5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Size

720KB
MD5

7be5a9ab0296315788b3244ae5f6437c
SHA1

635ac29ce9146de63bf6ab60b08892a252376ac4
SHA256

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d
SHA512

47d21a405e2d3e9a5a8e063be8738e154458284436e88a03a9c831bd1126d42076c05965c51e8d880c6186e2e30281655ab5549aef92df2867e12a1d9383bea8
SSDEEP

12288:yrDPdYKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCGNpcj:yrD1YRVldlnXfH9gPwCn7vOb7HHcp/CB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4992	alg.exe
1400	DiagnosticsHub.StandardCollector.Service.exe
5040	fxssvc.exe
3200	elevation_service.exe
636	elevation_service.exe
4772	maintenanceservice.exe
4272	msdtc.exe
8	OSE.EXE
220	PerceptionSimulationService.exe
4932	perfhost.exe
4804	locator.exe
1032	SensorDataService.exe
4236	snmptrap.exe
4520	spectrum.exe
3036	ssh-agent.exe
3404	TieringEngineService.exe
3096	AgentService.exe
4404	vds.exe
2024	vssvc.exe
4516	wbengine.exe
5076	WmiApSrv.exe
3964	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cab1bc7aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\locator.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\System32\vds.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe

Drops file in Program Files directory 64 IoCs

Processes:

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056dadc07b499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005184c306b499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015647e0eb499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7aa270fb499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021dc740eb499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070fcf70eb499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd880c08b499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad95f506b499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000638aed07b499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe

pid	process
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeAuditPrivilege	5040	fxssvc.exe
Token: SeRestorePrivilege	3404	TieringEngineService.exe
Token: SeManageVolumePrivilege	3404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3096	AgentService.exe
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeBackupPrivilege	4516	wbengine.exe
Token: SeRestorePrivilege	4516	wbengine.exe
Token: SeSecurityPrivilege	4516	wbengine.exe
Token: 33	3964	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeDebugPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeDebugPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeDebugPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeDebugPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeDebugPrivilege	4576	5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
Token: SeDebugPrivilege	4992	alg.exe
Token: SeDebugPrivilege	4992	alg.exe
Token: SeDebugPrivilege	4992	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3964 wrote to memory of 5080	3964	SearchIndexer.exe	SearchProtocolHost.exe
PID 3964 wrote to memory of 5080	3964	SearchIndexer.exe	SearchProtocolHost.exe
PID 3964 wrote to memory of 4348	3964	SearchIndexer.exe	SearchFilterHost.exe
PID 3964 wrote to memory of 4348	3964	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe
"C:\Users\Admin\AppData\Local\Temp\5be8fc9a31943fb4795106f3e35c25232267e33eaa3a43425864ed0c3f60784d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4520

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5080

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8a2468038c01af607da2741ee54fd9ee

SHA1
953579620b8f69d685f7d9befb79271a44cfd061

SHA256
4d79918eb75c584087a200f5569fcdcef401cfc2e82d873f27764c92059a27d6

SHA512
f3530278e2418c4d5ce20ead0ce5c2aa9c1f44d419a26ffa3a57ada98e8d00e16dc040162593bd0ee235dd3ac97585877f78dddf6bbe331106417f32fdeb1a3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
a84a5c67cf2f80fffdbee8c73a28be4d

SHA1
0d55b7334bbd5028a847d98b7f9c2db3f9ca88ae

SHA256
69d4d78827a89c99ac3489fa963a22518ec3373577fae79d5ea711e466b11932

SHA512
3d43880b669ad330fc39d56edd085fa433970619e4d0a81915b3ecdb27a6e2991e89a031d0b68eaebaea04566172d69a26f9f7a4d29429972f8078354b9ba013

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
08df4abf709bb3364ea5b8231bbdc0dd

SHA1
39df98e216cc582e0cbd05b44a8137feff613dda

SHA256
5f6a8797b12155300960f79d54425821c087e2ebb90a6d5582446840511c2678

SHA512
fb8f7837117d5301f3de09079dd4a49fe7d50513bc1a93e3ccfd3908b4c6e72c394d6cb54dc004e3b77032ef1b0754e5ccd5c8d8a678fa9a54882afcdc20232a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8fd733119ac873197f4848509f59a042

SHA1
dbafe937c1af18414a8962e33a156fdcc1e57991

SHA256
7905feb4327eeefdc56f7364348c4de545c8e6a952e1ac74c28a145f16cb45e5

SHA512
8bd4dfcb8e73efba234cc6f75a9b533b3228dc7ade721767f56518d5f3bbfaee4534dc71ae150d7bf0d9c518cdce914c5df21c6d490da670193206f556046dfa

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
882a25bb93b2c5623a0ef9d32b62b07e

SHA1
256efcaf84e6b8332d3e4bde9258976b0ab97565

SHA256
e2cd3054b3d69edfbbc3c6f3eecfe1d7ed8de033d241b328732b73812a05f966

SHA512
70ad91610a9c96baeabec8af3d4b92109dab07ac36501e068c3739a30ccc7fe999bd8a1a12fe22f77e0bcbfc38806c66a5dd537dc36e808a5bb9b8611246102e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2ebcbaf48ff09eca98079a1c2457a72d

SHA1
f70a60771f4f1976c11709c0cfbd05a9c5c27449

SHA256
3796f33b02064c743b6a011aa8878a98b14482bd16cd3f6b1545c3507a37ba4b

SHA512
2ccb6670d0885094359e3dc340161dc0cba45645cbe0ceb085643f527ecab063dddecdd501f464ff5291bb6c317653d1125576b1d0fdd255b01b29e2109d0ae0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
6303e044116d1595b8d08dc3869bf062

SHA1
ecf3b94768d97246480dc1d969d9cd29050576fe

SHA256
16a042c8f47eca2761db357e05dfaf8ab1a9f3a9605ea99c14df4adb623141af

SHA512
da9e58a7afd76c3426642fce2bf5a3cc6f79b9a161f0de43a37fe5df14866d2314df55e8af10a9a2343e54506c82b041e4baf7f8ac0caae33919c3d716770ce2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
61f43a807e7c4b38bca90f30922fa237

SHA1
dc656472b8182fd1418103e99d75a5c149539c1c

SHA256
d835c759c80c6d995040a616a029b12ab6bd97ca50b51ccc5cd44c3987a2ee30

SHA512
1e702bced1c1fb6b970cfa99d9ffa0bbf5801c7e0fd64392b65b827a20f11d1a0e7f1f091494c2fd7cc9e0ae828c52ec6fa7ef52a9e080dc0c5c1dc96e327ba4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
f15f3dde52869e8fd6878d1c11caffb6

SHA1
34acf85a04f94bb022ef11d65ad6b051c4886dbc

SHA256
4024450612950284cf094f37d6c5c382ea99761648d4979aac655f8d542b918b

SHA512
b6b406f8167c9a4b75b0fa4648eab453c4d0396e459ffaa5dc25a4e075da903d1ad990789da296deced9c1823029fc5e1092f329b9ab44b3b9ebea61b8a973d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
33aedec81bb60c09125fa0d063da92f4

SHA1
f70d38da5fe3064deff2d2428105161acefb01f3

SHA256
794a0c1ea7e281cbc117d3e22e0fabd332e29274d02e4dad2d270b6edbec960d

SHA512
962c3abe2a88b9b169fbefbab76b80cd111668f3445ee6c46a8293e09aeac8435798eb1d0729cf28b1876415fedac6c7dce4ec908d70398063de8b5483a29d7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8b179dae755a1edcc996f6d7ebfcc37e

SHA1
2221b665b42ff8d46ab6607796d9da5a2756e8a8

SHA256
122988e298109d0c9775cc800adeeceb676b1c62a232f93cc70d4b09aabdb6a9

SHA512
8b0f729cffaafacc6c9dd56819e8623d2c839949f0a6655756c18a53ec8fc905c87efc06765e63bbdb52cde6bf725aa4ed3eeaf6b205967b46e83c7d8511cecb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
075bfd051be69e9f576618b457ff0afb

SHA1
ac3dafd53e65d1feeb39989090e9603c9b123d09

SHA256
e5cee062fd0ee9689a426d8701d21b5d4b4f1ffa8d536ecbee3b241be9ab8539

SHA512
2c3bee258a65c72ca0f1dce4c5dffac0b5107c7f6065e3a9ea9c3188b920d9587fb2646cc49cab2075399f39775a0c7f57360782f5e6bbde68e204d3fa19370d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
02b4827a17701b3141fc5256bc4bd3a0

SHA1
cbc255290639fc8f315a996595d0aee345bafb9c

SHA256
82fa1c91bc3cfc0fff565efee5c95418cb3ea761db842682e6e0d48237cfa9df

SHA512
ef8492235e37b08942fcc3618e8b83dcc9fa194322210a3c600aaf0bd0a0fc22cced0f17e1c4e33aebb36b914bcb4222f0b40cdd6d54e7279a5b83ff92b2fa6d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
69faebdba09376ca8ff31f53807c1248

SHA1
668570dbfc205b2464e800ceaeca0517d17afbfb

SHA256
20a20ceebdd9f6a8642f2d3c2e3dcbc727bc7de369e6f18ae7a8120f915fa60c

SHA512
6a23611243310ca1b6fe14f1357c46fbad313fc7091fbd46fc5397491252da52b4e0013fd3876b8dd425577bada7fa0a38dd162b9824256f0d2adb0e1f2e906b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
cb37ca315489b57b4162b02ae2b9d120

SHA1
c0f8fd5bff1cbac0e7e52f6416d52cdc3fe83fa3

SHA256
d6d8a0df57145af956861152ffeb9ec2ea212b935427c6ef83eb385ada58c38d

SHA512
f97ae64be7ec91c12777183e9fdc7e51a0ee77339f65792fee9ea850a0a7f00e995a76c13f9ec5a4cc6a977a1f9926e44212daa084ceb15d63a6271254e3a9df

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
0d6dbd7b0d208857db190fb21eb71b3c

SHA1
7d34a8694ec596ee2fcef2ba022400fbc5b52a79

SHA256
651b740edae80c166cf1f7fedae25f626a431913d148fa81fc6e9eb30e870407

SHA512
d805f11b07931c4178364020293051de7df291113c41b3c0d1db152225d3fb8ba737cfe3c89275b0bfc0db2066c32cbf8f946b797a71fe459b6f710a9142676d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
1625aeea1e375e215ac8f13408ef40e7

SHA1
e477cefef78d696d05a3fa62bac21e951540f395

SHA256
9479ccfa0c61dd2b396fb038c427186f9945c1606dd447453e8aae9aa5ad8b84

SHA512
a710c63f63bb9ee44c51263c981aa0bdb35fa13acd951522a19b69f2ad8a980f8fe621778c355b9fee1de53c06004af34c4da18e09fda0de122aea004b21db3c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
bd5762ca1c550fc867efb1134458dd3b

SHA1
5f5b34bb085eb1827eaa2d1f52db9eae24de7401

SHA256
7049f7655f697c24235803dae1b334ab0fca74894404d36cad7f109f8016c6b5

SHA512
43a98733b8e005658906d9bff78b6c70b705d7ba30b349158dea7f2f4a3e0f4e1a09e9eb2c86daae6beb3b4975c51f25c84ddea7e2d40c48aaf276325a7ee8d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
ba8936d561aec88d1a75a1cf9670afb7

SHA1
48b7735f9dc8de7d14c5bcd73b22756ccb958f99

SHA256
35ef43056dba72d6a3af3f5b3534fb1ec9f10ce4d5d205faac1bd40e46133592

SHA512
bf71bb7477add8f1f371498e4a6be321bee136f617939065d1088234e85cefac653343a28de007fb753470b18491d762cda79bde43e8abfab0271851f1bad4b3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
2c3d18ae315eb3cc84ab33b262861142

SHA1
4de35d23a159c4bf52db7b815eb1f25010d2dbe1

SHA256
b617cd07d39288a12f20fdaec10f75883853e934b9bd3271550067e142a8b875

SHA512
8b152db7e87dafb1b127e8f9e67eb7d3e372994e0e6308662b212bf9045ef9ac3083d6b3ec9e8cda177f363df0a8008ea94c5e4b8ae24dd65befa260705df002

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
ad68322ba21d00f8857f21ee1f4101e1

SHA1
6e75dc0dfa590b4d20068e78594f53379a54bcb6

SHA256
8510131add3eb701948d223f31985cac891947b98b91353bbfd081839c701530

SHA512
8b28d17b64e8a206e03dcd036ab1b34033ab2e5aa0ec82e5e0052155439e4754d5e81bc170e391f61176c28b8b1ae72f8c643b1818290bc48060703b6c2beaf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
e2e7551951e977f0e332b10bd54a6abf

SHA1
bdd8e431af6b98187c3db37852f2328c5388ee37

SHA256
baec39dad69da1e39671fa6f734124e7333aae1f6f3c677fc691f518061b4d25

SHA512
c099da20a7c55cdc450665996429b05132a8757517f2eee76e0b292c1ab0d4f2f2c54b32d646a972895d2acbfaea53b92685a1896a60062a44b9735ccce57bd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
8913efb5d79edb4d58fc8d793540feac

SHA1
22c6eb8c020d87f1e492a8fce755a1eb3a8b4aef

SHA256
e621e75e21d015e06591014807a94a1c148dda1a2276f31d8bfa55f6b45d9997

SHA512
72c9e2ba13eaf4549813a202a7051b380945b248637b8497c2d67cf25337121fd4792775810d360666f490f78522d737a22d3ae1cd37d87f162691089be65d1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
052caeabbdfbad1fb8fbb768faff93aa

SHA1
6f0b0f3a8d08d9fd17d328ec4cd9c9e8d4726035

SHA256
1fdd2df69db900490d27a42879599467762ebcc73482ab20bc698e14a2cfe7b9

SHA512
14a100878e799ec973653c7a5358fa22eaf0bc64b458687a0e526d066cea8852b99b1b3a301bb4f0f37acf449089bae63fb5490309f77f29515943dc26d5d72f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
07b8fd409522e92cc4e6c8bb01c57eba

SHA1
38ccd47cf945a28c3e2db0b1b6774b4bec523d9c

SHA256
1ca9f467ae1ec802eeae38ce4c0a3b32125eb68ecdbcf18eb6940217e156bcc4

SHA512
374700f9a9cb152eecc91a62218baf686907b31ad42399d04fe878cf4a67570d4e954b0688f9a2223003ca56486597b61403fdf50d17b6fec61b87252b2cf9e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
0d7fc9351150e6ab16f2c657fef5eb47

SHA1
4160b0782338b7ccaaf01ea6f9c2b30df9e68e76

SHA256
466ab3c8163004922370cc168a1c246cd3144dbb2a80573f033dc2759ea51c89

SHA512
f3ddd549e35fbaa3ce0da64d12c35270c5c356bdcad06b36fe50c326ba45044aff8d9eb7239f0cbea9cb900cb74d53443d8dcf4bea59e77da4e64ffd06f16e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
eb4a84da63fd360df07bc633fe3a5496

SHA1
99565bcd46f38205f677a010e624081e5ae0e069

SHA256
15acab049cfe8c52db307b7c4c405b8858a1026dd8fd6c222ec13730f9ad53f6

SHA512
d1d7192f285e6e9e1781d0c4559d53776ba15a850c147aaebb9ca98fa7d564eef6acf162953bcba4ded44e46068de4179a980f143b2fdffeb0d40401b73acd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
00fc8c32a3e5264851484d2045475c87

SHA1
d96334194ef7d2810a76e97924f24847f4402b4a

SHA256
66e5d065e266190069d9eea79efb9205244c5ab9704ab7d43cae99f59b96b369

SHA512
a8c6e97620d0452fada8586121b64082d48fb75083e3a6c381bb282742f3e6e71883f4b099b21be9d217d81709f23dcf1410656accc3b9115da94e830b47664d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
a688cad202cae878635e73fa587b5d52

SHA1
02bab4e1f82941761cced44584a039b5894b182f

SHA256
dca822630c414de0be288c5f433e350ff2bae023a06f0369062faec40af1396a

SHA512
2a7b26958c3e64a105ccbaa88b05d2278a1788395e3952ee995277e17c522de3afacc6654fded5493fef68ba068d97c3cec7ce359edaef31b054c3edb953b3a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
467a66a2bce65425d8c1cf58c9e06890

SHA1
dcdebac1a3b95b871c348ecc1ebc37f5fb633382

SHA256
194f97d9be727d749caf57fb8bbbb9e576c3d2f226da7d7d096708bf6ac4d068

SHA512
cede7546124cde973ae12fc4626cbe5b1254a2e73eeb0129b01711350a374576d319027d3a6463598e1aaca38c5b92d7be73a6b1b53d9cf5720285420ec1ee9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
022f3022b8135af06b1ecc59abd5dce7

SHA1
6c30e82e80d5296a862b09cb518efde269d4238d

SHA256
1de1aff64dc462bdaf9999f05f628a63be23c244dd57d02e8afea6d88ee3c76b

SHA512
63a83d3b6156887c8a40d5ffa08cb8d69d6a51a9b0125704c12cbb71ce055b95ded2a9892d8b9f3488360ac30b75f2973d4710fa0206aa8857f2f7f4eba53fc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b5c57db96baa395f8581842d23d5d2d3

SHA1
e066c730ef298cadb8b19fbc671b9aeea161c81f

SHA256
07ab75cea308038e1ec0ed1046af65661842fa4080f8e5adaa4ba699f7c918e9

SHA512
0826b621572eaf07ce2a4c0a98c21938996f6b27b8849f17284e8665cec62fa9aad2e5df114fd8d1be78b6806db7394d97466ab9a2187ce384facc5a9fefaead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3ba2b6b0a96e7c4fd4d6e4c6598e5b0d

SHA1
accf752b3f09ea84867657b5460db9ebc37ad40c

SHA256
931a6b3713965060a812a34a540d80fc03a7ef117585ce5c52802cee6affd62a

SHA512
331bd446e5b55a896f7983abc1bb3fa0af997c55501b08bfc0f540efb10b56e16e0d55cc970df1b1343dab139279c55232dd2b6b96cdf74ccf63f97b7c689e65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
9f94527b733387c834ce2f928a03a066

SHA1
670d3dc53052487a8bf832d44f0a06cd22f073dd

SHA256
1d5d25959a114995d7a40e13f9709663093f218380abd66bdb1a88fbccc65b1c

SHA512
8a860d24e30533b1f4029d0096bb90b0643fbb2a36b8a986fb3a48f6263460692f5d39b19078159cc634c2495a2bb1bec1f63a8a245e5aa1ac20f77f335aec98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
900a9d75ee687e42dbe9ab4924701eab

SHA1
1c396d821e9815a73591fcaf4bf53f4ede30a294

SHA256
577bf5f014f097d8b4abfec4f69079073a70e1a53139748fee6f5264c874880f

SHA512
29a7e169075806b78ceef51210cb0c9728a13cb8d8d21fb41119d04fb947c33c4bf6ba607931c902431214825b0e2962b4f8f755a1b825343022ed707054f550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
509996340b06ae6351b635133c596317

SHA1
12e371a7e3ffed12b2cf9cedbf057606f3ca3d3c

SHA256
6570637668bcf953ffbaa4a430583f53c1608cc6d79d9413ebd244b8cd15e7ae

SHA512
805b2315f8bdce960f23d51e5c1ee1260f6d54e684b692406d97e6e50378d8ba17c318a5625983e5be4762ddf32cb025ead3eb1d04745a241f79296b051dd79f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
26cc41c53b7cb68c82791d2290b812a8

SHA1
5c1516b2c353fc147e169616d9f31c2512430cb5

SHA256
dbda006c540005b926bed043d61fa999e5a258b3f9f9180fac716379636aa565

SHA512
122ad3fe862650072d13aae18f6d42f6aa22d9a959108b3296597cadfb6599ded7ad0d98a62261e23562ca8e1329412103a3bad08abc0f38122c346aa1f1d73b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
91e8b279d17d48e0b32909cc8df53c13

SHA1
d46754e54d626ff6bee396bee223d71f47515c16

SHA256
7af3ce866cc874d1f2040a3541eef6d52fabc9c05633eca1ff8d01011a0e9e9f

SHA512
197e56558754278991ab6568cdcca21e2f3be43de450cbfac70d22b20064214c478ef45a6deefced463ae744dc10a1d7283fe182d01e8060764e578d92e973e6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5008b183959fca9c87607835884f2b49

SHA1
8e51812411ac89a5b143fc59260ec63be3809f67

SHA256
415732df4674df84b5191e57f9fae57b2f243d92cdd514523a9565befc8ca6ba

SHA512
9a6996f84bc1724857493e610ec2330578ee1bb7b98a280c7173c1708a6c9a48d567849e24c14886dc21047396ccae345ce323ea741ccb8d072172a5f3c50870

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
61f6982b1589f44de849e08893e79d61

SHA1
250ffd0b6d3606a10ba7f62acda92515b5de3647

SHA256
dbeec155c9c87f2c21aa938b6444ea40c7980b8e098ba68ca84bd3db0ee391e0

SHA512
b6d652528e5456fb90b77ee3e272173dffeb114385a056475619270a653b725f60fa60f7cdedac15b7269df3ac355f7f949cf0f41d8f36fb79f4d660d6909552

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cc749da7be1ad5272c536a8092ff0d45

SHA1
e2e6100cf5909555dd70d7b4b56d6a5fddc7ae92

SHA256
a325b9099a8ba73363f2e6baad0c097498e9d176275b7f1b7d866c83956c230f

SHA512
82b1253b31e4e1ac10e0d54ac01f0c037c3bbd4452d43eda0135f7d094d7f0c4707985400adac59a6e13880d664b4f00b3505cc91a2f2d6fa2927082c9013d18

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
9d28093c8672ddaafaacc00193e5522d

SHA1
ac2848643a04d9807c2cd1b29877bb0a7770531b

SHA256
50b00717cb00f593c239d9d2b4eb37f3feb74cfb4b0328911d3bd0749e7cfebd

SHA512
ac282241e2eb9ebd0f8172e0f35ee1a955355d19dc5ebdae9c87fb9bce15d533a685cc2702beaaf069ed525197e3e20c83853c0b068362024bc63b65f6c7bb76

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f612937d1255b20f745fa108db5d34a1

SHA1
cddf7006131c98d87f92d48117c01de00af4ba6a

SHA256
ec948a7ff6bf943bee6b4b49363eb9fb9ea90bec92187eef7c8fb3df5aaf4b6d

SHA512
bc8d1595a32d62a18f6b0da91e967fb5b3217e2193bb35bcd87bd8aa990f225bf5f7c9d78315ccc36b3f847dc7dab2e648dd4694e4376a58fac0cf1ab56a272b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
604ff2284cbd4da69341f3a5e9cd5a47

SHA1
26cc96912db1da6ea95c3c57dfd05b42c466a25b

SHA256
f36e4a34a34f15f26f512626070cd3c96e24c5792dade0fed76255c601809311

SHA512
1adf316ad9aba5e12b6fac9bf91f53cf155f5b96854e54612a2fd743b380c855b26db657db6b142278a3e72e53a9502a69d200f2da50ebe85506baecf9efd9cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
6d535d3b383e31b0c66479dd115c22bb

SHA1
5ffb9682b7cf3b436bb5d4fedc70b8ce58cc582b

SHA256
5268183a7c47045c755bbb368c7f366a1312ef08831d270f2d8e041fd137af82

SHA512
ca00f64914af76030b9772819c589e6ce9b272e3161e280a04286cfdc029766d41f89919dcbdcd81e548e465d15af00cd993ddec7fadb726f34fba17ebffa195

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ac511653d6f8d1240a11c7963a2b53ed

SHA1
3241f4519a07d7df818e5b05987b8e8d255cbe32

SHA256
2465b5e817138c0ac390e685c4aca4ec6d7a139643655593d1b04558de8260cf

SHA512
4e20d34a23eb1cbc8c207ee63eed05e723adbf5268338732bd7a754bb53f7eb0f14c81fdc65a86d6fd807f31d89b42edde03538a4158a76b92107dcaabe2f2d5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
89f8e1d921317f1067ca07a821514459

SHA1
55296f3e535ee4f99fc7cd7e686130aebdc9e6ea

SHA256
231696459aa1919ffbc99ae71464327728e248862204bedf8ce1327000ccc471

SHA512
76002c67e4b45848cc6a6611f09982dba0e253dee3cc0e9bd4b8bcfa3d19d557177ca539d5386312f369a1d14dc0c63be64b61cedac57668e45b9ac24f5f3df9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6f4045c4c2443a43b32650dbb4faab2c

SHA1
733de54bccda2288b5f673aee8b4ff79fb2d91db

SHA256
39d24189464fe40b28cad6e4159b69a63ab09dedb6b7e04c451b429acd116490

SHA512
69214a2db6b4977462f854901893013b48517db0c297c237108326bf61d937a320ee4bf3677f655a728eaaf197cab348a7ea172a3c0cd22f111ae5b666c4183f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
c20123bc09e8be264ec9d4f13f8c7e31

SHA1
9e9f4fb87162c19b12d544a7595edd721906c2bf

SHA256
1a03b5b28a3c440acf0fdc68efc9b890b7458cebaebe33aa9818f46912268f60

SHA512
927bdd8c56bb9ba0a46bb9a3a5254bf8689d44d7537bca4d801a6f303eb3b1bf360c30ced7eb1517f1660e943be952ec880cc8f94c603256081b2531267e291f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c1d0ca5e172b2b31269ba8cb114701ef

SHA1
222c6b06e03ac2454ad6502ea43b69e0a51ef2ca

SHA256
6505dc5b3a52208411f5c543a40f7dbd77224f5754d39fff61bae188661ecdad

SHA512
ffb3fe9c14319cf4773b1ce95348f551da4ec63cfb60f2390b47dff729dcfd58168d05f87f663b552074938bb4488951d98420fcab796d2a2c9b279d77674cda

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f59c0ab7ac438f929b010f260747bf46

SHA1
402c7d78297bd124242c66f31d77750c18551909

SHA256
97412b0971c107fdcffacfc15769f31836c75660240c67f340f60957bdf4a7a0

SHA512
ae76250d1c00f8ffdd2d47154fb9b888e2372b1d515d209b4b1e45138a51c4f66192f31b2edd08fb6829b34fb435ec0e2e40c5ffa589085093600e327f0082b0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
bfad3da808c8ed4c99c295815410ecde

SHA1
ab5ce5156725c097d28756b07ed9be444cc4dc14

SHA256
11303cd0291da8a87406db565d2d23a31fb85082be3be03af4d2fa8c74f688d1

SHA512
a6b1f349aac132089489d887aecd1165f84a30f8e01ba6fcd85cf48fcd82913f4e0c7a89ee7dc2e760ae50b97f0d108d34dcd574895b3740e57ce5d0d7b4218b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
30cbaf783b829caf3a7bc2184138a4f2

SHA1
03b2d65899334f5f9abfd607742476a8769a52f7

SHA256
8a1161ace02668ddd1c2af6a8979d4eb1422ca9bfae20fd01aa92d8a000df6b6

SHA512
818c98d0163ca44cc50a90cc0db99f5769100106dbcfc784adae3c71e5b9431d799810e52a02aef5e8d26809b2688b6184dd6da2adec9eee68da7e69695424c7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
270616843413c49eab43259adafcf461

SHA1
4dff5c49eddc365ff3146ee310a67f022ad8b3f6

SHA256
fe224f659f850c1f06d7fc84bbd37279f917bb81c568cac04b09e3d75599d1e5

SHA512
a88ef77fa233fe23663c23752170cf872c6073e9aa5165e644bc84b064d80180ad8b8885687166dec0c853631b1e148b6c28b4584b060077a593cadb8fb5a198

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
514af56aa86092a17d2606f2f3bd1dec

SHA1
03252caeac160bf8bee64935118fa8a79566eaa5

SHA256
275a42560971e1f5c5c069432de5649881b5bbfe7497fc0707e61833b4c69c13

SHA512
2f2040652b60179cb11437a20abd5679352414674d8f0dde7bfcb73bb83e351e8733bfb0c622105a8e28ebf5a6094fd0fde665b492bedd3fcdc020c7e7c39bc0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3f531e4571a479d41006f402d43a1955

SHA1
18374e55d97dc58e43dd7cf2b3a57878e7da03c6

SHA256
d57830402e8c673f7c14c902bde12b62ac767b38ce93ff400adcf663b479d840

SHA512
35917373b63431b7c6aebc20bce23eac8aab14dbf1c2ddad519a5513d447a8c6a47a5fcddbcb7d61471bc70fbba46d226e1aa428d09b4262c82ea9b7767f8bd1

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a9bd5a1d18a055bc08935c002429f4b7

SHA1
9fd6f42cbc392f42ff14e2047cc79a7cae0c9c21

SHA256
3e65112c872c74074eb0427c9e1efe24b8ddba8d597f5c088986f5d8d40d6bc5

SHA512
b698dbe63331e548b892d6921a0c003c241aad73098862356dce4f9d8811f8ec723d7eec994764cee020bfda5326e8b8fe708ec1236791675dfbd8265a2614cc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7ccabe948becd80502a1db88a4b581c6

SHA1
64533b9131ba7e5358417a3d81cfafab03ffbf99

SHA256
dfa735ffa13f3014921f8e210bfcf6829b9fdd9ae0a22abba34f1a3e4e1bdbc9

SHA512
0eca3a3fc2099d8307215263073ef7490ade046ab0f7683f219f50fea7e846d16ff50f8e711bedbf113245b154489774f165178d71265f12c0a8c4afc7b0b66d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7dc8876ce2f1af30be4ff3208d22ecb4

SHA1
5737f9103cf21ab0df735f45d1a03b9400aaa78d

SHA256
819d5c56b9fe454070497bc7bf9ec23df754f90246f302f08035b2e68c5a13ff

SHA512
6f46e108c102a0bf40b63cc5338b9113717c2296bd0082679caf05f256466f54e94c132a5fa8e42c426aa4ba284efbd3d70558b8eb289b35b543f0d13936a9f5

Download Submit
memory/8-116-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/8-229-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/220-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/220-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/636-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1032-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1032-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1032-533-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1400-143-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1400-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1400-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1400-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2024-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2024-603-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3036-534-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3036-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3096-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3096-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3200-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3200-57-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3200-51-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3200-178-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3404-535-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3404-211-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3964-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3964-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4236-173-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4236-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4272-214-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4272-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4404-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4516-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4520-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4576-85-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4576-86-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4576-1-0x0000000002090000-0x00000000020F7000-memory.dmp

Filesize
412KB

Download
memory/4576-6-0x0000000002090000-0x00000000020F7000-memory.dmp

Filesize
412KB

Download
memory/4576-94-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4576-39-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4576-38-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4576-37-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/4576-87-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4576-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4772-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-90-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-77-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4772-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4804-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4804-144-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4932-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4932-253-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4992-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4992-20-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4992-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4992-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4992-18-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5040-61-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5040-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5040-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5040-41-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5040-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-266-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download