6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Size

4.2MB
MD5

bbc7ebaca03d2240677b641896e28b09
SHA1

d2559a69d0e34fb8f01c1db65ddbdd494f7da2f3
SHA256

6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33
SHA512

779576891aaad1808560434880334c0b1d87b67fa580bab17d78f9b4c3755f6ee53f3375641edebcd0b8e514bcc130a35dd6955601fceef1ad2cc4b8eccdf995
SSDEEP

49152:208OhxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXb9emEPGKOPkQThMYRZnm7LBF:208vdsGaQNgS1r6eTnuFzqG7wRGpj3

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1304	alg.exe
180	DiagnosticsHub.StandardCollector.Service.exe
4780	fxssvc.exe
2676	elevation_service.exe
460	elevation_service.exe
2032	maintenanceservice.exe
464	msdtc.exe
376	OSE.EXE
2764	PerceptionSimulationService.exe
2212	perfhost.exe
3672	locator.exe
2160	SensorDataService.exe
4340	snmptrap.exe
724	spectrum.exe
3584	ssh-agent.exe
5020	TieringEngineService.exe
1512	AgentService.exe
1076	vds.exe
3676	vssvc.exe
3900	wbengine.exe
2840	WmiApSrv.exe
2200	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\locator.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\System32\vds.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e985c0c4f93f084.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9f8b106b5ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000527ea212b5ebd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000398be50fb5ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b489aa11b5ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a664307b5ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b501d905b5ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000038f8505b5ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ea8000fb5ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bea2510b5ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9de770fb5ebd901	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe
180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeAuditPrivilege	4780	fxssvc.exe
Token: SeRestorePrivilege	5020	TieringEngineService.exe
Token: SeManageVolumePrivilege	5020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1512	AgentService.exe
Token: SeBackupPrivilege	3676	vssvc.exe
Token: SeRestorePrivilege	3676	vssvc.exe
Token: SeAuditPrivilege	3676	vssvc.exe
Token: SeBackupPrivilege	3900	wbengine.exe
Token: SeRestorePrivilege	3900	wbengine.exe
Token: SeSecurityPrivilege	3900	wbengine.exe
Token: 33	2200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeDebugPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeDebugPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeDebugPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeDebugPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeDebugPrivilege	3464	6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
Token: SeDebugPrivilege	180	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2852	2200	SearchIndexer.exe	112
PID 2200 wrote to memory of 2852	2200	SearchIndexer.exe	112
PID 2200 wrote to memory of 4960	2200	SearchIndexer.exe	113
PID 2200 wrote to memory of 4960	2200	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe
"C:\Users\Admin\AppData\Local\Temp\6da36817a938a7c9cd3fc921c54270ada1d6e5a742dc759d089d2be7ad82ad33.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:460

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:464

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
be21cf7143a11ab8e6b215b3afc0bccc

SHA1
9a0a1cc41bf5c528e7b3012769c748170654d6c7

SHA256
9c2d8ea29db699bb70baa4e58121825a5abffd8e1be0e1ac92a7b0f16392b92f

SHA512
311bce9b5cdd82b51865d3b77634fbec00ea2e855f4bd8487ba88e3d98e412fc19aab5951e9b1c66ebac991a515a93400a984dfa1d16a8622e9b80e2293c1c06

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
49a4dbdcfc5c3105895b1f093ba4bdc0

SHA1
1aa9c52e0d3c7f3497d9e4fa4c589d57aa08a2ca

SHA256
319e7075a11b7dc08933629bfdcc3e61c236d70de531d87237cd5cd9bd32405e

SHA512
1cfd2cc73deee0682b1c41344518d3f9285f94f7d2b2af7220e052041768b3375d1edd0258c5bc5be6c7dbd9550578e9a64991abb514f638b35d7c63690e0e48

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
49a4dbdcfc5c3105895b1f093ba4bdc0

SHA1
1aa9c52e0d3c7f3497d9e4fa4c589d57aa08a2ca

SHA256
319e7075a11b7dc08933629bfdcc3e61c236d70de531d87237cd5cd9bd32405e

SHA512
1cfd2cc73deee0682b1c41344518d3f9285f94f7d2b2af7220e052041768b3375d1edd0258c5bc5be6c7dbd9550578e9a64991abb514f638b35d7c63690e0e48

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e1f6c6cfab5a87edfe30efe13e1cd15c

SHA1
7d06f8506443d275df4d9c14d7ac9306a00de179

SHA256
f376d6eefba3dfd7be9dbdd6e4ece61501ebd22ab2f2b9ee89c5a3be8ec320bd

SHA512
1538bb22bf4b012ba435a0c091c433be8747e25586d8b1c18d564932b9b78421235ad0e4b01d10cf1a306ecc82c1dda0f07a96711f4fe2b9e1d49fc942883536

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
dd74a10f36a65d2b1f3a1477438023b8

SHA1
299bb71da352bdd442fa0e19621bd3b7deac9397

SHA256
33e6c022aab83183d3f5050f22304685b4c4fbec0614739715119ba283ba5a4d

SHA512
ff88efa6d7caca5b1c520bb0f7dcf28f0574586ff50a62bd2e8241e5240038609758e29461e65b4f73dfdab0ef3807ec12ee8ad30c168ab611b3f91b857973a8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
a1635c8f8d99aff9cf20e367b8d7cad0

SHA1
089a9b64710d2ed98a6639bf2c5266386a275ae8

SHA256
d0b1b613125c1676da09261d68307c8e6c726719b57c4e000270a503d9a5f259

SHA512
8cb6182c74a14add164ead6fe324f525295af41c7e38a51205540645bb53fdbc4b84e1221e15188e8033f2746a2bb8a8391eb2125b7864edeba7e297e097e837

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7988cd2cad332ce8f5c2f28fb7d7dd61

SHA1
38cf6f741672310f090b1ac2dd18a59a58b14b2a

SHA256
f9605c3d6c999ad088dd4e88f29df6e0c4d3efe5d34bca93918f68aab5532233

SHA512
02b5985cfd5f5ef0f197c2c0c092d19fe87672d78e361879a91c71c60f7cfcde57e86043ff725e77297d2068a588e2e487e1a9cc49ffec8970e5f271f109030f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
8aa59f981c02923b0c0bf7d7d0f0bbce

SHA1
2c000f66be1321756da328aeae556edfca5af6c1

SHA256
81e85698aae20d949b7e129559540c00d0ed02266d75df10aac8ab8246d897dd

SHA512
94aa1580e19f7cce09ca8bd69f985c0aae787f94c6a7536cb5b4ea380ac21a7efc975ccdca02f6ee2fa84aabf9e8ec4bcaf135f69bf6cc1c0a6705c18a6396e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d4fa5851cc9808eec7699c544cb80f91

SHA1
e70d6001c1c57fac4a72c8d7f4104f138bc374ce

SHA256
0c9036146d7070dafbd7ff8c2722ab9485efdd02456a159d389681adb41e5c9c

SHA512
38c1edb8228a4461e8dc227e7b0a4c7eef7d496059aaf8cdde7ba8e6a88a206e604383b3be45518c414cb2c07b9a6ca53388a55f7cf688ad95258d8e0ee5df2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7bad2a4a710051b2183ffe92ccd6ad6e

SHA1
25c1dbc27d384573f64c7fd56203cdf13a6bcbd2

SHA256
47d9bf2c163bc919b6968cd564c77b3e88d8ff2782b028215271b7722bb14774

SHA512
14bf89fc1c738d4792fc3e40ab7d679daf07a65a4d9e8420c1be201cc90feebc365fbb4f170df0060a3242b0e1e5a2061348a3f4433d933416b500d827d96a56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bee09bf2f56dcd9e1d907c49eef57a03

SHA1
eae9c972b2014e8c7afb42b48087bca0776403ce

SHA256
912a4b00b58f99564c641926ae208e957016b1ef91f3a607d78d7061b505a2c5

SHA512
7053a120d5b32f5c6207482847ed6c3b271a7912ded64bd1968d738f8089618fde697891af0b2a72487bcfb4fe3af4de7286ce667f2507a77fa73fc822312aae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d43d211497a7a6303e57fc2ab17941e6

SHA1
80d0d76ac97fd69d7d9fa569d424ea48b236be0b

SHA256
46f6988534b55d26b951e425f6b16065f79c96cdb4b4316300f3ac95da29e4d9

SHA512
ac20f191b26772fc988381ad24cd032b6dcd932a7a1586287bf77457c22b9ff29d156fd03f9202f1d1fa398cdbf1f28de7170d0923b39a3d6a59cb108138713b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e6599b190eeaf886d1f0b6a86c9a25db

SHA1
3b9cc922b9855b609c6a967914d754725e7ae281

SHA256
0bb9c9c59075ab8458b37e759691e497f43906c1d1915f7839d297a1cd09d67e

SHA512
ea5292b2075e8db56029e3cc7615ee8c6960b3ba07930b72efca39e56899dbc5608c0a2b1b1ac439494643b9f62015eca9797399edcc00ab31f1fb56c0feaf88

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
93877046a8131b2f097924e93ed208b6

SHA1
53709e04537119d26a40b43a9f92f12b0660490f

SHA256
73448b3cb158b743284dcdd57418dd52381f53ce338d6826272a025da8a633f5

SHA512
b02000fefe18b546d17071b11fe3a7d96164717eee0cd4fb683a925daad23e949453d40f60b9c60a2b6375254409bc9f4b81f7fd6bdb08f192418608a4f49e6c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f30852661e35d01de8b547432cdf76f5

SHA1
97c061820be16e3761783037428a3768e338ff36

SHA256
6e28d388428b2fc939d5502e211b07c6f239de390a140a73c642e83d70c945ce

SHA512
d5088fda04bd5fab8d4dcfb31f5d8dd643ecb2495f4a8f8560a6dd84974a5d367300acf99be5d08db57d224501f0421d7acf0a7e8e6721b1b32526b6ee41ba45

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
f5787e1878d09678e2322c4c38297a3d

SHA1
c2b42791e482cffaa787de47d9ab576e2ce38e70

SHA256
f5d85f93f331d9f65ee0fae61e1d9691991e91840201c36a430372e6592f377d

SHA512
7d14b3ec11f866f445864c8bb84bb501a6435506acc9c257f7e2c89dcc15f6c323c0536c5476145342736a6737755bc1c3b1634732c7efeebb816cfec34de184

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
353cf8f58b3f0514fa0e8469c4fb9465

SHA1
08148f2577c3c09fb73672209cb41bfe2a03e6d5

SHA256
5a2b30d88117393685870bc782ef2e134314e66b1140513b559f333218ffc8f6

SHA512
e0209b98e511bbef0a7ed1938901871ba06ae3bdaae59aa2a57056d1692cb325b58a231310de0f50f5e29368939f0aa8053b659a02f2340fb3aea6487cf9ae23

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
c253b9c6a9acf10ee72ac3d2fd06a9ba

SHA1
4980c6f01f443b5347131c760484208b5124b174

SHA256
d30e00ebb5430023b9e27f1b7e8e65eb0934d9416adbd79dd6f40a6f190026e1

SHA512
1ed12ae82592b41c844416f5002bc1acf1f379c4c9175efe98f88fd7d04a5c7470f303490ec4b3d002dfeb0000c4a40ddf4d4484d4e64cbab272599ad1d85f2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7a108d45c4eea5f59272208f59dd6be0

SHA1
64ca15289dbfa90b682d67ec15bccd292088b701

SHA256
ee0d30fa372af16978f4deeb6092d0a5d83b0dde61dc6e65c50a5394898849b6

SHA512
65c759411c68ece1587643f28148aa203789403f366d8318cb41231caba1aefbdfc15396424a11eec61a33c042b22e93bb2a51ce714067d37bea549a9c45854e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
318f49d3c0ba4d65e28e9d8b456f463a

SHA1
72a201cf29484a84816409f4eddb964e78408ec9

SHA256
73f95e5dd26a5e945188df3aea4ec516f3f010adfe37a27e75b6f60b8fe7ff4a

SHA512
5f9c102fb5ba490d68b185ab09260ab2091a0a9bd4f2ad2817a8c5bc7d267385ec7630ada66b490a50334b746817778c3f3e8e2802834785bf664aac043f36eb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
538d99077323ed3da51d3fe57f24afeb

SHA1
24db6fe9b1ca98f92920637b45d7b0d76be3bc88

SHA256
8e740a49ad4d5219821fe697f3497352d88bbb2af63c25d4cb3684a822a95d0f

SHA512
565a9bd4796bd5e239caa53149b59d70e967f6ae155503e9c0f359ca5daf237f5d79e03e224deff47a75fb62f5fd4f12c83471ecc988adbaef1cf76138300b41

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
c42e64092ae58fd3a1fadbcc46cff15a

SHA1
2ef52d6097054c275f45b0e3936381aea864b419

SHA256
b23bc0617adc1be24a5a8eb24f39bb118524e6159bbbd66d86a44f0237cca233

SHA512
5684b058ae960bc5bfa93cbba91fdfa706fc89b08b70e3dddf0ec3629c6c6290f8135033e6d8bfd0cf07583a54320176907b779e1e55bbeaf9de3b8f434e0046

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
ca96ee77e7e1dcd854ce875054c97e40

SHA1
cf848df27f7a38218dc78447cd1aaef40d0c82e5

SHA256
54a83a3c8469c207bf3935d9e12a1a1fa9375f3591e47c8d3e18f24906e87cf7

SHA512
e63dc7de6fdbd7e10226e2ea72943dc3867af22186fddab9a20e2dd768839406fc0dfb6ba763e2e8cbeaf520f421ddbd88b2294d77cef3d387923d21fc80f240

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
42d40e4856d69f4cab941aba199c7db2

SHA1
210d396d25d7f626cf4d36ade645a7d0f25a4a2e

SHA256
1c5e02dbadde9d22cbac432e1e73ff3dfc1db4ce48e5e37f48c3fd6198cb9138

SHA512
5fbe7abda621c6f202fc8ba2c9c3e43ac565b900c3e75eb8e9c4f61f3f9de020ba2f1979c30fd427837c91a8418e96f406f6354831531e0a214b0b7eae3d9706

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
17be1fd1241985832024a595eb9f2b1c

SHA1
b4190a088836d8c524cab0d760904bc7f0449d49

SHA256
b4f6d2e9070da3b17f25046a5b25ce0bca25e6ed64ad8e492bbd04d5e0ed134f

SHA512
53223671626d354684ed9789275edb8c864b95dfda7038054a051601e9f4c376e790716a40cc49c9a176a2d99c4d5880c5af10c59e9082d88d1d8531d2075652

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
f3d8aed30951bcf4cdc2a9eeea322269

SHA1
ccb8d83290e590e9bba5c5568c44f68d909b0411

SHA256
5dae010f394efa44cdbb2414c8a021b6eaf997cef778c7dfba85701bca671259

SHA512
55ccb848ae9d5a4eb5b1eb9b57793a72e4e169ffca46728414680eb678430420bbb07169245d6b96ac78a234f8d368fe093f530bdecda4533cc42ba77d3cf00a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
63cffa6d66bc4db8f44fb78610e8068a

SHA1
fa094896e51b50b5b14969ee380ff5a611022f66

SHA256
05c8386a2e641a1efd358f733df87b4ea97b0ea20ac3bc8d83361318ca3fe204

SHA512
bf3c541a3f34af323e5a81f3e9b66b10e73da4cd30035da1f7688997b19a72bb0009c3ddec70ba404c1ab76938d05467aa0a58c7b31e47b394794261ed5939de

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
06983326bb05ca9329646b5fe5a0d58d

SHA1
446bdeb0bb45da15ba24505eeefd16749f48c30c

SHA256
7d7f11d9f64aff72aea73c0f8cdaa390270d611f7690708182dbb6f7381f8aeb

SHA512
8718e24e559b8ff096255b6ac4014fabe7418bdea974dc86fbcd9a6c9628787851d5cf817c2e2c01f38bbd7358ddc47c0faa3e04309bbbbfbc3db34d3cd2b662

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
9434522c35d25350248a8bb7e0dcd841

SHA1
4427d638e3eb11fa70065c4db61f65d58e6e13d2

SHA256
231c4c10400aaa5d0a3905847edf4d24f6b148bca802bad0fb8425c5edd16113

SHA512
def3f0ef70c4041f63a7dbc143c908942383102ffd81a8ccaff1e58f419b0fa2ab1d5e191418d51042da139d71ba0c728700396415ffbedc94031f88e302eded

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
871773d13e6d110aa048d2d1751ef0a8

SHA1
72984d665870aa8b8042c38bdaed08d1e672bd76

SHA256
b7599b22bb6aaa8a7f173ad972bfa3d7e866dd31207931a8614e2a0ce8c5eddf

SHA512
20caa8b4776009b66a41d157fdb24022a1d2d05c4d9ebc81ea9eb304f3e8d4f24282889efa9dfae4dde3b2f48a7e57e3eadff1909724288dbcf9aebc4879cc17

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
185d5aa41b779b783b7825dd675eb326

SHA1
77bb4cfd6a9fa0e4e87ad8b0cec9c0e523a62e4f

SHA256
ff11a659d0fbf606d1791b449fdb3bfa05fece0c2d165204eb42b119d36ab1c2

SHA512
7121b6c7b0d0a8eed5d8b4a6bc10d93578b9808e477d419b9a2dc823e564c21c7a1a0ff85beaea081d74e9ddb63591ee233ed9e5e5359e35bfa37e2fd07bffb9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1796931a376bffa5165aad965d623e2c

SHA1
30bbbc489e34905ca46187618bbcbd20320fcb91

SHA256
aef94073a779b254e1320fe39c970c28cd684a792f15b9fa8967a68faa18edf1

SHA512
6c9dbc052dd781394dc0481c05886ae1501d18c668c2d7fe4fff5dee151f38e3f70c15c05e53d32802a7cfae661277727228105f7d8f2e6cc54a1103469ee993

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
a0dcc3df47a635a8be2dc1eac35a9fda

SHA1
44a760affc69087e94819b67c3f184f698c0936f

SHA256
fab50e4a847f45a2b160aa7310db8abc16bf1e1c853f8e92fb9fb57a994fdc0c

SHA512
d967a2380cad5dcec906e7223a0c35628af0061d6f2683ac0185a58e9429846e1c0842a1fc0c71dfb00f97cfcf9fe61dcdecaf8cf781274541602d4836e14baf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
f6feab6d1c6eb7186406df0ba2012780

SHA1
226ec02dca55fda5474fe9f84287b76dfe6ccf57

SHA256
d94b16be99539c7a0ba15e0003df7dc49d4827012d2fc68354be7a96753a3376

SHA512
ac008461f8933e716f9da674efa960ee532d16ef5e0f6707c17eaaccd9a9934a54049232fb809268c6e1e333d133dd600b6e9327c5ddc2f20d688b8fcf0245b0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
12f710d81cca75e0195fe4bdacdc0f47

SHA1
e424c95bd0b185f2a4ead0d943a8248a703cbec1

SHA256
18aeae89b3ea61723557a560061bdbbad2f16ca7018f886f12d2bc6a3da4c7e1

SHA512
d4a2d562dd4b1f352fcc0903e68741a600f2258231cbd442770662e53aaeeaa072f05bf2331b4e3639ca830145d00aeaea5174da8abf53d327dc0d19faf07959

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
77311d7ff05216d9c639c2a43f2667c0

SHA1
a0a1a2873cadba3bfa01a9105a931123f10a1a54

SHA256
d3e117d0e9d96b3fdc039b9e00897dbe50428edbdc4a920831ac9482c83cfc13

SHA512
2887cd1926fb99153da23de85745755035408d232e684b045c1a69b7481e56f9cc0736f049ec5bad7f0d9fbb56db9150fed5ad25b105f5ac4e7c9c762e4943eb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
875717f8a8d5434cfe7abd08d782f2c7

SHA1
248e524e4357cd7a2c6b79b94533801a0edda260

SHA256
0a3d6bfc8bf2023895f45219bed7f58dafb1889f49841ac282a21b22ae0a07cb

SHA512
faa9cdabd50a5b42b1e68ba8b80405aec09c932475aa4a54b71a9418a80db774c9a72ba65aa9656d9fec441dbcfa19d05c71a020b664b104f829f369d6e83066

Download Submit
C:\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b6fbaeaac14b2748a8b6133a24980459

SHA1
f9e73b0e2ff94ac6224758632ef7ad920318ac37

SHA256
a3c95ab2ef60fae3778903dabd613eb15ebfa9bfb43b219a7b467ef85fa78286

SHA512
31f04886c5d75338d4abf7f9a894548a33653383c40b73c7e2d2a3ecd47b0ac00e2374befd1972c76238d12275093be305732effae7a4793b00dd01cf4dba99a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7b970bfbc32807d873d412aa8fb98258

SHA1
5727b10900f260ebba9bcfaefce22f8c91f1ca7d

SHA256
9d62e20bfbfbe78789c92c3741521d2f1b8c5a4aef2896c4e6f6b96131bdcb9c

SHA512
c35c91b92a7eac79f9b3b66bc703dc57851c7f79c26c15619ab877126b1e6dd92431f7c0a648c1ae104cfa667f42ae56d7a33a6107b65d8b7c8a4cdbe917e653

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b69b34f7e2e918147e3cf71f67f811fc

SHA1
d973bc40962f35e8c03184d2682407f86f94852b

SHA256
a241226656c7fb1868be91ba37fb8e949fdc4a90dc1824a68199daffa5751159

SHA512
b57abe3505d6820fd17a35b6476a71d747c0829377fc5bc18cc0c263bb7d41fc954962e704440098efffaeb9c6ae09453aca16d4940a5f46e77c58c7422a0f33

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fdb806370b9db63fc2a8c7ea66d5d623

SHA1
5578df0438f9dc828006e639e41d075f366eea03

SHA256
26fea19990dd6b2b6098978dfbf8678ee02838278b0a4bbe27425bb8c147cdcd

SHA512
3cf532f31b6c7e2344d372afbc19ba0991e3aedb2306be7bfc99489cd876c1197d8443a69d6b4a421bfb0589aa8c972f29fbdfe0370353ee135ef9553f65d922

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
22570092da98b318a229d33937c8011e

SHA1
00472f7027567b4541e6e3681dbe154256b834a7

SHA256
4359642c07ab18b678a41524a3995c32bf35480e3a8601e1c14e5e7d5c7ea82b

SHA512
2db329089d6b5be5876721547d31e001da75433690c77a61f631a773f518d2670c32343459db7ea45ef938c69879db19c9214f5a74f61201f78161d33743f385

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f95d3210fe407c00d8f0c65fb3886501

SHA1
1cffedb2e60de32eb6b5a4065c6980760fc7ea65

SHA256
18c27d9cbed681629b60cdd1cb566ad621abc7b950d3a90b740b8f492a12d595

SHA512
16bda717d59fa9edb30557ed6a595719816c14757ca282749bb14c0e2db3a252be6dbcf9c4dbd741855c87aa97e4547dc01921da96d06b6d780c7a2e3ec32e26

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f95d3210fe407c00d8f0c65fb3886501

SHA1
1cffedb2e60de32eb6b5a4065c6980760fc7ea65

SHA256
18c27d9cbed681629b60cdd1cb566ad621abc7b950d3a90b740b8f492a12d595

SHA512
16bda717d59fa9edb30557ed6a595719816c14757ca282749bb14c0e2db3a252be6dbcf9c4dbd741855c87aa97e4547dc01921da96d06b6d780c7a2e3ec32e26

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
309db63fcaac3fda827f9837d143bcf2

SHA1
7d908b88d718356e928b444b59026a49d1597489

SHA256
56524b3b73f9f672557a9a30de73b9a94fe4c690a7b25b49798051a08235d4e3

SHA512
5c474cd0945f70fbc68dc2ca7868fed6325ba2bf8b21f44467dd5ec475477f1201b847c468c0a9eee9fe3eac9193718ba7c7060dd3dacc9313333162116514f0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ca95f06ec4f023f86059be23dd2c8787

SHA1
56d3f0e166dfe0578ba7003b1f71077432cc8f2f

SHA256
2584a0b74f0ddf0eab8729723960f046e4cff4cf2efc49e9c78efd75c4dd48a3

SHA512
33ad63b3699b53bf60eb71534cb53b9d94ef48253c074b770aefb3be0c7da0b5a43a09964007bffde633cf8095d1657ed4c18aedc8cafc8b83fc4ede60e07506

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e85b74331f5287e6d67f58ab9114fb73

SHA1
17285719fa87ec279a25bd78b632c9d1ad2eedf2

SHA256
2091dff0420b1780a48dc754e3fec399d326e409c2f5738f8f736b5d2624c286

SHA512
5127059c3c29d0f48a1cf18306055d2060d355551a581f93ce41059b705b265349c10e42bd7233c889a718937757981c02e8b01cf8153073b3b13377865e0559

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e85b74331f5287e6d67f58ab9114fb73

SHA1
17285719fa87ec279a25bd78b632c9d1ad2eedf2

SHA256
2091dff0420b1780a48dc754e3fec399d326e409c2f5738f8f736b5d2624c286

SHA512
5127059c3c29d0f48a1cf18306055d2060d355551a581f93ce41059b705b265349c10e42bd7233c889a718937757981c02e8b01cf8153073b3b13377865e0559

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f2eb35fa912bd6179e3756e202a49f8

SHA1
eaf6e91e567f6b7be72bdd9e7ff66d86663198bf

SHA256
eba8bb0d8f7dd0fa510417ebcfea0bb56f296d7487a575fa5b830857056c67f7

SHA512
c7d3812eff8aaac533b1ccc677f1116036fe6b4708e08e376f0812fb5aad141568d0bc0791a768ef28018b221d7845ba860ebd3e1502c78f1854a9b23f4af82c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8f1aea72908fdf1305dd6dccfe706824

SHA1
99fa5c7d067d10cfefa1cd0f810d135cfc6a11d9

SHA256
0b212df30d85fed24dfa246f46d569bc7b0bf46b599fe5066b5182cacd9ca759

SHA512
6b8e41282effb16bc50e458be55d7669ad413f9fe6d3614c5b38251ff528eaf5997b5677b1fe4fb6645a00d4be9e13bd83c58b9214df075011e1c27d98f73c60

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9230704cc10a0aeb6cdc387d5a9abcd2

SHA1
1e52b05bfd05f4c7bb4685ba1382d8a757d8e04b

SHA256
a45454958061aa4b5cd8855f87274804f418a7735f814eaa2ca05b6c691626e7

SHA512
c07512e9f3918e20d165c5a55352d5f71c5a71bce4a4cc51b42d64835b94d881a1439d4650902f652a7e726294feab97776c9ec4f0c324e7766b4c00c68c1b65

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0e852943da917d7e0409044cef8fdc19

SHA1
072b236e0b2488eb56242902aa199c211c907205

SHA256
1b7dab010d4bcdd183508ec8a4a18262a7399d6d201ce6100ddaa7259691c68e

SHA512
56be45231df95bec7bd4ee9309fe2dd5977b03e1be61d72c24917bafdf58e1e5fbc359a6eb36a7db78f4c488515c988dbdc4e6362f89dd905abcc20f14b61475

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
6d6b4378723a7c2e861ea01c6c52f4d7

SHA1
eca6bc1b8c53f2f1d5773bd2b737ff98ee6cd9f4

SHA256
9e3b4f1cf05302c10d8937a918331084e3a1b889e6007b139c1cb8a70e64d019

SHA512
873f38aded144b6930f9069608abce6f598eb55c3a5e04497569c4ac4e6fe0eaa3997cd89a87596a5b3f2661daf70228428783b78a1723d65ee287088cf1614b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
277df5288c7f1a698140d81973c4e846

SHA1
debfb2f3d63bcfd1db5230f10046061ca1b35ffa

SHA256
6cd7b56d84890557b03464f0b675716bd92fe449cfa96815fff31ca88d97bfde

SHA512
a9ca2c91f20961faf4d58bc3f530d49aa0b986334f0efd79fc9aa705fe1fbc7419b6144abf02c431af3a2e7167bf9cb1e0cdae2805789d614c2427485baa9a98

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
573eff34547f7744ea54551c1d243a3a

SHA1
d07798f3642ed42080d9c70b1327a0153de82d84

SHA256
6f9726a5c80d36664124d3996f1130484713e585acf51b8e9d28bf86006805ae

SHA512
dff5573886f7ac5324058e790d84879ab877313eacdee39ba43a27efd7f9a1e1e73a9dd4f14983fb108b25624048c9c019f6ce30efa28d5ea5cba5bb514cc740

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b157b7186bf5a85f8d4d51d532591643

SHA1
fa6201afb2daa7221d66f6d758c709c8ae9c4f2d

SHA256
f4fadd4f3716867f0d60899bdafda161260f84f9af3d84094536d555886b6683

SHA512
53669dc8826e194698f8fede7c06649baa1259e9542d890c1f836588c1b4d600942aa3fffde5a151a739287f4743b39737264146e6d49a938982ac80b5fc295e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3234d26a61c74274e9fefd8a5a9893f1

SHA1
380e8cd4aabfdc95647046d353440922030a91c2

SHA256
1bb96c879c5ce9399c3487ff251a76435d40d34f9f9c27a245442ec7ed2147dc

SHA512
c5e32173770cf3626e28f73c6ba823accbb200cbc94eaf3e6f65a86484e21fe0eabcbc77c4107c108a38a2e86d85c2f44459dd06d584dd1111bcccde47150793

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
7b970bfbc32807d873d412aa8fb98258

SHA1
5727b10900f260ebba9bcfaefce22f8c91f1ca7d

SHA256
9d62e20bfbfbe78789c92c3741521d2f1b8c5a4aef2896c4e6f6b96131bdcb9c

SHA512
c35c91b92a7eac79f9b3b66bc703dc57851c7f79c26c15619ab877126b1e6dd92431f7c0a648c1ae104cfa667f42ae56d7a33a6107b65d8b7c8a4cdbe917e653

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fd2fc1b2ba661122354e0fc623da7b14

SHA1
4c1eb3fb8bb002c2ab5e0f650aa79766464a805f

SHA256
223595ae9386d7dfc05e443b9150681b6c5d238a8ec6aed1589c455c9de41212

SHA512
cab654df8527077dc562669be0f3c70a7f3f72188ed349f75f7cfc813a5f0efd941ed1ffd4e45b1fc2f82a4862468eef3a20e40247ffff3de7a0c0839abe7b80

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
69df5951ebc20fede6e427ee9bc78f27

SHA1
21a96155d76ddf104bd9b188224b00915282269c

SHA256
193f62beb906beb48e8a48491f977e27e9b17d783fb83a7bfa259c24c89931e2

SHA512
8d226a2b278d57b19d6d33b24d1cba8be18824bc4ae40530d4eb382911b91ed7988197ef2b5fb0687aca19f5db5c3dde1c384c22dc3c29e29f397146b0f9f4d3

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
fdb806370b9db63fc2a8c7ea66d5d623

SHA1
5578df0438f9dc828006e639e41d075f366eea03

SHA256
26fea19990dd6b2b6098978dfbf8678ee02838278b0a4bbe27425bb8c147cdcd

SHA512
3cf532f31b6c7e2344d372afbc19ba0991e3aedb2306be7bfc99489cd876c1197d8443a69d6b4a421bfb0589aa8c972f29fbdfe0370353ee135ef9553f65d922

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d9ded8a10701296773ff71888a192c59

SHA1
be7c663f312b89b6bf856ea3891cade2d3fd9244

SHA256
d89d6e6f3479206e86bd4a0b1c3eddc9bfba9d8703fc12e6588741fda174178c

SHA512
a60072804d55b32c85204f8a6785290c6038282d1dc85d9aa5aab868cb3c7cb88daf4e7d5deb9f06acb6314ad38c41cb369bd9a9a8ac0302a700069df62b0911

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
49d2842a17202d850cbccb0c3d27a328

SHA1
aee433aa685b08311d87614997a6fb81aa52e5ca

SHA256
2de086b6efd3c819c22ba2674676e186a29254369cc0ce16722dfa16191bcbed

SHA512
e25f8e2665e90b678b924804637c79f40bd456488f55fbcadf34dc8709ccbe6c7a45e67e8e767ce725643097f572dbd3861d33479d9bf4d61a4b2cb9e561c912

Download Submit
memory/180-88-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/180-22-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/180-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/180-29-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/376-91-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/376-100-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/376-145-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/460-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/460-59-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/460-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/460-123-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/464-84-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/464-137-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/724-147-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/724-139-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/724-189-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1076-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1076-173-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1304-83-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1304-15-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1512-172-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1512-169-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2032-81-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2032-78-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2032-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2032-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2032-67-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2160-131-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-180-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2200-359-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2200-190-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2212-122-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/2212-168-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2212-117-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/2212-116-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2676-42-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2676-43-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2676-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2676-112-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2764-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2764-104-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2764-105-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2764-111-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2840-354-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2840-185-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3464-55-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/3464-1-0x00000000025D0000-0x0000000002636000-memory.dmp

Filesize
408KB

Download
memory/3464-0-0x0000000000400000-0x0000000000837000-memory.dmp

Filesize
4.2MB

Download
memory/3464-7-0x00000000025D0000-0x0000000002636000-memory.dmp

Filesize
408KB

Download
memory/3584-153-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3584-249-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3584-162-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3672-127-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3672-176-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3676-340-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3676-177-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3900-181-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3900-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4340-184-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4340-134-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4780-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4780-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-405-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-399-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-401-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-411-0x000001B413DE0000-0x000001B413DF0000-memory.dmp

Filesize
64KB

Download
memory/4960-407-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-410-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-397-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/4960-408-0x000001B413DC0000-0x000001B413DD0000-memory.dmp

Filesize
64KB

Download
memory/4960-403-0x000001B413DA0000-0x000001B413DB0000-memory.dmp

Filesize
64KB

Download
memory/5020-165-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5020-292-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download