
aeb5656cb74fe92e7497507e8597eb20c6000a8bcea42e4a29e237000fa2bbe2db47ad0e247567d3ccea584c0a41a880a430c184ebf368ed7c38c36832fea5af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e83325fe2c58ddc0906802496f3c18e3

SHA1
f37943aaede55a2fa8c0c31b3c7ba375d26ed844

SHA256
5d2c2f52b6784130b5970da3e7b0e899f41a73538af1562e48f7f906a7ca7952

SHA512
ed27aab89ccaffdf4eae331a829bf3da9bd62154ff3e4c42e467dceda91947dca61b6ffad9e7e58a938f7eae0d0de49210bebbf2fb6d851159bb6b37299c190b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
36f05188754eeec0a8699ad6816246aa

SHA1
4fbf60ed32a23f043344dfb5e3f6194c88280d62

SHA256
9cf22e98a084eee79e5313c7da8efd08a1b341b74b1540d8488cbff60d7f6d11

SHA512
8a4016e094678827436ef9826d34172b7229d0fb1867157a0f22f7be6df4cbf2b8080e819b783f096ccd2205a17c7afce11fb1b97b37ba0e5bbce5e7f3ff922e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ad7bf859dd7185e901810a1eea49620e

SHA1
0af82318eb48cd307bb8ec0890c82f7fcc700c44

SHA256
6e60155bdf70c7a9e30c87539f7be91ad4570648adb62b5662b355a6753e104b

SHA512
6c75f87907c08879e7561a5ed358e86ebaf19807a87095513236e649e6cf8984ac850d093a083894cae4778b98059f08424776f910e9d7ff58dbee9541ad8207

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
6c066d1a0fb73de165cf5abe12ce2ef6

SHA1
08a91b35898821d3257a5de38af3c03c0eb1374c

SHA256
1b14e20e0487239e2f1c4c4a10c2afa9d79b39d89a1c8923561c224a43514bfa

SHA512
dfd04a0590cf10811f237eaa6ce85bd956490e8a33281f6d82346988170ec54e81dc33d4af823735863f8ec7dc7b0d0f3dd608de5242313c19dc3ed53bb3c2f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
16669ff211d5719f051540ef6809e21a

SHA1
49b0739bebb46cba334368bb7191a6fef7f27cd4

SHA256
6773d993c0277fd251669411f321b10f43b841ec9fd0e6ed88dd22a8b84bfc1c

SHA512
d18abb234a238e0cff51979461dbf98fc2341a523ed5aaaef1fa6fc3e13c7a867bab07a5f6532fbfec98a03f4314331e6e43615f1cf01fb7161e177e77b8de90

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
09615302e7d7eb145652cf566cfb0534

SHA1
931229972f40f4bff027b59737a2f99ad4d3d837

SHA256
a01566cf0974cbbb665709db77010667b7de93d7737ba6e8cc9b6dd96d91bc10

SHA512
33a68e7b9d7b5686da4b536c69b1577009a9cff36e4ccbacee5eacf586155fb4fdc7422cc1a8e89a09e5f97a98fa4327f0ef32d390ae9b2943d058b07113c035

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
2c6b92cbde5b4506ecc0e7f868628799

SHA1
8df33aace09684cc18f087dcdb202023a14bb0d4

SHA256
4e8db14b4d4a05ac299360f366e3aa536626856d2c3ee8d7b820151c882ffa82

SHA512
0378b6d40f5f7a5eb7927a90162e1dbc84e49e2ff5bb2fb26866f3e3a950ad973549638e9642fe95b6cdc5d715e63eda9bb2b79f9fedb20c1a440300142b2775

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b247519eae3c5a16a9808c6c5b100492

SHA1
bf7b7c7a4821655694e929b86e97567319f05800

SHA256
bb4bf379aaac9ec6d4515baeeb970e3211431c9d6411f59a607cc413a16b4a91

SHA512
92c28b396990c4e67f5adce8d428db270cf2e6bd94a25fae8d0d387192be13024662e32356a6d9c5301346051e1cb8a8121ea05a080a07282fb36bd62c1d4975

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2c490039702db65eb06e46a8c7bfde92

SHA1
ac639aeb528b353026a8aa96a7aa916957e0f167

SHA256
75edb7ea5d1c329f16ae643fdcbad768dcfc127ce49e6eb5743c1d39d4dfbc50

SHA512
4f995023692f2437e69dc87b87b034d53b94beb53c7fa3c8e05f97365693e77e732aa97182b7835a898cb9a0b141c124823b1012932d9c34c3fa09d64363842a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fa6817c5882ec0b8a18c70f49f0187c0

SHA1
e375ae9c5ff5e3497682e2edf16f1b2088fee4a3

SHA256
f3df96fcefab62520de8c6d9aaf91722ed64672cd4628f86e6886b98c0d218f0

SHA512
70b60a7f563562c2786e97efec9c6fba29318934026403ac38b105fb45ca4da1959e36f68d14918b56fbeb658abbf5b3fb130f7c93cb74c118f19eb2bf0d92c1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f447fa42a389e8f41818781ac0e4a93

SHA1
144bb72c0d7c1ecef84e8dca66f3a6e5f49f602a

SHA256
04bff621435377b0160413cca5c8b0132c742a51ef8f3fdf65ba1429c510f7d4

SHA512
2913a9b862a1e2600636e92e61cde99e06a40423f4f477e82c1d99c0b49d782829078cdf1e17ec7c60f1e745e4ba33f75bf8ef444f7ee944dc8a24a983ae4401

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
70f5905445a322dd3d3212eabdf46fee

SHA1
760dbe69fbb1bc1628b9d7796cda313ecd9b46c1

SHA256
97874bf73baece2597e4d17e2c4a785cf263fd88249be16a3b70e6d7160f57b3

SHA512
9714c894f6fa4d0a3b99121fdc39b668d6b32761f002f900178e22c975a39319163b1a1550c3f443c6403ca85c6fd9c159feb75b5be6660f6b6926efa0727287

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2c6ec6db5c4bd31e82071e77ab41c80e

SHA1
2c15527bd17088ad15d5b2d7fec44c1ef9a5952f

SHA256
e8c593223d9569f6954e3b2a7ec479b8ded1cd9facbbf2ca4eb9478a8d23aa7f

SHA512
1659848c8b00e2cfe72f087fb9b3ba8cbf6a0adb58fab66e742353660607efd75e2862bbf0dec47e9c1f134b21aa13c6b9200c72421a74f549f28429ecff625f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8cfa08e695e3a8a1d4724a926c0fe37f

SHA1
edc87aae05239eadbbad5e538d9a90d9a83f9b83

SHA256
272d51963dacba2808af15026dc63f998080ea1066a11ee90ef8efead1eec479

SHA512
0b4b31b6090a2c48f9d0777049ccce2af49322305a81cb5a8377bf679076e797a71cf5b0aca049ea67605b44ab9fdcb02d5e58e888f5246d5c177d51771a439a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8321c19a8b8b420c5823c5881fdcd407

SHA1
b9193e3af066cd232b7ad90500857a507cab788f

SHA256
56a8f6d0eb6639eaedb16dd05e486f273efe3ea2a2599b0436861d95cf5128b3

SHA512
64e521e59a47f8ed6f238f0a3f4f602ba1e83453bc3a5f3479576f327d152c3d20c8ee0994e3d1dd4bf5219c710e640c5edfd877d232b29a1337aec88f366b8b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32849593b2aa514191ec93ee882e13c4

SHA1
81882558a2b385e40d12b3f572b80cc1280c369e

SHA256
5e870da9249f7b67ef4fc8e342172e4279ee272fae6dabb87ecb1a614451bd4a

SHA512
300a1030a0a8364a7ae3f92c756f17b66e4ff263d70428d9d65c8d229f7659513d3c8670e67ca4478037b1201a5abfafb3945b4c36bc988dcbf01d97824799c8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ede6e5cfd55100fb34e2a0ded037a93b

SHA1
09f5aa7a0992d881730215a5a7e973b7839d3fe3

SHA256
5a8e2cea0a2cc98978ebcf125667d70d15ef4a5ba28b32bfa67963d46d8d9cf1

SHA512
129f4c9d0a1872fb204aeacfb99e8aa89dfe3532245985dde52a5a08fadf8dc502fb5538ef02d45bf7c7cc9046e3de8752cc608bd33e94fb00d47f53a00fe975

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b39ace8d68f215b89ac2acbac52577ef

SHA1
66b2fd71479b5a77c739b6e142d5e584f8f4f3c9

SHA256
10bba2ef14d53b980e54d23c437165de70268dd0325bd942f9ab19b2088da884

SHA512
6fd7a57594a48f1866f6c60d13404a67b9a95b7913a10489bc9b2f4037703246c86f0cd67ad8d899f0a22f5f8cd56c987211a8c1c43e7bb4ba45f2af0cc60926

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a1cfdb764d433f0e5bf791c6e3b8382d

SHA1
6fa958963d575c6dcc70dce678069cb87bf3e668

SHA256
908ff386257c8de9d5642bec9702d416aca6b67700e91b09db9232e34bbfba9a

SHA512
35067d63a4416809debda95cfccbc999ff53043a4139160d2625394454568ad36c561db4652ad2c38fd79074fd8f3ee609615a7f8dc4110b83a85e30d3c227b1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
65b1a8d8296b97e9cfbb4ffd0234b0ab

SHA1
3fa36a87cca1106996caa87aa6b5805c2f5492bb

SHA256
fc7cf55ccb1a7e2d5aa68a302ee78d6ca89174db865c8ee6175b55723cb4cffb

SHA512
26c7edd883d349bf02bcc7633397ae64ad25375ab452912fffca878102634779e37709b31a7e3c99afc2cae01d5cfaa8e18082b34b448a17173df776720dc455

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
627230321dc87e5bf9370523362e1753

SHA1
ccc3d130ac53f1df928316099d579cc786b8488e

SHA256
e574c4cb0ae419eaec57c7cd2445e818b2e7a9b49081308d07b13341c6feb46a

SHA512
0b3c5e80ebbc855e98e1d80db2252860317f8b20be5aac4246423dadedcdb35a996c9f981bca64f908fed12102cc694906b1a44bc8760b6f08871d84514644d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c6314ae56a056b4925c841cb12e15f70

SHA1
9ad43e5e44c911921428947f2ec3ddad23633d9f

SHA256
0c646807f5b6f2cf99399810910b2e16419f2456a866a6e5edf3f2c7449ef320

SHA512
2e583de284b808838d3addf62f211a3685541da1091e838cb587d129efdd2fc1d18a304c45734e9ce6d912d51b30b73f2aee3a15fcc8187368fc8d89ffae8fe6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aaa6291f66bfc4e601fdfbb31401fa20

SHA1
3a0056849022b1164637855694640db2ce10776f

SHA256
bd6066464c8423b151065b3cc391b085bce9fc927416cb9328bb386356374394

SHA512
4606be4dcbaf28c1bad48b42aae112e84dc3f9a7369075a6afdf7fb018d1e779881a20c9db0f775b5c9991c24142b745234009c27b5b75ab2928e89f72bfa97a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c06347b2763b6a67786e2ccd03e0fb57

SHA1
0794c0cb7c0b0eb2170d74a3830507cfc1e303ad

SHA256
e9825cdabbe14c37a97ba45a599ae31437c7126d7e9bd636d9d17a99df440077

SHA512
99d90112d95b94d0ed97f9e2753ed120fc45055071fb5c7d62ccdb1c4e84fe5692fd6ce48a41ce4bda97bf86aae76b5a659a34324ca2c847a74b523d697706d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
012c25ba7a3860589c00b322c013f54f

SHA1
ec8341a64c18582786d0b02746b3949dcc4f8e35

SHA256
66c535f9b4e859fbf74921dd29157ce7a8aa45f43e7bdf4616686cb5246d20ef

SHA512
dffe48a5caa7a035c042e8de5027caf311331f91f2bd299085c21215eeaeb130e28c69d133a417bc64e192964be4a85b7f1153eef9e75e84d1e51e70f86bf1a0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
217ef3898a6092062071bc5b08d90a27

SHA1
91b8ca7069f2e60f5f76cbb4fac7dffb71a40b36

SHA256
2afc369f32d2973c090775f4c9ede07d7052139eab9feb9918414a74ffd22a41

SHA512
a58dda4dc1d2d37c371562d73a33e9927df8ff88d34b0afb4851ddd45c118872dc151e637edb52232afc047baa5e18621e946ae733d09de1c24ad168ea5eaffd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
69e361077d519991daac65d84343fbe4

SHA1
0e1c256a052079e36ba4ec733f8973eeb4d3fc11

SHA256
516db28a536a5d229a1a32a96b9113c8dace25765905f300886d60e01dccbf4f

SHA512
67ade39c49023dfdc041b327390d3678e7e865d1bca381c73ca9c2e04d20e71a2db35c0151406cdeed12361c5889645e471afefe4c3e059ba207e19dd9b5257c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
04ceac71bb0d32c99b214a0ea39bebf9

SHA1
3d427ba11617308ae967c9167efa163cb7aa2a88

SHA256
60e271168d3556985aeaae18e9f0de6e19f367ab18403d0cc26bcb08443fd5e7

SHA512
420d441baddf354a2e5f1e6a9d8107b313512f07cb6ece39f0c2ef7f354020626781932f0e89fa7a29c4bb4e841fd42831c40c90f8347048f3d3c2fb186af077

Download Submit
memory/620-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/620-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1092-10-0x0000000140000000-0x0000000140968000-memory.dmp

Filesize
9.4MB

Download
memory/1092-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1092-69-0x0000000140000000-0x0000000140968000-memory.dmp

Filesize
9.4MB

Download
memory/1092-6-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1096-85-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1096-93-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1096-91-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1096-157-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1152-81-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1152-75-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1152-153-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1152-74-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1704-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1704-479-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1760-414-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1760-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1828-106-0x0000000000770000-0x00000000007D6000-memory.dmp

Filesize
408KB

Download
memory/1828-100-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1828-161-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1828-101-0x0000000000770000-0x00000000007D6000-memory.dmp

Filesize
408KB

Download
memory/1884-360-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1884-141-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1892-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1892-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1924-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1924-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2472-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2472-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2500-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-486-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2704-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2704-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2704-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2704-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2948-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2960-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2960-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2960-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2960-110-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3312-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3312-365-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3336-166-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3336-487-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3952-37-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3952-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3952-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3952-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3964-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4384-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4384-99-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4700-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4700-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4700-54-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4700-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4700-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4768-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4768-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4820-232-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4820-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download