8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a

Resubmissions

28-04-2024 10:27

240428-mg4hxsdf46 7

28-04-2024 10:21

240428-mdncjadg51 7

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Size

1.8MB
MD5

632170e99a4c30b8ec0d4cfb3a1cecb9
SHA1

aedda2d4339ff9a90d6b3c5438549c5833212f4d
SHA256

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a
SHA512

4a58424ac1d4807fb665397d36fee6143e20b7204ae648aa2ff996d1383cb033d2a7de39487d1fb36fd19d483ba68ef0a8a226d7d9e507f7597ea5ded30c6d56
SSDEEP

49152:8x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:8vbjVkjjCAzJNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2112	alg.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
4368	fxssvc.exe
2240	elevation_service.exe
3468	elevation_service.exe
3400	maintenanceservice.exe
4592	msdtc.exe
1392	OSE.EXE
336	PerceptionSimulationService.exe
4076	perfhost.exe
4108	locator.exe
5012	SensorDataService.exe
1452	snmptrap.exe
2300	spectrum.exe
432	ssh-agent.exe
812	TieringEngineService.exe
4552	AgentService.exe
4416	vds.exe
900	vssvc.exe
3388	wbengine.exe
3344	WmiApSrv.exe
2484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 51 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a87665ca7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\locator.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exe8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AF6.tmp\goopdateres_sv.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AF6.tmp\goopdateres_en.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3AF6.tmp\GoogleUpdateSetup.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe

Drops file in Windows directory 6 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exe8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ed2f7a65699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085d116a75699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000783419a75699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000194e37a85699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043c52da85699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b15a20a75699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f1a47a95699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exe

pid	process
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
2240	elevation_service.exe
2240	elevation_service.exe
2240	elevation_service.exe
2240	elevation_service.exe
2240	elevation_service.exe
2240	elevation_service.exe
3468	elevation_service.exe
3468	elevation_service.exe
3468	elevation_service.exe
3468	elevation_service.exe
3468	elevation_service.exe
3468	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1268	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Token: SeAuditPrivilege	4368	fxssvc.exe
Token: SeRestorePrivilege	812	TieringEngineService.exe
Token: SeManageVolumePrivilege	812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	900	vssvc.exe
Token: SeRestorePrivilege	900	vssvc.exe
Token: SeAuditPrivilege	900	vssvc.exe
Token: SeBackupPrivilege	3388	wbengine.exe
Token: SeRestorePrivilege	3388	wbengine.exe
Token: SeSecurityPrivilege	3388	wbengine.exe
Token: 33	2484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeDebugPrivilege	2112	alg.exe
Token: SeDebugPrivilege	2112	alg.exe
Token: SeDebugPrivilege	2112	alg.exe
Token: SeDebugPrivilege	5024	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2240	elevation_service.exe
Token: SeDebugPrivilege	3468	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2484 wrote to memory of 2968	2484	SearchIndexer.exe	SearchProtocolHost.exe
PID 2484 wrote to memory of 2968	2484	SearchIndexer.exe	SearchProtocolHost.exe
PID 2484 wrote to memory of 4036	2484	SearchIndexer.exe	SearchFilterHost.exe
PID 2484 wrote to memory of 4036	2484	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
"C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4592

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2968

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
189c416785ea5c48cd49911a40d07dbb

SHA1
66350ec8b6147cf98a7e4ea77ddd20547e2e940d

SHA256
bcf115b01d628c11ea0934c8695879e4425ee6b7f548f0fe3f37b6a4c054443b

SHA512
44ae4346384f4fbdc4f0f578a477254080286f690c0869e7e512553fc2c75ddd8c07dfd4f003935f715aa8ea7cfb215ba8bee801430960aeeeec710064244e9a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
acec628c5d32ec795ffe3df61ef964db

SHA1
3fe65bbbd933a4a9a0bdfc99738257b6b1e69ac5

SHA256
0296e3dd2b677b0e50625902f54b8914c82c99f5679c7dd6c2524609930f87cf

SHA512
f229d32a8e799a70cd1c8210434ae83c6179b78ab563ba38fbc7da02fd07762dbcf7833098441ce2e16f80a22c5869520e3746d27df3f6b71a9227a2565eb11d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d52c62c75b53c7362a783b68774fb95e

SHA1
7a4f3870afd6eef7c74eff5db2f1bf0dad9d7d8c

SHA256
bfa5d07efe5b4e773b61308c947944b51ba46048dcb5a6a26c720489a5d991e9

SHA512
83636f9ba729991d4e497d69badb11f540eed0ad0336c07b432b398474956d849216e0e89df6e3d5df7c89f43fe7b4059406c828b92ace422f73171d55065487

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c382250e00d3fc8f2d7490e0255700b9

SHA1
cc2e76de38c8ad9b0aec00a87de56e35836bb63a

SHA256
8b97069d1e9070774f29ce898121bac837f901048131b2aa81a8f267beaca8dd

SHA512
8c419dddcf540a6d08f0406caf6555dd8aaf8fb342f17fae5cf6950da68fa793c8dc961598a2cd6541b5ff97f088c012ae2d87ea477ab19ff2e347cf51aebb64

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c4ad2bf25e1c01a5451fe32160c809b3

SHA1
598f5864c807b51f79357e9d72b0056e975cbe6b

SHA256
aa5e4104df5d15966aba971679b132fa0e7b272ba32cc76ba6dba5b16ae0fa03

SHA512
9893b3244b07b74ac736827343c214e9973bb4c6bb4d7d4eaeb2b776ac7a07ba06a2ca605445f83025a6e9e60e60602fe90a64500ab195ec771355788a05503e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
4e202f8ac14ef26c6623918a5a5fa7c8

SHA1
43e64abbec4bf6847abeb6f3903bb2a2d6d01909

SHA256
e7f05ee208f21df5600f54e519a09e55a2be30e8f77778c17911883a9d87167b

SHA512
6e19d6185fcd3ed05e4f0f09eb637b427437590d54e743f637ea37b000dc8d8d088b096580e26903cd42638c7c1e58a804e0ea7a779a75b96d95fb5df12b6d4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
73a66a09f782eac8c9b3abc706b718ff

SHA1
7ccf4574cf71f5e551847ec00ad5dec80d23ad67

SHA256
020c20f471c4ae94cc3359ddb818e3dc393d63ffd12e5992b5676f713a3886dd

SHA512
81114fde2b2d63a09613448ac7584d03f9631ff73306dbfb3f5b09321b6fe361464a7b5c640f8afc4c16d7f295dc1a206b578e63964bdc517c876a38ef4e3e1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
932bd6607be47dd7dba57fbb8de8b359

SHA1
63ce0a58815ab1fdbb8b041c0952a3871e1c2601

SHA256
dd693848e5354b3380cd4cd91e637031a5162cb5eef13d4b65499ad23f25439e

SHA512
6f7497867ca3cc1b40cf4faad4d81c80ca0713d96f5e1928ee5743781c56e68e6d2d40ffedb5b5264379770adbcb89e3416ed2e92e068ac00039fd5c7456246f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9f1bc58f65172cd9a271a0be391ec936

SHA1
92acbac35feaf4a564c361da6db786888cbcc2b3

SHA256
e94bb09a2d019d75a31b5d8936ed11b5fdef913068a5594e811975935f915654

SHA512
37b40af375e29c3202a65709c21fd8cca1a1848a4e190b085e5618d557f6027c844be8bb86ac9f591c624aded2cd916ae66f7cc517722fd608f967ee44ef0cce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8f20f695139d53c2449f30264dbcb504

SHA1
a46fcfe6029cb9858b22b87b5bd5bce240150c78

SHA256
438e7811d53d036ecdd90f52ac9a6f716e1f3283be1eb1e81c3038adaea399db

SHA512
57df326bfda3cee9534b7fab4d972b38a3ed0b4424135e374ed32e4bd49aad7a0cacbbe19feff43949cb7009b42cf9faac2d6d1a6e8e2e2879b8b8aa618cd051

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c6484c2c28e71a9fe6f4cc0bd7c7a4de

SHA1
eb9889659c3ec9f7cee2d8309b01ded82626abbb

SHA256
6a847a8bfc35fc733579dd6902d7ce952395ad146b3da9f969fb08105c5c4d20

SHA512
760f143f65ab47a288627bfacdf1f3085f54506092fa3811c0c903ac5cdd3010b0ac7ab87064983913eb4acf8c7d52b800e4e08d8f7629bbcc62b60384f521fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
15470f09127a81a5ca83d93ebb4de558

SHA1
f9565bebe98963f62d41c23d4193ef88ec263c92

SHA256
f23774f3df2495d6e759105dc021de8937b45523819b92265886314efda8b670

SHA512
efa665b549df6cf444a5d70836d7aa5ca85c9c6e624c3b9d3e8f1d8adea02076fd4679dd42f90ee1052d0f300654af88a30c0cc16cf755c75567d7c9258fdcee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
668447fdedbd37cb59f7cf36d9e87ec9

SHA1
62449efe5ca78ffe6e3ba589e90f1a6052c58e1f

SHA256
82339df468f013bc3226435876d2949d0d99f804f880865eafe88d9bb90bd183

SHA512
3676a8b14567e3abc3063e47e8e2b4e80eae0ae77106b7014acea5d2eae6e2fe394ba1f4d35b54f04f1fbb50d096fbe60371d23ad3b163cd30a31ce8a6083d24

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d752c934a397c0c88340dfcc45fa7311

SHA1
1954edebee755e481480b34e03908a2d19ff974b

SHA256
1d7b4316325e32466b34358b69a21a48732cd15b3f6902935fbd299d02b24013

SHA512
e3385857887c3915748a6ec6892700b3e243400407cc66cef651baac95b63855e7fb91b0d668d4b52b15561badb528007e1e1fd755563345ffc2dc2fc1a3f56c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
24bab782cdd6dff083267fe43ceb71c8

SHA1
a623395c8a73796251656f1b8ad41d7a9a53f382

SHA256
7f9bb043fad93491cba51150987ff54e304cceae49096e9abc0f11e816f1741f

SHA512
25b5a59340f94c01e07c10b6b9a70f555d9d391209abc54e5b4c316e1a4bac50d1cb9821d68a58ff93d6e4ac96362bbb36fa3b405addd0b51c3f0dba7057909a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
e4a9e52d3e4334ef8c646e6bf4da5b12

SHA1
a16b9b63946d6562deb1e50721d4554da10e7c22

SHA256
cb9a835a23521a7904bfb11b8e05eb088b3b4bd61f6e855c7ea5dbb84d4458d3

SHA512
9238612560377c2ee47032af2d24e1e31ac2a3ab0834d43ede792b0896ee53c9bb198416f5c1ce4d2efdc3778e25f904e1efb3c33b4d4e5542eabf4ba6e3a37a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
b67d806c2caa54b74c52dc8509fcd16f

SHA1
95c8072778dbf671cc53e4f62e98ec64bd94d1c9

SHA256
e75b341859bfa0e5da48c0ae9bab1c9833b7fc535be251d7606daec69058be05

SHA512
9ab6d167ae648f5a5a88988579bd6ef86b0efdeda32df721be83b505b160a889c4e47c5626a70bcf4b7422a7bdd5885a10ee0ac952dc06047829b4f936856759

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
efadf1c0c333eabf8447d0b2d0bf7fa3

SHA1
23e35359bc994e8433a9175013280b6d50661e42

SHA256
8483175e4bb4e7e0e17f3abb86803e7cf84bd636c6ea0134fdbc5f06efd25b40

SHA512
90b367f5354489bf6d108cad1a8a021bfe5627503833ecd2342a7b5593429b6aa4db9fe44d4174a6bbc1783d278d91a46ad143c07ca8a4d7ca92ff2e311351ba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
a7bd1c792630d53fbf59b476a5fee92d

SHA1
0cea96c82e6e80ccd040c5154378c8849ae6960d

SHA256
6d00fe81857de65067cda118c0283ef8f583107471cd9973ba871ae2cd218e77

SHA512
3f1182a4a03a0800533ebfb46efb23c8bca23b574b61965c2b5f16cc22f568dc4baafb52e3940890918d8a5656a0453f87a7af770fefef15136d440826e663a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
253fd332c76fc028c0548a930ee053ce

SHA1
c577817d06463e98066dd1dcd8f9e90ed62ea9bb

SHA256
2f5b5589e017eb790608940f1c2132e329b35e63ff9db5c5ab776a655b92df53

SHA512
7da6bb0f869120764ad660babb9fd62acd961c3b99e3b1af867cdea55a2b83468d616b31798555050dcf2b8cee3dbf3c608fe420cdbdbe4d71ad6fbff52894fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
67c180a5a0ddce6c90ee3a23b63c4e2c

SHA1
ea479463bf9e9bb5b90b96754e5fd949018153fe

SHA256
32b6b3c16102491830e8ff06eba85214b6a8faca0597875f8225dc7c855a51d5

SHA512
c779b7fa355599c3a05d06dc3d0680849feb56a709b218858b2b3ab3c47b777f3212b18166de3df4f852a05055c3282297de8b3280dc41cadf57d5cbca57aca2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
3e0eaad39e590b96be6d8d39b2ff6612

SHA1
c3e76e36975287aa0c14c2bbdecbe91dbda089ef

SHA256
7db58053e98523b53310e38fff50a9100bc6c691fedeaca01783f9b5f0aade28

SHA512
4c682a0c75f43d031139305c36c9a00851274371a02e51113bcc54c6f7c09f255a53e258b43da4f930f993b983e29c1c6eac117c8b4d8fe773e482fe47125365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
0a64c007959cfb253dd9fc1a2f6ca0b2

SHA1
759174cfe8abeee8c43096f62a12d90f691c6711

SHA256
e7805408a61f642dd094128d63e97c0bc0c3850138f96a99c5c112a17a09f133

SHA512
e54fc3ea0fdb33c04d9e366e7a2c4aaf30e3ab4b7fb755f0aa35233a405039359515f62053b10f4af2c426fd678b0d0c684b346d793034d77036c5f53a56156b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
94faee627a7a7065f568167bb1efc2b3

SHA1
c1854c3fd8bd170fc018a4865b80e8d876bc2472

SHA256
8331330343b38f147c66354e1b9beb23dd5ab5f6a66a5a8eb0d632193a96ea95

SHA512
16b6c1f9030082c99ff53f70024ee57ae115ba90f9aeece20556bf98a3b4ca394d03402df6f5eff1fdf079d88e0e0160cbc300282d82eae5af068fbaff8cc180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
4be4954c50a05756fcfa105bce5d1c98

SHA1
6a8b80afaabc30ec333397cf245fbcc42b3f32bd

SHA256
9484bd744afa689292408353add5459746d9612887dba9c9283b9fc57458e9d4

SHA512
9e2650c86de5e18f10cd03537651225c161e16c2cc1fe23e9ffb57537767e551fa52870ed76cc28995f294dd78f622c76e25e1ae662f310649dbdb1e1267ec35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
41e73178dc8cc286dce9129261714997

SHA1
e5d34d7feb1eed47a6e4552f03b537681f30439d

SHA256
ee3254d1dea6f0e698ff40a505ab68a05389e89438a1829006a49708a3cfad65

SHA512
bc32ce2ac4db0cda9640ec91c03eb3f10cfdf9c5495183e7651410aca2521a66e7ef6c0432c30f57e9f970805d302e56ebb154922de91876b61152f3a9321ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
79fa57d2f184d944ebda80e57a380e7e

SHA1
9ad619bd56c1a4d3dbe51441c0d95c93e211d1f5

SHA256
760055a0f99b6fc7112a349479a0d78144f01a48886f132dd344c19f17a5d226

SHA512
9e75a93960ed48df63b36f629ed1a9439c6238f833a9deeeea83a99196c146ed43df216215523e0a02eeead2144dbbc4047900277677d1f565de4910e1f5a4ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
364c8fd45a2fdb28dce46ba19b83fe30

SHA1
9cbb087dedf93d8b2d34f9bda2a91c5a004e53d8

SHA256
787ef431df072f5af85c1e8b42e463255796c285569ef12ea0c6a7a727259615

SHA512
b1d1ec6b6fdd26bf9dab193d9f24b5bfee61c3b1122abd65e075a7cbcac13074050f41a354c3fc58bc3e7e55beac08a4bde4894f6d98e36be8a3b63b56d48145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d844560bdaca12a7e6b59ae9409c74ef

SHA1
aedbcd254740c1a6d1cb2ffdd8eb0905bfc37339

SHA256
1963b98f4ff414ecadb67bd553345e23dc6ae62207da199f8e533d354ff6f2ae

SHA512
2c05204590851b13e99c13551790fa2af9d359b51bc1a792781658646edfaf9d09358f912083f0005cf439fffca599887070cb697dea2c3b05b297e8d4e95eb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
392f61d0555d7ea13d042dbcf46c6a57

SHA1
3990e55a9ff8f6013adfce59585c629eca60a48a

SHA256
4ba88833e69d15e7c31d1c6919a20f9eda2dda3189260bc877fbd54f2a6e0a52

SHA512
21e66e895e5676b19101a901e5aa8bd1e6585e2f7b479a4000fcef116b949165b366d90b2bdba72ba5974568a070cdf737eaec31edb80af344688398c2ce24c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
12f131621e21d0ff906ed2bb8d5fa2e3

SHA1
be153e30319aa042c5223936a158996af1c9fca6

SHA256
7384b9ca1ecb0d8c9ddbf708d7f4e7e24901b00daa2d520de04fae87f4426599

SHA512
68514cb9daf6383d48ebaf8bec73eb5989bf895e540f99314b9df95b6e5afd917f42b1e17f8b670cfc0a31dd846f32797384a90a67e0f6e126092a9076687536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8614d080f662fbb2d249260e42505341

SHA1
577f1fe9712d6788009ca64217b5df679a5f3a56

SHA256
758f9b847b461d83981799134575e68450c442840d88d39d854fc0cc58cb9b7d

SHA512
f46cfc6039897a413b40ed6d3b66d1bdcc15b01d12a5a3f7b608594faa921d670ed2afed697df229b04b25f8779ee923756665e0f1cd8f7a0e9f7ebd83d38936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
3c949b2ad1cf442d3c589a56a1da6105

SHA1
d9f4af1d66d6492c605019b9d640f38f8b9b1ed5

SHA256
f530fffa10955e6947d96e6b393df8edc64b57f2ab7133ac79df8d4fd9abae83

SHA512
a99a4b1a57222f2d823a75eb55aa89324bfdc003c4afe8fea6d74ce0478fdd91f319ee72a8e44047a91f55944c7b140d851ab56ec37c7af7ec039203ed0f76e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
d461bf63a31b3a645b077bf02bac6806

SHA1
5619da0f4943a5377bce7b478408ea83b3c01cf9

SHA256
3b1598b5ff1ebeb65b430a64ff8149444613f2ae3615aee4155984c9fc3d76ab

SHA512
b21e539cdf2904fd4635edd8cdccf359761be84b9bac3d418ab5d0c58f9e214d40b8b83665dd1036364915c445cf6d3b7ce62fe70d9c45f5c8829343da4ebe6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
7a4bc67ab1ae3a039ef5da710f5f1657

SHA1
f7dd147685eb8a727e48f3a88c8f2da89df7a722

SHA256
e72466cd1328d971cf26a4fe398a1cb36f79963a307c89313708d166476d728d

SHA512
7467af6b03dd9a3788a30c0a8b934b57fdaf413979b245a05b9eede6c0c63be1c8db590fae29155462ae29a2ba9e34574f1ab2baf37a7e49f3ddf728e558ee93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
df02e979e0459a1f9e3bbf5d3f282f8e

SHA1
bbaa8424c8b3f9393645e4b5ad0420129aae55b3

SHA256
4bc126ce5ca388568dfec1288876db2481eb6e9daa8f06521c614416381b1f60

SHA512
616d4fc160f11a67dd5c76c44cce2b5c18c1f8d13163666692ca0b006195ad9d57c5fc7cc957cc3fb94f17b25f1652abf8e06516c1156c2163f7a0af17452bc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
6dbe057721a67c5549b4807071ce71af

SHA1
ca40e048b49d95fbdf770928c019029a0f0eac00

SHA256
f94c491d7874df019f8b2912bde9f86344bb0f279e3ddcb39d18c9f3b52d0a1f

SHA512
2e9859ce9822468e759ee439d2265f4cd8feb0a68bfefc74cc7ab514b80269ff33f2976a9718dcbd4214c4dfe6772d29098ab71b4de3088e8053ff5dc7f8069a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
78eadd6554f516bc181c8489d6ee24ac

SHA1
2df788563a307625544cf8a73985a01992a764f7

SHA256
3e8df2fd9023e30f038e2f8b5efa12914125b4c1b9fb77ddc31f2017a17b5025

SHA512
0f6c691465b3bebfd75994a8d793ccf5fe2c989ba28ab879bceb89b8230fbe99447eb3e1bf88b262a8e406b040ba87e63db64c91fbe9f11bc884a0960170e709

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
36583a1d11405e02acc0c8291b98bb08

SHA1
5c7ec686a3924c39cc61fc0652459eb2d452d516

SHA256
8e4590efbd4e6e081a1971438945edd41cc04f2b332d4049323adbd6f7387aa1

SHA512
c8f052fa2c48cddea321ff769f5b254a7caee3aed99b79622cead2ac9d36124fc38293cac74ff782152d536b4f0b990039805430e9e0b9986b9b4f3db5f11ecf

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d3be3496cde9130c6ce4ce99751c4419

SHA1
18dacf3a067913eb2c47f096f39089bb09728061

SHA256
aa0ed4ff04842a56c6549c5f7ee6b20b63a944536841cdad01f501a6c5c6bff5

SHA512
b79487e2cd8cf4348287e077b0009804b006cb748e5394cac4c7be480db613f4f16c83b75c59cf14fa0724377f981aa202c696010d1395544298149e282aac67

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
27bf70eea3cf2acbc699b6e07e7f9aa6

SHA1
10b04c96b17c060b4e66cda949a1db5adea1733d

SHA256
295bc8c526a2eb6b1a785a7f6b9449869af23d7894591666c427aa850032942e

SHA512
4efbe73df1f3aae919743e774a92c9445cb1ce8b038ef942ed344d5798d2bd0a13aa4345217e5b5bc6b1fc2863d28b820c1a32e9d0869265f89df97ff6c92a06

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
af4f7f8bcf9f7d4c0d13ee43c0b9154a

SHA1
c94b65739ed27077b7996134ad1569f7595d5846

SHA256
152a0a785c7df17b19cdb9504b3f991d28aa2308912d12e93101b7fc23ee05dd

SHA512
d1da721d1418a7336f4db0a97e76b5eb4188d0459ddd77e573f0a3b9d6c10902573c5586c52a4be9a8425552a2df930d8098b46fc3bbdae71b07e790a956f714

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ce806a629823ee3735f72ef329adbd11

SHA1
b344276c37ff85db250a30c8d13ec889bdc10235

SHA256
c437a505eb193fe71ebe8652c5adea8da1e63336c68c62731a757f12f122cfa6

SHA512
447390664c21587fffe67ce51f24429b1b8a0dacaddcf3d35c01483712c0fedc7e036f08b1b07928d4a307fc5d5540b82c4046b1317464f799ffecaa420ba25d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
a36d70053ab8b0a2b07e4a65e49e5123

SHA1
54452dd20bb4757c203b122fba793b9b6e5b3c11

SHA256
f046c3403ae7ee2ede8f0c20b404ab7d85ad6f288736f627896b300ef8ece85a

SHA512
dd2c922bb34de696b42ece86103ea03834fb89458cd85530ae9743b7fab484b1197cf731a53db2e0804179ce4d76b0d582d1349e26eda41d681677161e462b97

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
6f7d5b41e980b391b6a461c9172d478a

SHA1
985974e51f8a15e51e4efb9dd37e26f4445864ed

SHA256
8e65e89c4fc34827484166530a5d4d193a92cc9f2eef429d2bd678f26a8e764d

SHA512
224cf2205b3cc44032ff19fdd5f7ef85a024dc0d38a8dbce684daf26295b1f9119049cb43d8b8d262b97b73f283d3bd3c162c73064947f64118e2ac01737b568

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b53c263b437c98562fc7cf55f9ff9ad4

SHA1
08fe48d89b1844d99d83826fb0d8bd740c3ff5fa

SHA256
fd443c1c98393fc45ed9cf5f877ceecf3deb6783b06b0038668b9a5c0ee47596

SHA512
11fdb47069891370edb0c84119665a4a2e5b75769ff59982262ef9b5e2cbcfc85aa021f662fa80b9de3daaa783fc0e42f8bf34ce8d0632410410cae276322cd3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
24d47fb970f3fb60c9e17e3ae3e41f3a

SHA1
a8587c797ff96c8858b04d4bf75bad3bcca0e1bb

SHA256
342be3e8a1f43280cd3e593f76c39bfee1b8761739dc6e28aba443e98f4298f1

SHA512
6a4833d0d0452936aac18d13d159ca6e9c80ff3ab3399d339e1cf3abdbb075940f64b02f8775afc039efb2a6b0fcfaa0e738a9fca2abc1fec5c5a20aabfe7a10

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f6dd9501bec0700556c7f403724922ba

SHA1
adc139c595088f953e3213f9c77c342cf59258cd

SHA256
39b2a3db2cb386de03968fbcfc01305aa361ed256bd88209d0de536e67c9ee8a

SHA512
706930143a42bc3bbdd8d2c9a6bef0a136a183462bd5f3b5f89a5840cd246c861342634579e153e0cc1194ba22965f7e77425c9f1f6e18ccea36aa073ae921bc

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4c1a029cb9f9de74a7dca3e70ca75d64

SHA1
ec4e16e17a6355aeed65472bd8d733e3de4fe67f

SHA256
561680622ad4f2ee96bec7c22459fd8039c6e2318bf41503dfcef24ff5b5a80e

SHA512
a09a42b3fa4b473fd469ba4261cb94850990eab8e94c4d30a392fe12925a76ef7392e4467570e0080227bdb22d52f978ff395ac288a96f763ddaa55fbded0b10

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
9d35bc5c387d100af4e88b9700123e4a

SHA1
d0ca89d353b006559d6fddc23428693bc9c393b1

SHA256
bfe5989364ee5f1c4faa8e5a78bfb9dcd53dc756fff9c51a202e5f899e012a4d

SHA512
062c304731c3248313d64a37786deba3dc6c32f565bb73a7f1c5e7dc2f5fd578d3670c8b41a97fb48f54724cf06d498b4000e68734158a9950e061660e423621

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
331776ce4e1b71aacaa682c727f1c1b3

SHA1
260c7c2c71531f5e53a56e0dfd8433dbba636048

SHA256
5c9006750992c446a30a94b748833e4cb7e850c0de2f0a74ab5a46d3de883dd3

SHA512
3156328c2d28feabc44d5cabc49a60db75a25a514b48dc622e9cee97cee22ebca73d7f497ee625629f11ad55de64908bdac61429c28d3b12495f812952826575

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f35d529de4ae2a37dde0e2e91cb5e8dc

SHA1
d4691b18dab3588f7329fe5b506c9d424b67a9ca

SHA256
ef07ed10a7b3f0b9103b58e51d9eccc10a095a555902267c374b0a747dc0b47a

SHA512
d8c605e1bba149268684ff26174c6781a6d1f9416259fa4e1814fb0dce51ade3ebb942b54a9dd71e48ef3e76e10be1dc9d09af075b47344bbe4886c0dcbe34fd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
c5efbc6623ba542ecc42d7f5dd96d434

SHA1
3bd92a8c4f6ff2c7c0d4d27b72895e955edcdffe

SHA256
9acfd162bf658dfb457888e4d1dd704134d70337644dc962561a3cf671832f04

SHA512
9d5511aa85fb6067be26c25a8179d2dc0a9ed8505bd717f50622b8fab32f9baa581145510ca0307bc46602c40d5c99b759ed9c2de476437a2bdb1e8a82375b11

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e23e4411dff82aab20f53a13f384f5de

SHA1
ef04c5f26c214c6fc2ea71500c1cb60f02e6f3a6

SHA256
77ab90ab5f36331517b58d77c3b6bca6dc30b47f8fdc0566a1f6ed5f00214296

SHA512
069fa121c21cf0aae74ef512f85e6efacb195398b03bc13bdf31524587f4cfe7c65103ee4b1fd62d5e9e22d2350e637203c98b24a5b4592eee1bb26eae231a9a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
aa3f11ea315e714d8810dc766a3cea4b

SHA1
9bc2bf604df222af32d44422658f2c229386e686

SHA256
d1fb771fd93467e1abeda51e3b25e4ffddb5a4aab6f94fc9fdb9a2146492d387

SHA512
0501a1a3a7fe7a23075b54e09be2da56ef885eb02027ed906cae847390e2ffc8dbbb57115b8a274c85e4acb53e9eb6c60532deaaf0bbb09d2179859769fd4fde

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c91fc4f6382cb7d9086716f7b6c992a9

SHA1
29f611983aefe5a93151c1d45294f8832b7b4a70

SHA256
ab30c35ed8841156959c9fad7718ab91c3328c0269d01b7d2e84bb6248ecccf9

SHA512
0293177197dac8b82b7b29aaf2db565ca99d2b6019ab201006e675e3e50803b6e8075643a807ceb77f15c9a2e2ee6c13a8859aae7e877beb27d00457ccd5023c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9c153b7c4baadd4e9f8ddc377d4fc722

SHA1
099a94d82782ad21f57046bd52e9e9019af7ce07

SHA256
b7dbba4e173431eff4685e2f9bcc7947f0bb2eec81ba69c121144f003e151a7c

SHA512
8956aa3c47fd4c60405b81d355738ad0215dab0a01a5a36c48387a953417da5e8dfae8d6c76bc1a9fed086fecec2c5b338fbb8e8160daa34d693dbf87c731ada

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b937ce6af96a2f1bae69db76c559813d

SHA1
fd254287ae4cdfe7bb53e388b9bffac4e04e9238

SHA256
317380420c820c1374a830cd7c1415ce85628b1bb7b0d80423c45b6ab56560a6

SHA512
96a49fbaac2dcf9151ad5e9735fbc8bc7ab2cf57b7d0d6cd69bf3931dee15b22fc7268b145287ed10e894c6964cf616a10abe4e4cffaa8a462013c0add32ed52

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
8a1d9b3e7f5d00fb60f63819732b09d7

SHA1
076926331d8a766add97608f27b7df1b7c0c73fd

SHA256
101e239687debfb2934a6cfa7179c00dbac6d9702451898141889691e185bfa7

SHA512
304ffd185aad45452a6142ecdc708ce796909a849aa42ac5c7219a5777eab61b0a12d627a36f07afe961d8042f3c8a78e5f56806bcb7dd935ed01d53d77ffff4

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
927581ebbf78d4ee3d31fb12e9564220

SHA1
9a73c4c2f5fa1d6fe4e7733b9cdae6ef20106d0f

SHA256
f3c4ca88173eaab7118dd01551c019f5069af2782835d807a94bfe9fce2b01ab

SHA512
fa2c950c2934ea716826404aaab77412d54d6a5221aed7f0b4a93c630b8bae5df013fee992f980c174548552db632d9ced1eebd0f885fe0bfae11da89c21c693

Download Submit
memory/336-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/336-302-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/432-756-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/432-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/812-757-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/812-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/900-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/900-761-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1268-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1268-177-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1268-8-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/1268-1-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/1268-597-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1392-290-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1392-180-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1452-518-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1452-236-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2112-15-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2112-194-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2112-62-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2112-63-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2240-239-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2240-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2240-123-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2240-116-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2300-755-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2300-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2484-764-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2484-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3344-763-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3344-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3388-762-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3388-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3400-148-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3400-142-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3400-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3400-151-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3400-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3468-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3468-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3468-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4076-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4076-314-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4108-205-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4108-326-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4368-125-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4368-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4368-112-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4368-107-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4368-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4416-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4416-758-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4552-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-157-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4592-275-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4592-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5012-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5012-754-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5012-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-100-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5024-103-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5024-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download