52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Size

1.6MB
MD5

868bfdf4196d2b563cda87412e5f1c7a
SHA1

73068ee0a0ca192c1d3a7b48fddd5418a2879c98
SHA256

38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508
SHA512

0371555c5df19464b8c182165831efa60cbd8300cffd612bda7fa905e1d2331fa59bb59acd878ce977ec44ae032134ee9c24a9b29c5cf95d3b27a583d2af01a0
SSDEEP

24576:Wxozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:a5LNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4472	alg.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
2968	fxssvc.exe
3324	elevation_service.exe
2712	elevation_service.exe
4436	maintenanceservice.exe
2796	msdtc.exe
5012	OSE.EXE
3444	PerceptionSimulationService.exe
2776	perfhost.exe
4408	locator.exe
4544	SensorDataService.exe
3208	snmptrap.exe
748	spectrum.exe
2184	ssh-agent.exe
4692	TieringEngineService.exe
4412	AgentService.exe
4420	vds.exe
3536	vssvc.exe
3432	wbengine.exe
3660	WmiApSrv.exe
1032	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
84	iplogger.org
85	iplogger.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\vds.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\dllhost.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\locator.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\spectrum.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\AgentService.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dd3ca6e0cad6a2b9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\System32\alg.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d32c050a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d524a0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ce1b8097d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078a21a0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e164f0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048c2bc0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c306fe097d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007708c0097d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a86e00a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062d6b00a7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeAuditPrivilege	2968	fxssvc.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeRestorePrivilege	4692	TieringEngineService.exe
Token: SeManageVolumePrivilege	4692	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4412	AgentService.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe
Token: SeBackupPrivilege	3432	wbengine.exe
Token: SeRestorePrivilege	3432	wbengine.exe
Token: SeSecurityPrivilege	3432	wbengine.exe
Token: 33	1032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1032	SearchIndexer.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	1612	38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
Token: SeDebugPrivilege	3436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 3212	1032	SearchIndexer.exe	108
PID 1032 wrote to memory of 3212	1032	SearchIndexer.exe	108
PID 1032 wrote to memory of 2904	1032	SearchIndexer.exe	109
PID 1032 wrote to memory of 2904	1032	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe
"C:\Users\Admin\AppData\Local\Temp\38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2892

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2796

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d4e62578d3f7ee81d2730747f0542ba4

SHA1
dd823ec8791d0f2e72fe3b963e1806a8a7a5a0d6

SHA256
c51dd1cf50b11039a0ba57d6af75e9f2d0147e8dff2846cbdfa6f43d725f21cf

SHA512
8ad97ad0dab33c3990c89ccb8e3fecb2b134d3096762e2c8755feff677d86fa0f8be6da316fbe68356c03d060d05bc236a3fd79e1ccf6d9e8ea101c7d7df07a7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c6877e4f9ed41fc6aff5c7e85bbc4517

SHA1
90761ff92b7bebba4d246e5fbdef68b827cdfaab

SHA256
9987a3ba2a5d4d81ccc1374ffa07e0796d0d28a22ad73d4e194749d81350cd2b

SHA512
9d040fca5b69c07be4d9fddd814d6764b33e2bd679c5d856d9e51acdd1cd3d856210290c2bdc7c0257ff2690451e98d8d96a46d076029cd6b6a4af74d3679021

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
748317060f0ccb43226c22c88d57ab49

SHA1
b6ddce04175391eebeb45699949a30472702a575

SHA256
1ee8eb47e6ca39c1cdf82577f99a26e7da0eab240fda23b74f9a57180aeeea6a

SHA512
4e6c7a00ae07c3cd478c6dc368a766e36d1942528d0a945cacc239a30bf179053caf6e509617b20589c1c4342376707a7ff8ad6af8382da6af6fd70fa4838d14

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
69a5113b9948d6c3f59105245c386a8b

SHA1
24f6786a9e15937c05fa0b58986cc91886284573

SHA256
60a9f3535110147af587c9c7432c4269001d07ee511f8e294f9755ced070b86a

SHA512
23007df3e6dd55054ba64b2ce979a7a027b40c45663905ff4b52f6006737ad88b41d0a583f1220b734f8f3d939719f53cd04ac9f4222402f2c9c2987ffd75f11

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
810ed62cbe094ff80177964bf16090cd

SHA1
070b948f2924a9bcfdebd8ab01a4f677a4d76679

SHA256
d09ca90e55a1296310740335139a3644d80706c66eef6cec259b50ad7dc769cd

SHA512
3b7a2638a0a653cc838bcdd66b05e72757f151f050c3861e8bec21aa0b9d389f26df4434a7e3e7527d2f0560d7b14d397e1b4f3bd1be7ab85e074e27c17ab4bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b78102fefd5625e6e5cabbb20f6c1296

SHA1
191bd4b3d6b609df389848901690056466180470

SHA256
c0fb0a49975f4a7a39828f6d5c2c8f71273e26f2240501032e2921478e69244a

SHA512
303698f4748effe12c60ba0afe7bb649cdf324adcb49eaa6fb1f9efd920dcc3922d8326f82d0af0050cc1b6d5bc4697befa5f1aa962b2ac0732da2c56cd547fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
196493030e7f6104ef0b540324ebc503

SHA1
65dea963f6ce5380c4bfe81f6d3d440115e1819f

SHA256
a0dae853f78cf569c63b065b2c5305d366362119e90c46b28827e51d971466de

SHA512
25de83ffd801105ebed6bf54c113847d52d05882e2ec408136e0f61915ce0f63d7e86bbd23a9262e9a802d69ebb3f8313b1ffb8fd8512c729340aad94e01d986

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c1015aa5f623dcee952fbbbdfd6114bd

SHA1
23a5f42a3f5539dfd297f4530c1d3303e2011ead

SHA256
7b70aa2cea2dd0e9a4c26e006a54b793230108ddb912bd97fffcda3a33a76448

SHA512
611879cbf18bd29abe7b2cbd7f2983c6dd0bb418523825c7e916b5fbffcb93dca38caad11ea7fcac4cd6867c3aead59b2c04d94a90f95ed8839290386d026488

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
36a81af5a631d7ac678ced84ff1a318b

SHA1
de661e3e12fa35fe8fada850a40293b0961873d0

SHA256
5c9438e390dfa5414ece4a9021e19bba597aec02bbc8ec73f3c1b4141e855574

SHA512
d1865108ab339f4c573167bfcd4098b293428e2babffead6ab985905797a9877bfca31b45cf60d6a3f64b9b9a8967fd7132adc2bfaf6f602e2ac6e9d49d5a543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ffbe4cbdc06384ab699410db560647aa

SHA1
298b29ea46595b352e1f92004bc082c4bec2066f

SHA256
9357bfff007b41bf0146b84f06ea26ffd4f44fc771140ae613484b33d1993677

SHA512
f1cc1b7ca34050385a8639790254ea791e1c6b3e1f101db8eadc8ad50371ad6fec197e351a08b677f1f31616d3acff63862bc1b189f00fa258ee3c8564b56bc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3aa4e85681b9ffb3f1a6d91bfaac4565

SHA1
40cf31ff3b332f9b9735e89493706b2fee425a9f

SHA256
4327dc354a4e2973c4c74a2f279736959e8bd69633d8607d9b7982055b3219a0

SHA512
279ffcfd9353ef32cc3ad2a20c02f94a1bc7a79796851548c003d11a2930050eb69ffdcb9c53c721893af45d0b4570a85cb82e1390d5f914342ab7a327588984

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b9717f54292eb8521ca94c7aecf07257

SHA1
a66ece11be4af278e6ed0d5f8abf490c5324b250

SHA256
bb0c3752365ceffd193aec34d30a439ee74ec9b1db6a958465f9779a2b5b63bb

SHA512
98b311cd006deea6ff7a51457d8b9496eab8abe85d19a9a6ed102e9220c564b5088504db49e69a126da3b4c7617780445f17463cb5291c9eb1969214b26b357b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
74b355b36ab6b8f5c64a74fce8c87772

SHA1
b1b4a31aaaf44378e366fbfeba89e91b51d33413

SHA256
a434396ec1938bf88d52330327700915bbbff5df27e663fc89476544588bc2ac

SHA512
23cefae235d77057e00baae1650baf86d85d5f81f187d6f41ab83bba4fc8acc24d22c288753683b13665e9a709570038121d8c2604be8796cad48d90868f45a9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
18763cb72e2a9eb864da5c18b49e501b

SHA1
500726e1382048ff71e59b65e41d73c1260b28d8

SHA256
1be0768bca2f962bc8f0dfdd758b9c608259120ce89cc11af6ad292cc3eac097

SHA512
147879e658855dff492784a733feccc35cae7267761167b3a487e3a39fd88ab836cf18528872d830784e36b9dce44ac991a528541446be194de689a065b9d63f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
91d475626f82d261b69933474b807d4d

SHA1
a70c39b68f6ca66e0d5cbfdacf1adcc48ba455ca

SHA256
6a2e6536580c9e60f5e966659060c34a10838228e53721e6f503eb0bd88704c9

SHA512
04a9633bd947ebaa50a29c1b0f3a227e418d9c9d16e1e5e2d3ca686336e6aa872985fd2ed01a572f03d102701f3099b7441e58fe16906f5b6389a883640bd624

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9d311a83df1226255d0f8cd8915a6754

SHA1
bb56920ed0b1293d34afa98589ee833884724f92

SHA256
ca8376413dfadca7f07d4655e8b7bce39fff0c6441bba4f4d942bada160deb90

SHA512
12fc064ea28c536ab25a7892923eaab7bfa146b3569d60f3738e8a0ae59fa44c0e8f690babf6d222312544e7b49084873d8fdad6791a030b6f21a5e4b79499cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1666adb8c69975e037e03d63adee2cbf

SHA1
aa19f961413698978b5d33e2d53fedc11b158c50

SHA256
e0ff3ec53d08e2773fad9975ade881a25fd52fc61684ae3be56cb91371c2a521

SHA512
38b16a60c6b08b203d2fcbf17977bbd092cccc87591c610b79027c9f099b226eb296f687fe078658dfec75b922fe83355fd8933beab47bbf8214c7b815d74fb7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
215675567883b9d875d5fcaeb9f2a7ff

SHA1
9b7f90d7eda6d107f3f87707fda391bd72dacb54

SHA256
45ac8f8d946978627ac5e6f0ff7a211f1a76f83b229f5e07d8237cfd055dc6b6

SHA512
a642c8bbab0d3f398dad6e0a426bd56a1f82e50d61e29c66bdecae6bded0b6f5d0ef8ec8213f8975232155f0ad30fd02950855a7c0e4cc7d6fe2606943054d03

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
86015832a835c8fd799cb09f5a5f7676

SHA1
ad6abcf1e782e5f825d3ea2717d9b669d1db831b

SHA256
4a0c6b9de343e8a84e531d5a3de3778c2ef82f075c9bbfa89156a0dd6b38ce7b

SHA512
0e4e6deeabc181fc37cf9711acf0f55a8b1480d0fb7bdd5d99c7bca9985999303a7ed606e9ec4775037993784ab284bb26af4a7ec0845f2cc16d040b7be7ed5a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4901f03b6b160fd70aaac9772460ef36

SHA1
90da52e5f47f7ea4ff4298ce6b0fce6a40836d06

SHA256
5091315cecba2531fe0df889696849167f7393cba305c68a996c831545eb9c5a

SHA512
b7bc20c8123b25f426bee340c8e6bb3b3e27b52ae2551093a180323f8fac1966928077adc0275946b6e958e862aeba85500df63ec3d8cb4e0b03c11d93774ba7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6310702f94a97ab4407346f5ca0a84e6

SHA1
a16c6e231b11b51ffb22033e258084e14a546a8f

SHA256
5a6bbee19cfd025709ed18228e7222fe40c268891fdf4d6102fd7ddb6c29abe0

SHA512
45d6cc79ad20e52493c6880f19a4af2584819fca51e9f7dfe24989c7349307812733adc4d3edb1bc43d1a97735c0a1529a19df8ffaeffa03304ca389adf1a009

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
07ad5d16e4b22df304589ecff1369c4f

SHA1
93af9942646f3d3f258cd90e3258ac4af0c8f66f

SHA256
3a4f129c49ec0f2aacb8d9fb291aab5f95743498b3dacc6ea0d78ded852c5e30

SHA512
000d19824834273be06c1bd007239651d12424541addccc04b84876c37d1441094cbf4c67f4fb1478da0f96987b79a08e71465c3899d98734479e73a41e4cfba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
60a06e2d0a510e58e8aefedfaa0a31c2

SHA1
51a924eb21212eb41dda567dd71e7d07e7a048c4

SHA256
1b8c3769afd7a39281c110d75d837718cd92f7e4ac9df75e82ad448111a6a558

SHA512
550e16fa6f181604e27cc932fba02be3ee1a47bd84a58e268004939e1ccd823b47bd088bbe132bc5f64e5d1c4b8203b4a1035c327859182e3427063acd8d0518

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a3409dfc317d1e63180d71ab631178c4

SHA1
6af91040bc7e906c067dfa306c2828af7d944611

SHA256
966980ff0c46ef33e3e5bf0354a9397736354ea46896d6f7b4fbcbdbb0d9900b

SHA512
5af239a44b84d47db28afbbafc53e0012bd678d6d70e29e7bde8d51e5e55bf6ebf120c0f5392252f9a608c6382f1dfae7428955f8c3b96da999966489c54eb09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
afa6a455c9484cce5f5f87fb2ea88e8f

SHA1
330f38845c4aaf78b699c51519bf32f8f5e2350b

SHA256
13b53e49e6222e14968068d60f454adc39510b30afbe13e8a2c9d330df77e7b6

SHA512
9641672dbc710e8f38533f99443ec389ec1a44586c73aa5b48a5bb0f4db067ab23cac2acf10e8900cc9c2e5e75da8a4cc71b349572a7860fe3f062ce7db892fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
180fe58e3a5f4a4500a87acb65c76721

SHA1
3606932e91bd28db588d1966043eb0ce94ecda3b

SHA256
792855f1317aaba5aad5a9d5fe831b4a79156125a8dbb178ef1dd9ec8f3a86ae

SHA512
4c545298628da5196990c25c7e267087985c65681ff72167bd5ce744ec7538dd905171dc1923e3cfdf2f1fa3c504ca17db188befc1ff6f7857b9abe63e9ea730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
714aea531bbfcbde3f4329207b66c859

SHA1
da9d660a9229c98d19766acc592895ae76f09389

SHA256
32ece58e5edd95097d94906601cbd9811272f6bd616eb31ac5a2a2fcc72d8884

SHA512
a9c7178646182cef8ceccbb99b7dd50473bdf74eadfed6d7f588cad0fc701dd30b7235136eabb1cf58cb630276c9aa291649b0180ae34090f84460ba4ae15e16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
f69f32bbb0e35f7ad2ff1466474ea4e3

SHA1
7462e9d8f82609e8161ce3ceb8976964e9d0e7cb

SHA256
6ee5d4cb4ba65f31f12f1014a2c8550e6b6a98a99281f1092f748af5d769e97d

SHA512
a223ff5a96dbe51b2d404473ce898879bca15221ba20b9692b831d95fa204aba499648e51384bede5248d9919d62644a52568b1ae30d7fe5e2ab69af59f1373c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a31c870c06216cb4c5932aef633db92a

SHA1
c9b37ded3e89e754093a9735109b4228459b042d

SHA256
dc0337f43a61389e0a8b8850a1ddb00582dac65df55c23b1b2957e1932f2600c

SHA512
0a17306ddf71153aa67f2a239ac6a7de036180d41f0576959e827eb49d7b66836ad2a4ea20de25096c3416af40be9534711f80ad1dc4d8b4a5b7630be8059fd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3f0f4e6f2ab93821781203e810835ee0

SHA1
e215a5387ce47ef3e87f5edbfe4eaa6322fcc4c4

SHA256
ba4ed0b2d5fe17d08458b15cc93f067af06aba448bce4d773b2921f06e2a41f6

SHA512
b3051af9b5cb7700819765e95a3109f7da9f71f6f5de6844403003d27344413919bcb09659bed52ae6d7e3c8b97ff7b614c57d96556abf763b0f2ab0c6cab24f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
aa32863841f5321a3053d0592120d59e

SHA1
1a41213b39a782c79ea82e2b5fb1c63464877195

SHA256
85aa0ea532d07901598004a0f9481a5174b5c040d8c6aa4afc1a329ab808c033

SHA512
9c38dff90250981e7fdb88597c9ad4a14cbc1a360d25b957cf8ec26f29edfbd3c5b9f3f0330ffde2a6bd59ea222177ff3b8aadb5f5ceb5eb54997f5b150b511e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
be384311b0243fa53cc0d0998cec6d5e

SHA1
a71cdd6a5457cc4070e47782fadcb52cba0369df

SHA256
e952b9b5f6765c5c8c4e69fc7d3b8f6506763ab49855328b4b8d61327365de3c

SHA512
48c138d7028054a2971ca9081df8b31da98b05e4825772af5ed7e68b290f77a8c2c3079a0c641605da885f2b45a70439409ac1b447ac278e2eb7dfdec19d0fee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e5956fb0a4ae4858ad95c48c43eb35d5

SHA1
9860ddad6b005281564a4908c92ba8ead9f20b07

SHA256
32963ef35a8559f9251c89cf7875efa3679d3d5a8d299313eb12e4c16c080017

SHA512
86043d45e748d441cf30168d08795ef8b615467a69228b7ef19fdf8545a58ecb193044c42349152752d14702dafe7460f28f038692eb6978bd7b383538de87c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
cc83d9117c8ce58cbe906a4a795c06f1

SHA1
cdfbb08cb81653a26b337a18ac9e65915073b5f8

SHA256
678f1e509d2cba7b76086158a23fb4231a6f669eda45360647dc9732672bc99e

SHA512
d7693427df6817005b28b0a77f99ce8e78035397811da817f5b6f6df98aa9101d2676aa538bb232e44903a9685a269667a57cb5fd5318badc74fc757be8fb7eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
7081b30cb7af68c9820d5dad4de1fb95

SHA1
8d2abb1660b9b9b30877ece7586a9c0d446d2c94

SHA256
22401744a33dde0e0cce94988abda362feace0e9eabbd83e606357a954f296a2

SHA512
a656e93889e61a69fa782e2230bc35517fb01200fcc31c9bb03409e017d43b88f627628b8a4ddd7162f687871beaf9f4b2c01a27dc07d59803deba68a24fa90b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
735028e8e66b48733a00eed91b5acd56

SHA1
97b35d5c67007f209333699153185c8a6bdbb952

SHA256
08f0c2405c8587871d7c3435cc72310920dc5794c4c83465ea91debfe916956d

SHA512
42c9940bee0ee2429f56913ab96a632d3d750c057ca9810250c37eb02dd4f64a4be2703fd95e98eebd53603e3c8488a28886c123e10e92b7d5a192d04d1eb1e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3cf252c7d19125d8c2006d3991a06087

SHA1
cbf0b5b6c81b901f5df419a270d752061dbacd5c

SHA256
8b3f87974eba55890ab69fe5eee12198c70516f225dd2732cadcb1a6ff769a4d

SHA512
4748e46b08800da4e7ebac32232c12620d3f4307f1362fb25515819277948d49ec9c8c5343f707ca9d6dfaa1e3fdb9f700bf3c2f821d7f0389be8df104535f08

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
486607b970d2f740460b85f39a30ebed

SHA1
d1dc109573f904c527697c1fa7206564e1227a9c

SHA256
5a0a74c595406bf996dfc905283c56bae8d8ca4aa18dc6a7fe4c9eb3f4f36395

SHA512
5b54b3eb0700171b0799f97e2f1775e6b73e5221483227b332bf6d1031528ef748d66961dd7df88d7cbbf6d021943244a67b040946485b297b5b260a7feeb71b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1f30ae5bf3a3f1132c054fcd34fad5d4

SHA1
98ce298d2dc946731cbed8dd2bb9747ec49473a6

SHA256
e2eb11497bc1c34a9ce694902af7ef93de32649c94cf7d4cd4bb1ffaaca23b2c

SHA512
56dd233675e8b5f207d860edfdf68ea58b7d98cb763f6a1b8808aad087643901146f63cfb425f8e7d9dc68bd59ae54fddcb567a5ca081aa321c0770b75387c60

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
934f172dc1dfa92c1b5f5f23473a1751

SHA1
d170955fa46029f88b4feb525e4f3d872f43a779

SHA256
9ea06df19e054f8e1baa8f5e9028e75784877d3a98afb12fccd21a19674d0f5d

SHA512
622b43548339ea241e14f2d67e6dda5b0190b1d95ac5f467a246919d60d9af45760c6c2037e059593771e2c25764851d13e765163fe8061254bf560bb2f111d5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
314374de59029d878182e46738113bd6

SHA1
2252f472b8b7d44e594a445126b334528e416375

SHA256
14923ee6ecf819f81449f77ae1ca6dd906d447a96c80ab31da3bfaf4e35e3119

SHA512
11df323e22752923a4df60d4003a979422b95103f26ba47c1babe808b3ffb165a8dec096d511aa5df2aaf5ac0ed8b1a78f80c59ee5116937482634a95f5aafd1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
509ce7381b948b41216d32e1bacc2298

SHA1
2f9e63e6ea2d86bc008aac6662cd812264934638

SHA256
9142ba9ff58b7d854d391b4d788611dabce653b8ba9be5842d3ade986d0c7df1

SHA512
4f27a45df6f335716d2aad4386853ad039bbf2af452b1a6061bfee1c8e2a5128954e72743949201813e6b69b5087f1d23c01dd1dbb86280c565ec5f53c3f458e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f72baec72bccea3128866def0b8b06d0

SHA1
4edbf65e84653abebaf45d5ca9e9073146aec8f1

SHA256
a7e8b2d080723125cdfae029a6691a19dafd060be4f51da5eded79471823a596

SHA512
b9fc3b142fdce0d68d5859e7e3e5041d7848dde0d9f022d1c61034dc931094cc7122e12e8b2b7714ff5104313ccb8520216514e74776aea2b4ad4c136e0b3106

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8ef2b3ce9a72099753fa3a541fbc691f

SHA1
ee4612d1ceb43a3c94d27ca6a9e131acc5f92014

SHA256
1eafbdf6e62d6e0e7e7d52a2330a7821da4ef77f44554c124e39faa4765995dd

SHA512
729a920b9a99108aa31eb81c30792682a2396eb02594e4b4017eef46ee201c6b7caf11ece0363964227b1dff954a1dd67a3dd3c96933c8cc0b860661b3c872ef

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8413a98224d6f28188952b3f0f96f3c3

SHA1
66ef40231260ec6dbc5f467ea288859a11ca0abf

SHA256
f3ad27823ea7cfd55449041c255a8ec27c76f76cd923e5a85d5f05831525aa6c

SHA512
7bf6f885e7f72173b319e493462b78a18e5375c34bec70af7f730d1c24f8d1fa50ca880e77446099ae3061127ad8c98b39fcfb2b35fea99c53e57c8f78384cb6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8f90cd7b1a3ac5ab1726441ffa330249

SHA1
32a1a45d36778a6e63764fc5e6648f3974624e30

SHA256
47b7d2d5150f663590d2332389671ae06b876cd0abc729186c388e7d4e980f91

SHA512
ca98ecec0073d28a7311ca6978c71e94724f0e0c89585dc6089c59db439e44393bd44d57496b9a195a2932d60fe818ba07f32ba52a1eb03f89350a048aef0ce4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
80ad856c496112a1dbd7cfe4d3dce8a9

SHA1
280a23a075752e10e72c6129b2fecb9c0e115e36

SHA256
bf92b83a68d2bb5b19a6c5f2cdd54e00f185c83856153869f2ef61d7042765ae

SHA512
99fcdbc2e23b4b1092f8fedaa8f19adda93081888a5f7d6a6a51c76e4c17d4ca50ba37a8401a441d1acc27b8c0df3e2ebc85d2555d62350808a32d0abe959d7e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f0a996fbad41688c5d94df1ddd8118d

SHA1
a80c80c4f0bbd75c41821b932a5e79647d8b2c98

SHA256
f3da77731fb7833550d2ee211e0d3b66518815ea1b52d6fa7d50b9c13dcec1c3

SHA512
0fd1895274e769fcac2a1ebd19a7072073c54e949135a8f42d207d9ffdc6c9a6ebe5979a1e51c721634ee4b56be813d9fd36fb68ae79f957ea106f41beae4dc3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1cb339c16dab5b0fce274c76bc975f10

SHA1
da7971a7528ab38e95a4faad3963b167aaecd448

SHA256
f49b5620c7e15c4c8a174673cbc4ffb7e2892f63a129099e599738f3fefee5c0

SHA512
866d435b8adfbc1d43a079e7a6d5620ff70b0ee780b12bd630ce332c0ca27067831402e5e2fba25d094637a9e592f0be8a2e2de9cb3f299070fa3011f8a8076a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b206b4b43527a34a182ddb696f46737b

SHA1
f2451f08c67fce214aaec9c86af6a977c2961b2f

SHA256
d1ac5756347f27952d77f2138353748522cede1f1ebc11245661ee1615c91a1f

SHA512
3de70eec8664b8437bcabbcd562c0abd2cc519073a4a32894fced9018b1001a2849d43a76d9c54a678aebae13443b8ecc96f17247bf213568c7078506a2ccb4d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2cecaf7f4669a3a62ec75514608ffa1c

SHA1
f57c9e6ac48c6dfdea4d2d6b577a730492d79070

SHA256
b9406ed3b174e05e4f718dc68b2c1ffa732576700ec938fb3ccd96c78cdaf98c

SHA512
b658ef7715a1d440c6f3e38cfcd516e9676267cd93bec934faf373ac7b5ea4fa7296a422e88793c7c1700d17ee96f5f37bd9f1a10ee3f5ee7cbc52c5b3b82a63

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a24b13bc51a2e3ae422712daee85e0d9

SHA1
2155a77318a7841aeb0ab112f40405e52f4be9de

SHA256
c126a00a47383a8eb6561973386604d22a5021d4826a73fe2eea0fb90b3d87c3

SHA512
3c5b916db11dc2ec3ec098db349a63781172bfbf14c480df1671512420da00e71ff0554115a58c6a0a78a3c2f6673818e13f9839175da7017cfdbf29ffea42af

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5ea60bb2c0679be4a4a808f1b8012cba

SHA1
c0edc535f75d0a66f3d1f37357b006776b5feb63

SHA256
98c612e0e0820ebb2919ff0c2026e39cfac28468ecfcdaab9794f4eb1fc0d388

SHA512
b4fb7d537911e1810296c71a95e65640eec5d82261616559cf7a3f0ad2179aaf02f0b3d67bde8b0c9f6730dbec97927e621d103ac3df593902c53186fa2d71fd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8ecf8384289d3b0725904eedda154745

SHA1
cd36d21e3a123e4dbf47a91ae09c2e91de01cbd8

SHA256
c43f9f324066a379bd124cae79dd6ddb18cb8afc34b88f11006cada637dbdfa1

SHA512
51b24c9a672767d68b4c72ef0ffa48086faefd6ced0e6f1bdcbc811eed47925973bc9f518818b4b844b388c699a4d16ed6f6fb52f1bffe488101660844980b9c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e50d2dc6d498b1b238de317fc95d252e

SHA1
170d240c5392ffa435f0a9aab84ae3f954a8d14d

SHA256
88afd5a1dc574cd287079a9ba519195082167ddb83e2c9151eae77ba431eef2b

SHA512
34a3dd39264f69f5a6f32a91c901676f29892347ce377fda7220a92f8b1562982d95c31dff8443018d6d801a77e5e27a0c07a86227a6fc2b4f2bae79b3402cf0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e6d1e8ff1fdc41d79c0ddbd1e08917a8

SHA1
709bf412633ad3de28d0a3764c80ce0da1d25ad8

SHA256
5c64ccf366d35c597d783746c449fe670e19076a8451ff54c8afc2edce07fe86

SHA512
fe61b89a4757d5eed087da63754015a319738612faf39a6f03f5dfa61ef641397cfda2bcee6f8b1a6bbee782684f9b9dbcc863f60cfcb2d56490b0b30f8895fb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6276222d0302d3a0b19547ec7d8cc2c0

SHA1
3403f99884a17777dfe699147d4fa01479fca10b

SHA256
5bb4b78ef58b8ee8ee02d1a1ea04ab74f70acabab991f2356f831dddd877882f

SHA512
dc49811b96dae0a7308e4ce282188e5fc946620c4e551547991a40acc266a87d8240f5e04c5736eea77dcdee29a59d7a3e960f1ed7017fa451fb71fe7e904778

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
020d86a8d1100f1ac03c64e915ccb095

SHA1
ac34627372a86ea056226ef4f8b0299474af8e97

SHA256
621bb1ef767db3cec6190bfc5228c6b0b9ce0001709b8588f9c794c138fb44eb

SHA512
5e0d5b70ce2c8be79e11015f024e11872cc535162def59c78b1fc0cc52c1ca6224427f7887ed1ccbc3c273d26f93f1bd464fd2d8cee9d66ef0fb5d143170cd89

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f0a59c1137ffa1ed75252edf514b789e

SHA1
7a1c1942b978c69518109848c39e148b35f87aee

SHA256
ca19c3595c0fc625aaca9e06fb97d7b0ca17d34ea0b0542e40680cf5da1c189a

SHA512
82e1e4cbabb7c6793947720e960a71bd53df7bc075c0f330c8130307196988e8a79497649e35f6b30e7f26f11f7566228f16cd3393bea8c1ff3dcff3ef667ee2

Download Submit
memory/748-134-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/748-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1032-194-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1032-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1612-0-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1612-84-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1612-469-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1612-72-0x00000000051C0000-0x00000000051D4000-memory.dmp

Filesize
80KB

Download
memory/1612-109-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/1612-160-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/1612-2-0x00000000024F0000-0x0000000002556000-memory.dmp

Filesize
408KB

Download
memory/1612-135-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/1612-8-0x00000000024F0000-0x0000000002556000-memory.dmp

Filesize
408KB

Download
memory/1612-124-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/2184-148-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2184-403-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2712-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2712-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2712-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2712-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2776-101-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/2776-107-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/2776-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2776-179-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2796-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2796-155-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2968-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2968-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3208-121-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3208-292-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3324-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3324-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3324-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3324-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3432-444-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3432-183-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3436-113-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3436-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3436-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3436-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3444-163-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3444-90-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3444-96-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3444-98-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3536-441-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3536-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3660-446-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3660-190-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4408-115-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4412-156-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4420-440-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4420-159-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4436-62-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4436-56-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4436-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4436-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4436-66-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4472-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4472-106-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4544-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-423-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4692-151-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5012-78-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5012-85-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5012-158-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5012-86-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download