8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a

Resubmissions

28-04-2024 10:27

240428-mg4hxsdf46 7

28-04-2024 10:21

240428-mdncjadg51 7

Analysis

max time kernel
291s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Size

1.8MB
MD5

632170e99a4c30b8ec0d4cfb3a1cecb9
SHA1

aedda2d4339ff9a90d6b3c5438549c5833212f4d
SHA256

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a
SHA512

4a58424ac1d4807fb665397d36fee6143e20b7204ae648aa2ff996d1383cb033d2a7de39487d1fb36fd19d483ba68ef0a8a226d7d9e507f7597ea5ded30c6d56
SSDEEP

49152:8x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAykQ/qoLEw:8vbjVkjjCAzJNqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2936	alg.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
1588	fxssvc.exe
2912	elevation_service.exe
4752	maintenanceservice.exe
2700	msdtc.exe
1660	OSE.EXE
4012	PerceptionSimulationService.exe
3380	perfhost.exe
3980	locator.exe
1728	SensorDataService.exe
4484	snmptrap.exe
2100	spectrum.exe
4708	ssh-agent.exe
4800	TieringEngineService.exe
1252	AgentService.exe
4416	vds.exe
4792	vssvc.exe
4860	wbengine.exe
3532	WmiApSrv.exe
3120	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SearchIndexer.exe

description	ioc	process
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe

Drops file in System32 directory 55 IoCs

Processes:

SensorDataService.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exespectrum.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	SensorDataService.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db	spectrum.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	spectrum.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f221e7d6f9acea50.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\vds.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin	SensorDataService.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\locator.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	msdtc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT415F.tmp	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM415E.tmp\GoogleUpdateCore.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM415E.tmp\goopdateres_te.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	msdtc.exe
File created	C:\Program Files (x86)\Google\Temp\GUM415E.tmp\goopdateres_sl.dll	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	msdtc.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_163859\javaws.exe	alg.exe

Drops file in Windows directory 6 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000236ffdab5699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1ac71b25699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2652	DiagnosticsHub.StandardCollector.Service.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
2652	DiagnosticsHub.StandardCollector.Service.exe
2912	elevation_service.exe
2912	elevation_service.exe
2912	elevation_service.exe
2912	elevation_service.exe
2912	elevation_service.exe
2912	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2052	8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
Token: SeAuditPrivilege	1588	fxssvc.exe
Token: SeRestorePrivilege	4800	TieringEngineService.exe
Token: SeManageVolumePrivilege	4800	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1252	AgentService.exe
Token: SeBackupPrivilege	4792	vssvc.exe
Token: SeRestorePrivilege	4792	vssvc.exe
Token: SeAuditPrivilege	4792	vssvc.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: 33	3120	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3120	SearchIndexer.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2652	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2912	elevation_service.exe
Token: SeDebugPrivilege	2700	msdtc.exe
Token: SeDebugPrivilege	2700	msdtc.exe
Token: SeDebugPrivilege	2700	msdtc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3120 wrote to memory of 1108	3120	SearchIndexer.exe	SearchProtocolHost.exe
PID 3120 wrote to memory of 1108	3120	SearchIndexer.exe	SearchProtocolHost.exe
PID 3120 wrote to memory of 2116	3120	SearchIndexer.exe	SearchFilterHost.exe
PID 3120 wrote to memory of 2116	3120	SearchIndexer.exe	SearchFilterHost.exe
PID 3120 wrote to memory of 2520	3120	SearchIndexer.exe	SearchFilterHost.exe
PID 3120 wrote to memory of 2520	3120	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe
"C:\Users\Admin\AppData\Local\Temp\8548e9dbd761868d6fcda63a0dd31fd5bbdd0ce3f41c8d77583603c3518e0d1a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:1728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1108

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 940 2828 2668 924 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
2⤵
- Modifies data under HKEY_USERS
PID:2116

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 940 2848 2844 924 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
2⤵
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
453fed23562c2d9cc157858653a6ad01

SHA1
78beaf4a247577ca73c50329fd953ac28f00dde6

SHA256
c4f660cc057a6d293d09392e7ffb526dc5553c23091e10f9ff973591c6e72cfc

SHA512
cd46b75a4e7db3a561e056ed350ad165ed7df9116970a84ccc3f766311c341a928ce16837ed2d7fcf93fee1a7880d21824d144fdb3fefd35c66d97da8f3afd8f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
f0297ab2a410dda839590c8139082897

SHA1
76777e552d001dcfce02ecdb7644c9bd732c3b6e

SHA256
87fda25695976563e024d6a304230e7a5ce62116269f19c303e917057f6958ac

SHA512
fd25c2b379124ced44206451260bd42d660be0dbe1befa9059ef01edcc7b29b9010335c6be077b1e3df464d30093b77b7b7cd09a84e295f8220e093a2cb57029

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bbb60343a1da8b2b8a938816ac501aa5

SHA1
8a9c093241f0f47994c6fe4baaad24ab7511458d

SHA256
8249fe3c97a0151405b9e16967d565f0289b27199e80e467ff931ace94e77310

SHA512
3613fc20159f52172bc1f5f3b37a5ae3fb54ff5c00f1c02f825ffca39bbdddc221459aa208f7effe0916d0fe5429a6c435a31ae28f6c4ac104ad6028c99fe5c8

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
746d795565edbb33f0fda9cb248559b6

SHA1
dba51e69300898759af23511320aef8692aebc73

SHA256
2b2f8cbf749a11204b8914fab25aeadf63d4e102cf142efa4c5db72669b586f5

SHA512
25c3401587f31b763d826e4d629e996adc423b286d5bded60dfd4844f6682a007885c80ad83979f2836568793f3c26d2d425d9cb4f5e7812b166243372a7cf72

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f35dcf282982609bc2a9805766077f33

SHA1
64f4a9b597aa4d7ab47e83fad83417336af5d204

SHA256
18c4cda13e6f0f0339643f96dba35b38745b26dfc29361306eab9c4035b5c84d

SHA512
2cbe3d467f8b017d842435a58314ea16a75dd87b3aba30b2d08a5a456e4111d31a3b0d783fe40be37205a14126ad2bd6409108526427af6dbe01a4ddd1fa74d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
bb4cb75f1364b526db07238cb9744bd3

SHA1
0bba24c3fb84acfe59ccc1f36178797ac3416fbd

SHA256
19188f8cce2661083a095b66a88aed594d9b932eecf935b812594e07a281ad8b

SHA512
a697615e74ae7436193c5a06b976b034399c45649a68f7d2d10fe31c6af5ecc0316e07f96aeaa8d46625b6665d4b47ea336014c3508ca6500749e789dc2c156e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8e093453be19f1fca3b97ed41bf22a2f

SHA1
df61493e80749c700768012d856a8f366745e8af

SHA256
ac0f430b4d005d9cd9992da271d7460e8860ac1a7b02fd7e42948125df823ccc

SHA512
8c0f97009d476aaa713773cbbb20a49d092d234e69c47ed020c09351df35e3334946e5efe29d8270909bb07529a06c2ad28a032e016de46202fc05cf16bbb239

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
723e96280598d081df6459536bc2a927

SHA1
73fd1427d051948f11c228fd4c22e5e1aec5e255

SHA256
1384fb858e38d51ad11aba270af4b4f4f281293745f6d3ec7d817227185f3d39

SHA512
802ba2d84d20a6ab61fd168ff7db6d7773c3721a2586d4537ff48073b8b419a0ef95943a402065835be74120ae4de24d7b17f760b3a37f65355b661b6191e21e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4ea320f71e8711efe1cc5b9856d392d9

SHA1
3449c06b6159ff9fb9f56f9e1225b88c15eeff24

SHA256
c9097e008058d1e4f207ea38edb7ea2d62352f5d1e81769989514a3304137e34

SHA512
fdd6f802fc7bdd6310387fe24ae845717da8196c4fa555d1c441967e9d72e8798dbb9c45fd7550b5ef4dd82d56dd147efa3643b286527aa86ed9df28b64a93f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
825ee3c5236e6d07be227dfd99db456b

SHA1
1a9f607343bc60516a8405cf9eee9d33b80aab13

SHA256
9fd7670a90d7413765729c88edbe0224efb99b10eadb630ecbd8790938b9be6f

SHA512
66985203742f819aa3f0cda166d30290288cd529342e0fe0c5136aa12850cb3e410466f722d36fe9cea435d9666d3375b799ecfaa68f49869031f4009ef62bd2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
084e9c22572f7d019d7c3a6e477be149

SHA1
2243c0e26f5e2c71e1ded510390ec587ca4bdde1

SHA256
9c2d2aa034155dcfb2ac57c7cd85add9fb26e127134399be9ef79f855f94e368

SHA512
8d83685c25e3e576ca67b9cd0fc9711e4129bbd1482a9e819765ffc6ebcae9ecd7463a67e9a186dbc0dce9cc75fd11e84a224ccb1c82909cec6580c97ef6a545

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
ddebfb6c8973fba746ee4a9ac8f12f57

SHA1
72f409659c585ed2096466491a56c6d7c82b0562

SHA256
31759b50b541f044cd55c414616ba2ec79e0d3a2798b05ea2822fea7e9f88b7f

SHA512
ab9059005bd76f6559b601126ad4ae4c6348bf4eb16fa4370bcbb74b7a8eacbd1a9ddfa5887e6a0277c26b6f897ea512a7f456a1e93d627068903c5cd9098e0a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
2b4779e9f873f65d002f3b16002c06ca

SHA1
bf033fa13f86bb1fe8feb0f10cbf8f8ec695557b

SHA256
3e764dcb98690306943c9b209da35f0ae8900991a28888e76adccebe574dce29

SHA512
bae5573493bc3c576c19f2958f0bb4ce4504bb1a80e4d3d3dc05f0a433d941e730271f56892deeac138fb91961ac871c4cd5111ab5d8dfc1e485329626ddf70f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
479d28f7b46833d7f47634421527cddc

SHA1
8c6601702790aa0881c2db414305170af850d513

SHA256
be1e6b90af164098c9885416169b5553a49a13248d47c33ea57de4ab16c3ced0

SHA512
8b18125887667c01f2a0b453657db60141eb85ac7add3b4c6e2db3e5810d43cc264e5ad6bc5963d8e03393bced8391b3cfbf279d49d52e4b9e27715f7449cbb0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
2216d7d0f1de46f4b276fa41004b0252

SHA1
d0ba5d54de3ea8ab2a28d05e45df56b45645c35c

SHA256
60908025579bebd1399172933900788fdf914c088a7b30bb58c3fa92a011f540

SHA512
5085e2d8392350a691621f8b94d0ec20be8977f9900ac55981e3977ddb9d43e9f0dcd65b183de19c6c4870907811271aa8c991a57e1d7cfdbc34f4cfaaf90653

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
de9a4f40a805bb07c82960ec494c7ba9

SHA1
6fdd6178d1026b1f40cea591791439ac2ac31117

SHA256
ad3c7223de19e867f6a486733e816279629efbe499e47228c4393e5433b9dbf9

SHA512
bfd883d6d44ac1e097967f9de15a4523132716fb670ebc0b7328e6af782088e333f23e6ecc39cf35d885f5404aa66b7ff6007625622b72fcfe962b2a72534934

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
70b09301c8cbefb484a7b13530b5fd60

SHA1
50b2b49466fcb50c569c7e5d1b9804d4183fad6a

SHA256
82c965fa9e80c901c138a235f293e0e214773b3c433e1cbc3abfb740336cfa13

SHA512
df7c2ccec81c1f8e47545266d26e550be899fc87a93095fecdde89c7e694b58a4dfd2c1bb48ecc1bb4942c4f9db7a8ddef384e1d594e843fa74e5863173599c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
c15bcf1dd28ae4bb61f2ed3a1799626b

SHA1
5dc729c45da3f80cef90e32ccd5f5d601ccea742

SHA256
cd4e7a3b1148733f98fef562d5d348d4959b7e922c49a7bfbac01477b57f7a2c

SHA512
5717d0db09a3959b5375d318062528ac5965733d74599c990e552822eef8547b99ec08345e1f3c892173497ac8bc97cbab0f151cc9201a9a77b0e8c7e3d086d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
feaed573d053592a3d6952cc471a0e10

SHA1
157b823a01ddb3db1f27745c5f8035d93b881cd7

SHA256
fceec4fb7cf8cad16688872e430be1be4b8406fd904d445fbfbc2286aa89b330

SHA512
09fc3716ea3c0ed3bd0ea0b84a596881e9d52fb9462e824ee63a0a4abf473792a1d61d3036475162330d6eab6343e7f550dfce8b1fcea6a3afb346d8c839bf00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
08165d260e681ba98f1d43f4943be174

SHA1
63070aecfb7f7f66f7ce458c939f61cd2f7b377d

SHA256
4ab59dee22625298a16445e002a4f4880b32c70efc0bf75f7c6afcc535ca3e74

SHA512
b3d37daa52940877496df03196bfd146cb0b3d73d40d860d4edf046f55f03ca014cf8e9de9701fca1f0981f8b2dda4e20c4a0d3e8f1055f64c8faf3087477e08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
0889541978d90d00dcdeb960f0385a5c

SHA1
404efe4367de8ee629a80bcd0afa757868109aed

SHA256
307baa77ebe65abc8af5f6036ec17ba1c2af166ac0965740d1431541a7d90264

SHA512
c6237bdaa1ab2d15a57703c00e7c9acddb70ecfb9adb5ff15b7dab55f9de7c9d3eee575c2906e852cbbae43fcce8b2e7fdceb0abf5310465bfe16ceeda18924e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
515a4344aacdfc97153f7c543b3a9ab3

SHA1
cd0662da333e06b8c3c95a94904a8c7a865aa531

SHA256
f6f3338f451ec501af69b53429d7fdf51f6bc3c5a1557e6e7be162cd56bf5187

SHA512
4274a0139401436f50d16f1dbee6d5d8280c51b40f86b2208d7de2c838c89ea0e6f5079a190d187f528fbf626298c8bdd1d947f80d55b89492253d83bd751468

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
981e5ad3dd95a96ab76a187abccf3f77

SHA1
aba5982f921b6d12dbce02376e2f3a98c4003aeb

SHA256
0d1831ee3cdf60c6faa1e462297d0a812b70f788f55608f1efb3ffddd04ea381

SHA512
7fafdbc6889229af8bcf21330173eac6507f23f911e7c9249dd7fd3d65875b0e44f29b9a61dfa21f558dd1c711ccfb530f6ce4b1b4736a2205e13ed17df3fe79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
3a880eec2fd85fd8ec9b7cb72e5ad25c

SHA1
fec317c9e8a22bee61bfe12895b5fde421aa1d88

SHA256
a3f71fbda059daa33f749113b4fc03f3e031cc90591cbdec53107b29f3ac368d

SHA512
00bb7c6770dc7c5bf7d0f4e8c8a1670e29aba561bd85ab25732ec732cc3fa0b82e3fd306383962b7c40ec78776f45d10c1ec25e83a6af0109d951838dbd35be9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
72dc4b889f90b50ae0abbfe754c9a6e4

SHA1
5f8aeb77ec974a7bc6acd43314eb6071026bcb09

SHA256
a6c80651f955996ee55c937c238696f3e5a8a21b273869d62b09668974f5ed87

SHA512
f7b060fb76772c73c5b169aed769221cc8b7e8ded04d42bac17f19b526caee13235d1a2d0e53cf4c7aa4f36394d3e051d88946d224e4169833b1ec4e31a20b09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
6e6d7de6263cac46a418e31bec64bd12

SHA1
25ff1d362ae1cf8184b64690a5be555f4d885e19

SHA256
067eb9834c61e4aec32b16380865aa6c500a3bb902ddcc35db3fef7be44b39ea

SHA512
0b11b6fc96e0ff492143339ff6bdff3b0bc3876026f5fbcc046edd5cf41c22d2145165d4accb2cf917e01b62e69f4355888c530f6816df7c8191058ef5982a61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
37512949a009b154e46c8ba2ddd6fd21

SHA1
36178c7a7d2bbc9216902e1dcb177d2dee7276ce

SHA256
aa7a747ebf78719a6b3193147b73e39ddbafc6068cebbf6d50aaf2ee0b1bb753

SHA512
d538349e9abf636a7850218e1c04e0c2a986c4980c296cfc0ba691e51fb39a7102507282c49a5ff05c3ed8d9e583c34ffd65aac8ebc3e3ae98a820534498de90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
cfaa06fa9b8083fbe3242f26a86c6558

SHA1
5ca976194dbd8eaf19edddf75ac43c784fdefb8c

SHA256
aa3bd24ce504dada7ce0e6b210deaf567babdae1720dbb2cb99f4e1e04ee0451

SHA512
d2b2d3f3c1b75880eaa1385d01e3c6badcd9a1c879d095ee48909cbe97dd3c75d181627e24e847dd2dc1329c4f2784804e157c891ed46e4d8753a49b42c41658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
92324d7e1e2f5c998451db834ff3d0e2

SHA1
c81726ff728f31abb266500e225f3033a3a4af68

SHA256
9d409ab5e10bedeae74c0a6b9238cdec1f0c8186dd1188423e103f5d581af86c

SHA512
78f12170f09d3463b2ee275df375f733e21a93198cdf153d4a82647168ec7cc0047debf655cb40677304a570a648dbc59799d02dd073d95f7e871b2943c888e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
088dfd7673123fb86316cceab0e3fa14

SHA1
43898633ac132b398c6ee2a1dc553276e0432d2d

SHA256
fd19c8daceb883aa1a87cd75baccebcc974a80e56ea64400f9bf8085ed9d3985

SHA512
132f1a2a386dd72e7cfd1130217f298102a6bed57e96b90ea102ce4f72f086c92acaea9b6ea004ba447d7a18500247afdb723f45715b0337af265157e89cebce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b4f81fa4017fd1ac16b5ecad1931764f

SHA1
02bd09711f8722bec4506e4c6c6cb10e643e42a9

SHA256
c7362f97e4b8bb232c6b6af715ced77d3f1668699d6ed5880ece787fcad7bcec

SHA512
74ecbe07afd0546cecc38bab6b3fbad5ac2781d486c62617ddcbf1137dc76c7711d450fa00df578631ca449b8e92f1729f06bba489be441adaef69f3d2019a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
43062103fef40bde329ad25b83466d33

SHA1
0f9ce1f9b798c52a9fce3b65de89596201e08a6e

SHA256
d9a845d4b671aa625c8080a64b232c636fdb52d1a58574fbc431dd9c9aff24c9

SHA512
ff50df89deba5e4b4f5f4de7089406d0790d13398bd1b2c01cebc6f0084839747da474147c75d5306e71962bbf931aac3146f5983ab33c0963c4bbd7682c8949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a089e56d2a3541b612d89ea3c1db483b

SHA1
b0072d1514eba98751dc4a870f3f6c70d12e2f26

SHA256
98250ce45ce6086001a2a3f655fd461da49ec0a521d830869f8d7784b4487031

SHA512
de9df9c054475b4445646afef52e511b89827f36e7eecc0d0d3e6fd58512f4ad683ce6225b8f82093e283e78126e225c55a603e3a3883c7b0821420d2447ab67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
87996db6c7d4cdf2878e16e2ee392ebe

SHA1
068f21bccd1149e056637e8712fa3c1167d3a239

SHA256
9623d67e2e538aa08985ec818d4bdad562a08d47e951388f3fea97b2ba6561b8

SHA512
3e447b5155c335d006625ba11cebd421d478f64f49f96ed2aefa3825c3bd7eaa95e6f7a93f34e73ae1c2289cdbc5dd96cfde3ccddff580a95a820d5a6ce46d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
ab94845b8c34b08b5f7517e685b1decc

SHA1
b8ef2449d5ddee85871ef8e2c548f65aaf19987c

SHA256
f3a6e8c4b85f287a65d59d4ccfccb696038f64f22ab6b545221df006ac2265e3

SHA512
2edc4ca638eaa92bb00027cfda639ac03333fb8872cddba7865f26d69d1829307656fea522cd52bad5a1096d40ad6e55bb971a0390e5e8e176712e1508ed0674

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
7ff1f1b62a0b1a4cd754ed2fbd3c9b24

SHA1
594f6a2fdc098d7b7dbf0dafb141a10a52f41eec

SHA256
a23c7454c2e548948de7a4b6c6427e2d5378821b0319ad50c3d4e93d94178759

SHA512
577e0d48962441f6f051b015a3a73b756d1bbc4069888671aede09db7627133187e579714aa1b4dec5c2d019be0cb1fd3f3c65e68462f6c9cbf1693fc0c8157e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c830a5cbc666fd54c7d020cf418f9343

SHA1
6c4fa6c166d28d70145fa46e45879f90e97f930d

SHA256
45bd99d32d5a8c437a665c5cb0acd65bbb869743c267a036f17157ce94e80ba1

SHA512
ea77112c2a5cc07b4168e6c21ac4d80f028eee6a3c61d8cdc78dadf34f61086f777a41fb991da448f3cc6ce80e789d88d9dfcc732f69f6e9f846e5ccfb4222d5

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
5c253bd99369f3ca43b4914990c80d38

SHA1
e05db845dad3c8926a98d0f24caaebbe9d21310c

SHA256
cb9529f3ab13fa766a3890be865777021c75790b4dce032c23c1ea944d9fc34a

SHA512
823914f0457531115c45565d45fa7ed09c54aceee7bc95871af60ca0e9707910dce84a535fa78c21a3587ac6d7a50bb3923609d8f41ad40347d6dab4eca22db2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
81ed0f2991403d1d9570056eb30a99b3

SHA1
a874785fbf1b068cbd2ed9456611752e66fd2a69

SHA256
2a5d552dfdc86d32c4094cf1378d69cbcced1f2cb8fa5703fa9835e2edee19ed

SHA512
e7f3d7d30d49952ad45bb9d3ff2d4c09adfa67842a84644465636945ac39beac941a989c03b44997097c1fa6bde6bf4c7e0f43629f32cafd5e8b84fbdaa50296

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e11f8eda33f43295634aff130f12eefe

SHA1
4e8ac66e5718376269e4157b91b530ef274bc900

SHA256
c03d791dc874d7d84ded9bdcc20d99000a20c582b67508e1f16d0980da02fde1

SHA512
2b37d036a6c357f2e2f92603db2a6a420999e40fadc0895853fe9d6c6b20cc8b68f57268a11e0a9ff0f11c32d8ec5cd9c76d19eeb824fb92dfa595f9cefc4914

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
676KB

MD5
40bd4bf39afaf1dcbd49c61efa1b2031

SHA1
a76901556f4a30d08b425925ac6479080818daff

SHA256
7251a827419cef22a6223d8db8361dfe0e8f3b6d11ba0820f17d376f7a30101b

SHA512
f5e624dfdf09db7f2892ded93b7f4168ec1b71abf35bee91f60784dda23ece89d3414cd558fa4f9e0d17a20fc63bf01a64fdb2931dc7f68882ae03eaab70c62c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
22318db72d5f81800e069dfb44cd6ca4

SHA1
62a08192b410619f6a86e527016886532b9ba785

SHA256
4b9472735308fc0caf8f5b8b3469e8ce5dbb59143b3d6a72978a2fe3877d7a65

SHA512
2f1e9c42f9b09792fd86785a0edd236c96ca7748039865730798843af8883ff92d12c2c1e166a00a861c7466fa86f81b5f0debe4d636d2f61a7d87b87d6cb7f2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
596KB

MD5
dc4bb32d9d8c8a89c0b88cb2954f5d91

SHA1
b20199398d8016f60ba2b20b894bb310a7422497

SHA256
73c559fc7a332ffd4f567dc55b9538a3d926c486b3d32e8e0e8419bf18e0a908

SHA512
f2d85cff6c35c20fe71f03f460b2496e3041854a4c66a3ffa6e9cd1ae6a3f73a2cf288d38a954939b95af172139ccee534a65e4fccc281644eb8b6a131946d56

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
d11bfd8e13704a8c89de4a9ef019b7a4

SHA1
8d6f0719e60faaf36f5048b04a054af504db3b2a

SHA256
f1f8c2bf1222d4cea420e14c11a2aabeaa73388e6416e8ff3386c07ae591af29

SHA512
4a700fc8da7ef3aa46e0fba063bd4c3838f859150dc8600efd19d8a0cbaef2a729d6886b9b060e6a6b36249b48db0ee7c8f877334f54d40c0b56e7d7ca281c7a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
800KB

MD5
d8cc4ca3e7b26a7cfd677a6df68714d1

SHA1
2b9e57f9289039567bf0abcf93e660540650d256

SHA256
b8916c905fc2cfa9210a00bd0e79b77cabb9f8be0c8f6a0961f5d85065aaa5dc

SHA512
7ccba19893edea6ce779e4a647d31b26747142660178b9d15ccee44c8769ad895db722827e4f4e2fdc2293dee1a939a7e0f6dbc9a35063c815083ff34e94a7d4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f007730a702cc955c67c8f00103e52fe

SHA1
00cb9f7d5a38b17980d64f8babce30ca38a559d1

SHA256
60028e5d78814349c44c44828725b2c4e8158723739dd0b50d8dc42641fc221d

SHA512
a4e00488e3f9f1ca53d6021973e2458427c5009d510d13dc68057e16160de0de0a10df7d0b1c74e9d4455d6569abdf383ad9b851ddbb4ab32bbf78e3646e297c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.7MB

MD5
ca9127a1bca1de2b5216ae389c04345a

SHA1
723ec26023b0004c73cc02bdb581ce9b12094536

SHA256
ced58b5c44287843229b5fdf8e34df391d339b4cd9a38f24226cbfec3c5a2484

SHA512
3681b1196b16a6b97ec2eff65121c7cfe7e4a89c291e0ab5d1261dbe4ca9cf635256fcb9d2dc1219c4fa02216808c783258e3577995314750b68bc1a16a2980e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.3MB

MD5
f47298261c448e57ba3754b143fd2ddd

SHA1
bd3463917a913aa3c9b64a83c48df74193e90885

SHA256
0acd678771df93c125a9f531276240f1afa4b8039d338c4ef8364c34dc9f85e7

SHA512
e631b5d2fb6989897daea85d70d21575512ed8abd4a10f6bb91eb64257ed28981afddf0ca3295e5090c09c6299bcb3ee9e5fdc3478a4ae486ea330d6e626393e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
904KB

MD5
9db7470569fcd63d080f682ee8aaeed7

SHA1
e4fac86dcc6c455716e14e8feeb1696dbac0b6ff

SHA256
56b16a797e867ff140a23e0fd8f3570ca5269aa2c94ac5489b0b77b725712d49

SHA512
10372c62de91006dd9f255d8941fd31fab1661b7276cd7e1a268a336a306a07a8890c65d3e2fb1f283971114d86de7f8141dedc486082e5e182236128cf9fdd1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e6d4f2af84f71f3d8c03a329928d0a56

SHA1
0f4c700c259b0e400496a550ecd7bc6c33c5d475

SHA256
cbd09e25051e06a3e9f598ebdad3ebcf8c048a1995ddc51bc7a5f5abe8482356

SHA512
b9f723e4c7b4800e9d1fcfb2731e971a050c26d522876dab9c2989acac5199e9ef03ff8313fe1c46156db9a8d033a0a2c37e967f9caa63563894519ac0958ab3

Download Submit
C:\Windows\System32\alg.exe
Filesize
676KB

MD5
31594fe6ef70022c773644c86b79b03a

SHA1
2943c5e5db64240043b1c5cb9fec14e16cd9fe97

SHA256
1534f3d67ae0d5d96535fb38822c3e92ae9c5e038d3cd9a58da4331bb7a3de4c

SHA512
840a805ee8474d2d1d6e2d5fc906aec6b34acbee6681ae4e0d6eac54b5e689ee8fb36eec9ec1033603f96f349a71049413cc389640444902f6b23fa6a1f7e77d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
732KB

MD5
8074cdd8f0c203ffd67bee42fec36d4a

SHA1
2c7e0d3cf3e738f2838efec88be1a6fd0effa7c0

SHA256
d55ed435ef7724da1ad1e6e34d062417a32ac2acac663fe68eb1ba2ab37ffa81

SHA512
96d26d12f3b18369f43220813d2fccae5bd83a1a03f76aae2010d1c38fc640c3e03e5687a746daa19a26cb38c5f94959fb416934cd685841614779a1bf9ecd18

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
604KB

MD5
e789ef337928ddcc021132f0048d2f96

SHA1
fe1528ee57c15b6d409e28f07e508f4258ad8b90

SHA256
0aea557b559e99e9257ce930cd83ab6809d832459598ffc7fce4a0b134b8ec25

SHA512
2cbef6ca42acf0382eaca5e0789d7a16d0a6a1ecc2c7aa734308abd12adef6c7ace10e25a6d7f3552c73d8199a7122fce9571636a346af781d9bd2d4f1c1e547

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e780a6bba2e6d3a2e357f5a8eb250781

SHA1
06eb2b4d408fd9d19b2c85e0358949209790b6d9

SHA256
1e46ed312c5530309d0e2969f8cd2bbe11e933972ed11614096ef3d727dc2782

SHA512
f664033b12d0af5bb1425b04e35c1e81217c8ffbfb1f80d42de998552e99bae27ea7c35e30fe48e0289e3519da54328d50082dcf0a450195cf642a8a2350d7f2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
768KB

MD5
6ac34830e990aa3ecf0081003da9d6f3

SHA1
01ab7ca066b46b03107693c564146e9c06c6f52f

SHA256
c224d5060fadc3f4a4fd21fc2b8c86b140aa2df35ebac20910fa44b7bfbe3788

SHA512
e799fe3b13d0104837713c0ee9eb4ac2c63a98506f586e02a0100926512660a9468f00a5d05de41cf481942b996f5aed94b7aea502233a69f3b005e9f16afb73

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
73f049020264dce49e0e015b5a037a7c

SHA1
2c6f1db87634ac01b820dcbd5debf4a416f470ed

SHA256
1d90a89ceb9bf5787bad5e110d5fe8f2675ae45b2762fc512caad073202c74a1

SHA512
2c808da0bc75ceddc8e4cca579dba58a63b56c8ab5a3fe1c07f7953405a5c7eb2c226287c89187fd700f2e70edd828847c25e6beea23ff7e232c4eeccf996dd3

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2998832f2b71417fd43cb67a0d38a12f

SHA1
5e27cc1388fb041f244c8f1d1edee54808c17762

SHA256
b98baa65061bed2c3fc5a2befc6a2899ffe84fb03587d9e39780944a5caa5611

SHA512
4df25c40f9aa8cfbfaace89fe275471bdef4309c3bb0ac0cf5999cd8976aa003f60a0bc35ad37e31d91b6ee6cb666aa912bc1beabb3421ae747d2b7e8f74a1c1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
956KB

MD5
a3cc94a208e9278d02a19411070bc706

SHA1
b372a55c8a2666aa33583b2c8738caa9adfd9dc8

SHA256
ad3105088ed1e89178d84289dc842688d6fe901fc13beb6ebba25a34c32a5d01

SHA512
cc65765eb7268b2487133960351fa7f8ee24f08781c5a9d55800bf780deea8f591279c4aa3979e197643395d03f68ea79a79a78828715cafd4ec3b01abc67c9e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
Filesize
414KB

MD5
16b9618962f5623ca791a1366eee5708

SHA1
f0d257511952f075b2a0ec7d8e8730c3e464461a

SHA256
e67e330837a6b2f6d5f76815e7235a512b54b1c90f2ad62a3e9d142ae6939c8d

SHA512
18e1d5a105b87fc72df94645685f5a8d3f593df2d3a9b8652b3b4a4ceaf92d3c7a67b0c08847186149dd608428cae8f1b3bc844bc7aacfc9e3219da823ca2fe2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
744KB

MD5
0829cf2ea401331d6eea365afbec4a02

SHA1
2fe6f7b983c38c27b13887d62506005d45aca571

SHA256
b56283e381165ce2001061d3ddb2682fe5a74169da1e870b919c57f5f785491e

SHA512
6c590f647392592668eea9cbdc717cfce4b2fc30823907a810fcc8cd3e75e22cad9b4c1a80d689dc98efa85253c1b4c27b90584bf1c764dc280ee122992c5116

Download Submit
memory/1252-274-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1252-278-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1588-105-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1588-145-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1588-114-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1588-106-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1588-143-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1660-168-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1660-159-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1728-655-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1728-235-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2052-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2052-8-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/2052-617-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2052-1-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/2052-146-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2100-652-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2100-237-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2652-28-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2652-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2652-102-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2652-251-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2700-155-0x0000000140000000-0x00000001400BA000-memory.dmp

Filesize
744KB

Download
memory/2700-324-0x0000000140000000-0x00000001400BA000-memory.dmp

Filesize
744KB

Download
memory/2700-147-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2700-153-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2912-117-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2912-123-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2912-289-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2912-127-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2936-178-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-19-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2936-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3120-339-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3120-761-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3380-233-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3532-760-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3532-325-0x0000000140000000-0x00000001400C2000-memory.dmp

Filesize
776KB

Download
memory/3980-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4012-180-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4012-533-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4416-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4416-689-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-236-0x0000000140000000-0x0000000140098000-memory.dmp

Filesize
608KB

Download
memory/4708-252-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4752-135-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4752-128-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4752-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4752-129-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4752-139-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4792-692-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/4792-301-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/4800-263-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4800-688-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/4860-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4860-759-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download