6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Size

658KB
MD5

a9f38044f76bd418f6db757eac713f73
SHA1

601e2cf4d81c2f89b89cd53659d44e44d3ea8439
SHA256

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f
SHA512

f0136d38f04aff04267fd3754fca3d54b86cf0e774922fee5e58e714656915ba95f81d2beacea2c166d4fd2b2aaab0c05d093b196a22b912a4bffeab73d58479
SSDEEP

12288:iHgTMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:iHfSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
876	alg.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
2308	fxssvc.exe
4804	elevation_service.exe
1612	elevation_service.exe
2792	maintenanceservice.exe
1696	msdtc.exe
2564	OSE.EXE
2328	PerceptionSimulationService.exe
716	perfhost.exe
996	locator.exe
3476	SensorDataService.exe
3284	snmptrap.exe
1424	spectrum.exe
1132	ssh-agent.exe
1080	TieringEngineService.exe
1548	AgentService.exe
3196	vds.exe
3948	vssvc.exe
2744	wbengine.exe
2780	WmiApSrv.exe
4324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d203d1e57489627c.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\vds.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Windows\System32\alg.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

Drops file in Program Files directory 64 IoCs

Processes:

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fe37b83ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ceda282ba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf702883ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad13aa82ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034d06883ba99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007718f383ba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2474083ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069372d83ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be964e83ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff1d2e8aba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

pid	process
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeAuditPrivilege	2308	fxssvc.exe
Token: SeRestorePrivilege	1080	TieringEngineService.exe
Token: SeManageVolumePrivilege	1080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1548	AgentService.exe
Token: SeBackupPrivilege	3948	vssvc.exe
Token: SeRestorePrivilege	3948	vssvc.exe
Token: SeAuditPrivilege	3948	vssvc.exe
Token: SeBackupPrivilege	2744	wbengine.exe
Token: SeRestorePrivilege	2744	wbengine.exe
Token: SeSecurityPrivilege	2744	wbengine.exe
Token: 33	4324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeDebugPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeDebugPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeDebugPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeDebugPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeDebugPrivilege	4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
Token: SeDebugPrivilege	876	alg.exe
Token: SeDebugPrivilege	876	alg.exe
Token: SeDebugPrivilege	876	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

pid	process
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
4752	6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4324 wrote to memory of 3024	4324	SearchIndexer.exe	SearchProtocolHost.exe
PID 4324 wrote to memory of 3024	4324	SearchIndexer.exe	SearchProtocolHost.exe
PID 4324 wrote to memory of 4344	4324	SearchIndexer.exe	SearchFilterHost.exe
PID 4324 wrote to memory of 4344	4324	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe
"C:\Users\Admin\AppData\Local\Temp\6d6f3f5cc65e0a7743a4f05e1aef1c606693dc34a405d6ed88241aa33ac1104f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3024

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c771da40e2ff4f2acf164d6ab8dea808

SHA1
65f9059e2ce7df7d647fb85ccaab9020a7a13f79

SHA256
2912e3c66b53e83082c68f4488dcf477ad2a22a8cd976f61e0b27a7a26772f38

SHA512
53aa98c58c15881dc7431e84f075365fd884245815b321e7fcfc8e6ec216c0e5bac3172a3095f0d6f02daaa48d56ec3c8748f48fc8b49c5c11f22ad279ccdfbb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
4d9d0046a433a450247adedca4556a99

SHA1
b7af5b1b8b3a2f8e3640837bc81d4e69e61744c2

SHA256
eae2a8c15420383d5ddc7588e3b9e3bda291697ee47c434396eeef2df1848494

SHA512
2bc07221993361e10d1e5539c53180d2756a2a8744f8abdccbf2e89f0fa46220ddfbd524e2bfc661ac7635d4da2e78a41bf272d58d6607b4bd3689d3b8f01799

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
551815937b18799372141f4f5a41d602

SHA1
56128ea022fb130f09ef7aa7d49072929d879b7b

SHA256
076c83055d02c231eee6063b8b70178cc9d88096ecffa66c5a4bd570cbf9bda8

SHA512
68e5d0238b21d361637d1c2be5f7a3b8b87490b7404dbc0c3d0d3b227b443a26e5e9f373aaf483c1e30901de7e65d11398e589a8d5f7759852644497e25a4b8b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
56de93b816ef074f3e0a918dac971870

SHA1
ce894bb566d24b12dd9eb6dde0fb152927a4b83d

SHA256
46f66b534e39d9268344e9eaf4b6404b1895ac7c83e044d366a196d89ca0828d

SHA512
c42851ae751b6c47b3a4438323a23824dc472425ef8cbcfbd57d17ad7cf8a4249da573b9ede3e2eab8f7de3246c1a5657e277b830877204a200437089dac12e3

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
460a4ef63c5e91bb2dae59cbc191a457

SHA1
4a1ba87c85f478b31ee4ab0ee721affc50be7b31

SHA256
b28fba7531aaf4f0c95dfa97fb678a31266ed9e2567cf5237c4663ae4e030ab6

SHA512
f23e71ce777b4501bd62f86f66aebed29c602a927fa81c6c941bc56078b4315703391d72d370e6d441a5f85ba43eaaab673bde12c5db936bb7d6438fe437126d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
401d203f025dc9ac71c3b3ca6d02114a

SHA1
36cb7522c9565424045b5c1d6b12570d833f842f

SHA256
fe899394965f5d417c785aceea82046ddf2547d0c758e6ea392b0ad678460e20

SHA512
8673a249678fb9b8da57c3856e0caf04f5cbef362d01e9f272582bb2a3a3f7152730e76069ed97b577b8f791736ba8f58194f968459834975c78eec8d37361ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
f727341b351511d30307f599a4f5b5b8

SHA1
4b9d9318089c2330695235b7fb057a9b7fc26903

SHA256
b7c0e3fe85cdb25895de1cb137e0c832c2d7516b7d292885f227008d1c91c7fc

SHA512
dbdc6a33021f9fb6d936d18d03654657c674612c2c4fb1f6df8f0814daf8ce25727034d53767af66fdd0dd6452444960879f64f88f35467015e705f0b4114475

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b9b8152745eb54a7c6b7e98bc030c7b5

SHA1
c5a40a3c97c5ea3157749d0670e5641867d1d8f1

SHA256
e7152780fdea8f062dcf8d3a2a93a0ecd5e9754845471b90c8acc59cd969b13d

SHA512
1344b1f7a6349e6edf7bb99d4b3209a6570e7e9aafda479ff35d72f40aadf2ddf502b2b5e6a4b2b4f51467a3cec8a4f019c18871c5199803f6a4e62d42400bbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
e71563f5ce1d095b5b3d2d0e01c16ee8

SHA1
13a62e49ced4d6d8384fda3e6b7348f7217c269b

SHA256
85617d9ae73e78244c81286fbb27d8f62dcdbda1dc35fe6a42af07b7b2096c3c

SHA512
8726ee798795f9323909a749e63ef39ed86859fabb1797c7e09e1d65c36aaa5dc7ad62e706b403c28787d987024c70f006514eb1d20b0285f170c42bfa9d7af4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
03b38664a34bd34280b8119ddec0afa5

SHA1
f5ad59f1f6d529f5782ca7976b7d15bb04acfc6d

SHA256
25e149df0d41e16fe11f990dee8a7086f1f6b1dc0b767a6ca8be83a951a57879

SHA512
2e80251e8a535b07559378fa47e2d68bf80f207050b5e8a30955baf611d6047ecca5635f8529b60407cf152b8f8951cade5cd79fd347584148426afbd7f8decb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
1a7b4932fe33792f16065729a59278dc

SHA1
9881110161c9250f1a9ff046d7c6791b2c0aa77f

SHA256
feffefdbca71cdd1a5fdbf31397134b10ab32b33ded3e2b5697146999206f777

SHA512
e8806cbcbc5a817042cea820e6e35a991d461f1fc43624e331d1926d0725cef096c32db253ebb6256dcee93cabd07c8be784e3eb48c2c25f8bfc3099972aa803

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2b2429350c151d49af33005fc3bddcfc

SHA1
5401c21fd0ce130f2571c512e639a2b03ddc3277

SHA256
6c13713ba0f69ee2a76cc3682812c62948afc371ccc32db93eb2b084f17154d0

SHA512
b31bdab876a02fb3e96c74f025206bf9ddb6b498caa1c82838f72478dd42b603ca9439ee9368fb119a6b606256c745782af8f83423387825bb5f27fae2c4a473

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
195070cd153b3f9fa1c6d37a803e2b6a

SHA1
1d451a7ccdfee176d11aa0a6aa594065b3ef89e0

SHA256
df576b50b2c1e7cd2cfcbf822740333b911333de961654536fb90907e34598df

SHA512
98131e41eb18db6ce7776b9f324041e86b3c5d244018257dc292721d214a395ff92651d3814915e89014b7b61282c53089d6396467642623c92695bb67dd2589

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
93be839869c5ae06be7a7d10eb423ae2

SHA1
997c23a6a36b584ad6cde0d63f1ca25ff7e7e8ee

SHA256
442b78772cfe936bf12017542d60b7292d364398dc4b98eee4a25523921fa889

SHA512
bf083f01d8363bf741fa1b4a7ad9341ad563943ce29728d3d600bef8f8e675e11e1caa68ad40db0711cb2762b8056fab9c8b2d1621994affcc379c559fcf50f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
88a65bc2640390caed138a62d8a1e2e3

SHA1
e051e3ed3ca12e66cb73323680b6388b047dd1b8

SHA256
c19e293dd367b1868a275946adf434f149cf4f96646b515d505524fe86a4de86

SHA512
f4e343e8a6c6edfe498c334696dd40f9b0d159036eb58f1485c411d05801053f0463d21b1e77dde37fa1a8749773f8e5b6404f05a900ac123f8f838d69611995

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
03a2e4c3e86740d47f8f1597f0aeb25a

SHA1
5ad6840c4a00972d7b2e66ce1eb1bcb7ddc3d290

SHA256
41b8e79f30e65fe82d42c562d3b966ad72bf9ea6ec1eff9d21ebfa8efe00c7c7

SHA512
85c0d17c72115cddd6de231fda81d637c8aada3ef3c0001ede7d51f8ba2d74c8170407bbcb027dcf41f613b192be4f3ac72b86f8cbc80f3c05291627a3eb91b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
afed063d9dda0c426818689412c861d2

SHA1
2fbf1bb7209805097cb31ac1e034336035cfa7e9

SHA256
1efbd5249aaa3aa1501f60b65f1bb2c1ff1168f07b8c650b91b73925c89f51f9

SHA512
8cf2f850cafbd8a514d9ddb41bde8a37682f81517f0dacec47f8a321ddc6b992b6212d854736655982377a72592a112eee07bae3fe3900fa88ee312ffd2a4eab

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
c7e91160f1539135ae7742ab33e0a7ac

SHA1
df36c79fc28e0fad3e6488ba1675fdcf2f8365b7

SHA256
513a96870b04c8f09ae9b7f2127c8133c14e7f57f4a32e78b38059f7c84e2fcf

SHA512
0d0cc7bf5b9bdd18d55b379c2d65ce58999f66b694a5c5752d85857924c31b9bb7655150126a48f4fef67f09ea6faa833b96ffd89c1959897cdeb42d4dd31a52

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
8b941b5ec43bd3ccbae46af57651687f

SHA1
1c31ddbc25edaf287e87ee90747c9d87702f71bf

SHA256
93fe34dbb944c0e01b1f22f36a5df7708cb0f6be8e84c65fc9cd0d933b80f745

SHA512
ae3c55342f0edf66d450d14d4395cd74657c6d39fb4fe08f738059f75d5ea838f7bfaf0c7537cd80d02013373fff46c401c64af862b811cd6a9ff3dcadfb26ed

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
6c267bd1497b519bd9ed450131cd2a0c

SHA1
b95db531dcfc6f1ff930916300c6a42851a61648

SHA256
33c091080a51aa2cb04ed1b8da52c37e81597defc384891501b7ef147732025d

SHA512
4a09358e031b227102680003dee69e30fdfa97f747399c8939d526675d1ec2e859e324c3996b13c921bdf467425dc853d7e047920e7bc9cbf52842ac833bf8cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
5f62b8b48bff40005dd4b74720acdf0c

SHA1
7a5d1fd1ad6ce37c4c00b0b0e7fb759f9facf812

SHA256
1ae7892aee645f3bafeb4d042fde8a464531ea9b619c41f0635834829239b3b0

SHA512
5b05372ffaf4a95bf77d1ec7f0e1298962e5fc5f6ba7d50bdf26df69a5b3478c7d2932a6aba60f24655798c16265f6ded57d8061ea9e0d716638827c6fe89b8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
554a8ea6180b1e79198b7aef5009833b

SHA1
e8b3342cfc39244af5d57b9cb127d86546c163da

SHA256
ba7443ec972078945920bc6ca37ce4b0dfed51671f46836925bcd260c0266c79

SHA512
efc4d69ace043c7caa19f7f2b42d77f009e5c83ad8a7d9fd7d85513c57db69e9a109adaa692e0c8b9832fb7a8b1e5db009a64edfa2ae554bc717d9b96098a0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
dc3d82a90273764890621f618c41cf45

SHA1
05f0d541c9d5d0c8d0676ec5a8537d38d1769cf3

SHA256
e420922a5420ed61cf00016f66c7b205f16a2dbf46d3e4fa7c198ddc1be4bb42

SHA512
10c6aa7ae2c5de37fd97bd2855b7d6550e6d1706e53ea49f22f2da5e50bac4b516ec9ec7eb10bc3f15ad43929919cbd56dc77d21306caab24f09fab6bcc052df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
cbca7e7aa1c7d1d294f8a0d5fdf49811

SHA1
008208fa631651a57332737f22088976f8b0f6b6

SHA256
d0aab34ca143acdab7b9a3d255314fb3a52e0fe9b26ec04c9e74ca22283e40cd

SHA512
fb8ece8ab21fea4a863d4a3d239719adffda73f825828b1be70a0853122e66a21cf5d62fef1835f60a0b0b1987d8fd3365f44ef034333b1211ffd235ff78674c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
3ce78c2779581c593218000d783912ed

SHA1
7c3cbc99364c8d45a13d6a15aa15deb46e3f5557

SHA256
d5f01efcf9ad7af5193b8febd731793acc2a663d7adf6df68fca3dedbf14a299

SHA512
f9879bf057f48530058f3c18a922ddc5801b7389f1a37991f0af3c159a1ea7446031b8b3daeb81f45151a69bfb7d88507eb033afdcbcf5cafb862dca7598d50c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1849652010b43d2c2d8f02c5e511d042

SHA1
41257841749e390440442b55ca66e38b9c2a1c11

SHA256
df00e2986e53bf7e9b434fef08d79f183d7d58c275056cafb77c5f4281a5a3f7

SHA512
6d4d81c7253d9f10ef3a4d676cf9e2762eb20799fd00e0e9ce0ca0d0ff1c847f6dc53ef522e311c51a9587786b1f171fe5b1ccf1e01926964a0718834214f0d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
fd29464d02825124414177c44326f2c2

SHA1
5dc3654c507067b549ae2eef9cb210e9a70367e4

SHA256
27e9afea2895fa229c4f8879109602102276d224a99f299eca4758f1134b445f

SHA512
b4a6ecea11540d54798491700f184199e765febfc815a93ec7d7a300033a6dba7b40ea7588debf3c728067a6e84c5f4e69a6fb9276902c797d896f46f99c9de6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
2e623a07e41f79a6dbeee5d47a08dacf

SHA1
55f0b27da3347df1572c608d462a2326c346d9bd

SHA256
f5c737524c840af0fb8a0185b4aa3d8dfcb282e6ef37b29811881163d0625ff5

SHA512
ffd2ced17ab57736e6dda0b16074e44436b969616391bd07f9b309c0babff0f731f5a1396ecfafa1f1cf643f66a4f89a5e7340e0ec4cd6519cf3c659dac8f9f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
08454580d86a072495beff861e28c279

SHA1
0e556cb3b9e99feab11753f7ab61d7c28e6aa212

SHA256
552266141f119ce8051b81898eccab24a14902014077f4c6b0fe0cf8e1faed13

SHA512
8b84a20eb14750e614dde28fe47d310a5766422cbb402cf6bc60c58bd41ed0073407892564cdff69a0fb1bed5256d730285ef38abd9e7ed129222d1b875f93a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
86ffc3bd91a02b930a40ecbb29e9bd18

SHA1
d96f0859710fe4977f627d893f5cb6fcf8a1b33f

SHA256
b1b16f46dd0a3f9983a5639741b629ebfba56e8951b084c5359a0b2a1bca301f

SHA512
fa3b01a8f885a3367ab2489080da93f64af2d86a3c398b5759e553a6fbc5cce82519396a2cf7d58ae27b4f8ea5e43af7f06bad8390d908b0ae6f3d3fb267fd1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
5572f7fec198d4c4081a03d35bf8a599

SHA1
32b35f334224556bdef46678abdf13c8807f7551

SHA256
e8915430515389cefcbc7aefb5a66b87a69cb1fffe630aaac7708dfb46724392

SHA512
d67b8cd614fadf69845f10da4af5cdd3e702c4dac98850e547ee296da894e879e5cecf2ec17caa45c66dba26ae5814a9870153791a7b5d693514a9a4ef70d02b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
def85117cc636a2199e6ed47c5c38833

SHA1
45f790ee5c173b6b8876bafcfb9e33f545edf414

SHA256
1d8466a67d6b9384f151b26338ff0de3a60324bf0db94e87546326204b67d891

SHA512
3ffba25d31380538dcfe5226669793ea322f4e1ecd7bc298aeca8915bb44fbe45478e84766acbc4d2d1494a697d343d94701a8f0c32df82ac4000c7777400f30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3b752250d9fd12f55f0359444f99063a

SHA1
c73142472e760f54356c6dc3b14faf54a36714d7

SHA256
0bd3235d538200c45f16a013c7658947b41d987428101745cd700c332c0b69b7

SHA512
ae0749dea70ac9126ba679d34fe9d87231802255a24040a05ceb73de4168a7acbd61dceda8f2256f54ed173521cbbeb6e112929957f227b3ecf08066d5588dae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
10abd46af41266bb9f0497d102f3dc2d

SHA1
6d668ded00c229b36564f3545d83dbe6b84af941

SHA256
c0787bf08dc2627d9ae5146ca8026788c5e3a1ebed73013a68d9ef554fcf8234

SHA512
c410c4cb37d700028b261403846581e30d755e257f87628f195f77552d5f16109560974265da336763ac0b2c79818fbbf09a04ff8b8b82c35e8a48b4a7a67208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
034d877c1dde1710e3afbb3c48c2cac9

SHA1
4c5e70ad45ae84580ae625eb428ee7545da3fa00

SHA256
4ef95f26c220da6497b4ea92bf671e371875c343b607dff7ddd566eb817ed80a

SHA512
79906486a4b15e8bfd8195393294b4f46e6943644feb4dcbb4b326e2b1cadbc1461e281040fc206cc4e90bbbf1848e5539f32fb7b48754f62aad3bcaaa71d1d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
d8bc329b6ff2ff0ae9a60f0f5592cc85

SHA1
8893732f7fff30cbdedf76310c1e1464c43e7905

SHA256
459d2b72ddc1cf2c83f6df90eb9f3f040ae75578f4fefcbf349c3bf24ac4ceaf

SHA512
218c09dc5f0828f048eb16bd0741823d0c23625d911b802b021f3b0ae08dd250a81a3ddc28d48e75f78906023afbcfa819a300ea870f24e51900d424949e81fa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
bd48e5853f05989f628863eb1bf9ccda

SHA1
e672e6fee8e64d9c5c0bbc86c936f63d31df4fda

SHA256
6b016614916aabfa4a97fa06b286523fef28905a967c36fdb558328aba239d23

SHA512
92d035a305813056fbe001181eb7f9cc21375d646fece581c59e409d2e52690f7ef735b1d0df22465e61d043eb3d2580c8cc742a4344f9197db54479c8fb6d20

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
fdd6fbf26457411b67d3c034d922d1ac

SHA1
7c3fbf8d107ffc51a75cb827b85622ff2215fd8d

SHA256
d5c380adc43c221ac5b6012b696703b9bd9329ac2d2f36e016cc6c9cb31f48ab

SHA512
87d581773a595fbae9f3c8b8f57c7cb33de6c1b4202855f17f6504295ceb1ace6fc9b8a54ea1bc1d72a7b5501fcf4c194752534f5a6ac5d03685be38ce007648

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
2a57e4688a843f8ca12bed3e6e6a057b

SHA1
6eea39786fea8ae9bae0667a8fd738d857b2b38c

SHA256
2c36a04ccccb7accf4b04033af5c618b307a6b13610249f5afa659ee84d60b3a

SHA512
4b6376198a883d3db5eb844e7ea89ece8c98324b07119ceebd7697947ded149bffb96287f44a2488723cc91a2120e9c02897528f3119eec475dc59d054cae437

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
282e4d590c133102582607db5346955f

SHA1
f0b2fc5e53f1a6d6b40ae8d90e6a01b58ac89064

SHA256
3d9f70723c86be7ce59d1d66b475359e948a309161f903cc7833dd4451337dcf

SHA512
b72149de83349c877851c5569800c5fa16d3a3d40f5a71b8346bd4dbcd101bab148b8130ea3b7e6323686a1214877d5fbaff21d986e92e9eb7e48b68c4185b91

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
328fa546a8aac3512308cfc59929f21c

SHA1
2bb7e701d2d7b3dba041cc1b002217f0358163a8

SHA256
838f446742e0f44a62b8d94d43cbdc9c27215c80df6f114626f7dee4d9555026

SHA512
44a91151a206bd2bf0a920ff7249425c50e71848bdcd36f144da39d5468cbb9e6f9d340259b4fb08a59377e9616c06052ae166786d59907c1cc93c18783acef0

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
71b2f76c972b0db9caec64667a6d1fa0

SHA1
2ee65fc6b5846025f9a4f5c3b671fe38c5ddbbc0

SHA256
8627d17813d5951773608f27ad54ebc4f0748e8b2d32aef5d24cbbfd41d760b4

SHA512
c92ba00f615b499ebacb6d974d47e67e0523cee434f0cdf6d85909a3ae4b6f6d241d2c630acd06321b6becdb8e5c4dd6ae5f4646ec10cb8ff9bc650d092efe4c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
359a38ffeb9899c49bb126df9ae58c66

SHA1
ad53d5388e6344af43ec36e8c02a8a64e47d2533

SHA256
5ba3a1f6fed7c21a271bb3a0f07962c05e5b01bb4efe54b07da6ee19da713d3e

SHA512
4aff5b7371eeb2b0251cbf17f54eaa94c7aa7a1458f43b2b682030378cf7bccc7cb4d124f6d3364b1c42889e7ead90786d76ca02d51d553e399bbc36039c9a25

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1bf94a23b45cc31a89784eed532e9921

SHA1
ee7de75f2f3df4c72ef29cd5bc43560e4143b8b9

SHA256
4e6910d42eeacf664f2d4ca1275eadccccd56c709344cfad0a2170bd8c20fcf0

SHA512
1ef3b9795ed37f9047a6697f702746d0640ce759b344ecafd3b9a8c71891fcd0b855a4ee08d7de27edfd94ad88c8306b396a6530f89e448d9ebf84b21347bc2f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
8b3d1cf4b9a84c63cccdd0a47a64ce15

SHA1
4f2831ab5a8b22918b086023ad604e3345828b91

SHA256
7409dff68c558431bba001f5271e6676a843bcafce78aef9035f3b7fe41e8699

SHA512
083cbd9fcd8ad42381cb163a233e6fbe6e375977ba9b78392dad4a0d1a82c4c548c3462c995b31fbc50b24bcccedb99ec287c421243c3f7881d6b18c9fa5a3d1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3f8975fb728e2a948fe6a5bcc411ff59

SHA1
7a6547486fc9b29a142266613e6d103438ea8fe0

SHA256
8dbe9f8e9545f960c4dbfcae7c695afc18f7f71c986e8086f635f9f8970ecffb

SHA512
083235b75e1ed78106289fceb280a57b2de60cb9473bdb110632a8f929e52867a65fe8a599bb256bfc804b432846165de86ad2ec482ca752f7f9a8db6a751a34

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f88e05f43d0779e5c456a31a50038b18

SHA1
d940956f48e0dab7f58006a31b4873eb419d87fb

SHA256
0ce001a0f0317df425908beaead416161f46432d952c694f5f889ce67068a884

SHA512
cb6b0748ad268d5514f8205c66bfa788aaed723b4cf86fee2d2d626553164a65701eea7a6fb9f417715ab910d1a65431c8054cb22f41275e5160deaef566c392

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
9d2f7f6b39f9fa6b3f556211177c874f

SHA1
3e78bc4aa8ddc07dfba238bec38da51d371d8ba9

SHA256
743776e8303be9ff4f5d37d7890ea39477e2a3611c5033a31f09c45c440e98d2

SHA512
1bef583cc76d158e455e21a8d4e2b11040fbaf40eef1765b83cbd9007660eee468e9288e7dd2089b48ccacc6b8aae54180526fc4d40a409917548014c4030435

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
306ff4acb59e947ba7d7cee03ac32cd5

SHA1
d36a94b125ba021aacb4270e022ddff413260d91

SHA256
0da90f29fe86dece4269de90b98031c8265895429a8006f42370f4b1c5306f85

SHA512
88c9157a5a362f7591b01908d8ddac0cf0ef0b5818ebd68c64f2b16bb55d4d539e5ac968634c5ce263bebeb45db79fa75f462e98b00d3039c5996a3e7b35d7ed

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3033da722f4bedd16c45512cd6632443

SHA1
96fc89d35ed3d0d768758b1072507b2f9975c6d5

SHA256
d00cd2ce9e73d6d23100131b23e129ecd1faeb983abc12f23ab18b3fc817a589

SHA512
77eda980fdab451c07fe9b635558ba895586ae624ece7e1574736d73445e1bb13f0b8ba390f308151adecb216c2f3d176d585fc53111ec2e670e848a36f91308

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
62c9148072b1318a98693e720ec6f6a2

SHA1
fa2438c4fe477585c743ad4e7db0cab030f35934

SHA256
e98c414e224cd23f89f53c9142c44e0cafa5218e024d6f3eec824890a4f9eacd

SHA512
8ea4b5c770da6432d4c26976c4fc6aaa544dbffd4831656cb77427b88b99af5d362d39326d0895564e9bd15760255524a44760c941db45cf3e1e76720ebc2bd6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3cc0a127cdf408063fcb1258dc7aeea5

SHA1
199399072c543ec5523d3a101db744a806d8b4c3

SHA256
6e935f2f782be980fb559c741552442108f64a38e374be26df740c88be1ce6ab

SHA512
f9fbe92d7450ed368f396354a609f74718eed052bc088316cccbc40196c6b6ab2d74dab270785448c987dabc2c8d20f9860a791b4aa3117e69af29014aad24d1

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
be2f56e451050f94d51d93cded56813e

SHA1
2af8bced0edf4619e95999ef8af3b115c4ed9e15

SHA256
22511b6d3a4592dc5a02b65e1c57a5e8a5de3106e5c3d4d349985e50aed87921

SHA512
03729d70bd8dfa52030b58ecd70f529ccded102f30841401456bc076ae1e42005d20b7de9546802814bc7aded0fb251fa4800aa223d5e9c26b40acec6307b1ab

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
96e7c0dc51905032976b18470b300ae9

SHA1
c05125e1a5465781887e8ad4459a95ef2c1d71b1

SHA256
f06c1cbb12dd08a763d4ef0316b2060b1a90df9a95e86135b7db535d797aafff

SHA512
6c4aa23a3e7c069c896be266b887313b414a156b430479655a8bdb4cddd070fbb360db9475f72e2de892e14e580d1433ca0ec9b85685c66168d117f3567b3e60

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9ccf23d935679feea5aa7817cbd66e7a

SHA1
6ed6ae632c7b8c079ee0499e7656ab69997842e5

SHA256
7e2c56e9e0f1a4a3609eb928245d79acd9cd17a42b17a83ad4b0c7ae0fa7afd5

SHA512
640b13d9b905a003804ba84aac04b22bcbafa4bd70145d77f5a6c98d2247acff9571152dbc84487cd0b2e13087a309074ad7c6e1bcc203a297d97857d4cf2e30

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e9022c2043a9ea8cbbd1237da7a33ff2

SHA1
a587f35320b7b4dbed784ca1354db674a3403b4c

SHA256
225eaa361b166bd82c762b6fa8a19c33853625ce02477245e5c7409f796e5483

SHA512
1090a9dfb64b541143bbd9dd12bcba2761443984060b21989fb42fda667efd9db1f4a4883791f841650ee332041aacd6fa59550aa2a39e11e0b92e6790924cdc

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
e6db57d8188df576422ff80ad30394dd

SHA1
df896205e86ac431f4676e2c0e27b9c802e0c785

SHA256
21f151787f0eef257f63e05b909b33123a2d250a9a426c3d54998edd35814722

SHA512
ee1d080be7999e6e3e7df1a526e4cd8a4a739fcfc26127e2e79d2d5a7c7dbac6e4a4cd55e6d13c1077db54789c2ce6cedb75a128b9b3a649a6cacdde917bfb5e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
b568680ee45bcafe2d2ea5a38f3a981d

SHA1
77ea6e0ce4b17d83fe4784a8d554865a939569fe

SHA256
3fbaef1a8b062894deeca3a23b85839c15c4d6038a8d51193c8e073ef42421f4

SHA512
92a41263ea55df6436118510c44837cd929811f114191b24d2af932daa29436e2437c1a042e84c2ffa817fc693769cfb26291e60f8e7b875578eb2f9dacbd175

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
fc2ab6e8779bfe9e9e3d7e47989549d3

SHA1
28c43fa622c90b010bc9adefad7fb9446d89900d

SHA256
6c6e9bdab156755d77d7487c24451305fddb68cb574e7e60a8328d30d155a60a

SHA512
c335e5a569783c58b79c9ce3198ed10c6d0f19db4060798d891635e3d6b6792149ea3ab7904926997e5f3039ca06dbbb1502a5369947b4d478d28629295c4847

Download Submit
memory/716-205-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/876-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/876-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/876-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/876-496-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/996-206-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1080-211-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1132-210-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1424-209-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1424-552-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1612-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1612-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1612-533-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1612-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1696-88-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1696-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2308-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2308-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2308-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2308-58-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2308-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2328-204-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2540-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2540-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2540-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2564-203-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2744-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2780-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2780-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2792-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2792-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2792-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2792-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2792-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3196-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-208-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3476-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3476-207-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-274-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3948-553-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4324-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4752-271-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4752-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4752-7-0x0000000002200000-0x0000000002266000-memory.dmp

Filesize
408KB

Download
memory/4752-6-0x0000000002200000-0x0000000002266000-memory.dmp

Filesize
408KB

Download
memory/4752-1-0x0000000002200000-0x0000000002266000-memory.dmp

Filesize
408KB

Download
memory/4804-532-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4804-55-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4804-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download