736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Size

731KB
MD5

373c3855a2d7e25e0a99b88a46ee27fa
SHA1

649190eab272315eed3d6b0ce4ae20b727e2832e
SHA256

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b
SHA512

40fd31cf0c33fef14b47437d21a22509f8cf6444d6033efc78914250a5e4b34c46ab8b55751f58ebf4363387f4870e1381e2b045b3315ca245f41801fdcb65f3
SSDEEP

12288:rABCbwfMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:rABD0SkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
428	alg.exe
516	DiagnosticsHub.StandardCollector.Service.exe
3168	fxssvc.exe
3032	elevation_service.exe
4340	elevation_service.exe
4532	maintenanceservice.exe
4668	msdtc.exe
5072	OSE.EXE
968	PerceptionSimulationService.exe
2648	perfhost.exe
2976	locator.exe
3520	SensorDataService.exe
1484	snmptrap.exe
3284	spectrum.exe
4436	ssh-agent.exe
3136	TieringEngineService.exe
2600	AgentService.exe
2052	vds.exe
2844	vssvc.exe
4620	wbengine.exe
4944	WmiApSrv.exe
3220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\locator.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5863a96f85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\vds.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\System32\alg.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067e31e86bc99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009148e385bc99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4bc1786bc99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019bfd985bc99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b1a7786bc99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e951086bc99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007272ac85bc99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d330e86bc99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

pid	process
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exefxssvc.exeTieringEngineService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeAuditPrivilege	3168	fxssvc.exe
Token: SeRestorePrivilege	3136	TieringEngineService.exe
Token: SeManageVolumePrivilege	3136	TieringEngineService.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeBackupPrivilege	4620	wbengine.exe
Token: SeRestorePrivilege	4620	wbengine.exe
Token: SeSecurityPrivilege	4620	wbengine.exe
Token: 33	3220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeDebugPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	220	736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
Token: SeDebugPrivilege	428	alg.exe
Token: SeDebugPrivilege	428	alg.exe
Token: SeDebugPrivilege	428	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3220 wrote to memory of 2688	3220	SearchIndexer.exe	SearchProtocolHost.exe
PID 3220 wrote to memory of 2688	3220	SearchIndexer.exe	SearchProtocolHost.exe
PID 3220 wrote to memory of 4460	3220	SearchIndexer.exe	SearchFilterHost.exe
PID 3220 wrote to memory of 4460	3220	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe
"C:\Users\Admin\AppData\Local\Temp\736ab04574ac3e057fb26fd753c9d18db1ef9dcbb6a6feb22840d124ff87f48b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5096

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2688

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
711e51d57b65cd4c75bba0f3035d7a49

SHA1
69ccbdf2fcaecb930d9bb3ac069566a2b96520fd

SHA256
6c99a23f66cb10c51227955902942d718ea5c32b44d6d6ae9901bf00357a1cc6

SHA512
0af57e3abb368ac01706f9a1f9af916ffbda21ae9e4750070e6a574627190df2717902bf4695993f5a4808692b485b090fdf45997f2d64889226a5c6ccafff72

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
7c22dc1473b69766bd76e4c94b2e0904

SHA1
e4aa6ce87c46c2bfa0e266a798fdcb827abad551

SHA256
adbe284d14f02e05075bfa8eb2f776d07e36c6d1300da40510780941e2d2e817

SHA512
8a257c348713e029ac8d48ed3c877f1747d55b5596d1ddfa57b0d5d83f2dcb1fa9c53bcbb84eacd6d9b15685caf32d59ac9384aa6091a9b7b2d7bfec12bd4b60

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
35fa24e6acd3ed5f019d0f09531da74f

SHA1
f01e0e0a64f98d07846e8a30761a9fa5a6df6a65

SHA256
430f72c2b4725c0499af449462903fc11c85f578f21dd369ea9da26789eda942

SHA512
0b0ecf22fd591ab6bdd8bd5e7ed34f62208a4cdae0a754ae1b44b043753a82b38f49144a938936c81d0dbdc2976de57addd7d4cbca52fe06f05c39a205ccd3fe

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3e6409ba7a5a0700cc80e6c5ced07912

SHA1
359faa095cec8f80b2a835a5086d942a1d46228d

SHA256
1906c8613aa4b5cf555c6c530c436bba35b0ee8e7922bd49352a34d92e97b52a

SHA512
055520c259ecfb4933fc6783c30168db1461d240bee02b9edf0ef8d9c91d36881b1a32d96f450d412d6a3d9cd598d2f608ffbb07078ea7644b0c33d45af733cf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
5dfc0ac7ce0baf8ee6de8cdeb5681319

SHA1
f144a440113c71558d48b12d7f4f2719bebf858d

SHA256
a4ead70d8adcfd5c71af50293c8a3abb12915a64e31e14de207501f650892325

SHA512
0e8d985293aed0acbeb81ebc5fcd93571aedb642e559e167c52764f5529dc06feed158927dca03f3d7bcd3322c25a1d9d554047e339e816c5d714ae32c5c9dbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
11a93c998461f66c775bdac7a5840467

SHA1
f5382b774a0f88f0955de8a39533ddd698ea6719

SHA256
02f59b4779d92e18a14c5926691fd1224227708293c5be1f76b7cbcc1cc7de7b

SHA512
6671155fe3f79a756ee2205ff4b5dc3350ffa888b69200d9b4db43f5ba4b38b956be06654822c6af6bdb1296f9d59f5d5082cc9ef7d30d0a2fc2c1d095b8e823

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
3dc53523fc898d0b5d6823988d69d6ac

SHA1
fd4f6607299f1a21d0a68b08326d9e5c1c29fbda

SHA256
15f3f7464ea335fda9d2b13ab587a89b827427036f12184860df755b5b6d66eb

SHA512
f84235ca6d0a70d2378df3e257b5140aee36bfacdd6b71cb7daa08eac69fdf9802dfd70092012132bd9fe4b899c9d5d0ca9943cdabc77c5a0e0a7c74ef998cd7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
44666a65c183cd83458e14a505caf972

SHA1
080ec055d191aa8d431eb9140f34ed4629bfb24b

SHA256
7c45e25f7b7b1c06a6af1cd6a87818fd711a55021b38c397d15fcb15a8f78ac0

SHA512
54c77570b50c995718bd898ba5846d17a57d749523aa0a0913558e82d892ff4658403243b431b30dcc5a674b701a0aa469392fb814b3fa1f0787c4aac0f06a69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
0c5cd40b6a09c58c4dc8d4928948c9cd

SHA1
0d0660e48a298995ba9bef1a31823a3d2691ab09

SHA256
58b6f58ae063e61e0e530d94cd55d7d5b1fdfbb2404f73cda3ea75b20f0728b8

SHA512
5cf10bccb25a81b8e4ed9a021a6a5653fa9603bb9fe1a33e172b81b93a393208a42857e36a1cecd6190fb363fb6776d4c298ac8ca38de223178eb4ecaa6849c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9e99e4e05ac49dd67cc5fdfb8cc2a712

SHA1
ff8c53c61ac0b7df8d559bc4a927303895fd5ce2

SHA256
302677cb5ee1ceafc0470c03a20a54ead0d2bace3ad5387b52d62cb3e1c1f4a6

SHA512
f14c5c6267082a2b5700171e4e4b9a2a8024fc8476d97c83b55188270e5634c78bdf45695bd1c685effc7faffbff1b2ce96d1d13f8ff432f06be2f42fb1ff14b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
ffde376565140892441d116a39dd7ddb

SHA1
76c4a91b5eaaf2a616c4b250517604099b873930

SHA256
ea2f2bf60f780fc17b62af916ce85ae837e27c74613055a169a93fa6d763ef79

SHA512
ce3262bb194b9b9cf1f2a4041a068a8b82896dd0e254e9e573fc1cf39b3a6b6fa1ad0af4986c531660fb8946fee743d6cc048e911f27cce3b6b9341fcb7fdd60

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3137f8453472a6acfbff70e35b77c546

SHA1
0592cace758fc8718ece4a6c3d3ef1a7eb77074d

SHA256
31a788b2fa3700ddbf6ed4ef395cc819d37846de5f7ca50debf7f8f025ee8689

SHA512
13fc5062570e8ad1da2472649fae273d99b192faa30b17d56727b528462fb2aab522cf8a1d9feeaa07c9876d0b516b5f056231856a55ad55d97556b5077e895c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f35c55d9ec6efe5d65e984101d7b23c9

SHA1
c54cbabba15ba900e3cc9ec3f2a2d235be1b5ff4

SHA256
9b94ebd9e08bb77ed094523076a98d952741b08e26c92a571911c9f0b6f0f154

SHA512
c9a350823f816c9773f967c1814b24cb4a94f06a5e1ca49f833d45780b335a5fe03ae47b2defdf577e568473592b4563dcf85d1731ad38bc1e5aaed1dd6ae5b4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
aa36e3aa294faa83b556a9256fa3d750

SHA1
14a5571e300158c60558e0774cfd83c3cf7381a2

SHA256
23eda34a03c926abcd8f4df8ec8d99a0dd1a257adc738b933adb8770e5c8d4c0

SHA512
4d11c41952d9b7984520f05957ce96e28f877f39a2dbefb7b435fb20d296f6cd2bc60989557ff52f6937b696d9047f3f77adc228a8e101b90cfd0d211a4acabe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
5c24fa4f1594f5ea0af9068d9b3b7e90

SHA1
76a2467ed3f9523d57e986a3c89f96ba34928b84

SHA256
8bc46f8c2f18506e0d7f0aa2b1cd16696d4d8c737706342f6200a56b856afa19

SHA512
cae3185ebc82aada53b35d77ac6a8e45dc69389db105437dcbb1227b288b122e2f53782d5df442477e44a7a04ab22163e462f03a502375f9d76cdddce26cde5e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
a8cbec26cf4b98c2eb1782b82f07cda6

SHA1
361bba6ffd898de8771b86f0c09233f5484dde96

SHA256
861cb006e6c06069bf118ad45ed44164e4c1049182b8843c3b136585a378fa37

SHA512
05f2eb08202362903081c0d71533a6dd53dcb3511bfed95d40fcf37d1256263073470cb924f4ddd8d3afbde12f0ed34f087f547bba5bb4fb6a0c6c1548ce9722

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
9753d5f87ea46ab0bf10471e08b84bd3

SHA1
e83cf5bce23844dc03a657017dfc444c0722f90c

SHA256
b87f37295a4eb577ddf5c27c8f88049fcf1f2a74a332bc64237f3a7c9af276f4

SHA512
9c656955546d9eb1bccb3b2e0f2f180e8c8fa7b3b6a0621fbcd33c3ee6cacced70ee7904e779f3499976ac5eb9e6ceefcfaf9d83526cd5b2a1fdf87673aee9f8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
29904a205eed8f3ed43d1aa0d980fabf

SHA1
ca5696e5a813d02924b5343e6558242cc6fe99af

SHA256
c71da5fbb61057be0d133ce2dd1bf6f24ec3973c4f00c91a888b296d16f62183

SHA512
267fd040c278c54b24423a9df23edbb15ebcca9f045f3c292106e4921e91f71e09950aaed03b170a36d0cbe7a7331a8f117854da48844110468145884f34c43d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
8d8880b4cf159448cfe6ee0302b924b1

SHA1
e8e78574098d2ae2ff8b00077e3cd702b44fc0fd

SHA256
8d2a7e57eba17dc1f4dd6ac7f05d6bcdf6161c26b3c2dfc3a01d8cb344925152

SHA512
9a6700761080ed4df81f2de85f0b0052216510589791871c408bb161c47be95fff17c71f07069ee87e3732964c6ffe05710bd88809ede118377a5dfef1d640f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
999be9901cffa6b6a455f84d94d0f71a

SHA1
79b934802fed22252a8a06afda20347be8f27ab1

SHA256
b8738058fd565c42f456805437f7b025feffd19db8dbe778d23891a93bda0734

SHA512
4e0bae1c27b6c55851c813991c98c8482d5cf247ef564741a874f1b9ef041d52ae7920bc62ea46b76b09bab1f829acd799b3f8ccaf4e965aa1514f43033d2abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
fb8e7b9a3e74f06ec4215a22fbabb7e3

SHA1
28265b79c11170976113fe16ba0e207aaa21c747

SHA256
4ca40c4fc68deec9f74bbd3a6c5f438dae82236b464576a606199ab3f301558c

SHA512
486f4dd8fe4bf7106fcd36c5536d2fe99b0a42f2cd8bee0aac5bc21110d56f7dbd57e56526f330fac8948850a5ddd244058225d94e1196c0b3417c22b10bdd60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
4ae0b4d9510eaab0173c75c9bf262404

SHA1
59bc1298eb2794113cbe2742bcbbb53f6c920943

SHA256
6541cf5f6c767793c9feb629a1c8bb3c139fb8e72f079de5ee2ba0c06201c621

SHA512
ae50e4f70484cb4d44e862ad8c778c1e1ddffacdf7d4f42be0a717fd0b80a3e0dc4cdccdac999c767882caba752f5b9ba56ff510466cb99470a1b560b7e22307

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a53dc69ffad1581d3a2aeebd1b470ec7

SHA1
aec52902413a67be2d40318e2d1b851778180b57

SHA256
e5551016c6b6c7edd7a00ccbec2981c65cd31b7f27ba76ec4d2962fb5d183307

SHA512
f069e2505750c179f63d43e6924da0fccceaa88722a3a4366c59d47cc9a93bd7d9a97ebefbb937417fe4b9cc11940955d1bf765b40b33098d1bc7dc7eba613d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
cb0a030b5b1b432d4722e2ee7f477968

SHA1
ac763c67a06995f3badb6670c17f089990f4ccde

SHA256
a38a71deee411ce6e4229a9627c7a8d283ae6daf543555f052731b44ca0f4c97

SHA512
388655e90480aa6644b5d2bd7bbfff82777bacb10d48256dce5819ace9d0212453d7571faf6e3896d3a8cf1fe00b95201079a9be0ef33c0bb2beba4f9aeaf37c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
c2cfbfdac5324d405685892d7197bcbd

SHA1
60cd59bbacd378ffe0a5ad5fa4dec407a605b563

SHA256
19afb19f7940579f9ced6c5c478c9bdde5cb860386e807f63c8781c85f84627a

SHA512
98b20f180f2cf6b6de6369042931a724810af02adbc6db7eb5ad1a9a0bc22266585f9bb5b2e9175c6f426af3d7c1925e8b140d93a97134c153cba81ea61883ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
32671a5eadb8e3e87932a157cc0e4cce

SHA1
142785fb77ebaca91f739bffc19ed442e4fcb730

SHA256
a8709eb79a8a061f7854e7fc9c8c9564c2e37dad8953588907328f7970da4089

SHA512
2197f23c393735acb25631209783f6dc5b3afef345aa2aa21335bfeac8025a416e8f34ff0b1faef20f468db5ac03eba77b0eb9b29c3bd0207afc0b237ae41247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
8a769a3ca458585778a481c0b4543a86

SHA1
9b88dd10b493c1e357247dd84ffe851aba0b5c1b

SHA256
03312b5ba9562c6c1683e53d79e4ec8bbfb45385f3d59c9e95b7413b9413fd15

SHA512
abdc0df5f20507cda6797bd7297303c13e7f7afa57cb995c64f3e890560720af43bebe67648e05ac1bfbf710a722ca937d25fc061edf8e42fe8ad7e691e708e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d42299bda224bbb420b580b31538bc81

SHA1
d80378b18d7914294236db83fb089601dd5942cb

SHA256
72a2d0a832ee500d2f90a5213c8da784724448c7cc28d3d817a0a227049bc3f1

SHA512
48cb4cead934a78f58305e1e47e2834c564677861f9e0f35c5b0882a87f3d237305040100559de154eb4f667f9951f3896a707e5728bfd555bc3ec0a4396eac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
8ca1606f93e5c21ed562bbfc91b576c8

SHA1
7e79d44c98168d70a2257f3f5400d9cf2621e56b

SHA256
635dfb249860c7f16e79f60afbeee423da097450a733854da92322904cb4c07d

SHA512
4380851c85ba4ca0d4c3fbd102ee22970b31726e93ccbdbb5dfbef258c7f2e0ffdceb2ba25667649d0b5db7cdc75ce22babf9088f237096f03465e5b6971c8a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
265eedbf4e44b32cb83ca44ae432c2b5

SHA1
8ba0a46266f7a9ed71084872ac4fa77535539500

SHA256
72e215c684139d7dc0367c4c12d9bbae113378e8d31d3e1bda0b6c7c686bf1d6

SHA512
b1a106e8ee1329bfb91bf758fef2e73ba3f9fda056815578456781e2f90e10894b53654764af415a63d02e481e43be4b7536e293cb8c9b989acf43c010b32553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
3a720f5d27b9536c4221b35c5cb12836

SHA1
4e1c3ed7687a23ac2478a9bfa53e1871dc50efc9

SHA256
6d28fe6a10ede47a261fd931d545179fbf58dab85a49b5d641312e869d51413a

SHA512
d78be275003781368fa9f8f24c139468902151cfefed45dcaedcedb33fbd4b580a2324b9ddcd9e0dab8ab68f6b23c646f99612698e569bbe012b32fa4b7ca48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
f9ffc0474d44a1871e2195986b8cc27f

SHA1
670480fec56e3868585b23bbb0b3586712d703a9

SHA256
141b3cbb8b23ba03365d3621adfdc7bb7b5325db20551c718249c48bca3a04d3

SHA512
45fd4a6bc0dcc6d435587ab2b64f2c71a67ce116f66a4f281bad238ec1d25961b722f0e2bcbdebf0d85df43ccb20cd32ae03f103d216510e4c1384aeea9eacab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
efe5e9381b398c92a14e236f19c528e7

SHA1
2ceefa1382fd49430e3e73bf8a332937557c6fb7

SHA256
0f28032a6b5e1b8eeef1703facc29784a36d23395a9bf3a01b66e9d38d04fcf6

SHA512
ca64165ef4916b5272d18bafa2ceaa70ac555f567f713c4a6fe991691e23a34f99531ed5af168ba61e6a67ddd4398950a24bd056b00814332679b8c9b2e3294e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
f5fb52203c7e7c2094d42f5299b56e6b

SHA1
a0097fb7a833df33669e1038407768280529020e

SHA256
5c6dad99d623e9ad5afecb24dc70fff97e0e1d88f29e8daef511fe673e3a6b00

SHA512
33bf0d36b51cb5741ccd8ef1cfa9ef2f67b0bf1d8756d9602fa4c48a7a3fd88cd633255b1ba6a2cd4e4e1fb6e4bfbc7b4322dc05de273a60064202be834f4601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
fa57e74d07eca7d6856ae224c64f8bad

SHA1
83fff237af9d890a2d57036693b1dd13cbfaa47e

SHA256
21ef72414ba516c642f694ba3cfd8eccdee42ee2d1af0427114548be6092ee58

SHA512
01e00c769c494362051a60569d14f4727f9c29984df16af45bf004b97ffe782db131bc1248606c7ff18f4f8fb9d8bab05ee51cb844a5b789b099f6a2e4f0398f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
433d54ae082e8044ab191bff28138c97

SHA1
a337d4dc681b9329285d11802dc382613be5a757

SHA256
d7c555e6e0a6a36514a658b26e3193439047f4cd4a905c35df28b46ead5b5f32

SHA512
a466ff04d713c5e53c356481e026fb1821cba11688e63f7ff3dd0fc6d121654d374869b9892a1617581d15c545e9b57d1a74878d520016a453b66ccbd3f8d9f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6c72d1c585a614d1e0aed172afe0c398

SHA1
01881df09c1a31a49769bf2e102f5e41fc202918

SHA256
881c9324b48a633b34d37aed53e094d8c951736a425f3961ec9058d82c96f2d4

SHA512
291f911fea0446f85002f1c98a179978a0b8c6a8601d76fc6f3e15b0f1f0390a2d98f165601718516a09732d329d6072327cbeeca5a9d3047ebdefd111bf2dd9

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
bb5c45b466af433a50f1b08933a2e5d6

SHA1
6c87630828fe29baf1cad8257261bc995951bf63

SHA256
dfba30907a05526e7d87e80996f3c0bdd2b4cb057c05cd55b1a695efd45ff2f5

SHA512
a64df56488146bd52ce01aeebb52cc1975e890881891550f01581654fd0601940c8f8c7aea29c77d9b33fb0dafa87cfb3e94eeda413f5792749741baf4238fbc

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
0722ada14f113f0fe558638053619f77

SHA1
57a40ac5354e77311e83cfdd7f1d4b9d84ef0cbe

SHA256
cc0b1b53a53a8c09ea5516091c6a7da32b84f2b12a18af9a12fdca1197bf72d8

SHA512
d5dc6184d5b6bb9593a8dad1c602788f68267d22d8991f79cce9d1c719c3a312b1df533066156415bd48247289fa22e95052bf80ab8138361c688957c904db8a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
daae61a7391c1025ba0af008a6708b9d

SHA1
c41a28d3a4cc74d5119c3c44cc90bb04f3da8ecd

SHA256
46fd2667bcd471ffaa4e30b900c0be44ebd056483db18d215244ec28bfe1187f

SHA512
4067cd0c82339ea8c7440b1425dc593dc5dc0d04a3d435be960ec83016a27ab2c13fe07132eb1708d85aa8743684be3868be618330e3bb8adf31c66d07465b8b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d255e2807df64134e697a8bb3f668088

SHA1
f292b42b94335bcf505edb3e360365cc76202340

SHA256
5f42f50ccf48bcb18dfa13f780723f23f9599ce77bd47b5c7704ae1d2a5893ba

SHA512
8ed97b8629ad6d70b35be3461f05548988a863f6a66c571091956d3bc7214865e9b408e6ec5977ef768baf2d8a46564a4411f412f285ece04dd6fa7030ed26e9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a9ab0b509e225ecfaeebae551da8571a

SHA1
64a587b0282e35511049f51a4973e8d8dcf9a53e

SHA256
04c657d67b010f268b06fbf5b59689d0e021833588d639840f9786411e78783d

SHA512
e8c2918a0ef6096b365d4ec7a597fee1af4595197bf3a970e00e4c1252a554be206f071a3ab4ab3b0fcce38f34fb918d6f903a22e2d115352df285a6064c8d02

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
eacdd4f35b9d1963465e7e592ff59f7d

SHA1
35a7826077e7e774fa94457992ef99875e3c969b

SHA256
1a3326008f8c34fb990fbb2fa85f42e4ac9e8be91e93d2079e5bbc4cae1584c5

SHA512
c47fa7c05f5f6b5044a91e813c33e8b1021113286a480184f1a8a0fddd2a05b363cc446211babf36c1bf0e2e98cbc364b1b8029843939cbb50bac5bda09f38e4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
951853bd75d66955e3bff1ab5a8ecfc0

SHA1
00772b063a79cb9ad50ff1c94c03dda0e6cdae90

SHA256
a864ed1541a21c153f5f3c62a4e9133dcfc9ec378ef9749c31e18b8f41053f66

SHA512
6186facf82b43546dafe979d62b12b55f73714b1337557cd888ee3fa7b8a005fdee985e13aeb83f7891b55ae553088c2ad02b6d4e71d99ac8dc7355cbc05b85e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7f750fa9add73431c2b66689f2d12250

SHA1
caa3b53b32723123178f1258cf4875fde3e128fa

SHA256
722633190dbe25c1defb353717747ef14e464a6e0d482a6a523f3e737ba2eab0

SHA512
3cb2d022d6a8b315130417a7b690f127abb20fe0c6fbd870a27cae19ccbc0aa579464d27fe52002be34b49b2692a37a67da8f4afb7559afef3af8c50d6212afd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
fbd1c05100e710231ad5981f2d70b938

SHA1
2e3e5e07bb97d8a1be4984622faf62d3bfb79ccb

SHA256
7d4c914d34f05634848f0260abce3d4af144c2194faa3cee73854d1443b18166

SHA512
8828ea4688dadb7d2ccf7055e297efa09ef8f65e42a00807982381bd114cc58de865488844fada4c47bc64c89ce65d3adcf397c2f51547eec318d8dfac17f789

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f1d4902779ef3d16720b7cea132a3b39

SHA1
cbb093c7099f5b076730bfe8d7ed4c405747b281

SHA256
89612952ae64f86e46265e15db8ad22904bb75f8921dd8812b4b04b676829770

SHA512
049efe37e6c1624c8fa19a5d72b71f9ed8d2d9c3feb07e907e767e3b2c48c97aa312ee0d6188015e9df850aa40ef4f8ccf461ea67abe196d4c962e473939c563

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c2a01db9f42c7753c717e17186959c67

SHA1
d36c443fd329be4247bc0278c2ac71b92732790c

SHA256
97222db0d210f64d78b778c79c022e88f3cae78e5d91b533cf6e9769b6926058

SHA512
6b518ce55eaffdff017fafd3076c5f6bba29ecd1f85cdc3f844303b7684be9e77f561c275210d6f77d1fe1c518f2254e49ca0757c0b7f7f49849118a2529da0b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
373eb583ee7cb8d5fbcc2d8f45510408

SHA1
45a2a64f3fb1fb57e74ac143931119dda3c35148

SHA256
7b77314bde449ff4e5e42cafa5463dbb636475d6af94705401d92c31783b53ce

SHA512
514d04b8bff2be760b93909dc8eadc25996cc2ebf15b582ddb5f41d013c4e67474ad06f09776a9e72b54d162f19e843001e5fe2e2b379345fecbaf35656591e8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
bdfe6f4b4877f3ec14690bfa1e20203a

SHA1
39713e49782213cfe65dfd74d3575975d907ac8d

SHA256
4d21c071b0b38779f671447b9d1d2b3b10f5197ffe2492486e02c2f51373b703

SHA512
626a89c21da02353e25b9cf58dad618c40732beb4f51cb9ace5075f4168d8fdbdd5a202fcd8ed2788ff92746f6226f28d6eca9bf0518727da24305fa8e9e5290

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
eb83cd34b951b507e8a9aa55ba6740de

SHA1
2355d20e3f26961793fb049d7292f9931d8675bb

SHA256
8e3e03fba64153bdef159f534c96e0bf80d32dde658c66bdd54871b6b1f71c03

SHA512
6c7233f2f0a11abd49346f9feff44dc58e856c4e1ab5d5e10192b84a562d242fe9dec89bff9498efbf7cd298ae0de7098563a0419c0af6728811b7e5224a4780

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a92239e8811425f2b515d441bb8baf06

SHA1
ece1d5245d87c5eab2a01c2d295e7c80c0270b90

SHA256
8e4b9b1bf7a32db247bf1d14967cd7421f5bcabd8bc343d6fafbe27afefd301b

SHA512
ad257e886ba7c802dcd50b7fc871fc7cb3c9d4832ac847252218d39d6a37c852a790f50a7dcb97e7943f2c01f40bf312ae64ba628cdfacaa7a952931fa301355

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
8623ec6c75029b7fc2a2b5b1ea22a547

SHA1
9a794a04cda3b2d1d3d708f648d767cd4c72d622

SHA256
bdb8ef404a9635b77e08ede0191397b571545ad901fb2b8618b72dda74209d85

SHA512
bde2419fcaed00f3f5a86feb52e9e04fc459b6c5ac63d8f7bb5baf97daf4500e41436a69e26e8d99899bffeacab101b985d0f151b041b98d66515176c8573f27

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
deb1e4248f2925e7e948aa4c9bee9db0

SHA1
0a73b10aef5ffe3d588e2fa592e61239915ee25b

SHA256
6129a99eabfac344bd92b7e9f167c0a135309d2a8116b0d61a77507367d5acfa

SHA512
0f11faee2e26408e7ea8693332307364c4489b5fd12d75fa6b8f0116176a7afbae397a0d211647ce22de7bc8df088d1b8eac15e561d3bfcca501eadc0dbf464f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
e023cbed89e6db0ac4bc436ab8778616

SHA1
6b20da8cb0a073b694866d232a10a372b18f4bf4

SHA256
cfcfb954e0cc5fda2ccf6ec62a6d99ab60a3538cabe0e7b04feaf292c65ce392

SHA512
0ea0938aeae56c9ec9519b93e18b1406ad147dbbb1c1a56cdca9264f6e3918942c893e41ea1bda486833199733df806d88c4b77e61c45e6a1a5b572bc32fbff2

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
86a54bbe5f12bf09a530697f3c4cb909

SHA1
69b3bd23e63dde10dc38ecf97cc7a79aacc0388f

SHA256
23e0d15f3a232e7eacc368e460143aa55f2146f83cfbcb1695f6c49c554c98b1

SHA512
b2f548281caed2cb6b3e81b731c1b37ac79e9a5703117f9a383e51956785d24b25ce171413ff033920b464afc51a4a638b4e2308d07f18bde4d985096641af4a

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0a02fa0de59153cc901d940d05fa36cf

SHA1
d9264a18b814cb6a2b2f7dbfdd35a26e237ee21a

SHA256
c605c52d707e00a1f7b5cf08b45115220686f0daed6014a74818dc28534c9135

SHA512
6ea07ab82471affb4d2d470a525ad5ab68aeccb4b227930f45e51f8183744252df9acb9efa67a5d19f49ccce47d80388d63a74960a74c66a451bd415b78e3662

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
e83ab597ec4dc7d397132198fab142d1

SHA1
5a09be6eac9469c45ac0b5577fb9320517e55b81

SHA256
e26631966b69a3a8720313591aa277e38f5cdac1773eef732f2f9279f960ce94

SHA512
240de8f2259df3e5321c2690b5bb435bbbb380f6d67a95c6afcda5d20da00db5e245668f222b7cc58fc9f227a503e85ef61f6942b862bf9a6a1d7147a6f51380

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
5a7f3e66d2f8967bd1e9b1c80ad1ba9e

SHA1
fa32be4eb2806ed7b192b514afae216bb73514b8

SHA256
13ff3e6d497918c488d467cbd795ec139d96e6fd36bc8d8ad1f4514355712721

SHA512
600ed7ebf13b412bd1b128782c97b76cf7b67936fda6fc25bb8356cbd5e8406d476ceaa38b3c062e5324a251bb4f89448e4be12f3127fe2dd1b851032ce14371

Download Submit
memory/220-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/220-586-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/220-8-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/220-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/428-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/428-592-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/428-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/428-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/516-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/516-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/516-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/968-297-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1484-303-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2052-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2600-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2648-298-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2844-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2976-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3032-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3032-595-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3032-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3032-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3136-311-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3168-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-43-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3168-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-82-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3168-37-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3220-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3220-599-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3284-597-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3284-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3520-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3520-302-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4340-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4340-296-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4340-596-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4340-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4436-306-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-69-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4532-75-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4532-79-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4532-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4620-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4668-86-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4668-293-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4944-598-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4944-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5072-294-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download