76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Size

1.2MB
MD5

b8edefa02f085a64c8c079e541e258b3
SHA1

4949f81bf49a0ea66e3f23ce6a9aa70b6e502794
SHA256

0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054
SHA512

526f59ee03f6b7b351caff2e0e0841286af749c294370db34f57b07f62f014e11b6b8bd3d43904c4db6c69a40b7aefe661526ae8c5d4e95153befde98380b30c
SSDEEP

12288:0RJXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:0TsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
768	alg.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
1392	fxssvc.exe
1896	elevation_service.exe
2516	elevation_service.exe
2460	maintenanceservice.exe
1436	msdtc.exe
4812	OSE.EXE
3236	PerceptionSimulationService.exe
2760	perfhost.exe
3660	locator.exe
376	SensorDataService.exe
448	snmptrap.exe
4268	spectrum.exe
3692	ssh-agent.exe
4648	TieringEngineService.exe
1968	AgentService.exe
4588	vds.exe
1912	vssvc.exe
3264	wbengine.exe
2488	WmiApSrv.exe
4164	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b20d5ec983eaefb.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\locator.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1D4B5551-822C-42C0-B673-53AB80587853}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\EnterRename.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e991ba26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043d6f7a16055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000422225a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b492ca26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c05a5ea26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f634aa36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000449afca16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f88165a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ac3e4a16055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1ac0fa26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c2ed3a26055db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe
4520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeAuditPrivilege	1392	fxssvc.exe
Token: SeRestorePrivilege	4648	TieringEngineService.exe
Token: SeManageVolumePrivilege	4648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1968	AgentService.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	3264	wbengine.exe
Token: SeRestorePrivilege	3264	wbengine.exe
Token: SeSecurityPrivilege	3264	wbengine.exe
Token: 33	4164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeDebugPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeDebugPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeDebugPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeDebugPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeDebugPrivilege	4564	0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeDebugPrivilege	768	alg.exe
Token: SeDebugPrivilege	4520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 832	4164	SearchIndexer.exe	109
PID 4164 wrote to memory of 832	4164	SearchIndexer.exe	109
PID 4164 wrote to memory of 3636	4164	SearchIndexer.exe	110
PID 4164 wrote to memory of 3636	4164	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe
"C:\Users\Admin\AppData\Local\Temp\0f769b4c84e763b2dae26a6ca5492ab04562eeac6e13c742a855ba8c555ee054.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1436

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4268

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d9d079a5acb604845e3e398a9203603b

SHA1
a512318cf4a316ad93d36bcd327f50ac6e36bdd5

SHA256
3211f6ccf3cdebc80bd46ae4046938728ec5cbbadc0fc929b04526289fc0a139

SHA512
fb3edd02823c54a51b1794c6b4813b94ca448b423bce11dec2ef65d9977b60ef6c09f1f3cb7d33c2ae9390501818ff86ac54326f2a7312059ea7884a197a7c7b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
65a35f7a58ad39fb6d3d20107d5f38b6

SHA1
e5e1d05b950cbc178bcf6b5218a87f84ca1cbc72

SHA256
983ab423390ae7ae5a11db04604827a6ac7ec410f8b3b145f626170d17a4d004

SHA512
0936b755309201ba8554aed3dc6a2c0ad743afb208f3ecd1fba52aace546cb028aa91d5bb129adaa954ba314849c708b9fab308cc3af075e4374071856c7da63

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5f2aeee5a3133bc1488c85be37790d9c

SHA1
e98eb1916f8a36c7de3249e3ffa5ef7797df4521

SHA256
700a0be3d74cc029734458579cd39123b1d3bed7b246b2c07ec1e6b5dfa254f3

SHA512
65aabb1703432ac33aac78bb4ecf4d3633e02bea922079755f8b4b78e29ffb4d640d62d6c9bab7e81328c23d4e29778fae8a4edd6ce7439ba921f12fce9d56c9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4aec38cbf72d1acaeaeecc352e90480a

SHA1
0678a0cb67e15979f64debe482798b6147d27ba7

SHA256
6005d25cd140a542e421690574f14fae7e7a97739e0357c8c908013564d355fb

SHA512
2aa105eba8465200d875c44d64d9697a1502e53267d3a71b0eb295005b83a025936ffa1d463e37b1d1a07fc6525447c1bfa4e5aceb06891aa83d0bc5256b94b6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6fa74752b8485480340c113e2e1da6d3

SHA1
ba4c5c7f69e19fab3f1102f05b3809cdbf4333aa

SHA256
f3db4ed7f4a0c9a5a69e19099dabf4f51622e575d8689007ba43695ec255e43e

SHA512
07102fbc558c419229160efdb4db568ad890c6f4baa42cc6c37977f73179dbc40ffd43a579e17c32e34923dcfefdb09c237a97ae3d0088764d8f9acb3641993e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
eb141b0787cd6ac66d421b730a953426

SHA1
aea12e948ebc14b174b36be2034f8d282a72f18b

SHA256
fa90ef272bb81ba18905e8d7f9d238d1eacec693dfe7f62040366a389ebe7c42

SHA512
e62f277fbc2e1ad7be6ba87f1388f5b342a0a36c4ac9bd19c25f276aa5e798e22fe41b2185aa2edb7fd39b42975d5e48877286b22550f5b0abf5c436ec3b3fed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9351bf3439e0efdb79b5289a96124214

SHA1
e11dfebbd9e520cedb0b749956429e69555a5962

SHA256
f500e1221bbb9f30bac5eb70b8b9594f639935e8d739131de02309219b451b82

SHA512
1862b4cc54b54a144f552a27443793fd0745bb7ee939a979a1f01b12527ef661cabda50ce1b7626b19d011fac8fd9b46fafed94ce9b58d05a6d872fb3085c788

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e0d6d41d8c83a147d1fb963cd297065e

SHA1
a60dad77ada95be81373fc1778e375e17f4b1c39

SHA256
edf8abb778ff76b17ca282c2c39431a1eab182ed16b3eeb8a0a0688a1725d23f

SHA512
de4a2f8b550df0efe3a32f1ab54a7d6da61472c2ad300206afd479386e9cf6b748acecb4646d1840ad49de93fade2a499aa8d5d176f5bb2fd511e0276549777d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
76df1057eeec32727919f73bc8585c1a

SHA1
643e2471bab7e5ac234524fc6289adcf0ada8e8d

SHA256
a015f46a56651d1def4b1c46ef1c5a48325c9bfe411172de4f9ab0f2803d8b46

SHA512
aa0aa0acf03614aca2d74cbc0bf31b308152c18788f9ff27c9a7daac1235cd88922d263baba76f1483b29f498b320bc2148e0ea5746e731995968c04ca972b9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
187818f258084fcd8260cf8fb7feddb8

SHA1
f864c98cca23f7ed34927a18de303e96c10b7b26

SHA256
5f35244fc4a5a77c467757fe7918dd0778f24241c1f55400900e9afe72d181c3

SHA512
ce272a85d02c8f515391b3fab71ddb89c09a2006baabe9531369dd53684c1134dd9302b849f9849a20281f7aaeb9db7890b1a838e25cc29f5b5445b579eacd79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ea0de1a4e3b8f44c9e6539821f46dd6a

SHA1
8dae3c00170006eb3168c482f3f1a1fab1d012e1

SHA256
dffb6306893d50df7427c26bc049374f6899f2a09fbda08a7fac8f2127bd2976

SHA512
15a7b31d93017047fd02ce928749b72b0c71317762d61c3da5c52eb06896fd3f21e2a9b53f44a49c59c2bcdbeb08ad850273df8951250d7e562ead406ef13332

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
94c05d167f53ce1ce113e2e6dc844ff8

SHA1
cde4949e7a3ecfd59294e00cb8832ef3b7fd1130

SHA256
72b269d3aeda14d7017ebe01092071fb8e03ae311d343d9afb5405b317cd0cd9

SHA512
4ea04c1d0aa15bae6b06571e190abbd1977319922369ac572b5feaf2867b37ab3ec6c32d1b85286307ae535fdadd6096940d5f837dacc778c3b2fc1870f65db1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c84300ad6377372f65c040b1158cc632

SHA1
ae3bde2160c51828e7dc030bfc7b251edbc2931e

SHA256
7469efc10c4d492414d39c69191998d16e752315d68998de5492da050fbf26f4

SHA512
90689606ed69c9cd944b831604c73ca84f4f124510b3bc6389767b6086ae860215d610e456b36ad2886486b0a752411d940a4b876c4cdc0f3c6294baac62fbba

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
39d588990356f5c27c6b2fb3aeff2322

SHA1
4e1c224e7f51a13f71c6de2f4c2ab9aa0e559969

SHA256
b07f908b087ba6e3fe5f17ebde482068c20c8046eecac7a7f37b94e68fe2f72c

SHA512
7fadf2dff63d94742645ebc5655bf04d0054aae6131091c33e6fab6d3a140f204acc85e3245e302efb33bfcb879cb450d1d37c662ae385f137d1f8c56cda6d4b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
71441770afb4506c16bc99b4200fc48c

SHA1
6cb5e3302afec8d9587e3d8ca9d91130d06ea62d

SHA256
9e2e0b57c89970cff2f0ffe5526118a583afd04544f075e72a60f0ba47c5eb61

SHA512
207dd062ef50b8bf165acb30ec0e59114ff81c3737fba87cb875ab4483a78a84616e370a4cd1c8ae3e8540762ae9bc28adf7998df96e2199ce60c8424609a278

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
133f95d5e2cafa7e1c0fc3a288c77f06

SHA1
f08ff004b7a967467c16f1f2fe6827c677bfa52a

SHA256
ac60d9bc8ebcfa62c4eb3e5c71199c3339381ecaa3ba9a28b4f22115dd83c105

SHA512
2781bd3b6100dae7eb9bd210b9222ab28f9547b110c8dbc648e0aa47faab5690ecb42f1dc8b3ba031aace99b3aabfa527e2c867a38ce30a344157b4639b5353f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
350a58a99a59a46e3316594ef545345e

SHA1
2a9e6b70375a30d1fefa729d05ffba974bd706e2

SHA256
968fcaf433e8a9504803f135c8f71380dd857f20756844f9e43a3b1f826ed563

SHA512
2c7aead92e8c4492870b3a82fd6589abb8ca41bcbf6c8352095354cee5fedeacdb11cc24a4da861310ec29e055229422a9d063a855c3a779335e7d46fe2fabb0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3b04001001b8add22d804dd3eb80cf4f

SHA1
1f036a2632380b18acc45df5156f39639911dba4

SHA256
2fb461f940f1e76e0d917666eb528770dd260123037697166fd72ceddc6bba9c

SHA512
e94e7505b7a5d4ec612c1e4de8a0ce714b892cbcf5402b89d071313a3971b8e2244cd3f1a76969d36a536eb929c0d657b8fc0f2e10a16afb3a2efea4c6fa87f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
47af622c750b9f3fc96c94c793ea9915

SHA1
8d4fb284523828d815a8ec0e6cbc1fbe733809d7

SHA256
b5d222287940668ca52d50fa2fca41fb077fbede7b0abe44fd2da34239d7086e

SHA512
fdd50ef8c9a38930e861e5b7ab568785a5a456078b2f5b73f2f75c42f5029e33511405eecc306bf86ab94fe1fdb57901d2d4f4a0d4c113ecadd0a88d8b5f73bb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0abc1df5dcfcb17b91f0c81a8be17938

SHA1
89f3289be92683cf56811e7be51f9b4c45fa2e8c

SHA256
914602a4fd63e8ff32327d0d7fd83459d90a1d747f54f8fdc647c25c45ffab69

SHA512
2e1864e3f78b145e6c025a0d1e900e81ad32852b7fda7e571e92ae23dc8497d1f7bfab9ebe7533684cf83944e37a3c8e9cf05489265758405a5edff33bed3539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2fa46c4fe262f0be53038f9bae0dfe57

SHA1
4bd188b0d0fa837fe35f315b204dc7b55b204414

SHA256
d6640797e40277418635a9e6e955c14a47904748d85ecd6b3ac9765895d59654

SHA512
0717b46d6f459448957bb5debda7a91571198edd7839cc38fbbf6547005885c4bafcebefe7096c66954ba3ba390730dacee6fae9ec971ce7d6a5ed12f4be008e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e32b1e8272689a40fab439ec309007a4

SHA1
afae0cfd1d2dafbf6f7286260cbc65f9459c6654

SHA256
c9ed1fa3f18ea16002b07b18a91f23413579c9d48a3255e15ecdfa2ed565f801

SHA512
45b9ecad157f24777646b06298b35ba47a85d498975d2262903b24e04b24de5b3ae39f793452c6caf4470fd990fdb670f0405dd9b3eae785d059ff9541dd8002

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6d7c642cc5ed6a35e35378971327ef30

SHA1
fb58954108b52e6d839c35d83146327ac58f8d13

SHA256
c49361b69729cbe604625fa097618674c174f463ea1f2b61935efd629b900a45

SHA512
8f021bfbd771893409be17c9f614edc9f21e0eeb2a79c6eeb06b9a340b5368140d3495032b22a921e58d905afbbb738ea9907d61b8c7bfa1ae22a545049127c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
116a8b71b0be34cdb4050b9556ad35bb

SHA1
a93cec22be3e93d55a2339ced2b95a03434fd7e2

SHA256
4a20a66ba8497c3291abd300291d3a8c8f02aa0df5a3569db76d2b2104e2b289

SHA512
2872258517df800f23521ef338acf24631e41b1662535433badf6501d1913a564c363e8c40e5c20bc92bd26ad8c33c55cb7d7ada1931a38a228ec21d31b7c6a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
babe1ca3459ae12911b71f22c353d218

SHA1
77dc4123839cdbcdc37f37bfe027c5016a95c1b3

SHA256
d36c1c8649998b5e662fbc89ab2dbf55fb9de5108c9a81a56dfd5b74409e2dc9

SHA512
007b8fddb87e632e641d9ee174935a42a19820a29f36c92b7707d14084b9e7dcf63b1439c91c36a01c07539cc0aa97f86f4ddbb4d050740c978101777f4577af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
8b750e5b7e9c683c86d8bab1644faf91

SHA1
a0789d26881991c7eb4951830b1e7328fb83f177

SHA256
98dadadef9aa9b91326db6307f52afa2c9efad6d0308f324114dcdda4e9db72a

SHA512
8f230c118eb9b2bbcecde0e896b9c9367668290713e1a403708c9631c419c56cc9453cd9837abb1a7a3087c81ff952090e06f0cf0637e241d035c9f03fe2f011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1c85e2d45e141c32a4c3e821db32a711

SHA1
cf7265c0419e42d0f434f31cba49162a8dc9c60c

SHA256
4057fd71421e93c98d8f7091ea11adb094f4f9857f43413ef1b1738e945a14f1

SHA512
97ab8dae45ade96ed3f30a44fa4e8226ea5397eac1394e836f788f7ccf8f45413f7f5b020860083e73912a27f3fa3294169c65089f88b6e8a53064c32f8d24f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
be735b8aa332a7965c37054e2aca8164

SHA1
8adf8b82bfabf466cb462bffaefe4cac8415988c

SHA256
68bb5ef9d8eb9891eae32b3b32775ba67f78abdb67fc1d6768a324aff9b202f7

SHA512
7b375471cba625f8fe5eef0182647845942b37a0c57f5e2981037ba3f3c0dc2a981c8533900e79db692936668cb6ba5a14dd089cc69b384c561a2087b92af443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
58fa4345132309d9acf79e0bd1f1e0aa

SHA1
f649e445999ebcf751e50046b19dc7d831be38a9

SHA256
b6b66e0eeef515f283de648f107ded14585c6a9b0c947eb04eeba6c97e07f5da

SHA512
84433902617f55a7dce2da27b4748588b38d0dfdbbe68b82918988258c0975f3ba4b12d72c3905002cfb9e7dc127150269eb35cffcecf3c7ec92bd22b5fa4434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3dce85255f1393e53aaa33328d5dedc6

SHA1
bfc8cde0c3192bf4bdec3961115c42da4ccbbdad

SHA256
4c319a3638a486a2af1e96a2190d7b94715aeb5353fa9f5102a9c9e6759f48d7

SHA512
0e9ecb51e0df970d797b6b945e255088b8f0c8dc243075eb123e2f20db7df43ea23879a7013b5b26d67464c2bef701cbd4efa5930a4af8a73c491bb02eaae70b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d74cefb8c567eeb7c8186847526377d6

SHA1
9054fc5eb2f0f0b651d4e0b096ba6ea2a1a7571c

SHA256
eb16164c13b5d9b7975114a013d16077d19089360e27073422699553f76d9651

SHA512
d0b9c22ab4d61ac6b209fa12d6f16645db67dbd01a785e6907fbe019fd7d626d23403d359be035f39f6579bbbe55a15ba2681e7a1faab0fa8f485b381901339f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
146070407cf7b13f9355d8eea4842dc9

SHA1
028513d8e6433bfccee3e186c9876959088c8c68

SHA256
4f05a689e2fb6d502f6c8442c5da360b298596f4eaac87429d020c3b86a30339

SHA512
e9902b7118408c16fbec6ca49f0d18d60f2d3afaf53fe5b253098ece7ec05033102c4e518ffd8c00ad8e7d7c4c09f91282d63365973905d4b23b0d4d4eaaa283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7b5b1d312ce08f808dbb3e85694aa097

SHA1
6e82a2af16c05010283ad97cb5b5467a4bf04672

SHA256
961cec0c7ab7f725cdae1caf91d42b1b2cdecdfc331f7e3d895aafc6ba8c56e1

SHA512
25df39d6bcf579ba433551e2a853283e3fd6bc480fb681dce2f02bb4fc3ca0fd20bbace3dd756d2a582116f4ffb184487e01a096096c69ddf9373d2fa3d207e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
66c26be9bbff56a3991e1078ddcec07e

SHA1
8a4d8eba892543d392e3768c99a35cb0ead78ce7

SHA256
b3889440f716a85aa06baf1069669c72477a3f020e3bb21c37a925e89faaa098

SHA512
79fef2093dc5b02f1557f8232d97a21ea029855eaca2b035de505ade671b6da50299ceb19f9d351d3e5fb2d82c6e245a1e60d31940a8384c225a8cfaa206d285

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
091649cd953cde1a6caaa53d7cc40f72

SHA1
f830d6cd17e991c6bcb187b0d795e44819eb7019

SHA256
c834f02560afc2c1bc872d595a8b3a21ebd6ea64a495183a5bc0a680b66b08a0

SHA512
9b5d5e9cfcc59b9cab1e87e32f209244238d782972a51e0635db31d0bfdf289f2d6412678e259e9c7ef8784d9b4483a71b30e5064e833385a876a96aebfa8945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
777d2f076eee71ce456d692336dc9740

SHA1
6e4578e82b2ee055f26c269bc70232a912e9e250

SHA256
1f8883a9fd1dd076f76e816d67757a29b58f31766719496cfcbca702903b4627

SHA512
ae6b2f26cede0784a11e3d34efb13a37fd241f3009f88bff5bb4b76cd20158ead9eecdab845656d9afcca61651ca29f9a8bde12aca2ca270878a93a95753acc7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d97376012ad1c09899ce70453a13e978

SHA1
dfc6d3b829de885a6b65fd0d198bfff8350ee495

SHA256
015a74de2414a6f8c01ae59280bfadf7c984ebab690bd4e73885dc7cdd068757

SHA512
022b5cdcd846aeea5391177313ddddf9ed82a2303f0541224b98127eec0498d0c08e22d1e91315c25c10d0c3e5b44b5a0c4674fdab3fd46e92f367b266f932c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
82eb0741e48f3e29a2b4fce51f5a3b63

SHA1
925abdb5d6d8edd39a0f6ca45d201816dea83cf8

SHA256
f1763306840a450650f8c998e2acfa14f9d2475f3e6639328d411d3f456933d8

SHA512
5165b0144fb48091cb1e00a299f088ea8b6f4f00eb72e498a525e47035d2d7629ffbc210b78af3ceebb1853783af4632fa423cda4f17b7f06d3057024fcba074

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
11172e4438b49ddf537c2bc3a5e7a4e4

SHA1
8fedd0557e7feb2c88eb44aba6ea3baebbf8b158

SHA256
c047de02a12b2db77226e82cd5ab186183fd80447162dd09dbd0394c7a094abe

SHA512
fe60db63ac652a7b3cd7e492c7e3bbecebb346bce0c966ef508a397615e8f715b4e5808d5e6f5b3d7afc8d97af04a1da5e32bd575ad5033e981b9e3ccb5edf30

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0ce3e4c42b2db99f52ee3a18b7ec5633

SHA1
205df8e9fcdaec5912a17e465eaef9330a58f4d8

SHA256
43726d7f47427b306bcc7a72c161f2bcdb50abecd2fa286792fec9376f03ccee

SHA512
813359a42c01fb6520599ecdcc40363869a4768cba6e0593e9a50f0a6a2f78589721885ee65e59335f3ec38be5c7a7eba1a168a84cf92d239793e6b3415b0b9b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
447389ba8045c9297e4518e454364f58

SHA1
074ee2b7ff5c300f5f7da47e29ae4d15a57b18fe

SHA256
803e0ff3d8f0a31179e5d3456f77054e0c83a66867b641b9d3621472106b7505

SHA512
2e07e03c9354798ccef613317490fc3ce8e7a592144d43a22a88320cdb7a59925914bd1a5739576634d1e8fd3c56525ab48ee34b7be5724d4ebbccd53fd12957

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8a4674c6e73c5ad383de7dbe56fbae1

SHA1
eb22779e07f4f1f930d9aa9500dc57038f333d83

SHA256
25eb0fe420295e50eba89b973d9039898b20da19b583cbc274095aa4bb5fd7cd

SHA512
80dd58bf94c9dade1c76537161caf5277278b163ad6beb8f36be46b43badb7c7724315107ec94f2a93dc0e2c9373e828caebc038bc331e81f3b28244ff199a6a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5f6eda404dbc1a39810d362c554b5bc3

SHA1
2d602757b9fc04fa1dbb011398478695212362a3

SHA256
e6745d4e9a6040fb410bc71921034ed7548454ceae192728f7fcf4e18f66f5af

SHA512
f40b6fca94a6dce5cf59fe23a8daf1c70fe26999c496b2be94e9b7f5bd3cb27a843780d2ef30a871f57aa8ad361d6f6d90d4b635cc202f5dd9cef505a1d3b9a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
56c35c6a34888d81b319e5734a8c866e

SHA1
5c32c5d31a7f6bbe0a03fc0f0caee58f55df8c45

SHA256
b889a413e5a0e35785f0bb0e3403b186362340330eef1b79d1a7fe36dd64ccde

SHA512
4843bb5bee130569fd15b11bace5091ccc17bc045cd7ac1d626acee59a3ba0c222a97da7d0854d3400c7ae9116e7b5031d4c10bb342b5dc653ac627ec0830ff4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cb94858bd091ef45c374beaaa20a7846

SHA1
ef2bd0f0a61ef2e5a19423d750a816587f299319

SHA256
cd7979853733f26ef212e5ef79f124a97aca95bea68a2a90b07ae12596909f45

SHA512
a45c9b650a649818c765c7667ee701b53d2aff597d47ed60a4ca24380c1c0b0a5bb260708fff93cd6af384a9127016866ba084676c4ca7f3e823a0d219c844f2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6368398cf2d79fdb8f2a82439fbdf033

SHA1
7f50408bf2d8cdf5005449220be57d2e9aa4289f

SHA256
ac67112d7380a59cf49f65cd3aded4cafece1feb496bba0ae54875f4190ad7a7

SHA512
5fbfde8bef3a3272535d2dbe6dd62c8417d0bde45ec57684fef1a7efd14d4bbdd3fe2ff49aa44f8f0623b6ff993d724019824663b3b25af972c6261e7ee9d682

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b244788028149e9a0cd14a332f7bdf83

SHA1
8a9d90d12cc90fdf58aeae4e04d908a93d5d7fba

SHA256
d5a90fec9a1e2b79cdc48730bf7ac5609917ebae3b0910e5f0ce16de4db8fac2

SHA512
2a82671a7cc2a9f0c1c32f112f5679172a295759289ee22fe8a3a1c843a9bf8c112a607e6b4e137a6a92774445d06adafde7eaa89908374c65ca9a88aedeca45

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b89ca9bb3dd35c6622cec95b6bfbd0d6

SHA1
cba635b56fb261aeb3f85af71a30d05c7cd00c52

SHA256
812048c5208a2ab99f129cea75d4d4517b92a89f90c60f30612d33194d73586f

SHA512
7009c1f6c2f2051cd6ca5b7aad228fdb925a3b30dec70088e1883471247b548eaca8699591fc283aa567ed2ac0cd22cf53fa3f938fb3e455b470af18226ba465

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
edeeaf883cebee10dfd6d63cac6b6a20

SHA1
e70fd8dab6688b6ba1e518e93949ed841afe9ef4

SHA256
64221a9cc7a6907df310efc669a3a6780cab3ca4f7ae33cac85cc267890f6eea

SHA512
23175b0b955cd8a77b821ab0f9c9e99155fb38ffd78232b8544ebe83348face8406b3ac6fe09557c33c6a5de948f811db6bcd1d40f69bc77305a0113bb3a13f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f883b0bc0d2b279de0f86479c8627771

SHA1
76b8da0388b1494a9ff1762cd49780ea42acf535

SHA256
5ad0d4da38f5075636eaece41da12d162102dbce3131aa543afc7a06bb52b84c

SHA512
5515a2f090ae0cbac923f011823eb1bd1f5f1407849a83541da1687002ff6090538dafa3adccaed3048da8d8b476727d122b48a698acf93b6bf654470b38cb89

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5d3ec8effa579b478fe996f7880b7420

SHA1
73971c499c4290946902de4cabf2b8e6b878102f

SHA256
7be83c6d9bdbda95285589d403b5fb737d0809802f94e3d887b820f0e745f97c

SHA512
cdbdd93578a0175c25463fa93ab051db71211c79ef3ba72dd6e1476b57b292d30e0752748b6d1fbb40609f2f6ad4f96c1dd5380454cac0eadb4a7178c3b7a8af

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a8d8ccd0c4269605877f12376a22cd65

SHA1
d21f8f37b50bf73fbd0653631eb2d64f2e23a244

SHA256
a76e634354d65674daa91a483848b2ef95fa258fff080c731141a5608ae1b2d4

SHA512
be977c8f3082b8ddeec5f3b3c0d16521db304c62da364c74985bac62075b2eb8a8a78353d3d398765202d06454d4aa653f8d26ec0904d39f2b9339680375b863

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
27f67395b279e2d4934f0e78639a800d

SHA1
1b22d4f04c786c2523d4f20cd90512e89cb303e9

SHA256
927c884d5bba87f9e1658e0297ca3d1e131f3bf12a4d24dee0fc0fbf46aef902

SHA512
2c3caea40933c2c149add9dd75b86edd6f1898d2c800d24d803f6a75391c97c0b733d69c83df5417f20eaf6b35dfccc975a2c817a6aa0f7dfead74222c732a4a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c2d77e8adc36a9f77d08c33f82b41a8d

SHA1
a817cb489ea2fb40efdc877374870c1a908ae670

SHA256
e13ba4703128c137fa5126a504b0f2528f86dc5bde3000362a9f1dd7b3b02ded

SHA512
c81a0f06419799c7afc133f1eed9bb6cddb47c8d9b76209e1bebefed937a0c725876a1bfc41ef0366959ba785f32687ecc2a0751e58f50ede269d7248cc9e322

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6ea1c745e5e253d8b4d7e41c2548e8f1

SHA1
1ba199ea1795d7222c50624efaa121470bd93fa1

SHA256
d6152cf181720d991b90ff1a7aa1a25aaea0e47b89bcadf8ce63da5ce7056f65

SHA512
dd859e930ab607b5d03f9a80574013ede6b4d8290947cc5602b3c8745f24287e9ecfa63f987fad530b51d544523bc656ba834377786e1e8a1d3d696e7b24c0fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3096d8020ed95282f8269bddfca9be34

SHA1
88ceaf6a90631d35e09cee0c42be6c336e7aa61a

SHA256
939d1d58b23cbb7b5287ca431dca9938b2debde0178ee1565d9a374dcdb1aa89

SHA512
a869eaccf504a4760f7f76e96625cb5098246447cb31a05d9155ea08deff7b36fdecee594d837bc2301de362814cc28a101843d8e89e67d0b48e084066bc4cf0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ebe2e185073af6f58bc1d630b17a69ef

SHA1
5dce2a100d5e1c62e40f3e404e89fc1d812ef916

SHA256
3f51aa56779d648910f50536eb3802c92d0e8213ca99645d61c84d935a466ab8

SHA512
fc9f6b4fadb454a380c54420cb1018ae70ed3c35873f31e5d07639ae464c5fb53dd3ad8ede848f35177dda85047635f72365fbdd8d9fb00d2be55c1945ab7138

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
24bd6c3eb7b7b19b9817c93af1f69382

SHA1
75ae0c95faccc7e7617bd3b7e82b6929203eac10

SHA256
a6491a79c1eb88596c5dcc0dd82bd67a99b2355756a9339718d3463e91049495

SHA512
3fa92237cb00c3dc4058ad544976a36839f8306bfe620257fecf4037953de0cb61ec1e7798780ba201771961ce8c1ec145dfaa27ea8a9328a45711d76bb30a88

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d12c87b89ec64875cd1a223f8ef4f7c8

SHA1
1c853ab896810b4abb899ca098dae083ee8a765d

SHA256
58f3199d1db6a6f0f0b781db9209a26a2a4c991d7bcf25187315eff7dd061a52

SHA512
fa37fa81133cb6900f643d70666480d3f404d30135a2aca6542927012e9c28e7a74856565977161e37fc904b81896e80a168f02c4e1669fb6bb19c079f92c6b4

Download Submit
memory/376-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/376-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/376-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/448-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/448-156-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/768-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/768-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/768-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/768-91-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1392-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1392-61-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1392-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1392-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1392-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-93-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1436-92-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1436-203-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1896-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1896-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1896-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1896-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1912-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1968-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1968-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2460-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2460-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2460-86-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2460-78-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2460-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2488-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2488-592-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2516-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2516-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2516-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2516-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2760-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2760-242-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3236-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3236-230-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3264-588-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3264-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3660-254-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3660-133-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3692-181-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3692-483-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4164-593-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4268-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4268-385-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4520-129-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4520-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4520-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4520-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4564-606-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/4564-75-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/4564-0-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/4564-8-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/4564-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/4588-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4588-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4648-531-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4648-192-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4812-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4812-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download