52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Size

1.6MB
MD5

134f063d7cd47ec9ca2af5739d0822ba
SHA1

5ef164a30fc13d7681b809a999f202ce8b4ee411
SHA256

3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb
SHA512

3bd1092da887c23ed2e663cd211a915b19a974ef4b17c368cf90ef781795345ff0827bd7abfeae111a6ffc00d34b7bee5a65d535131b083e855d3c9737618ffc
SSDEEP

24576:6xozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e5LNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2208	alg.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
4728	fxssvc.exe
2012	elevation_service.exe
2056	elevation_service.exe
3068	maintenanceservice.exe
404	msdtc.exe
1888	OSE.EXE
4812	PerceptionSimulationService.exe
1784	perfhost.exe
3024	locator.exe
4664	SensorDataService.exe
2772	snmptrap.exe
4232	spectrum.exe
2152	ssh-agent.exe
3880	TieringEngineService.exe
1624	AgentService.exe
1400	vds.exe
4128	vssvc.exe
4852	wbengine.exe
3700	WmiApSrv.exe
3992	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
80	iplogger.org
81	iplogger.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fc305cf87cad7dd2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\vds.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006740f70b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5cd490d7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e92d8a0d7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c9a940c7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000792f030c7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe
1096	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeAuditPrivilege	4728	fxssvc.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeRestorePrivilege	3880	TieringEngineService.exe
Token: SeManageVolumePrivilege	3880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1624	AgentService.exe
Token: SeBackupPrivilege	4128	vssvc.exe
Token: SeRestorePrivilege	4128	vssvc.exe
Token: SeAuditPrivilege	4128	vssvc.exe
Token: SeBackupPrivilege	4852	wbengine.exe
Token: SeRestorePrivilege	4852	wbengine.exe
Token: SeSecurityPrivilege	4852	wbengine.exe
Token: 33	3992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1304	3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
Token: SeDebugPrivilege	1096	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3116	3992	SearchIndexer.exe	109
PID 3992 wrote to memory of 3116	3992	SearchIndexer.exe	109
PID 3992 wrote to memory of 2744	3992	SearchIndexer.exe	110
PID 3992 wrote to memory of 2744	3992	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe
"C:\Users\Admin\AppData\Local\Temp\3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9750229dfe19cf2d3d7263bffeccfc01

SHA1
e3410fc08da797b9c3b6aae9cdd1ebfe8844fe2b

SHA256
985e72c161795b6c7f4914b0e6eb078be9dcae4d95b26b0e71979aec314a100e

SHA512
7395c0806719324e69daf83e9d34b1878824080b9392b5b6398a2b3c4c9992486781125e713af77f1f22ab7845e6895cfae6c0875ae1029273b3e2ae974c04e1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6311829beb20b92509c5610f57d7ccb8

SHA1
478829f3bce1610e3c69096325d72b1cfe2801cf

SHA256
326d05974d86120f1e4412fb852ec2937f1a684823ab189fbc3068364dc4a796

SHA512
43803e627b6dc445a61bce191457426abf54636608651914d8467be560e62b0a222810daa673746a7889a9e0c0fca7d4ccbb47e7a2a4650da7948172ebb5de0e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
416af0bc399e9b058c9394b0c93b0d3c

SHA1
00462b599e201eb1eb4f6b0508795ae9d09f690f

SHA256
17a19575d602ddca138306121540ecab9fa637ccf16b8663c1722f088918b5a0

SHA512
5daf75b88930b9ec51a41fa246231e9935225c98c865d92f16acb5be0e642b4039510c9713fdc4bb9622cd00e58f1799375eb046f0be17bf6ed58a204dbb719c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ff71a90e34155d666ba6486142af5f73

SHA1
9892b3e7c95db094cae58124960f61e62e7ac5c6

SHA256
125ce293f426e10118cfcea36f3d9e7ba57d33f5cd140e7f09cf5010871d8481

SHA512
569ccfede5026aaf7d9971f38e0c40727fdfaea1b9b08dfcb3780daa0e371ec82cdbf85ae3503130b91b3ece57b4cb46155e874a6a24b1f992df97376273c2e9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6ace36bfb422890bbbcced4209cc2cb5

SHA1
ef95d893e04360cb79a124f4f9a4fd209b05b64a

SHA256
f9e21732acfa556da4203340ed0d14a34bb46f80dfe307ec939a0c9ef9bff4ca

SHA512
d3e1a14eb58a61f0b64732f98cdc7b959934572e7145753c8c65a739fda4195a327a3e701fb2ed132a9d0eda023282569dcb36d42699289cac036df720d52b44

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
33531e44fb4ef9f41f0717b3e4906b0c

SHA1
0dd9d13ee7903ec87d482db1021f5f3077bf7f38

SHA256
c819ee8e8c5e7e7496c85cddc3d0ee153fb7a4937603ade7f7da07f838153127

SHA512
23f3dae3775528890babf70d332d14e07fb7905a2c1a830a5aa7e6232b7125140d7f7fd9fba3b03476ee9338e228647854f9c1ce591db545ff8920c953ab7211

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
2f2b3675ff577d7b20fc75253aa0ce34

SHA1
d6a0d355c2f1ff04a14b8e2dff8a4101f4d41265

SHA256
4dbd1f0c3c17866aa91cd91408307f9be88914e04bdcd03489da4a8ef4a0ed72

SHA512
c1b725fa7e72e1403fcc8c3957c83ed693988cae8f3c1887c0eab2ca1e7e60583fea2c44a5ed7888155056250c4ac92b5fc95b784a2a030c7637c4b01b5090d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
69547cd445e262953625b250c6ec4026

SHA1
b05a1600e9e05c833eafe6f317efd8a1211487e7

SHA256
66d0a78cb4ba1a5a45d2c6ea5ec805a093d6f4659ee80fd4d92c952f8217216d

SHA512
4532d321d24f27c49ebe4aabf2998902537077cb6a05fe166ea3041224537fe38891129e9593c6b506c489d8305abbcd03a33fa186de439287bcc08ae7f92270

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
74157ac3e70ba4862c8d64e092eee35a

SHA1
60a7c5afd34f9e629ecb364e41b61a2556621d93

SHA256
530487c415e4215f81b5b783e0c55fee3c6cc2a11a5565499f84116f36aaff3c

SHA512
9da92de18ceee7cb9b0f66588d9ab5d8269da4969df1a723b2c63e98db8b53de18c5e601d45c253f4f6f954fc46e5d6e74846f5b65ec8aff06217d9690efebc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
857d56037fa8c9e49d06ad28ce4daf8e

SHA1
a8b98f182e2a0b16d8d257530186589ffff4bae6

SHA256
5518d51aca2b53541caee75679c31b62d4e6f6de8613aa022d5a91fa84d57a05

SHA512
8314a1f6e51ce918c3e6c6b58c1849f4d1bac9a73e242415c8e23e384be01a48a3be5aafe9595ba01e9547b626bcb87cd78673e20446c28a93249455a8ab1506

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e54262ff743bb0b24c9ea8ee2cf94e1f

SHA1
6e403dbbdb22f402345daaeb06a595e801d12db9

SHA256
111db0aaf1aa257455aa43338938bbb0f4aee6d1241a0610a1ab7ef723a403aa

SHA512
28ac7325f0ea08cef11517ccc0eb6e9eecb1600f781cdc3245015043eb54be86c757509219241ba00ed0b58576a23a916f9cbd39c6a58d7f8b1712787223f9b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
04a7e8b1b7e9aa915aa536ed0a5b2f02

SHA1
1101869e8f04356aae93ddb471d82bacbc6b6894

SHA256
87e42020293293ccdced56a57a49310b6e67c779bea4d1faf38c57a9b6f156db

SHA512
c762faef9db05422883790d09854c75b9a6763aefa3865e178b4b94d21785cf231dc508cbcb4e73f3527ac5ed0b4c4d37bcd463a994f1b18b999ea3a7bc697e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
387b5862a35eb960ef7fb36fb0f0fc50

SHA1
70874083d7e706c0524852afc1fc6a8181f0dbdd

SHA256
047ce36778e71043027996c0bf35502f5147161487e69002da15bb0f667e5453

SHA512
3451347121811c8cb6e219f27e1796850f139e7e8ef56b940e98193eabedb03e5e50de0c5d26e3d5edc75389aaa29d5151de302255f47ca0425b6ec6e5a4dca9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b3a89f6705a0a963890fed32be265130

SHA1
b41ccf7b7dd476bbb30a2d030c2f9608df163a72

SHA256
dcad2a693fe3c6ec6f50e033f138ebb64756f5c98f18e3a7a10520b8660ee4eb

SHA512
1eb738f6b60822aec6f278dd265dface57a80cbb6de9b5e63e7f007484ff18a6b02f11c10506bc59933268df06bf5b2acd1bee54e7d0538ed74e05a4e8ae0967

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c2b5a5b4a4eac40c0a4d829200f323fc

SHA1
38ce5bcfe1f856535eed6b1a0f3eedc091ca5660

SHA256
eae2c4d2ecede6dd375b14045f5803e01bc1bcc1a2804038afc4fcbca0aedf4c

SHA512
7c3ca2a5dab2e5daff2026b463e99487049634f3e1aab319252e7a328a50e08d1d76cca7f8c3f1dcf4a8fed415524a40db7b0f3a520c82b54a9e733a1be66be4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3e13ce331dd42ea3ac98cbe012503ca7

SHA1
568db5863fb61e141d762509f77a1014bc9026a8

SHA256
2b7e8b2b7c121004e91d5569f0b96f93e3bb87f5055e2280a48f00811843e4d7

SHA512
0dbb83890b0a433a23220193b0bc9ad7603019a64f3e0a927cdac554a05628b3a912f982924976dc5069dbb91312966a91041f4000c1be6ef0f157ef449ef637

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
734fa4f85653831793e5289a62c0b08b

SHA1
69ba74147830b4666c6cb453ca52b36314c104b5

SHA256
fc2b5db12d4532952bea500edf02dc7faa97b716dc79c868b921e0731264a68e

SHA512
200d18c7960053a3cfc12bdfa62be6cb4a26b96899ac15b94191757a045bf872f5ecccfb3d94a0b77bdd93736c3ff94d6b58c2dd12b64e2750dfb42e7a8035bb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ebbd6a445e10ce250b1f9f806b983435

SHA1
dae654fec9a1a6e64140e45e41312e377a4bcd0c

SHA256
3cb1af542bb82d299e83ccd38ac31f61a0a18312aa9416fcde6ac190beee95b8

SHA512
998b32812ebe29e9b07f9492a5fc109f5f8d3b8c7f9c224484a0d3c31b71c9aeb95ed6b1faeb3ac00d30a00bd66a4b7be456c85e9a5896d48362fe50d0dfcd53

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
bc32a7c7ef3cc578542849f49cdcd3c7

SHA1
7befce539539ee0790376b03b990ff88e345a2ff

SHA256
61027adc20a0fead9979f64b296ccfb1e9e2a2c2af117c5c423a1b2efc2d2b20

SHA512
fba79dfa301c0450e223f7c28cccdf2a3752fc148f1c5ea61d98edd206527dc59bf5e3312fec4d2e67d8377742857fe0bc8d3dd2b00f0365b9bf8afcf4d37747

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
db39f04e3d2f88ce52e1cc6a8a5bbc5c

SHA1
f8e9fa322d7e2c11d1175b75163ea8b243173287

SHA256
b6c67b983107655cdbee50217214e740baf8460f65666cffac2343ef9404c976

SHA512
7b17103b434c243512b3fe94dffcc21514ac56cd29d4b6806a6fd49cc34d4778508c63db19388a15541433012d4a8c7395bd413fbc27ca63021bfe9f9394cdf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
237c1e8e68e10c24095bc12e2a72843f

SHA1
f1b16c420e273977cb96d731a73c7f24a9fa7c0d

SHA256
f6b47f34abce7dd86bd754696f2361c66f0e2e4c752b110a5e58dc81d16287a8

SHA512
26dae81976bff4944932f526dd64d3bc25668d5874f19864532d26314146d4914fb16130b29d45964f33db51451a96e6032b0455f7e782736e05e7315505fcb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
06b821cf30a1f157be25fe6a839cf7a5

SHA1
775f9cacd2ca209f7f32c420af631f33cd835a5a

SHA256
f608da27ce60a679bbcfeb3113725bb0127ce9d4624acad07190ad0fcfbb324b

SHA512
309bc761730a8e366864b9bb706797e0ddbe2f312bb9c8ced2436156b4f45cd2b54a8f463e12190782a7038c8215d1031142cf7ce11c343766f45e369c30b733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f345c3eeb84957bfe3f2dafbd011e869

SHA1
2f452fe72c789b78cfbbd572ddefd6de85090b32

SHA256
7a259bc41f51252d5912679bad8c63b77b577b583cb35b8a8c8b4bb2112e6c7d

SHA512
f210f7d5be630b7edbfb237252458e7d82b518c588f82c7c4b30fd7d57c27d87b136c87ca3966dd1fc67f14159c6ede2749b07631586975944ef4851dda77257

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
06cfafadc04fc55e7c86ab62a5a5c568

SHA1
ba18398424295e9e1619bae62f8e689710ab1c52

SHA256
242fbc763abeeab22975c7f771b156496a760e8cb97c95c25410f9188ce8cb40

SHA512
92f187f210c143be2efcd8c0bbed9837cfec5f63d067ec8278b9d72e6a4ae8ff4567854d2c0af9dbdeb057b02e5f3b11968273bcf9a4b7dbeb24077d5a53b568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
88b16e04a9cf9b8682b623b1318bc6f4

SHA1
ed77b8f7379abce4b2ffc7ddd3b2c31732d13f05

SHA256
cdc93b6a40a24f7383afcaf48e22d74009a431d5c20b9c4fed8595a097c8eb48

SHA512
fdc3100fee41c19ef3f0e6564352bc1975ea9115e7fc03f3b8fa82a3b111a8261c552c06509695221d12b9edb8adecbd89a5c0578a9c276d18d8bf65226b90bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e2d2d294e855d4a2c134e812e2579696

SHA1
d781505b95b378bff7751380d179fea57a8a60cf

SHA256
fd530700b794aeb2b5760bdfa41e4332c29f60c23e009453ca5bbbea8d3c0e64

SHA512
3dc7d0602d344aaaf706b883aeb5f09d8949b5230716174f48896ca9564c5f121fad6ed62f902da305218d80faf786953c3f13646cdae5a0a7f1cbd248946255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a576ac16eb9fdd267ee6ed675161ab26

SHA1
280e1c06621561e575474b042c65c13513926428

SHA256
9b11b2638cf47110ed3ef0727460d6912d3ff589d1925324506cbbbf12418daa

SHA512
46c05645e044ec9bc3eb4c155c100223ebc54887171b9eaa527645ae5bbcdc98fc66f691a21dff9585fd9c2abd7be6494481d6f5427606a87ca792414bec5db5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a7d4251282820424838ab22b5189a7f5

SHA1
54b54d013b4f93f5ab0b5bf5550863e7512937c5

SHA256
8dea0eb5132125fa438395e0068a4e1557614b6f1e91ced74111c6fabc1a6fc6

SHA512
6b6b9344ab4c2e638371c6d5db2b9b0bf812ef1397a924c5d8808d2aa679567867892a6ff2d371c2ae903b59b0599ed5295ad97570d5a478231aeb17380e488a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
469f73c79f5e287077d26af876ca3442

SHA1
c6c3a093110931cdd897654624c5b2f4056b6d8e

SHA256
0302805eb3a8afc24d3cd8b562eef04e8237c90b858419ab1c31df8d7d0d7aea

SHA512
1495972d9ad78d4985e2dadd669bd44265d2a40374aee5b7e42c3335241f11862a66c180fbb51131b0ced58fb6828ea9efa207667cbecf47123020e7cdca22fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
308e9488670003ccdf92c92f5654699a

SHA1
aac98091d220d599ba26b1dfbc413c99e21324f3

SHA256
5b5ea12456c55db940f865458c14ef39824ad880d84cb1c269357256579e388e

SHA512
8870403948d9e8da636cff7b8ded983ffa21c7805c6f4cf4cc3a8c398fecacf885013e23521b6995182f20ed2f5e29280af8c137d2e678affd9cbb738ea55f09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e90f974dfe8c7fe6a5b24ea4ce19b7a3

SHA1
8e9d4ce42ac7bc1094de61e21a226e042da9c7e5

SHA256
5897c4d12bbeb9a7ed67efb0364444ed23a87a30ce75328a65a743c3f3fa479e

SHA512
dc9ab9c4edb8b64e95d9cf6835697948b0d84ef5be5e93243e53d1a637534909f68bb84648ce5760208f6b0515e3c1940416653fa3f5f6a42f64d99d80528b2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
aef31fc63685fc3a36f5d91253848bff

SHA1
aa376eff8fbd86d10ee21225230eea48855d3f89

SHA256
88c006c5245be3b9420ac4cf1b0fc9db89a0f63dd77c569aaec0e42e1e59b768

SHA512
5801bebdbfccd34ab77c0faab56fcf11d7046a60a7dc212ac28d7b4b1e35b645ab49bce8c6e15d4cf43352c80dfe14837fa3485a4d74106f5fe00c9d6974a2e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
744c7a28f3e8cbf8846775c272880111

SHA1
43ab26815783f232a3ca5fc176f2503091acee62

SHA256
673d8367dff2879a5171cdc152c98652a8f8c13b7880c3fdf5840c898e65b5f6

SHA512
c8f4ddadb858a6bb6900fca4bec41b6082dc4db94313020838a7db2050e366e259b3592d4f3d7bef5354980d2710615f10d84a7bc2d5179107136ccfeb867fd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
fb32a470764eb2c5b79306f801f757ba

SHA1
9568e2e9a110832991ef2f6527fd1bbc35bfa644

SHA256
521f83a54ba5009f1cd22c5c593632a876f063ebcd08545805464b66b593d3af

SHA512
23a77807af80cbc2877212bfdf2dbfbdfd23daacf5b9315db1b1b929d74cab599925fb9587e490924d0455a70289db133bf10a49cd8581714c27e71572e82f40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
3fadb643526ef5c91e8a0d7f8c16a1aa

SHA1
f30da7a4b75585297e45f422eb163556b846bbbc

SHA256
4f74e05c50f94b788ffe660d078dccee7a2b27f4fbac7fb65ecafa16b8cdfddf

SHA512
dfa17ae4374b07a003b39d377423f355fde97e1f6e8a514511bf0bf194ae9ab90bd5e142f765ce2fc52f6f9535f88e4290395ea4ee053da49d7a7070856c4c64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
a8d9df5256b1288e72ca8f7117889e1f

SHA1
5b20cf6c24609b52090107106c9f53e192dd5b88

SHA256
97a7e97a741e9fb5ce146d5abbba866f95c8567e6a5b1cec5d98c8b7bf6b9989

SHA512
71d492b00fed2d541f23ba9ed58aade40fc776ea47a8a6f39b79f2538fbe8cc83bb67a15a2eee475e3b637ad3307a482284ee20108ba6fbb9a626893b4758698

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ad146c6f5e4697182076cc8fea085a46

SHA1
82eb3d8c2a5f3733ec5b639ec0b79244040de54f

SHA256
e410bf60b6e2a35d5f8fefff54e944417cc76a1016153ed6b8d7c7e6a9eecf9e

SHA512
0ab2c5b9e0c1db808ab723f5d54fe238e68409f0a0b20770909c3766fe19b161a11ee44bee74179b1075a8c5fafe97d8016541e01ff0c7d28e3fc75747ccdad3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
8041305c335add648c2a9ba0785aa979

SHA1
e91d6d7f350bcf9affe699aa8063b1b08aa5a94b

SHA256
b3a794c3b0f43ca0fc44c6e32715a28bf8c4d207c596c363d0f5acd46709e6d6

SHA512
44567a2846d288ad4754d28bdbb29460c93aeb414f5f070133af55ff036f20b6cdeef9c4f9ad2a7b327bc2bd124d9ac0890fddbb3901bbcdc2616b0425f497e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
51b835b8878eb267054104104d9e8252

SHA1
a35e2ceeb4660857532853fa5d0bba6a3b14ab9b

SHA256
100f86ff077fd39aef015606505fc110fcb2d7cc1873a23031a92fea0665ff33

SHA512
71fd677c7dbc28bd79d9521aed69dda1cd5dc702d4569ea777672406a49396786c9ac0f6fc968c17eb14ee2872d20e646e891ce9dae43def38e72b59f1d9a0be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4b520851858ea28e2646bacf7d08d023

SHA1
17f178c3e11df28fcf53836f8cdebbff43a40acc

SHA256
7978542b4a93c907e58e03356080c80ad002d6fb039cd1e5f9a51ca81c9b9ccc

SHA512
3526e5845c044af6bdce450b758c1ccd25a2424ae9651b9d6a886c6ad60d66f4fb7275634a90c2de28a417812ffe7485babde91eeb2a5775a583af8959478ce2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
67213964540e05604fcf4932060d42c0

SHA1
17cbb4b1d731390af5b1670c4f0f7d46a939a681

SHA256
3a1fc09535f4d5e1feb5e8b29132bd0f34e9b12bca11c8bc5c7629b5b5bfea13

SHA512
50a0ea81513edf33284a3139a5f0eb0cec8c23b8913fa4d6253cd460de6c1ef0987fe1738619d81d08a342f6c6b4fb805b6f5229b4704f991b6840f18fd98d71

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
26b4023eb362e6ad8c4fcb69fab23b06

SHA1
7cac452bdaa9955c793df7771e3a0612807813c2

SHA256
042062f71283196f9b04db3e6de3c305dc3e0846e2f5e7edda4413f1337d25b8

SHA512
a95e81050072fbf1369017775a719dac19b9c3db6a68de256636cf868a06a823253b8da7a46d5275c655b00c63e1b5f8ee018f2a03cb8585e46701096218c261

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b936634815851341eb4c60236e179806

SHA1
0e56e65b81d862d4dcf4315cc54f344374afe43b

SHA256
2f6f41581550edd2b8c9329b22c1ac4e44c3a152e005f9a0866314af96a39e5e

SHA512
d53e6ed9d837363ae6675060355849a7c0b91bb8f0667e0eb390c6231f40dbb1f3b47966a047fb7834086c799aeb3659aaec065f2645dd06c08b06f729154b07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7dd900b94b1208a3396860bf248ae2d0

SHA1
d9b2b1e3e89af06305044af483e35125f1831e51

SHA256
a7186ae210030fadd8380c309cffa90ddb88fcb9c4739943f7d943183814a047

SHA512
c0967962557de3081ba3fbcecaa8496f98f92be21cae48abd61fb7e6bdf33df3c1ddd04749de578f7cbc55391eba7662acf62f9db9f90b9e527315ee3c7518fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a8e6a8f583a231cd7a9ab553595d5401

SHA1
8c0547069e8ff36818ed9e940a7b71e0b9af9ae4

SHA256
85eb380a93e0c546b4cdaab17f997530dec05f9ad7b1b9d58dff8d8313db4234

SHA512
543f9aa6b87645546faff7572006e17cae9231a5d7c3641fb85dac137116233831c4486cfd41af5e42c1121b98a8366fcc44ef36796e7ff7dd39cb38aff5dec1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0cbc697fcbc475f70414df50f9725617

SHA1
bc9141d8cf27ad6c77cea6bac8196a536b2a670d

SHA256
d76f43c1d69e5057f71a972ede81c445eeec9b925b7a49808f5255647b9bf92d

SHA512
b1933c5d8d55ef88595157faeb96e7843a6430151c55f6c4cc5a308bca25e5c8d3546f4b31b7516e643ae493061ed628c58123c5575c4ca0d87fa5aa64bff8ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
399390c93cda3142949fe0213ae3bfd4

SHA1
64d4eaba8894343436c4a19cf60f9e83311f599d

SHA256
781159d215316dab03c4234176bc06b7cdcba1ff109cd9f050d156719a4745c5

SHA512
db6b112e677f6bd169c10800125e47e81964f2ed70e0499576dbca479442ff043f46e80d662d1aac2b51b1a85dd575b0fc565103475e816477ca84cc8f967ae3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7fa2bc39a87bc3002e6a69153f1b152c

SHA1
684feff27d13fb2bfdbf9d6bbed0288c03dfd104

SHA256
f1a2dbdd6a8ed30cb4cf901e1cae80c0c7d08e62c5820617a2db65f60380dd6b

SHA512
ead51ffce67b77bb13dc149008753d56b9ae88389327be2e257b6f650eaaf6e4d46601378878c56f6838526d584b22944b9d6fb5fd2df3fe9d3b8db2e209c70f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d0b5839227336a6ed43f08b1831cebc4

SHA1
09e178064ffcfa3a010a68b145c8f28d2c86b399

SHA256
e7d4204d9e45c24b62767381e9cebaef4909dba6d53b0d5a7b975ce4c77b7668

SHA512
08ee5a1deb14f11ce91c3944b02a4df9fc8a642b9efae918afe8814cbaeb9c308d9758915353e33ee1b059a927354f18b8d322351f3570fe6c5e51d777c341a4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
60d952e0168f40d5d783b606667191ad

SHA1
b38b8e3ecafd6229d90c4afd524e93a72ee06dc5

SHA256
c039d16694a9a7cfb297b2b4c9f61669908233ce8008c0311869041d46a2a45f

SHA512
1afbb60e2642430adc23ff1c8ea5f9bb8dff4c498bc8c2b055ef23f24888309c4cb677e03495063abb899c4633d1705cb0b4864425ebfe7ff2c0f93305b3459d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cc3a75eafda365cb79292749c03e0233

SHA1
0dfd20e7a9e442c5de2ddd6b4fc6e03416c6d746

SHA256
b09f7e4812c98939ffc4aa6c30a4efdc1c0950330a08064f0be36927911352ee

SHA512
e71501409f3c84966c8a6e37336edf9b516aad394fa8650e8698cc4a3e9c303b5c1dac903a545afe533510ee069a981821aacf93a91baf147f6a2d71c15c9e18

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
63d41fcf40ace2620e1c8530dca5ec36

SHA1
dece7e2b79830907139354ea92c0aff780c18fb1

SHA256
2281c56d00249837242259228696289abb19087f7a1c9d3026f1003dafe807ce

SHA512
6f1f03d5e79ee4633c79cfaf7c6962c5fa13cc6681a99ef8c52054106e855bdaaa8c86051c32aa9a460b305817c7d92b081a47a32e98cfccb6dd1777e6b7733d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d2babe5096a6572baeb20d90badc1274

SHA1
ec6390543aea79e6ab45ef05d4f967ef7a696e29

SHA256
ff0b8b02850eadd9064e7606e8c3d3e0ded7c724c3c23cf6bb791cd7d129469f

SHA512
a4bc57d1513b613d6493a6720e76d5d4a59511871aeea44172896291a3741d29fa342551d23002e1fd0d56d72376366fda2b5b5d3a8e0e243a1dafdb11bec33b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
94d69243719676148d345d1d4fb9a77e

SHA1
c9813986f90c4aa115a50c4720ef94b3bd037155

SHA256
a1f10c5dab922fd5d27a13d9002b63dd4fb7b3b3da984d8be6a0d3fa9d8c0940

SHA512
441b1a754810bb9e4b80cd621677c9c5d81862102eee3f539233ff072919f70c14dae3eecd228a60c7cae21e07bd0efdfac9138b27ce4c6265f45c22692fbab9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
16ae92ef00274ac159e5d92dcb66d707

SHA1
a1341a162b99a27fa9be4af905ac57f4b5154b5b

SHA256
363fbc9174738b5eae8d0790fd62377a637a5c84a91c69581b5bd3e66953f146

SHA512
046e3f2e0823cb7968b9b1b2607f183df5ed64f53208e4fd302bcc20b61036fa5e091bdc50c5cf5f841eaf09656383df4593452ad39ad621d291bb4a85acbf89

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
15cb1d43c97abf1e29feaf15c979258d

SHA1
1c6247d79f6aa1ada2029e8ddc7658e19f4b02c4

SHA256
d4dabf6c57384049a534c82b528894c9f2c11b9bb74f96e2fabbff595f4b06ba

SHA512
ebd4777e71091c74a6688bef15465f9041549a0ad12542cdce98e0b06b65221f202af5350b0befa6f9b8e6239e487dcd34c0019a8d4e38c499d37fabb2673b6b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
831670c4377e4759a2469c6eeb18616f

SHA1
8be02456ab0e6ce59ac1cea97a0ad2ec2090c148

SHA256
c66c844abafe922447f65be117b91510a05db9587353a000800cd333c9d32220

SHA512
adcf94fef5ed2a0fd660ca3175f9b561b00fde08867c2cbf9694b0bc8a17138101a011f90a837a87a8de0218e0fe97a2b1aeb4963ae5bace6bdf5b6695e43506

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7363b32825095d5d08056468e7331752

SHA1
3d5499a371531ef575b31df599b4d885db93b25f

SHA256
ef492a29f88077df6ffbdf95ac89c69b73f73790a6f2603e6bf808c786763763

SHA512
118f28dd1fd7755ac6df6a7ee3095f4390699c259fa9c535d1efca87b3e98ab09b88b151a07b06ecb68190fac8c900e9788d178e1c9578cd1a038b231e61606f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
515a265726e067adec1415153bbfcc8b

SHA1
d544996a7b9ec1f1c9cc8d839e721bbe7f8484bd

SHA256
169dfe8391a90cee95d4ed2affd539d4bbf684fa0d4585fc8af461f391b8cf7e

SHA512
dd5967aa8b6d9a2ddb19f6dc2f729037b4cc5f87f536affad1b52e0c56641505fb111f86ac9e9bcb41e52255e351a0ddad2efdbd2a2ea1a8c612bb5fa184381c

Download Submit
memory/404-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/404-172-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1096-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1096-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1096-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1304-73-0x0000000005170000-0x0000000005184000-memory.dmp

Filesize
80KB

Download
memory/1304-124-0x0000000006300000-0x0000000006350000-memory.dmp

Filesize
320KB

Download
memory/1304-114-0x0000000005BF0000-0x0000000005C82000-memory.dmp

Filesize
584KB

Download
memory/1304-113-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1304-116-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/1304-1-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/1304-547-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1304-0-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1304-70-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/1304-8-0x0000000002380000-0x00000000023E6000-memory.dmp

Filesize
408KB

Download
memory/1400-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1400-179-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1624-173-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1624-175-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1784-102-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1784-182-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1784-107-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1784-111-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1888-76-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1888-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1888-177-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1888-82-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2012-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2012-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2012-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2012-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2056-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2056-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2056-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2152-146-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2152-382-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2208-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2208-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2772-122-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2772-263-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3024-189-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3024-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3068-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3068-65-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3068-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3068-55-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3068-62-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3700-191-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3700-524-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3880-404-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3880-165-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3992-195-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3992-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4128-183-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4128-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4232-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-194-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4728-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4728-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4812-97-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4812-96-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4812-90-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4812-181-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4852-186-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4852-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download