52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Size

1.2MB
MD5

71b625de639825efa82e6e30d5e23bcc
SHA1

5f9605a7535173a804faf070f7a4de15dab9f50a
SHA256

7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90
SHA512

13f3089f3c9e490711d87d792769cdd862ec0cdc8888248df33628482ad381f61a150d4338ebd928fa204221cff242e985689b945fc3c41ddd90d4556ccab835
SSDEEP

12288:2iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:A/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1540	alg.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
1140	fxssvc.exe
2308	elevation_service.exe
4012	elevation_service.exe
4100	maintenanceservice.exe
3840	msdtc.exe
1528	OSE.EXE
1076	PerceptionSimulationService.exe
4828	perfhost.exe
3064	locator.exe
4696	SensorDataService.exe
3332	snmptrap.exe
400	spectrum.exe
2680	ssh-agent.exe
2756	TieringEngineService.exe
4760	AgentService.exe
4536	vds.exe
624	vssvc.exe
4140	wbengine.exe
4108	WmiApSrv.exe
1584	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\locator.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d163498d674cc675.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006446f70b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bbdce0b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ababf6097d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004761500b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6d6650b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe
4060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeAuditPrivilege	1140	fxssvc.exe
Token: SeRestorePrivilege	2756	TieringEngineService.exe
Token: SeManageVolumePrivilege	2756	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4760	AgentService.exe
Token: SeBackupPrivilege	624	vssvc.exe
Token: SeRestorePrivilege	624	vssvc.exe
Token: SeAuditPrivilege	624	vssvc.exe
Token: SeBackupPrivilege	4140	wbengine.exe
Token: SeRestorePrivilege	4140	wbengine.exe
Token: SeSecurityPrivilege	4140	wbengine.exe
Token: 33	1584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeDebugPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	2204	7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
Token: SeDebugPrivilege	4060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2848	1584	SearchIndexer.exe	108
PID 1584 wrote to memory of 2848	1584	SearchIndexer.exe	108
PID 1584 wrote to memory of 2112	1584	SearchIndexer.exe	109
PID 1584 wrote to memory of 2112	1584	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe
"C:\Users\Admin\AppData\Local\Temp\7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1408

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ca1983a48ac9b742f250c85cf1217978

SHA1
dee9558e69d33658c9298868f3e976bbb7c5dc69

SHA256
6d0bc84077ba1eec76db391eed57e752ebdc6aa251ec64c0f92dac712a1b6696

SHA512
46fc6e1de95f4096bddfaa7fb4f0c474e566fa734a4c7039448e2959e514e83d1f643f823b87f54257229a797d09e90eeb24abffe6518f8e6d4bb061f7f091b7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
18f91d33ea871c37ce60ad8781f93685

SHA1
0ab21b1dd0d187128403b5b0552e2251463d6258

SHA256
13271f713fdffcb0dbc06fa244c1045c5a4fa19d42c195f993bd77736266ac01

SHA512
d5e76335664b181096fc59f048c50657a94057a30dd3bcdfe847fa310b74b0f8ced583f45038d8f6a703718550f18bf26b0b62c99eb20862986bab49c8975ba4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
c67fab72c8ca00f9708e65ba1cab1aa7

SHA1
46b74240703c71ade3f699f0cbc6e82613fcdd96

SHA256
cee2b9538138e3baf423f459c0fba47318c5bf511ad06e13cf7de3f3c081197c

SHA512
d4afdc7dfb4819761ee69d07e467fc08e316267edb02d15219572e809305d2f4547b37209f367d429d8dd9e017b8226814c496b68a49a0c9327e32ad27bd7def

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6c7455ff959b395aee6a0fdbbc52f3db

SHA1
f3d8fa2850da5b7d985c80988e620c2298e4875e

SHA256
c7d952d74f3dee35ce3bc5c726d9994ac65a121a0c32e82410566d17f39203ae

SHA512
2c6e4a46e908f9df7f153f1f780936d787d9b06fd9894129d8d26bbe4db81f5ccdb38f8b7de725fecf4695a79a63032eca2770e45ef718e39f6877c3e758cf35

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
28f98fb1056d16058f9b789ad22cd440

SHA1
e4c9bde97dd93880feda254d3a2c11d4e485f057

SHA256
480b7b892c1b77bf63223bfef560cd5b027db78375e8eb712055a2884e0015a3

SHA512
5ad99affc88e5038b16603d638a2b17a6b92f6a7bb6d104cc44417a8ffa00cde7c5fc1f66e108ba7b96976398499276a7cfc2751ea3dece75f9af2d979e5d514

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
14fa672922d91457a221f2e372e7ff07

SHA1
e0bdc9e4cd2943c2d181669322384ad566ff1f62

SHA256
d862676cf859be0b1631a73d661ca1f6077035ce0012448f6518221b46db7bfe

SHA512
d5342039e2dc48b835e45331411cc8c8f36ac68e0e1bbef7c94ab8df23e881b8981ec02bf0477dccea9a353d0756c68d40777d81e1b1aca5a0c70c0314a2feff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
1f71ea66f31ec558ea75e5539beea0c7

SHA1
bee75164fd2649b2235d0ac0b73eee687bc9de63

SHA256
e2226ab7ee1598a9f9fa2fd74637bb2d0f336e0e5a04337e71834d3a7eaa36b0

SHA512
4c2f0c599603ae8bdf84563d87ebe0d74c078d238ec6e03a7701194f7b09f857ac619d7f1eaaded6660d0ab87ffd2a2e4f3a57f79a40769eecbb5b25079470be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
83eafa0b1876a3242556c965caf9643e

SHA1
44eefa9bcc18f387caadfcbb41dabbee91e0ff8d

SHA256
a4cc90707c0b33bc21eb7163709439ff850eb16dd670afdca7d75936e1255d6f

SHA512
c753321d6698c8aa9886c1dd698f88ec7ba030563e73808992323aeda74b735bf61a67417ec1e59d1dfa18dbff6a6de83d70a3db105cc9540403b591e878a3a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
342dbcb24d75a196f5a6fb7057fd1b3a

SHA1
90912c95918dde8ae2bed100ff8767e669729d22

SHA256
3680f1b284b0beaf3a9d1446ca3a874f0fb7ead75c6a5a22fd3ecb763afadf47

SHA512
69dbe7c4dcfd6e41f2b09aa3baf79bc1cc3601ebd8096940f9a23dd6eaa1addff3536191d8e499141da1a61983839f49d9005a8d78194f88d7fa890857decbdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
09cccb41ca409840fa8d71aa576005ee

SHA1
098286b0de5bf453a0efab94dc562337a0dea9ab

SHA256
4ce8a95e2ffa49b03e68c2e6923e2c496c694166e76e667df9afd048c7b341ae

SHA512
3ce35e85b8c1371f0cae935a77ebd7959caed2cf6154996df76502bd24e53071c31307ba6f9d825ede3e556e62daae4406fc8684c580f0c5f8873001e1558ba4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7756929e5ab654f098f741dc69f94826

SHA1
830e685c1ad3e7dea6a3025caf06f487785fcdd9

SHA256
901448fcc0def04ba223f31dd02f33b572c3396bf7ed729ea785e482f5583132

SHA512
6e4275fcb1851d2704ccfe37356dde16132be5d16dc80660785d6ccd9ac7e5124281fa44af51e573e8fea08a718da859664df31ba5c097ac17226a4477b64279

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
76b07e814b2a4d30d23b91e41d8e098b

SHA1
628212d27e2041aa4a80382e24736e5f1a1c7373

SHA256
ebf4ede7bf5dec163ddd11e0fddbcd637504bca749366aa11c373e0041950f82

SHA512
7e21502e445c1721abad54082cfb5222b45869aaa234aea4d8e6edad5b8bccbd8bc4a45a4a46bb3952316badfac3aa490b7264c8b79397a6e9b44f83331c587d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b39b3c4ae61d2391f3a12be0d30d7b36

SHA1
12d5cbedaf130f07181ae02a8fccd6746e29224e

SHA256
7ebcb2d0d85e94b478b6b9c2ebd13320d3dba21868bf77c26dd9105fa5c2d414

SHA512
1b19db062baff64912fb6e4cebe1a6ef8131266d53fe5c47d0c94c4b147a798d7f08d2367bd822c890dd1971f28ce6b2b9f71a3acbb02bf35d704487994fba66

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
1af6ae1365bf6d30caa51502fb2016af

SHA1
a1f52000de6782af0890f0eeaaa2f2d9e65d81da

SHA256
21541c830e4631d266c178752b9a7be39e9e8e7bc87eed9aa06b7e909a2ae1c7

SHA512
e65b82f892b88c4910533a5a6b9e6c3c216bd45e51766a9f82977d80e08c144719ed7045e46a4ce57c5d88a3bb94725fae047e117a6942b52896cf7de98ce7bc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6b22b81f01171ee1dc30865431127b28

SHA1
ca7a077ecd25077e4a0aec86911697a37c3d622f

SHA256
de89d8f30f7a0ef6524b0de53110de7da2749a7064daf8ba88b928b0a618a30a

SHA512
c24127cd027b30ff8755a37bfdb813799cd4d2fffcdb40c3d24f09d403581378243938c589bad5dbcce9503989a002f8803c644ee2a85bf32947ee8b60c778a6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a9a484f76762a1c812752b31847e7993

SHA1
d8f48b9c8f0f2af9570085f372aabee4faf57e40

SHA256
88e526e5b43e3b4da103343740a1feeca20ac11a00744b11b7889fb67b0acc97

SHA512
4d6c3291edc7e521bd4c63145dedeb496bd06ddb735ebcdcb7939cc25b3be4b796bc1d04f91ade767841edda26609ec068c3b9e583fed842f754b0b63917df7f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b47740e5c30b006a062f201f05adaafc

SHA1
346fc4ad19b311938afd392e32fb2514d0dec98d

SHA256
37992d3b3ef28e81c1ef4c7cbf9df4965e54310400a845baed663584f9282933

SHA512
deccc3491a275b4c0ea6e5bc765bcdf135644c14e0308b32c04ee88dd7e46617e6076d92b2a7114e45abafa8374ec721375cfda5a6b33c0f327aa3f040af2350

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
59d75e9bce910893dc191ce85c5d9cdb

SHA1
a5a308376ac49e492f40634a729939911e4109d5

SHA256
c3aa18bddd07111cbaec48b2203b52d9c1db0b0061257a504ce55a07f7472981

SHA512
ba723dc93d609b5d1ec7df47f5c2a82b33d5e1a4f801f9881e35bbf23654d86f3147b1d75d872c1cb75c2104d59b657e37f639bfec3ebb82fdcf91dbf7845c3f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ff3613633c02e84f3ba69b655fdb4c90

SHA1
80d4fffcf94a98f410690f1a75e7a9191b93d9b9

SHA256
0099c6625f3e195de05126799d50e323fb885eb0479891600df479bd00628b90

SHA512
b40125e78492b8899800a8405ddbe269275207c6cf408abcf4e270b48ea923c78c8c06cf151f1f20015c290c52276481d0b4f4522b4a8f10020bfd58c9d60dbd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ca24634d7a6f647d964754483d03735c

SHA1
d57b6bcfbe59f6deb56fc80b50ea3fb0f850abbe

SHA256
2bcd8e645e62d35bfa6ffb80dd71c9ffaa56175c2452ce5b151e3c974e9fdb75

SHA512
dcc9ea275b925794c4c8c9cd95c865dc3ca684d5d7299827d11c2088c2c07f9a06cca984982bdd327e770b730bdb14fd590f2ac05a7fd638908ee4f71ff5980d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0894634ccf17ea0718985e136d76da1e

SHA1
4b44adab3452f85e66343072ac220964a026bcd3

SHA256
6b5181d2f4690812d2b73206a498cc76a2d1665e215941c90bf0991204f7a6a9

SHA512
199116fb85229ddf1d9a017f8e9a64525c0bc981544101f0899807b98b3b7b03ed521334e328b6121a703f1bc3a7cd8916adc9eb3dac75b9ce68961fbdd429b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d0db0f5e06a56127512bf473dcc913b2

SHA1
2058490c0ab5711d2c4aeca8a1cb4f331acb4a3c

SHA256
536e3bbdf19bcdceb168b0c4dade209ef8886e455a6dfc15c572a505c50e911c

SHA512
939fbbed3ca9a9c75ff1d4f421a04b03a082055a4c60254491c9162b1dd5b6f188310865b7e518bcad906b47decd3b8c96183afea7b58523481cbf01879ae705

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
309c27aec714b6c3fd1955b3582b306c

SHA1
86feb9ab835194d5b2f15bf2c607c1f3a64f5e20

SHA256
d16ceecf256f45721d3a1e9b9d2cc154463c1548032ea1e86119a9058f9344b6

SHA512
65c7b0c13c97e63b9ac1791a8f21a7a45c52ad792177ba1b36ebca0bc1d373ff0f0483b98a3d90f1fc9ef2d92b87c9fa598cb31f7187e6e41ea39c069a57e1ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
c01233f7ee590cac1a6205fd738c3d81

SHA1
a80a1a5c1f4cb45f814c62c779d1ad13cc3783c8

SHA256
df828fbe3391cf1be9ff6d89f14991303d3dbc7a0fc82d8cc653b6d8bcfc66ce

SHA512
ab2c8a571ad1cb1a6e44beba5153ca496313107c69181bf35e5c81d973b63b31ffc101f542b789574175dfda02db31e94a86b4e0d7bded998507f42f02eb372a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a2d6eb052616dc5bcc17164c10013ca8

SHA1
4dd40ebd60d4d8f263e79977c82ba977f197e38f

SHA256
db7e7312edba21dc1c03887f0e2a0fab8f7abecd1a960bb68c527b1a8d25fa1b

SHA512
c9adc77c8a145b1bc8be14f6f2d22795ce12cc9ae64ec29bbc03c19ad94d7b876e4f7fa537630c40320b7e7da20ce6d4ce6b7fbe39b36a5b172e2520d563a69c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7b4f059fcc5da6ab11de89e22c66ec49

SHA1
5d9283b8aa9db74b4863053363741d7e0b3f555e

SHA256
906f29bdfc9119c6146d9bd0a204cb7563f456e4c7ba77c67f04c2afde73ca02

SHA512
54ecef9cf393e52eed92d3f66254edc9a1e751d068962dfdc06c38683fa579178fe2413e0920ec3ab36fd85424e4415bd38c63df429889c31289b11f8c51c9bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4ebde78ad9a49ed11ef0ffcf304570aa

SHA1
6ced129c9b0cc31b055d4819ceb3f18a6796f5a2

SHA256
3651013c9184c48e4a4482f6928332f2817cf3c5528412d9ac67ad7d548c833f

SHA512
032d7f7609607f598a6aab719f840969f5c2a90cb82499cbf6ed70e2b42cd64fad9a6c017ef0299286dc7215446aa541f532c9a3941b0b975d04e6a965df54fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
0e1aa58b500614db11462b331c5425d9

SHA1
9dc691e27e5aa61634a586ec596855453ab70362

SHA256
e9ef7031c39a2b54b4924459be4437b62d1d435e7316906e4d6718b51155b447

SHA512
7f7d231e6cc422634a4bac8139f3b11b1d1344459e122475b7ba7b6f41664f3d39e2ad26c519e6424e823f44f2803c9971d801bbf7fb4064b364cddad30442df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0ac63d57953e37bf355c7ae1175ad638

SHA1
2484027f75ccf4d5b6dd17113b743bc0ac5de601

SHA256
4939a217d17d00d51e59fde00cb6b36b7fbbd39b08b7d90bfbdfe0daeb4191ce

SHA512
e8c67b66502bda1fd3454a18473d72ef35b9c6ea836593dd95436fda8ce4fe2325d1616feadd376929009b3877795ac0be1deffd7acb6898bf08fc23f775d37f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fded999483c5719a2aee978562e70e7d

SHA1
069b2aa8ffbea320c8bd820f050d89a9b964d60b

SHA256
1f7374bbfad7f6d930f8f3ea614f1bcc97fd0951a79ec97cc56bb660889d864a

SHA512
2bcb79798a25d3b5c71eb7be533eaad902a16938d13a80b49de873b2b946cefe837fa3be8697401e8e15f88bf7cdad53185c896eaf8965134aac8fc8ebfb417f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
1a4cab6bf9601d013ad5013b82f627b4

SHA1
6a39e4d80f4a324323ae657889075a1e20c46a34

SHA256
e93e7ecfe432d0a373aaed7c8344cc2c4e8939b3b4ef7dc6d4e23e04758184db

SHA512
3d87e4a56b69038a1f8bc5193474bcc45937b0b21f7a57ab2f573c521fb0cefc76e64fb958639feff4a067a6785379686940fa34c3113d6b0b344b8f488dbfa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
529b7115aee7bf36233f88bccf2bee6c

SHA1
4ca871ba718c7e88ed4da979b9caeaeb2c5bd49b

SHA256
b787db337158ddb8a3ede47e131e4b5317ec14a5c1f29da42f2bdeefab7e79b8

SHA512
e5bc6701d35acc2d7c641477d6e1cad923f448ca645eb7bc730f3c34132410f39fdf6162dd254615bf4230ce39769f9d67fcbd488cbffed9078b97051b6a0c2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3c26224469c91023a5943437372d44f4

SHA1
832254971fec58f2a7222fbc77fcb1b2b2686045

SHA256
279f636b7b7c4f2c311b2c964e5fc043c0a8042b83cadede5127882b32c56674

SHA512
ba405b6b7aeaea2c6010e444285fa2bd1f0dd0726ccdc7e0552ba74521d9baf8d1cc591591376c9caa9b8613ac916557df7abf3604e2e1a4cd34d54f8d237318

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
294e5522a4295f4fb286f8402a685ba9

SHA1
d9f78518f447ca6d31e3e4aa794cce759e0416fa

SHA256
c7ec4e75b86620a89f745a620cf94526e3200cc9e627264c7d54d495c73dd4ba

SHA512
8fabb2ab44e17d4e3396901bb7896842118453c27005825eada729f1f9267a7610ae47df03f8c6d180759773a376bc55ac0689dbcbf175f2e90ee9aaae1353c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
7157f2875d3a2a27affda6855c3858ed

SHA1
a7163bd8a6af9595287a194b152e8245b5816f08

SHA256
0a584734f80f2093b0aeae03af812d3ac25208990dc0c81d9d256df353b64020

SHA512
405a924a1243d77d79b2f56d5fdc8e6b959e9b438f89f2ab59d52e92e0fb6f562b966d661970a32786281538c6d90b2209569a8ebf7eeb262f980ee4af5077dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2b51415e48cec8e5197f76c49b9e53c8

SHA1
52f391e65ca102589f3c2585f6eb7d9f8bed0f18

SHA256
cbefeb3f5a1dcb490f049f88dfb515cbeeeb9795e11d2fc8e7b3ca4c95fe8fe5

SHA512
17564d7656ef6e6cab2e89a55e953de215a31c2dc3cf99707739935bd17f9f56bc62f075670d0c970e64bbb90f206d4ceefa0bbff6f55054f0391388b6fd9900

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a42632e7843245430fd7fc539f0f7a81

SHA1
f547e0c71e05e29f23a2cdbd4cb1aa25cccc306b

SHA256
fa7ad9ebb591822939e01cb5281d2b28a33c4b60d1be350f2b89a13409a0bcb6

SHA512
77758e15cb6f0eab3f0201460e2516d03bc275e018e929f331963f899ddb47fddb23bd7fd9d10c4fecc423decda06dd7b3445969deb4f5adee81b5d74287a2a2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
e80d6491bf3f98d4e0f1f96584bb6fd5

SHA1
c1fc5707f5eb249e14f426552e9d85940dac83d6

SHA256
4d26ee53276bb464898d4dec0d0bd9d92dbaa5cc87ebfb74fa61cb3fd91f60d5

SHA512
41d66f85866d0e58df6cbb47e23e6f57632078c69715f65001288cb186b12f406dd7850d154930be09a64147a671bb055679688e11dc53bce536ee98e5c92820

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
13a89cd96c72db35aef2473b488099c6

SHA1
8cf9a14fc180abe578c9bcda3933ca2f416095a6

SHA256
d73f7d4ef8fc821e54c107a8cef5dfee44a47f931c57e344fb25a7308c7c039c

SHA512
c858e490106d649166839079638a31b8a101165a8f2b60034732a4e73b09b6beb819b26310ba90b174c7e45640b5406dcd9a16fae8c903acb023d173b7ea7498

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b4291b4633e4a6e9f53b61fec918d8b4

SHA1
33c9dd734c8bb2b632b3d2b0309aea0c6affbe41

SHA256
7613bebffa458d8b2d990e58d9eacfaf133cd3772419336a0c67d4ecd78b8d64

SHA512
376737d5f01c9a5f754a9e605adac924c751152b79b1cd72f05fb2e447849269c9dadbce3356400209188849216cc8ac2917a14cce3cf30534b31b371d886153

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3ea40730d67b19dff48ad6854fe15e6d

SHA1
abd2e2bc8338d187a5ebe259f975bc8aae42ec2e

SHA256
eead763ff07545b42f28e690a086bcf21958b3d3bbd7dfa882a1ed63450de9cb

SHA512
a55c97a4d728fc0a77955def8402f3b7ec790fccc896508ec649ef46564dcd422b8d94e987cb6c5946337be46492aec2f0b2d3ea32c1686d64546fcfb2bbea9c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
74042c96235931e32828526d52724bcf

SHA1
4721c2a53084035ab5108e1e8c293efba52aa3ab

SHA256
1a45653d3a9ade1088138cb98b7f700dc711794a4c866eed8a3d544722bd81cf

SHA512
2980a3a5f9d7d3c82ab91e26669174e2f0398487d7250b931eee2a45c52c060cc106bca8882b4c92fe51808f2e4f125c58482d276500cfb927a9e07b0e979e37

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
97b75680a035d4e35c4b4a5bd05b995a

SHA1
d70bbfc25e4971d35a58733a2fa9dc9bef66a946

SHA256
0ba033710db559311b7b1fc2c2a4530e06f3a8c518d1f32c62a2014d120e602b

SHA512
0fb9b682e9f2a9568a794ab38397048e8fb328fcd09bd67603914f37f8a28008173c7d61c4888c2961002bda0f649e5f8b96e4a3573069a37ee993eb8df2d1cf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
87b40820652473b52c5e6b309ff7737e

SHA1
8660104057e73b1e0f1c2eec285c786af3ebbc3f

SHA256
0c2d02f0f7a5393a2c8355af5fe592dd1e191c1ca24c0f5ba1bd9d7eb00f85ef

SHA512
a807c2dc3827e40313a14f8eb760c32fcdd804aa68f195c56f07f44d767fbe25d979477b531a3dacf62a2690bb3f6f34a6c15fe393bdad96f2687721005bf5dc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
18ca8001c730d1edbf70e02316197e09

SHA1
a24b7471d1f0abd8930b5ee8d4ff577705d39c7a

SHA256
f7752968ab71e2f5ce27a7a6705edd596044667ae28d1345c493330ab66deb01

SHA512
fa2ec6e41911448f20e71dbb8655f4442714c943d9976dd701c015e42e9c5b9a3399ce65f55805b5c9f736a7da5c75ec38a127e370969e804ccd8ca33aa63455

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d23c8e4ee6d0e54f7e131a37e39365ea

SHA1
a7445de5480e71d8455825458028babe3a5cb0c0

SHA256
6b85bc1a41cad20f5c2a33aac3515a60d6b971d056e0e74698c50a626d48922a

SHA512
aa91d10b8a56b9d46fb17dc0de0cbc9ed870754c29a9dc12205242bf88fb87a398f15ef3f64cb6f9f93d64f36cfecea0f6ba445de94162cc268b3bb35c869112

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f39fcbc1fed1111848f1c0f1dac631d3

SHA1
cfbbc1543e0c8ee0c64e45a0bdc459251de13469

SHA256
3379f547adaa8aeac40f6472793d7dbbe7476ec9e35d52b09d77196bf6c4664e

SHA512
988bc06c14d2f18a4046574a635a0d7ee3d61583947733d5bf2afe3b95a3e52f73770bcd1d9e9dbeca00cded0bcb54ab461bfaf3d2a3b51c1e662012deb2c573

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d340a94c34aefacd6a2b1e46d5e168cd

SHA1
a7fccbe93d7d42811074ad5e06034310e3bb64c1

SHA256
971cd6664d168ff32d01b3e4ef5deb1c5d72c966d9223c25eaa22f99ad89deaa

SHA512
142da83cff39ebb2322f699f318c72db83d0d6cb6505eddfdf979d09dd822211d80db55dd12bae56f4e261584513000608ab2e70a388cc0b042bd4d7e36b3e8f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
994b01b648ca9e82ffbae1c2c5378fed

SHA1
ede5e6974d5381a22e31be3afab4df07dc2a7808

SHA256
dd3424f2c0c45567689bdef7cdeccb512a1ccd375039265de06a0651264159a8

SHA512
3cd453b3a5119c50303497e767d9786397a756288927dd643652804c600248cf42c7530f2d4f6eb3e0c91bb56de7b5406e9346048f91c2964c9d5ce73e2a1029

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
be794e043c5e23e3250184cf1036e2c0

SHA1
5abd669cc4ff49a96f2c77a8e44d4c0dd8e173d3

SHA256
2f17eddad2ba123bff231742ae8fd0207b48733edbb30af6f31536dc00f837bd

SHA512
5bda729dc13a6c5ebd1076a2a2f65cb8a7ce25e4cbf7161defb0b38c73274b5809be016b6144dae7991e2f70acc0ecb35dac71bcd7fae4280d76840b9894fc33

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a3abbcd0b36c2b97231cf9c647c3eb5f

SHA1
601d52c821cae815c235b2139b838abd6027b475

SHA256
68e46060858bc292a191d8bf2aaf8c63bc3cb44d455075234e0f5e9895b48398

SHA512
1775217d8422b8157f682c150e40bc0ce20d8fab9c1ea26734e5aec73efe1f3e99eb1ec75b91382d51752ec517e3099d1ea7914622923178aa9f37090a6714d3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7c0192c17026707c65cf3bee37208015

SHA1
3ef216717391e0ce4dc4dc51e0c02f73a3ba7fd5

SHA256
fe9bdd6a9f87ec3cb581d074e2310e671316e01ed60abfbf84fe3559c4a3922c

SHA512
27d6dade04387a101b55a6265d50452fb7f129300ab03ff8662e30c267230764b4e4a778c6defa0f02fdf51bec0bebc9e3e407ba7923eb1b581efed4843acd31

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5c17d7eadcf7fb27cce2b2e8438516ae

SHA1
d04df7bedc2737d9f4521c3c7ddd88385b01212c

SHA256
ce6e9f4c0c60508d89376533a63104941c050e501f333f6b8680fec4fb64316c

SHA512
d3fa231423970555bf74c76c3d9be67c4810751abac7d3362cc8e44cdaf516a537694c086ef2c1a5e3d2c1184e719b1f940b41363f6ea09cd69706e75e340ae7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
efdaf271a3ceca7ca744387a39e7cee6

SHA1
0b2ce8f33e2dc43244e773f9abee7f9e12a55ef6

SHA256
84c278c785cb44e185b411f9764c8bbc32d8706a6aad414d003cebbbc408f2c2

SHA512
dccb8998cde1aa80486a71a69f22b1d8f37985f2354cb46a54af6a66da6ab9a1e728a2728c1efafa2f3e825ff31c1c0a90cd28f5840d9f3d3e9090f9ff219e61

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a3b8cd6f85473f8db031745ad6dc44cf

SHA1
c1d21e24ce5faf56ae6403ba2169c5cfafd5f6a2

SHA256
537e4fd7e4629586eced818165d062ce967ab89cc1c6ae6785ca6a5e8d7188e2

SHA512
780a450d03dac2293b0cfb5bcbcf372195ced5477fcd1ee4fcac00b7f939f0fb50660961fc45720652676cccb387146069402f17158a250dd60aae2a702151aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
57c3554b063ae61a58ea71c784f4e171

SHA1
2990e976015bc48b5a71540ac5b582867bf0d389

SHA256
3d1dfd8c9a796a7f96b8de7b73dc7d69d7fd99137d6c702a94fa4fc3aa86d745

SHA512
6708ee9a9b409880a56a33a65ad96532c486d09f8a146da9a94d9537353d3e28993391fc17a8cf937e38038ff094ee0cf033f083c3aeda3aff9822196bce1620

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9cd0ce066d143a7bbe30a135acee9665

SHA1
cad4de56bc917789a30eed3e8af9552b940bc61a

SHA256
025fa384edab8429756dafb0430e6c72901df71e43533f4069ca12aad3442f6b

SHA512
5f4f2f948198dfe03c54634323b6c212fe68a1ae00b36c53b730ea03442598120e36e2ec8def1f355278c9d38bf8eff262302f0b8d41aac717816cc3f60b73aa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d446f83f859d37658cec24c48336968b

SHA1
252cd4a98786cd544c1f409cbc1b079bd620b2ec

SHA256
1e4b17b12d42db3c232e3d36f946711119ea11a0854cedd93830d7112e1c9769

SHA512
3bb5a61ec4404d21d2aa81f84fdda10255f8fecb5e9c4e232f1b699cfd09df5927f5410122dc2f2e82148895fe3b318e7e7a4b7445b32c8921ce43bb3d10e866

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
544bdaa6a7f1097e9062b02612b43d4a

SHA1
d7ee3a5f3259c75f6342eb7495c6a8abcfd7f0eb

SHA256
a517940f719410510ccd4913632ac43a6e36908564afc802e75279416b6ce02a

SHA512
b72389658f0e438e1e76a956afbebe4ad2f47570b2da789e4a3aedb319e0f85af9590afda34ed2f655b07efce0549c4164271f6eb9db3e81a13bf1cdec700d4c

Download Submit
memory/400-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/624-436-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1076-89-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1076-92-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1076-159-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1076-96-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1140-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1140-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1528-86-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1528-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1528-84-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1528-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1540-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1540-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1584-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1584-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2204-77-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2204-8-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/2204-0-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2204-6-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/2204-1-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/2308-34-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2308-40-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2308-33-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2308-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2680-136-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2680-363-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2756-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2756-365-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3064-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3064-167-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3332-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3332-239-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3840-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3840-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4012-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4012-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4012-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4012-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4060-16-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4060-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4060-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4060-101-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4100-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4100-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4100-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4100-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4100-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4108-439-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4108-168-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4140-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4140-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4536-425-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4536-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4696-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4696-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4696-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4760-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4760-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4828-163-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4828-102-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/4828-107-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/4828-109-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download