44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Size

744KB
MD5

54f5fac4eccc0df47a17515858757322
SHA1

c7a1f087bde2717f822c22f77dc2b5a1ee414fce
SHA256

44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900
SHA512

40f134c7379bd6a3aefc6efbb62e092b153a4b027b6d04b2afe3cd6a1e1d845fa547abb9e068b8c03b11e4fe672c6867573c15498943c6a592297683bad3960c
SSDEEP

12288:Fjl4znBP9KGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCG6:NlyBlRVldlnXfH9gPwCn7vOb7HHcp/CB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3736	alg.exe
1772	DiagnosticsHub.StandardCollector.Service.exe
4020	fxssvc.exe
904	elevation_service.exe
3700	elevation_service.exe
5052	maintenanceservice.exe
436	msdtc.exe
3864	OSE.EXE
920	PerceptionSimulationService.exe
1304	perfhost.exe
3812	locator.exe
1920	SensorDataService.exe
4092	snmptrap.exe
5112	spectrum.exe
4524	ssh-agent.exe
2264	TieringEngineService.exe
4852	AgentService.exe
1412	vds.exe
820	vssvc.exe
2384	wbengine.exe
4472	WmiApSrv.exe
4148	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\vssvc.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\wbengine.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\AgentService.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\System32\vds.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e6427db4234f82a5.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\spectrum.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067c1548eac99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f0edc8cac99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe00f38dac99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028a0d18dac99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002963f58dac99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e40b08dac99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a23578eac99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

pid	process
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeAuditPrivilege	4020	fxssvc.exe
Token: SeRestorePrivilege	2264	TieringEngineService.exe
Token: SeManageVolumePrivilege	2264	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4852	AgentService.exe
Token: SeBackupPrivilege	820	vssvc.exe
Token: SeRestorePrivilege	820	vssvc.exe
Token: SeAuditPrivilege	820	vssvc.exe
Token: SeBackupPrivilege	2384	wbengine.exe
Token: SeRestorePrivilege	2384	wbengine.exe
Token: SeSecurityPrivilege	2384	wbengine.exe
Token: 33	4148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4148	SearchIndexer.exe
Token: SeDebugPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeDebugPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeDebugPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeDebugPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeDebugPrivilege	396	44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4148 wrote to memory of 1668	4148	SearchIndexer.exe	SearchProtocolHost.exe
PID 4148 wrote to memory of 1668	4148	SearchIndexer.exe	SearchProtocolHost.exe
PID 4148 wrote to memory of 4368	4148	SearchIndexer.exe	SearchFilterHost.exe
PID 4148 wrote to memory of 4368	4148	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe
"C:\Users\Admin\AppData\Local\Temp\44cdbb4ebff36c6462341cea102d4bea3c27187b2467e66357bbbb901cd93900.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3700

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:436

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1668

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
2⤵
- Modifies data under HKEY_USERS
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
35e67364ef9b9d6e80f2791d76edadb4

SHA1
4b51221a56d7c0ce1b9a0e1f66035a9fc34d1ce4

SHA256
fded24ffafc7280b61e21d5634a0d4acbdf227caeb783905286cad5ec3e59123

SHA512
82800c914c760b6c80ab40adcfb36d92856ef322c00d3293ee590f624ff5eec2ed2ceaf78c33874023937450e61178616c0b913feb6fdfada91cf52924c1b251

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
74f2246819accd226681005844009647

SHA1
053b79b90b4bd229835e336c1aa57a30375715e0

SHA256
ed5b90edb9b6afb17b65f0d1a1c44bcd2a6289a3ddaf2207af88dbc6567244b7

SHA512
e038904e03b5a1e3f7d325895329485f3147292f5571cc09d86ca7e8b342355492f454966e79ccdd46f65ec26b724e06fcc1341297b9d074300513a5fb62090d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
791bc6c43163947e4b82486c589ea336

SHA1
31d8d28cf67440ba3d31c621c664258bc8d5b11b

SHA256
5c08505b7b9c7a806807af22d6e02912ee5b2ee1646129702ad03f9b7479dd01

SHA512
2eba3e3e0fab2a19479906a5ba4d570325a0097ae1a2f777d35fa28b50c3e641669071b207a356591121fff80a893b9100934597b3206629c992bcddfcae5846

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
99ad81e9a457fcb55eeeb7f22744347b

SHA1
c91ea8aabe497fc7245c9746f65004ca05dc2c9c

SHA256
452512dbd7c738946bbc1f9c2d03c33474b3024914146ee3664b9191b734e212

SHA512
96134b9ced15f896abfb017e927ddcaa52281a7f2585fc849503aa634c1838f31be24127c298ba3a7e9c21436c9f52afbe8ed2f51e285a8e148cbba74f81aaae

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
71d9ed0be460a3fb6dfbf85d7abd251b

SHA1
cf469129a2c059c0b289cfd565932585a4ae572e

SHA256
12efcc164bb3c8520fb6680f38190fdaca4f08772397e6905897db7ea0f9cd17

SHA512
1b1bc3c96bb46dc96995407efc06603a24c7805aa62934d8777d1714ac35869f8534403359ca6e0aca873db7e2b4d86c645f3a152366b32d843468414b5adf49

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
c6c2a151daf0a736e44ecbb4e9e48789

SHA1
2506978748b50bc8cc465ac9a32c92becd4b2aaf

SHA256
1317c3f6b3b287c7bfba4d2791487f7409ee59d6fb14d354bddcd5c398238d19

SHA512
5d29b8a710db437c10eefa84e99dec5334345f3d712431dc9aff9ec7869068ca5d38c33369a63ba4c8e4e00763026c08486692d3c03c2c286b76e6ffa4d36eee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
312cc0f5a8e54c64a8b99af95c5ad731

SHA1
ffbe420756a1e94a7d911588d0c2767a39dc2175

SHA256
bb1fb657223c23d284f578eee7450019e09d57f01c1d4942308810eb46a1c2db

SHA512
d291afca5c799797d15e5428b081b14dd37c9ab19b19519de91d1f3c3ea24fcfb81154ec84e6bb93cf47f403e47ec44d398856251b5f39fa9569a3d24f801423

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e95f7218b47c7dec7a0b60f3b4bdae80

SHA1
e88fe12a19f953890716fc3bf937f7718afe92dd

SHA256
dfca067ca9abcf38a7b4da6b6dcc6578c44e927fc9f34669520bdf1a44fdee57

SHA512
f8abeefdfdaf9d0a2b354ca56dd6569864302a8d1833b815314eb46fd7df534ad080b01398e7a8b7cae5d47477081996621cab29104814be370c433e6d45fc9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
62ecff64c04e3ee547d11fdca84bab2b

SHA1
dacc727f027021c57208fa82d64eda3ad13c7cd4

SHA256
5d79bb290cfaadb1a99b9119c5059a375ac88dabf3431079ff27bcefbefbab00

SHA512
5fecae7c9bfe56eccf6fb3d53e166f281b729fe11b7a8efed70a07b6734a6a3502614d854e965e0e9d976072e34543891cd41e660159398fe0a104f767ae6bc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ab7683f7323aec638b74d424a417f5f8

SHA1
8a052bd1f56a4e14643d61db381554c687ee6b7a

SHA256
892801387fdcc67e4e6cd82409cb098b626cf446f81f1f19a4c12ca746db52d2

SHA512
2202a34b689caa3dfd4ebeb9685c970223a715f979e31a41e45e2ba3fac54be5b806c42a256b4a91672e2517c9d80899a80a9d8e0a54c866d6bd76697a5eedee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c8f1a84cb46039a3957056893849a229

SHA1
87b27075c2697caf671ff3d211be9042a2b5d1b4

SHA256
b37f23219fb9b6dc4c90594a6bfbc252f3f284c463549903d3457d32b0fc03f7

SHA512
9242c9af09daec4d8b1d5883bb84c4a1419f038698ca1e8b173cdea58caf17353af49a4b3c2c135880ecd70949147572c0371053c4dc52c07d2c429b6eccf931

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c167ddb163f649a556f93b4aa56350d1

SHA1
612849ab89e1fb90d7becd55f979a0680fb41758

SHA256
2f43e2454538e4e7312939c6ed4d9b05f20e575ba29e46ab28938af9ee1cee93

SHA512
9b59a8c37c0322ebdcdf0e8038d36852756ddd1a227d5df1ae7238dc23a30f43fb0ec8555205f29d96b89c4a8cd18b2aea27c97131a5d30f51d7642dee52a2ad

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
32bcddee47af6a282fe054dba1331218

SHA1
53e3e57641de90b27de592494297818433df48d0

SHA256
cfffaccfaefb17c9880d2b4a94b5eaec35ace077925eed20b038a58696f50815

SHA512
5b19cc8295f14610110f7efea5c17e49a1fe8f5e9e7daac8eda92e6f4d729d5f2d934b591712022ae3d6fb051b29f0d13c04f547891d389c99ef8b5bc5489769

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
017b1a368a735b830920a5c759177b0d

SHA1
0ecbfd69652ce6edc13d192b6c76aec6fe6e6e82

SHA256
ff75335378cf934a877157b115a675313b3346b9b6da468c75a203eba90ed042

SHA512
62427b6055b1c9d022e82fd861e64ecdaa27f5ad42391d77af92cc008cd20103ecc6059512da73da93df749443c0f73a43b5985f96bd4e84417219424f75e3e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
113b466ce447173122f92a61f9db9975

SHA1
ef5667b55cc92ad613c7f11f07c30b2592e96e1a

SHA256
ecc14dd9a44c3562176d563862d142797ee0341fdbb6d8156b67ef5a000fd3bb

SHA512
2f49b4074c01977bc05275b396dc36e5b94a56c1c044255c096269a1f2cc9828bafc92c05b3f28a5f95e16e444a69f1025e259e45e1512c256e8f1a617bd82d1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
02be9c876a801a9a8b7dda15f2f554d5

SHA1
4e78ecb525236e086e162f41faba71bd44e22ebc

SHA256
76a2980be6d2eb662581b4af5628b49a07e84460874b920262d0ecdebe97f037

SHA512
5136bde617abaad250873cadad8a35d7136ed90e15121f8cd9097f63e432760f66d06b20524b9bce3fea1f09db33d9377254417b1807344eca20ab51fe5a5ed4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
0093969cc420893676fa266231022594

SHA1
1869842c8b2bea049a8af595e1f29336b38938c8

SHA256
3cb5926988ec0fc17f679080f6bae74851c687d2ed70210c9956438b1a797573

SHA512
44c35667731d1d93419c853de35fbb2c2e0639a8894b83838e1364609e916ed577069d3ad88a8c358532a033aed9d959072c73967b67554909341bf4503c01ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
29be464d4f0825c9310ab3b32180714b

SHA1
6ac87503716bf833eb190ddfad3e5d26d57a4388

SHA256
6cf395147aedd2d41c68543932d2204c2e8fd5723ca7f338673a54f479d6ef01

SHA512
e346d15986d177cbc64777f21d601cad811e1cc62257531323adc881df215f0d110afa607ba24c7c6729ac8ac37daab92fddeca610b014d008f546b249b22c30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
d349c01f58183785c6fa6eaa51064d23

SHA1
e1e0994e81014d41bc039526f9adf96cbc130bee

SHA256
5c25729b55eabaa727b8e2429118135c666acd904a25035dcad8bad4915e1506

SHA512
214893a36681d7c0be07b2db1d8016aaef68963de530c79d40318ec1031f207bc0eb9dc94897bbae0ddf49ce6cb0ef73ad37a48102b04d4f1390ffc4083658e3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
7425e5752b2f95de4fdf493e1216b39d

SHA1
908695a3a8072f42d28f13e26b8b25dcf8606be4

SHA256
160d92140b41b5984cec737f77f80e2fb4bd0790e9f00c6781eff95eae1a14f1

SHA512
e4996d3a972fcc9a17e7bd03e2ad77d8de7b4dd24433b48993382ce73a7eb28287455919024834d087fc842548c2edb994e42e2cb3a82a0cd453742e584ead25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
9903864e066894d5aa16521150f0bf26

SHA1
bc735fb117b74c3b0838bf10926a85f21532308e

SHA256
3e8f80d48bbcdc9a9c0cc7061b8f43f30b330afe9ab767c564d3917c60097d47

SHA512
67bbd42c549b57ae5535f9ddc9e20bf3d30b55954b8232c1abfbac51b0820021e0cf64c45c62acb7fc76423acb25c1f8642ab0dff7c108b66abf7279e6512722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
39ed4cc1f9f4b4e7ae6a4c6e8e850a78

SHA1
c035da8d4218dfef1f694b3dfd142ac94201e3ad

SHA256
5ca99f1f6056ce45b0059a724fbe0f4fb2334ec3115341e98bf000c503ba2ccf

SHA512
bcf34d0ea5071324f3c859e819386c6013ab04e03227d499c9ce9bb5abeac06d8606f066db5dac93891e802322520fe4b8279d785d3447da9f5b02686b5b227d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
2e94036ac1a76cd3cae628bc472479bd

SHA1
1f2ac860362a856b59e005a2126df1c8b263376b

SHA256
b32a61bd7fae9c3192ae75859a3b652e1bc6f73ff7fbbebf39a96e8d208393c6

SHA512
762ae0b9ef9f7339f029acd319f908adb3f4dbc7002957707abd5990893e9b3932601e079cd1b556b5cba7efcb7d6b5ce4d1458fdc66758833451fd921499459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
73332bc3b2e0af84f2460642267c24f4

SHA1
91647f83efb8a50ece7651b9c45d5067898ddb2a

SHA256
d95604acbf0b75528cc6312019ead6715cf51a19e23f300c1b0751a3c6251dcd

SHA512
e77e94cb50e18bb8eac318cbf25ce2b6b35cc3d59f9bc220c337bb20aa3204afc1d987f15c5c185e3b2be0dd69331a3578c6ee87719062c186a7486f9c1d3947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a8c8dda2326eb51fe513f4e6a9a93712

SHA1
12b59cdd94473ad039b38d01c6d7145fd9056510

SHA256
38b2fdb1bd82da9cbf7e69e8966d6207414e3a8d951b2e7b633498f7bd17fed0

SHA512
49c8fd1bb601980af692599f9cd8ff4494e4469e762ad611d989d81f16fb6cb043c4310c8a3c1e66ff729f576f7b07acbd6656a481c6f738d4e190390e219e4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
125bf93c33a97d97487cac88dca7b89a

SHA1
30ec2342863229486f92ea26a0a0d9f9fd6851d7

SHA256
cbaf30605c4f101f99410aa4896f50f0840662ed2301e9bb7808079a23bd00ea

SHA512
7fa45aab8901d3b628bbf8ec61b9a3592956bee89c470d8449789c2d1709cdaaa7e3558aebc928847ec322ea7dc3c707173b45cd5fb6ef449d715b502e6c8b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
600ac08ae02660262601750d344bc7e2

SHA1
b0b07c6dd7dc0b30b16754b63d31a13808f5c56e

SHA256
69cd9dec2b05e2e635c64aa3fe3c44c68b5744917eafa992e30444bd4408e353

SHA512
216d3dae473e06adc6d57973445b4a5fb83398e67a690735bc0f86ccbecba6caf7e9479980a7fe797bd5e2640e799ace7c21024c090e89c3a0906959704b2a11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
96f862a81374df36eb8808a00a489613

SHA1
54c368cfae77ee43a6273cd3f43b8eea609e1cc2

SHA256
727cd966a51acb75903dcf92508055b2f69e6445397704c910d8bc26727595a0

SHA512
8e32157b8f50a342bf823bb9cda6715448d35658c75f03e679f663d3762ea2cbb230115c8bf76f4f935688c0323b933320beef858bd0541ca95ec32028c63c85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
70a4865d47af7f8571ff43db24525f46

SHA1
faa01787a74dc7478d7639a0b5f7ca072364e735

SHA256
b1574d34f6afeb630b55c31acb897a0e8651f73771a5145acf33647687780dbb

SHA512
89e7e923e4f039a0c4b2ebb7e9b8158b2077f8e06411bbace5cc9d90b48ca5fa10a6d1f8d87fefd3f79197714b8d0354d80bcf734a206254eee463d2c94273bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
bc16a38352d263b8729f759126751737

SHA1
2325141ce486a385f31aa27b7592f17a3b2a37cd

SHA256
e22610f4a2f50127a58202fd10c08bc2f346ebf45e6f3ee931650d39ca00d89e

SHA512
8bce10e9d5e68f0094d815ca639b121944be450509e3d5f1d2033718dcd4e439338d0e44e10ad900520c8c832ca6f7f4c75dbd9ef2968ab1b7493b0e505f8836

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
76c6a797b4df9b3d696cb657d02a3642

SHA1
6b5eac4da08912d3bed07a79392ccdd401a7a7df

SHA256
a165664cdc4cc20e93d604ac38dc561be4d3e9983c220cf8925f53e85d905385

SHA512
bf5880e792882597b7687b24ab0b166a5526a2ae1ec5ace379f2f35560073207fb2eaf928d334fad344ed0206923109a77cebdb0c1d86e19c8c5d38c5a4d3425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
d6a2ff96bcf8d90f5fb68f46c88bf67a

SHA1
d5e4df79edc1a5325ac69636ceaca367fa29df51

SHA256
0e8163ab49c28a8bcb220f96686a1129f42787d473aca0d4eaf302f6755fa803

SHA512
0ab702825d0b1821fe28f9c27f03d91f83a2651a67f8c9640619e3427e4c516639dc461b8c0ec1e71b9e871d26b32976f6fc635cd3e671bd2463b13e31bc15d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
deda05a6f0c96c74a00d261bd4b05d60

SHA1
a0f93fd9d54aab61bbf97c6645d806ea1bf63363

SHA256
725c2d9f6bcae45478c97c44e22f36cd41de02d9707cab3c739f4e8961616e18

SHA512
de196f038abbb9eff8118680b7ef18d3a7bdc8cad9881d395bf0822b8fdd47da96e858e4a03e5f4499267727353b863514c6025a6bb5334027f6d049b54c684f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
add0936e7c78b34bd9bb87a20ef82a57

SHA1
347e0579f368640798286dbf58aff6f3252f9a38

SHA256
387eb5c47350e99c3b3847c5d6f7526338b6a4159f6f1b384934d0c763b5418a

SHA512
331bd8f737d2d1ff70a6ef28707eccf4eba1d3ae10e4d23a74a376a1dfa98c81f26eeb0afaeac1f5db824fa4140c7322fc4d195254665f07fbd2ba96d1b4e787

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9c967415664f11ab7facf58147537484

SHA1
6fb933c9e5844eae510e71b32c65f2c29023f137

SHA256
5a22169500a2b623fbe3adf7c458ce3b6910ee547ba13f8be6a5d4a6a0b3896c

SHA512
8d36da1b143861ac3a51111d879d4f6b220817b9340c27270dae25bd5be6f0ecaa4f8c3e322d3588c75f49a796793ff3a1cd9f83b6d6aacb5c26509938f2e7fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
a8b43d3372caa54c19ee16c2329af169

SHA1
1d47af8a1283cce1c745ced198977d31c457d8eb

SHA256
6c51c52b5296329ef845735e6bedafae37bfe460fa71c95206c307c52de374dd

SHA512
1aa11e3a1a070658bb2e54f2ee08f88af4b7a8d4f07acf34ec5126386366c184519f4ee4d743afa9a086ee463a44b6b9e4b1d3818d01d7a583b95db3e17a2233

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
7a884a3a49a6c8413ac7dab0b2fde283

SHA1
2565c84c500fc7d9fc9f20a6063472a75a9f3c06

SHA256
2a019f3477cddb4740ce311ba818165f707331942f12fd172f5a2c2877b2b1ac

SHA512
68bda0427dac08bf61dfc59a8303278b0307bc34c51696457dc793553620d8b06f4d7345a0509eb540e7bed688ae2ddfa3ad13b9dc0c52fcf6a6c61e3bc83f7c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
f6ad41190685d94af605823e7e2c2912

SHA1
643b99d527b62f5d7d320b7e1d3c8d6d47f1e8a9

SHA256
132a5325b4a4cc177e5d8d4540a3a6a2faff404bc5d7e637d8425a65ba0970dd

SHA512
d01059a35a9cb668349dfe8e384d2981f8af1b0ce5c09c5a8fdca2025b6da9720588e458d41bb833824768529f638363d60f875e92fd03f4fe4350ebcb098618

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
92658c6068210fb047a9e05bfc3b612d

SHA1
fec362af3d7d7133af16b231aea99d9d9b90066e

SHA256
5b21ea8380cf02680092e18002344281092cbd26fd6866a71503663411949c94

SHA512
ee4c1a9425ba6fddfd570f4341a4be17f14377b8cbc85d6476dbd04654c112d4eb38572b4f02617308251f9d0d326df75fc623694b75f869ef0a0587a0c26fce

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
5a3580383c637ec63c742a82c22707c4

SHA1
c9f032d5b9981c91ab1c2469b6a8ae5c039f2b73

SHA256
3b8af22526e6b987bebb90d7a0b132fd63f47b5e02db837613809da08a934165

SHA512
43172c9057589eae637f6b545573b3212aa39a536f2d4ba99a49ceb585129b0ee2ab6a34d236418ffb80215e65dbc15a62b0f48aaa2b93619fd26ad00f873697

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
ad2332e006175ac7a7a3bfd9e6437eaa

SHA1
bcacce23bf19d522df1db1cef118a80ea10700b5

SHA256
e6bf8d0481904cc0a877b674ca2c42abf933a9a22b80ff60fda82feadb383740

SHA512
cb2e17956342166435d3a669a641115e4a14e3f0db2db0733f9bb8bdfb0c068f93aea08fbcaf22f376c90a9e42481b0ec68105f3ce885459951983d16a2ca6eb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e0d3d634b308b58e1252ce22cee02800

SHA1
a464bc46b7912b474b9cb901d5c46f20fb8fec36

SHA256
4d045acf50bcb235f4531f978d7aa662cbbd4ff2680b12e77435cdd793bd30fd

SHA512
b2bb14b1b9ac37f229e380816862c9499196236753f912f3cf4c66a05c48e0c44efdc64875f24b39bfa6922c42cfc4a2b11d6cc9e3f57c66df584ac2e9d023fb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
0fa62d2967de58a379250be6a3686726

SHA1
2c1847210f73b4941bb67022a7906a60c46620d0

SHA256
f5b93f107790ec0bfe54d19f6097d84957983409db733c99f8a9bf413ece1a01

SHA512
37d6e6698310cedcbe88d34fddab58af124781aa5b3ab870bcbb9cc1cd9b91313417f09b4e2f0007f8d33116c14a358168e072dee328375a30b23ad1b2dd5b6f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
49c28992581d9a7dda9b0ec0ebd4358b

SHA1
e7c7967c75cb1d9f4ad773122a6a28e9b74b1e1b

SHA256
ab06e936dbe96e640299bcac0268a066de8ea94187973d06b43a6e8f00b3dabd

SHA512
7da422a2c86b81ad3eac306d7b89e621e718bcec218d6bad3cafee7e4102b1094e417790d43b63d32862cfb6a61561a69b9b1ccc7cee56df31b90e16a8b6370a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ba9f1dcfd8244f7456cc78ec57e345cb

SHA1
bd48d7a80d875d65bb4460a9f86eec9b739ba41f

SHA256
7662ccb7e67193ecd4b559eee1fc91775224b092e296f13917ed549dee49095c

SHA512
63398d2d8fd66399bf7fe39ec1df0a28c95b91e3e0cb2e241744aa7535af5fbad0d6142433657ee953e04b65ac92ab40ba98f1fdd826a9058801a3aa4aea902c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8cab97fe98d9b08f112ee9553c37dabf

SHA1
80f5c03b619be4b1ceff4a207ac6a76e9b97cd70

SHA256
d02dfc9b8e56f1399c19c96951ddabb298d75c617e0bac74951d04da100df85a

SHA512
948691278be696f9d46a6bf2944f514cf7ea423ec6a6f6db514055423b9d5e023da8656e4ce90972984336480c85314680e7d5fdc189dfa169e57b66f2028279

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cc974d5a5a2ce10d219eedc4fc33a70f

SHA1
25a542c1ee53b66e9e3641d41ea27c26a0cb8b38

SHA256
89d7f89468b3179ff3f002ca445e164521b6f3dd8bf0c1d10ef5722493c9545e

SHA512
802cede6f362f00fb48382a9a55d8f922101fb53fc7d979e9c519ffff6ddfb6047278c12c1531c44a04d2987b24f2e35c75f7c25a7a0970ce5e768d9ae5e70e6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dabdaad4264ab536e9f20df9ac1ee630

SHA1
ab25f34e78182a4ec68a70172bc6b5448adecb32

SHA256
11da43a43ccf4a8d2083cf3d6c5b05b19ae7a1126595fb9049069d735ce02ad0

SHA512
e2687d24da838c38fdc327e20c1f152c7081d881cee37e27cdb9006a90083b09e5ca0ffbbf5d84301ee6e9cb00246c00ef18be34d67769f6c98fce5b974967f0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
d33c5efa51f666b8314a7b2a680c1105

SHA1
ad66994c6610de726670d43ef511bc9305f8d344

SHA256
bf58b53352d19285052cd3ea85f178c98802d24f19abe39dce1805a468f7c693

SHA512
b2fe85c28c40986c0f9af1425c6575b7ac13d1ed4116d1234c37a42616f703480cd6d35216826cefc11fff759e6e7c299a8a9c4b456f0f2ffff029332e5c8f7b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9924e922eff5a458eeea1fb0422af59e

SHA1
8cfda600c972a2361a5496c4821b1381061d8b6f

SHA256
f984c935ee35fec3ae42fe850c4a849615a5fbe316a6ebd24c312e80c5c1f6fb

SHA512
0b9fb83cfd7d842e75a619043f361cb433d30b20b1ba42c60d22a5a145426b9630ee0ddb2ba61beff488d94f9f4bc7a7ddd05f0ac88e135cf329a8b7a17f7c40

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
d8407109ac8f17bcf47d8c08ddd2145e

SHA1
2cdd60b3252e4fb2a2517df9ecc84e235ca542a7

SHA256
d25b47c13b78ee37ed640cce912772860bb3fc0801963b0b86b804a3112e518f

SHA512
3af65fab7d30396fe2f4c490e7d50070742e0c8ff504ad452955d6e47a2e7e07c39a25155f9971c3f50948701db74442caf58a6725c98673176ab7284c5df1fd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
ba7d2d8e30fc60e4625224db0aeea0b8

SHA1
fdf527d72c7e812c852ba5650effe7c2e7377eb9

SHA256
3488a09a534528d15fe9379979e72a44972595d8a816bba576f0e6a2ac3a6011

SHA512
fea035378215f0eede962dc5ffc02bf9ba6ac4b23e7e6564ebace6db480741aa186b0f562c327e0000b25c6026b62cda826185620e9908a371a0e45a9a99810a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
80e9bceb631c645ddbf4e74dc626c966

SHA1
34b8ca1a104289214fbe1d53bcd968c900d90cb0

SHA256
d265ac3da74bfb3d75d3776a5221885066641b75fde8e806f29ae87313036f23

SHA512
22883ab59ae891cc17bf52ca4139e4f69c9c26ac34818ca0b8b6723676710351bd2f0b75b0430f5bcb44795c3e8f44e42183e9e617c2dcbc0a5e19f0b34edebe

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3b0f725013690c9653f18891bdef3d7d

SHA1
0f80acb298d7c2cfbe4fa82f316c82d9d1c24717

SHA256
76529c7d13391b3e14dabd2617e37cbc3d2a0cd1ccad280008b0795e5f3e87d0

SHA512
118d2ebba675ba756fc93d5549e98d9815284ad3d55df91777b50ed9b3047423819a8162bc7b3335a98ab0770194f770bd1c788623c7a50723d0e1a42bd72701

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
330ccd6f85a87970b8faccf787699b32

SHA1
9566fa4ea5146c0270389d63f670121db7e5e3b7

SHA256
1d9c0112f9b7f52c8348559dbe3f3912a3f13ec3abf9dc3b05e37feb66cf0aac

SHA512
b3073b4d2cdeb861adccd27d5b19802d834a77130b7038a836e6b1b8d61502da4469658ecad73c0ed7ded95c37beb95ea8bc529e74847b5fa9397f81a0540a43

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2eef939c33c1108107828b1bc42e9902

SHA1
42b34c4a4550c236d64c5815a58689b3e485dd66

SHA256
748865dd3366935b06a2c172fb9c6916d770f9a7175f2aa8151bb8427093f06a

SHA512
6505e762779de8081399154546b103d0356904f21e5e7a007bad05c56b4c29d5544071c3b9213fb06b367b571522acdbd2e4bc70b7afe40c0a3d3b8ffb5b89eb

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b18da26daf4dcdc1fac927111c4244b7

SHA1
acb0e38b57be8bf19698227bb54f7dd1a29a9c11

SHA256
e34635bf34abf2e92f2c9c97dfec7f4fe62c9b5de780ec8334eda20949a7f3df

SHA512
ac6222e75da6915efc0774229ba416390f9199f982662bb44779a58322c1e8b164d6903c33ab69d0c31f67035eaf917d12c1c8b0bb4d151e0f0d31f867ae8f1c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
53b5de8f295b5a6e88d478bcb8bd493a

SHA1
c791caa48c5d84e2cdd343ad1e33877e41148496

SHA256
525935bea2891df8194e9583da969efc39e7fa43db07f9df724ee87d2a26cf8f

SHA512
003680a802914afd0ee727b760867101c4bc7cf761f71bedc565a57038d671c25f362a1fd1a0b6f62b7873e4821c556fb1374edda25881acf5ede849d64d3166

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
eb7ca16ebe2b91744ab55c442779e6e6

SHA1
45f963b5f16800b75c6faf0ceefad7724c18cae6

SHA256
3342d2576bfa63f23afc33f71ff8dc48a4aeae551bd8a573e574c35778e24d25

SHA512
182e6650fbb7c066c090dcc8bef52233c19df64121ef2c6c99c287a421675838955754c5abbffa7756526459f61868460730354ae3d42a377157b96f374b5d81

Download Submit
memory/396-40-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/396-1-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/396-7-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/396-199-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/396-0-0x0000000140000000-0x00000001400BF000-memory.dmp

Filesize
764KB

Download
memory/396-54-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/396-38-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/396-53-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/396-52-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/396-39-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/436-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/820-532-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/820-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/904-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/904-527-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/904-56-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/904-62-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/920-202-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1304-203-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1412-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1772-35-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1772-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1772-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1772-522-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1920-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1920-205-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2264-275-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2384-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3700-78-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3700-530-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3700-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3700-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3736-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3736-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3736-467-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3736-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3812-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3864-201-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4020-64-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4020-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4020-42-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4020-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4020-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4092-271-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4148-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4148-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-533-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4472-279-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4524-274-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4852-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5052-81-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5052-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5052-91-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5052-87-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5052-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-273-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download