d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147

Analysis

max time kernel
153s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Size

24.3MB
MD5

e4511fabdff65b9eab5d04f669b16857
SHA1

24b601609f05cf1f295afce2de83aa8660fe3dc7
SHA256

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147
SHA512

45eb4e51b63129f8428d719aa2dc9f7374a5be7755017a99629ef13800864f84895f162261bcfaa79c7ea4d4d0290f482e01681ee50a5ecd9afbe1d50905431f
SSDEEP

196608:nP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018F8d:nPboGX8a/jWWu3cI2D/cWcls1iq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1860	alg.exe
2848	DiagnosticsHub.StandardCollector.Service.exe
1944	fxssvc.exe
1172	elevation_service.exe
2840	elevation_service.exe
3544	maintenanceservice.exe
2924	msdtc.exe
3740	OSE.EXE
4116	PerceptionSimulationService.exe
4388	perfhost.exe
3212	locator.exe
5024	SensorDataService.exe
2892	snmptrap.exe
1088	spectrum.exe
496	ssh-agent.exe
2024	TieringEngineService.exe
4684	AgentService.exe
4624	vds.exe
5104	vssvc.exe
2644	wbengine.exe
4776	WmiApSrv.exe
3228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\System32\vds.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\67f3defeb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe

Drops file in Program Files directory 64 IoCs

Processes:

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exed3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000451c6396899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf2d9d376899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa6152386899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096f582376899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000590399396899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004019143b6899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe9a123a6899da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe

pid	process
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeAuditPrivilege	1944	fxssvc.exe
Token: SeRestorePrivilege	2024	TieringEngineService.exe
Token: SeManageVolumePrivilege	2024	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4684	AgentService.exe
Token: SeBackupPrivilege	5104	vssvc.exe
Token: SeRestorePrivilege	5104	vssvc.exe
Token: SeAuditPrivilege	5104	vssvc.exe
Token: SeBackupPrivilege	2644	wbengine.exe
Token: SeRestorePrivilege	2644	wbengine.exe
Token: SeSecurityPrivilege	2644	wbengine.exe
Token: 33	3228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeDebugPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeDebugPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeDebugPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeDebugPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeDebugPrivilege	2240	d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
Token: SeDebugPrivilege	1860	alg.exe
Token: SeDebugPrivilege	1860	alg.exe
Token: SeDebugPrivilege	1860	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3228 wrote to memory of 5196	3228	SearchIndexer.exe	SearchProtocolHost.exe
PID 3228 wrote to memory of 5196	3228	SearchIndexer.exe	SearchProtocolHost.exe
PID 3228 wrote to memory of 5224	3228	SearchIndexer.exe	SearchFilterHost.exe
PID 3228 wrote to memory of 5224	3228	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe
"C:\Users\Admin\AppData\Local\Temp\d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2208

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5196

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
f9ee3fd6393eb5b77bd730651b0102df

SHA1
9ab7bded787aaad0368ddeb4fe3849aea5ae3b55

SHA256
fea67c024bba3de7602d918e39206ea8881d68a1a23dbf5573fce10bf5268849

SHA512
2ede1d3428ac099df290f63b59f34ffc32473735d3a2521f1d67ad9b5cfa6f2fbee06a16f067d8e5f32e49541ea041d32f640b3ba746aaf595715b407a9cab53

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
18d89d7fe91208f62907e836682e67e7

SHA1
74cf73bcefd546440d89cc1a75e2f910079bebac

SHA256
13f5705e941e83a258069b65d79e1396c4a2b80fc93dc9d03bd1ea6a3e80c9be

SHA512
3751e3b91044209606bcf7995218e92d245ffe5a1120b6fb67186cea0c35cde1b27883149a15bf6cbc26141c80c33c852315e8d1f0519839d0bed2b53c17adff

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
158d20e4951f077817b28e62202d9abc

SHA1
62d201d09d59918dfb3dbd9d310c5495ed2b147e

SHA256
286fc2b9997c6bb45c783a102b498b14bd4247107e298fb9de24de67f13cf9f8

SHA512
a3669c5169b430c0dfb7a44d407642e16ea79913bc4dae7e9d9c52580de5f7a1275857f2ab9f95b141f8ffcc63556ed0e992cb99c20104ced17a27adda373f10

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
83ef3622d0cbd6492615685cbfd044ec

SHA1
a99bf3e199cb632b8f481b6d44067f14f6a86169

SHA256
ceeec46e55ee8c2327f95cc475d240b03a3d14e31e2cc97289874214fb9c6775

SHA512
dd33249fabf506507fad4aa2f26fee3461b97c731da8cf6af87a24a363a5e50e69800248e767ecb2aaf285a40f4de478940bf8496256b91e4c5b9e28fda8d931

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1131939473cf8d0e933735d2bf9827f0

SHA1
1d5c9120aa519e69eb86088af53841c11a426c63

SHA256
d58989392810bcabe35a79bbd8456676e2ed0a94233e5060a968d22a1195c0bc

SHA512
5ec4f466bad1b8c8897ff4c3f7cf63af271e49be4625f8fe25817edbd393721eb4eb830f676f0cc07f7c7a01e631a8f219277794fb606f66ce47462a6e5473bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fb54876dde97094a27e986f9b84114b4

SHA1
885eb562048a4004841c1c90f99366d7383c010a

SHA256
ad0a13fd182bf3eaeb2d0d682c0481153224bb007d266b62f4e3e8c6dafd3a65

SHA512
b24ad03d4a2b0496d0894c92a8a8ff56f22969ad73d89b62f40aef89680ba243dd7e623f4b10b3766f928869e32f832a08e41d8d0f95cdbb724e3a92b4903912

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
572fdeadd02a9ba4f2b2c35ddc2b849a

SHA1
f1413fe810a16abdeee9b06400207fa56c0eb09d

SHA256
80fb6b86350edeabf59775cec44e8d01a7e23d32681475c51478b58509566d22

SHA512
87caefdebb1fbde0356675c903ee3c61da9b87594731edb3d179f4d84ba6140386a5d61235e88193131902642451954c545d51832a4bd988efb6ce2bca26abcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c0d96a73a6d4485d8033a4427a5ff403

SHA1
2a655e5066e0047060515b9597f851c9a03f7bf9

SHA256
32881b54f61466e7038ae3210434f51d72312441d5c595d2d5eece684e08c00c

SHA512
9a69bb55f569d8527a6017c63cdfe41ffa1b53888fe4457a52e5c2f8d5a9a0455d50f85a9db7407d2c52e1dadc89529d2026e51227da8d17be8b5c47d53cf0e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
10005fbdf25cc12d16d14e2b6a156c1e

SHA1
19e4532dff4779bdb6873cc27fb2a6ea5fd6eb88

SHA256
90d49f567c4f7f613b8e05dae393924a3437fce40c4310d40f48f4bb89e07ae2

SHA512
6e5871e7df88c5e8c3ff4ac21156d1f3ac87febb3669cb07c7eddad5881e1a0cf234d60894b3e15d787e433cb6b7fd9802fe396f02b45d8134f83ccb3b6b2932

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a05010ae46502c0f9b580ff9d77642fe

SHA1
8551e9f69a6347578c3c5af9daf8425abfeca8a5

SHA256
75003b0a113b913aeb5f4f31c6d2e29fca17081b357de98ba704ab7bbb00d843

SHA512
5a4720d23bde39d79b8123fa259ebc4198603a24d60b8ed649b6d2e05ec326bffdb1da00805b0569d7fe5ba327900fae9fc6519d64996603344f69b5b0aa1202

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fa7e3d379f5b13cc3ea46c1c8c68064f

SHA1
a4a3c09eb8fc7b882bb646eb1bdb2b3cde598b64

SHA256
fbe1cb0fca2b7b05cdb84828098a498002ccd356de3113bcfc23b7f1730a49c5

SHA512
5c292358da25b5c93f902676c8de583c0c0455c0aefdd5e4a7843369aa181fea4e6ac964f86766be46c29c47df63af924d24855df2f0a4488f13ecdbc53f7c22

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2eccf7edbf6c28b0a2212ddf024dd302

SHA1
c97a5a3b83b573ad2ca38d8d632f83d0df1ec627

SHA256
f5e16e21a38227b5028e82b06a3ba3d9718996e20de90195d3e71a69cde48240

SHA512
4bdcf801a1e99e3b941608de34ad90ab1aa6b2874dd54b532f5f81dc8b95af440d65f82cf9c3b9ddd4c098eb941b010b7fb08f3fa43ea1679e04f23b056fde9d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e6d02f864bc7e54172cd9f53453fc05d

SHA1
c95462c716d252c13645db39c8956c5b61801d50

SHA256
48554a873686a7926d2fda657f491182812be187bd9b0b4e1dbec61ee181e4c5

SHA512
a3e47910c36aa44ec6a1fb452ced898a78032f15e108c99fdb2e22b26d03f85b91157a7c5b408f303172f7b7eb8bf73d2f85029efb700869a552c36f5c3c3e61

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
708eece91211e820cd6ec1c8e2d8f9a2

SHA1
6f8496eb131a0ab3b2562494c00e1e2afaa82074

SHA256
edf3639f2020a6e91a1bc302768424636ec13eca776c5451ca3c3acea465e70d

SHA512
5168ff7b5ce6527ab70508c0faeb732eca443c14727f048d59ef742967296073e6c84fce217760f30d94e424f404d47063bd89f8b996102ba29f29245e3f1c2a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
404277a922b0e66307a43407e43fd97d

SHA1
58ac9487bf5d33c65fe7b4604d8bc72cc02e45ff

SHA256
d4f64131893101e3ac28cf3c10f2b0693a8d3d25d9b43a5ed8f072a15bb0626c

SHA512
88cb29b62ecdc34ca93b43b3431e83e75a6f259e9f6d70e3e57f05e927ebb617e07218864687858466cfb7a53fe7e5f09938187e00abc2fe3d1d4ba21b803b6d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
06d621c39da63768d13bf4aa9b4b9e11

SHA1
1ec181d49b7d2fb0e61c65e63477678222da8e07

SHA256
d634ec07723f97c2a2e678f71eafea2997c7acc2a495934c39b36a95a083133b

SHA512
445e1ebe0500a9a0b9933038f69994256e27d5d1a066758672454e55d5ab99a98844a290c18c251c21f32dd5fea610a857d343e6d3350a1a1973b111ca23463d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8408c2006c8730dfa1947c1c0096e320

SHA1
82b8eb5d83843ade35ddb7db9156cca98eb3350d

SHA256
cd4b42a9dec96e5160f186d3aebc9b2860fa1d3db818f621c8f611b6e8748c9e

SHA512
2c8f1449dc91fd65d66a253c5dc4050237a56871f7916e6637bec0cb1852cb98291fba167b4b7ba706f7e7cc64356048e5ed24183bfda94adc809343615c3442

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ff9637387386d561404a0b872a05020f

SHA1
a1fa34fccfb637d58a784ced3100d1e707445cd9

SHA256
38504b60613ff1bb751236454df8af25e3c7a60b8a56ceae5518a28e13de6be0

SHA512
a0d8ae995a2782ecca94ff6cc9a9187bd7ee008d541320a58cb7fb352afd0da4e759f1391b1468c7e53d86a1d2355ab2e4fca62b4da9f2863b19e4e1fc33d634

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
cc5f52de619cf6e19bed36d62cf5be63

SHA1
872e6e484eb685ae613f5a7043d58e218cd3f5c3

SHA256
0fcb58668733e1bb25fcb0c265848182a782f7aadcce430672c949c0477cfd73

SHA512
561b2ab2953c5369fcf37a0cd92d7c5cc8b4577e34c9c9dc1da08e706a303a557591b7dd085b6effce0d3a4cc7fb2fac448409975bc3996bcbad3b3261e770d8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
117ae6e5926116f26e20c9e94f894bea

SHA1
a8b3360a9ed2e124cff1956af3d1296dfdd972f6

SHA256
5bd808054d8c955fe497bd23d12810237cedb10d96e72ae602e3897ec5dd1747

SHA512
4d694b5d121c9997e43e2a971db00e02cc122a5c538441b7c7c304cd215af66150448601c3b993251d7534308b3d3125723f388539cfe9107930819fc583368f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cb7f4f2e55c6d13288fd91ad9b8466cf

SHA1
921f537855d09c57677592a50e904df2b035a7dc

SHA256
d3d13ad3b2de995cc326be4a9ca0a0500eb276ecdeb4fe7177375e22e23fc0b2

SHA512
1e5f46fe40e38ab37c3bae32f8b90e033d7c583bb43e9fcb19c7c3a7c766ade36729bf16721b1f76e9e0a281b65e50373be96610c32d12ba2dba47c7c2b578ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c9bbba53a1caef8027b6407df900265a

SHA1
6d4f4ebf900c43b25fde711889f1d04530150ccb

SHA256
54a78615320c9308c45e20d1ad0701ff7d47f36c258478dcf0c715067cde7785

SHA512
4d338fc6e62b79b0534467077c9e0db0c920474100409dc2c056a3deba0f4c44adf11536c656168bd5f949b48c494827bad01d22d5074cc409f38d7be534893f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
00a5554f1d48d70d065fef0dd692ea9b

SHA1
a48e98d066f5ca848a5032068d36f8ef33ffda29

SHA256
bfdf0c3e15b0415478a2fb404651f5cc8065a399b2e2a06c2c4222177ebdc968

SHA512
225a3eeb0a970f787fe9b8f8327ca1b6e506cffc46b9a967289fc98c2193ed74f548fc6c3ceb4e992021a1efdba145b72c1ca637284d6d42022641cd91f941aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4a668bf34042a4e3378044aa1fdaae97

SHA1
7ed5d5d18a2cdc8b4a7d3c241d36159e0f1e5eb3

SHA256
e0b70839d734cad177278b350d1008790dc4fa8dfa2fead51b042e2228dc4473

SHA512
f968cc6200635e7b82915d16886672d1e6b74153eab8bd6a5eaa46a5af28edf7a4aa33c47d2441c7627c4cbf8dfc56270ad4b005dbe3742965a1efda0abf242c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9338c579c13cdc4f70b1db0d0165cff4

SHA1
e81e4fd4c64b6af435a0b1355aea0a9520ee17a8

SHA256
40d03e10a7ab5aa31aa78709550f5959ff7e199edaabee89c21190e8f3479e60

SHA512
4a0b0fee85e336a64ab6eb975c44c8d25dc199e0e09135e7b78e257b9164edb1108a2066c22c0289530b5ba6d5f1789bc251a3b3d9bcc7c762fa554c5926f1ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3b260ca30f74e7b460f27152dc240fa9

SHA1
ae53d8400058aca3a14115f0529f88737c5be702

SHA256
0a29c716378c5f385e7a518bd4b4de831521ec328e5050fa01683f461e20e3b0

SHA512
8641998412fec1a139fbbd364cd1428e6c259ca8218fd80a62379bb7a182e6e44d09968dca19de02db9ab4de2de3eeceb8717b08c9b497c9d2b4b8cdcfe63e5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
253caca54b388de0f93c146be1fba71f

SHA1
038857285feb84258d5cd89123870370377945ae

SHA256
553da2c1ce5db05f3535516c6d76e2328abbe4202bb36e64d447c2dc862e1766

SHA512
67f765f62e727505918b0a0581e0dca2ec3e38c9cb580d92f23fb6acf9a485a929c818a00230d40f47a2cdf44e9bca745b95dc13b0a575024648b66db85dcce6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
35541a87fffda5180444d8bf880fb93c

SHA1
870b3de3c36f8d1f4b8bcff9e3196577e3322953

SHA256
d6d81b59d03dcd4e6ade03da7618d6c1660a05ff2cdcf0aa3035d61c549bae0a

SHA512
56198eee302369181f00b7ab63597782c8f61624d651a4ddd7369dcc5a49bf9190e1ac67200854a108cbfcdeafe2e7a2b15dd9384528e454d915fbd5ceb82c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b32e22ba64bf188411cd2c28c8d2b243

SHA1
e8f83cd052a42507a969a9e421e09f23c72a5586

SHA256
5aa459ca82a25fc6ae24c3d5748769599e0b2ac7686eea8663f66e704f6adfb2

SHA512
9b7a48117cb34be7b446c3ea272f59b3ecd52264a11195a9c3e229e3a7c0105f99d3a6108de04038c702cd83234a510aa67678eb6e1c4c65f2017c006810b2d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d2d84a5ac3f2d190a16580f67da9380f

SHA1
4f08379b73d899f4a84860d7f5ecdb69d39934c7

SHA256
7e00c007b4e43d345b5a4157203c36e2d338f2ce49dac5dd8f986387ab9886a1

SHA512
55f37d7a7c088e61d7f3c2bd99d1e24f58502682273876b4abbd27973affb77c25c25556698d29e2305c887d4558b764b5e386a61018158ef7c4ede489d5f234

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bb1bea5f86012a61f0ea928160ce7fb3

SHA1
e75634aa345da128ec66a34d299c0afd62f639b2

SHA256
e68104442be9686356e2f27f75f7ad9f9df5255d3a88aaf490e121d365c92774

SHA512
5b39d9a984e35b4f971990f46e85d974060bd3b579bec52b7cb0f5c5a7d446a668b273d309b8c6c1cdec0abc00f084a53c3abf9d5cd85d9e9c7b2a8319808ce4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
310ac9a08e7077c88cc2f2c7444ce8b8

SHA1
0d5a65cc327d8da460e4d769850cbe53944b1827

SHA256
4e293dcce79bee95ce3b88525cf0a8a515ccfcd0210ca1a9c815c746fba274d8

SHA512
544f8d1acf743ae9b3121745d8e32678a4c29782a3d1df69cb69bad5f484f480aac6c63bcd7d2e54e5e2f0c8407b0786468a85c90f33e21647c58154dc9b550c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
56d82eda0585501cea5ee2e76796cf5d

SHA1
946271fe9b9b694a05a7710190b253f75e79c8f0

SHA256
f7483ae7b4cdf32df50bb32e99fddcea3b9b79624d5cb9fb2199ccd62b4e606a

SHA512
a17c07c1347d09039f109b74e57a70b3306c905951167f5d075e26b9f26003efdf92b060f037e4c3ff66e7ab09c28f0bde6c21490a773aacee3e1753deff523a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ee715b0cfa415a3d73cd9da43ea3d532

SHA1
385f5538741a1a0ced53ab1eb4584e59edbec361

SHA256
f7651d849d7a4ae7b241133605c2a98762459e7c536d474e86398fbb124d023f

SHA512
cbf50b8023eeabf1e2f2ace62bad21d57c6ada433c95e308e0548de0a6181f6f9dd09cbd38634efb4e2a64369745af8cb77407e40eff7d3baa486f7ddda2e90c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c2e0378e62dd3081631595310d13fee6

SHA1
03a69f15a79faad88e96c33394584f1faf66d415

SHA256
f12cc1114a698fdaf4ad32c446c5c12c51f4f773e3c0259aab0791a7ce7f29be

SHA512
da29831f5c2f4ca3a375fd58c2d32b4196fd5a533360f08adfe72eed75af3af734870f9aaf47d0dff8fc79648bd0e63d55c7a60b9fee058b55a92a7209fc65b6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
397832dba6ba7eaf9095d972d8c9827b

SHA1
c478b806659064706be994cb03dfabc14ff2aba0

SHA256
9b7216a9dfa9171669035e3236a12474ba29ba78d47fd394662a240c4748851d

SHA512
bf021ab4edb82e03da6ea5d12f09d5f4243b8a2e2bfc81a2a3828ce4a31d631027ca9c27f5cc56d117bacdaf185fb86995e6e5aa45c6d03c1e5e27fca51fdf02

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a12bddddfde953f211886da5472f1af6

SHA1
2c674e78e5c6036f3115df08426b2c371b20fd10

SHA256
633be3f060833a521102888b36ffff6aa6ddb0064bca379bf68e0dfd536113bf

SHA512
89b2bf1985351deb6c958b504b0b3108cf5b5c03b90ea339b37fadbf96180070c1467ec50f15d9eca3dc38a8ae99a8723dfcac8634399fe34b105c9c9a06c318

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e3a04f73c637b375934d96056cdafb95

SHA1
dba8e63986a952d854848aaeb79b1bfe99a64d2a

SHA256
6389a2da439ae9a6f10640998d772d0995866c64059539821c9471073e1aea2f

SHA512
373ba25da70a599f2108c6e1a110e0638653c66d10a8926ec697de70819b9cfb6930749f4120833bc126d36c17677a067c4cd10b80ad43713bfbe95c9c970c2b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2c9df61dbb6f66e333fbf662c8c24e39

SHA1
350ed92e9666fa5b62d5b01647ecf9939035fb44

SHA256
d28fc105368cf9a77c673db1352f983d1915a28a484be7bed66f68a17d5f6a5d

SHA512
9d607c958a6865f3d0737cd569e6eff5b73b0631916c456716bc030cf80134bc1449867c0abe6045a0b82e4dd822b666c55ad10df39cb80f6cb3699d5a5a196a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8aa877c39363a08a169fda1c08d0b018

SHA1
1416b8e9c9399026b057bf331842fea8e354fd6c

SHA256
b9fb851d850b73541c2310a6bc597a51f7f0ba6982526fa96b803961d2e8a44a

SHA512
8846e85df39f7bce9b66d5ec1a1353f4d14331c736d08ed6616c0d43b891f96ba1b9443e65450483999bbd32a510fc793da0136b4e0b0e3c70a48a594a7e5fad

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
607289c58360df54c29d27c62d826c6a

SHA1
8fed3e67ca4b48e7bb8dd6a7037d2b51e81446e8

SHA256
5c8daefa5c3e750cf7da435512e34e16881fa5478100f3109b4a9291d0ba269c

SHA512
16a40b0e286ff8d295a430ebc064449d70609c9cd5215c2f27bbf1b99d5a9bbb04f333f4c81c756359728fa360bb749491c31b13fadfc2dbe89e06df6ca1d5ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d2d2c38fc1de63416651da1754e0533a

SHA1
c9cab5a6648820755cc91834729b9fe39bf2f346

SHA256
07117c65eeb00e1417d06c8d3bfcef8858eee9a0186fd8ee6a00c584f7d2fb97

SHA512
f0c57f1953c9c20da4617ac95faab4de7f83fae2a7b2ffaf0d091927a23c8f87b69f693aca82590850e7bd846944efd83c0e7fdc89df2086ef4db28cb79a0a10

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
defb42a3f1ad437cfb15dbea12b19bd2

SHA1
8620522c63bf9fe4d731642590af567f5b2caf68

SHA256
f91d260a58fdc751f9c031e6b4a6a9b5721312a488f0284a4ec1ad345e98a316

SHA512
639cc90986366e55ed640a0541e306ca1d31f202c325450462dc31b4925c13fceaf9b3106ff0b7e5089e257e587f343ec02d9bdc393c4bac8c909c83ba073b81

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5ea396beb6bd64322b557c6cb9d91328

SHA1
7bb9845371153af95966e7aa655efbf6d100eff8

SHA256
b34368cdfda39951091352d5a175f70b20efaf94e3d4d0b64944e187c96797d1

SHA512
18dfdb1c86c7dba7c2c2e23a65c3a49213d44d355673db0453e0c1a8846472019244dffb9b2a24fdc34d553f6be3286574736362e94dd887b818cd64be9687e7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6bbae134a0fd9281e76b833d3d30c578

SHA1
ab32bbc54b606061611f9a12b91b6373d029b233

SHA256
bce957e333a29d2157c32dbc4737a3148a88cd8f6d110b5912b2a1caf225c7b6

SHA512
34bfb4c32407e65f101a917b78c69145ce99966c39ec34b83e727abee2ff7251c8473f86ac565020f155bf1395744661e01a118b09ebf22ea1565b172e29d649

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6fcab6e660dee75d0f79457464f42d36

SHA1
bbde606a004ef85e2139c98ee71189631e33f9c1

SHA256
99be6b11ce3b9d1ab803f1d98d8612a4a8322d4285e9ec4573054000cac09353

SHA512
4827b3f8f7aa3e25cd3c89566b041a0381f628ac8e18e1011d8e59f31ad3835888c26c2c1efd91eb5155b9c31748314a65703400480f9e08f2839dc8386fa47d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6cc0c479bb1f67d7f2bdee70725a99ad

SHA1
df0fc0d328aae6ae2630c6724dc2bf8bea426f5d

SHA256
55412f8e19020a2ea9a2473a9b73d5a70fb3103442a44def80ec22a7381db551

SHA512
f7544c4cd808b1efc8811e0b18ffff8c631ec816da8fed9ce6f99cdeced3eadd4de5ac78e09b3d6a6a2a406d7a8854720427634a1a704969aaedf0e70833de65

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6ab3428fc4b7f78c8db8c13e337da49f

SHA1
91ecc4e01b71b3468ef8af29d9e32f876acb051c

SHA256
fad2ac9249ff5e49778f9073d452afdaa5a239d8c14beba43322b08cbe08d431

SHA512
9580cb59369f204d8bf475fb45c008bac34f63f59eb3677e966e7c99458b03c77bf8a848740e3559cbe75241fcf89a0cc0aff76cb15aae4f0ce5c79d15021e0b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
30923758e47ccbe63925795a60afe5f3

SHA1
b8da207673014b254bd5b49695819ca64118f52e

SHA256
543bb57ff0693ac17fe1567326bd0e0f39e20b4c10ccca48e3dbb39b852eb67c

SHA512
51c56d208b28056142bbda537dd6f1c5c382a84d7ab64611d1475d8015de72a6a2f81c9d4c65fd95e6e400dee60db035b55ebbceab4e5bf39b419a5a41aabd53

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dce79dc2cd0d0965deff23c24244a796

SHA1
e9f0118ae1b35e2ef384d41bcf86ac69bc8a5024

SHA256
91611734dc9e1b12eb0746448971c0652f9e8e95f007b1b56f51760f3ec598d4

SHA512
2366a6c2d2898c067223ece9b9e1b8b71d5867db209b180633535f144b224f0706d19638c9e17c34d90e8290f4cc1da3f520e3bea3dad8667ec3d85f0eaae242

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6fe02cd6f46ace2875aa060686e7d84e

SHA1
17ba86131209ed1f3b4b7a2cc9f176b27f194fcd

SHA256
afaeb6102b38394c54c1ee6c788f915ab4ee6fdad57dc8f1a0ca18aec1df454e

SHA512
de0313df7194596d32b382b068de98e824fce57abfe0df9cfb55c0fac7f1721c61eafb0ed3d0feb5d4e9e5a5a75445b14cee2f8296e33b035cc716d4bb98d368

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a57c0a56531739afdb768286fe03e9b

SHA1
0e3976ed22ae1ede90cd1ff419924931ec0ad0f7

SHA256
a31706df25b713fa0be1fc427a1390ea13acb64f05710cd58e0d541f11a17109

SHA512
388cf82b2e68322088950da53b4d0f2e305d7bdab0d5c3658e49a29a35e7e6094f569aeb2dcaf406f38def2070829dce76b331425f2d4e660f9e7a7817917fbc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4885b4631e59d2b4a90e75015cfd2859

SHA1
09bb7df07d30c4ca7f225f00190d5bc6a35c025d

SHA256
29569673f8c7615e4f48db219286ef8d081dcb27432fed6bcc9e785dc8bfeb0e

SHA512
4b269d508096dc9810379b2e59a5f1b86774b7239dd70a124f6d65884a42fc34154ec6f87b226eae59b5a6c01f6b3d5cc34ad4cf0ce8b6897ee6c4f7b8df5fbd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
46eab8f595c71b84f111377d4604da3a

SHA1
66292a27c68be9d09a4f147d2e63ff245c6da24d

SHA256
df69246a8442975625f76e924600eac5e02d805736101716b661175b84c2cd66

SHA512
94804d75069ce06c64a5ec130f336674440ef787515fbc8739ef2749207e5dfa9b05e72a0e762c73a8a29121a987b658ff8b60814087169b1ccf57605dcc7dda

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8af6aeb3d7e4092c3f5793419e55d7f2

SHA1
0c9d80b93af00770b5e6baba7b8d32139912ba73

SHA256
1e673b83669dda436eb549ceff04b0911f79caf460291109665425c57760f14d

SHA512
0cb5bf2c46d0b3c0291b2a244de2657fdddae7140fca811e96eabfe2ef497cc8ceb5f16984670f773ce89621aa806dee1f092c2d41297837bc90cbe29710f703

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c36c093fca6fcc058ef649614c25bf53

SHA1
5decc1719df7502856aa72a8dfad894a0575e0ee

SHA256
85ced7099cbb3309fa9134ceec089496ab8a651c44da2faf307c48be778f73cb

SHA512
c9637fe5a0f906969e70c329e3aeff1aa10cffd63841026b7e9fcfc8450630e67cffcf3943d0ad0479af822ae752ae41e30198b3fa99f67d34c7f2804b2eb9d1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bc7afe280363cad43b24adc091392529

SHA1
98abe077be8311163a18759e7c7ca1deae711e19

SHA256
41bae31557d8be87aa66e633ebf5245e14eacf99b0055bb800b2ca0c0c4b89e7

SHA512
7ceb12b199e2eb444fa4f9a4be77729f4394e1805ee86db81e984d283aae1d349f04384dcbc44107da9883626d21aaa6d3bf396477fd63f4d455ceb2abb15ddf

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
3506b8d9a5f25de0fccbe8c12a9ec2ce

SHA1
1fa702f31b8d4682915a94f964ab56179d0ec05f

SHA256
f2417202a887252bcf4ea60020940889848d9f032d33f660e0e35d8f042f4620

SHA512
af4680252fcab780e101fde90eb934a6818eca8360f6833dd4711acdd4a98f968e4bf4f68f616173715f42a1b5b912f645f9103ce101df03d064540488ddde7f

Download Submit
memory/496-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/496-416-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1088-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1088-361-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1172-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1172-58-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1172-171-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1172-52-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1860-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1860-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1860-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1860-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1944-48-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1944-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1944-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1944-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2024-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2024-442-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2240-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2240-87-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2240-7-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/2240-6-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/2240-1-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/2644-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2644-479-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2840-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2840-184-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2840-62-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2840-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2848-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2848-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2848-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2848-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2892-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2892-327-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2924-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2924-89-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2924-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3212-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3212-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3228-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3228-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3544-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3544-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3544-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3544-85-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3740-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3740-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4116-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4116-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4388-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4388-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4624-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-458-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4684-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4776-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4776-480-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5024-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5104-465-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download