04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Size

622KB
MD5

0317c84292dea03596af1a3490679410
SHA1

af40af1d31cc45b97b75dea38aa6751abedfc018
SHA256

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6
SHA512

7da1a20ddec32ca22fe1c6a5aa355072aa8c52d7db2f2699902ea5bbf318d1e5c07171f3356858467deee222d4182591f619cf2881b87cae66f166f0e275bb48
SSDEEP

12288:tuWSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:tuPbl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2628	alg.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1952	fxssvc.exe
2072	elevation_service.exe
4884	elevation_service.exe
3396	maintenanceservice.exe
4508	msdtc.exe
1852	OSE.EXE
5104	PerceptionSimulationService.exe
3876	perfhost.exe
3732	locator.exe
4972	SensorDataService.exe
3828	snmptrap.exe
3264	spectrum.exe
632	ssh-agent.exe
2680	TieringEngineService.exe
3144	AgentService.exe
3980	vds.exe
792	vssvc.exe
3664	wbengine.exe
1540	WmiApSrv.exe
4236	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8aa1957c293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe

Drops file in Program Files directory 64 IoCs

Processes:

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe

Drops file in Windows directory 3 IoCs

Processes:

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef3423ceb3abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc9ba9cdb3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041ff8ccdb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4a838ceb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdec79cdb3abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e899c8cdb3abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004afccacdb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021cd7dceb3abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009290a1ceb3abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe

pid	process
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeAuditPrivilege	1952	fxssvc.exe
Token: SeRestorePrivilege	2680	TieringEngineService.exe
Token: SeManageVolumePrivilege	2680	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3144	AgentService.exe
Token: SeBackupPrivilege	792	vssvc.exe
Token: SeRestorePrivilege	792	vssvc.exe
Token: SeAuditPrivilege	792	vssvc.exe
Token: SeBackupPrivilege	3664	wbengine.exe
Token: SeRestorePrivilege	3664	wbengine.exe
Token: SeSecurityPrivilege	3664	wbengine.exe
Token: 33	4236	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeDebugPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeDebugPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeDebugPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeDebugPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeDebugPrivilege	4880	04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
Token: SeDebugPrivilege	2628	alg.exe
Token: SeDebugPrivilege	2628	alg.exe
Token: SeDebugPrivilege	2628	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4236 wrote to memory of 3404	4236	SearchIndexer.exe	SearchProtocolHost.exe
PID 4236 wrote to memory of 3404	4236	SearchIndexer.exe	SearchProtocolHost.exe
PID 4236 wrote to memory of 4924	4236	SearchIndexer.exe	SearchFilterHost.exe
PID 4236 wrote to memory of 4924	4236	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe
"C:\Users\Admin\AppData\Local\Temp\04dc40556871b6616c8237a4f62f17a3b8fc6871ecd8d5c7a0934dbb03b7e3d6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3404

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6a3e5c0f44b117b60eba2faf8d632f3c

SHA1
715179b26f5f30c953173ca93a3188833ca214dc

SHA256
187f98d331815f53f0fde049808eaad32a2d60efef6469d81364cc3962930264

SHA512
fb093717fa8938c5f3af39fc640bae8a2836fdb6dd1cc57d37db019ac140e68582f1ec041e65b87a40c079e2ed84cf54a829dcf696e845748692d77e9dd42158

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4d607d3f0ebc0e923538b3b68535a3f3

SHA1
6f368d678e79a7e648ade4ca81debb7e5ebf166f

SHA256
14e5d1f4c8dc681348edc106d90ce1052c08a82f2fb8ae2ecb0a68bc022192e9

SHA512
a3f241e27dda251f7ef5bd900a4e653c4efd769d5a24c86e6f78fa11f5b2f494112cd5f3f78b39848df78d806d1b40f8f15d65380ef8c89a58eeb48ac7a2cbb6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3bd1ae53eff9cd969683e788f225144b

SHA1
2c001f0b217683b0883d167e6188a281c7ce3647

SHA256
4a36b3cc021ae87bec48ece9889ba7e79319924bb5d0c96e81632eabf0a6122e

SHA512
2233fa9c527e87b9ed992fa5a8d1b50386cb373e9bf45a7ea220d66ea1dd6762fb318dfc6337a44c51537a3c6d448bc81bd6f741e810ae41d081b4ade84c4a95

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af0681145d5326a5f792d35cc4f91851

SHA1
4d220c911ab10f6d438a5fea620791e0140aa6c0

SHA256
41b1392763be6ba1ff3e1c0cd8e0f76657f0cc37cf23b0d36524a2a88d236580

SHA512
f9b5891d30f1668a48178b3907699c071f2e14e975821842299e59c540555b869febf95b7870e6e8b32521cd3793435c7d17e81949f571c36a03b524c5300f6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f5ee28db0923eaeecc3d656de694a10a

SHA1
b57e906db51c721b473540fbdcd4debb2b07c9d9

SHA256
b12f427c9642c4bd2c71796cacbc5dc6f6980cb4c2d163be2145979ae4118bfc

SHA512
69e060264feb3f49c309992eb35dc597e670c11401bea20d149d52f2546835cfdac2362e12f1d399ba7bf550b9dfb5432eeecc1d501528585e0d737d6a0b9ed6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dabc909c2a5a655256fc64b0ece6ed8a

SHA1
0b58855a9b10c017e6798e2a9d5c5a31f01df155

SHA256
d59d629655948df7c8766384b97caf80ee5d860d2ebcc861fc573f3d1646512f

SHA512
46ab86b7ef7feb6f75c956314b092f7583d53dccdb610625b50493a4ec986e6821f1972d63dd0d71bb80a7f3f782df2e62a64e64811ecce4d1e35c9f72e4ee6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b7b4d29595dcdbd7d8a0ca85e2bc1a12

SHA1
d32bc712aeeca5ddd26a8b09fb93c0f23abc45ce

SHA256
1b2ee1e48616c9082ecfd1c51eb61f25f98ff8df93007b8af00ad32902912a29

SHA512
74373b196e78c6aa06c603fa3dedb787b7ea97e2ea372a888a152e3c4246335971bca162aa3136ca8989619b02eff215b3056f2fb88ebf6bd9a70e5b70cddb5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
54ac3e5fbac45d12fba2915984df32a4

SHA1
0026eb4920784935ae19e56ff386940c418ce3b4

SHA256
ed70f7de96030e59260fc790d2e484b6910c7fb5b5b83177c40c35d9ae9ccc35

SHA512
72711616db928aa8106603907702b20954aee4670f9d662e57103590a57ba7f716ddc3dc9cbc98db03fe46e2a0ec2b5384fef195c395b23dc398a276de1ff920

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b34544e7e1b387d6385e1e9cdf9480c7

SHA1
d2ad591847393ca3c6281f744108ea9c5af26c9c

SHA256
a2814dbcd262d1333c3935452598901ed012700b7f2d11e20470a6d0ea83e0d7

SHA512
7388604a916efc088c415894de6910b2ac9b8b404e35f0c396b5646294597a5663ab00f9c362b5d05c4273d087858fdec09158d0eb8b1150bbcc9f8555fc7fa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2defff7b7184d11729417a8467ba514f

SHA1
239554d9b4df3a91c55219cf0f7b6960e2400e92

SHA256
05f4d22876d09c9e53c339130b1caff2a02cf111a7e1e038df4a6404891207e7

SHA512
e206265721cf2044a32356fc66f77dc57c00ba1c1c2f6d3676f9f3d95238176fd76b40780b86b692d7c2db3c08427a8bc991aa1fb744e8ab2c04879dd10b3b65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e0e2b3e163475d4e8b810a259465c7c1

SHA1
5b864d54a5655c769a4d2c0c7799696cd4574724

SHA256
27edc694a2b58d483b19ee75a7c455ae8c045340753d5c619f97a1737d36be65

SHA512
7d2d348c71618fa3efffa6fa3b8368c0ec6a1eb5fadc85cbaf33477451ae32179a62f5df7a1efa667b90854352f256a9972cb64d04e2e764152184f45d919d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e6636c5dc79a03e5a89d76725daae221

SHA1
cd4ad6a1da573e1960fd7ec13e8c08545e1b7c85

SHA256
995e10265ae0b96f8f7a0511a122369be6458705bf413b091cbd6af9c6689ac2

SHA512
59c5e95f455598e673d68ea0fe137c67f9b77b74e4151ef9f589c877db8ca9d2697c607fd350ae7d532ff85524526d1d1626df534b8eb50fc54068f3ef2fe5b6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8101e576b46af006589ef8afc6e667e3

SHA1
6a1ef5f10f4868ab7b75d310d657df6bfd587d5a

SHA256
ba22a04882d0c2e2addba10d2d6da1c21d2b41d0a06dc8d7beea30698f524618

SHA512
49d962a3c302d1bde15cdd9334cbc2065b7ea1492b0d2209dd99949bea74b0d8b8e1eeac06384c2bad64095fade703d5bca162013b9ae59b874c8ad4d78818cf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
23aa5e8c20f7972e495018f0757cb97f

SHA1
575c124b6a1eba8197a60475c4b2f095f9f5f085

SHA256
e7de7ffb422d35c1b2db55bf9c13d73056aab94b122ab6acef55f7977444cde6

SHA512
7c57e83048a9c1d8dcaaaa42343276bc77463a4475840b226879630c1578bec5f114a40e6c906bf36b881457b0fa03bb3bf800ad958fdb26267816157e09796d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
27a5db44ab75086aedbc7d87f98d8170

SHA1
20b6589e51ca11c50aab1ed0516f6cabb2130b7e

SHA256
edaea227d8331e435b54d41ccd276b43dd2bdb864a7089c67b90c15421d3add1

SHA512
a308d1cdc09f9f83652e119508b993f6a91f5a9823e6ebc51a36ba9f87455ee7cbcccaa19f6ebfb89d557e3ac3c7287f18149fd8dc75adddae4f631e029a4235

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
31ba0900faadc36b3e19944c3f556fd2

SHA1
86363e072ef03a621f56d4fc5c017b2c01033ec2

SHA256
aac9afd28a5df581bc64353c7b3d9fe5cfde15c397ba203a2d73d409f796d0e5

SHA512
46bf5a8aaf9b412292749c3444d582fbfbdb62a2c0ff446917ac42c2a07dd2f6bac967045abef8f11f18fbff9f95fcfb91e66d8b98ee510122e7251852aba74b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
541882acf0d4582e1535cbabbc62a626

SHA1
0dff490a589464b5273e5344d5d59713f9ff567c

SHA256
922a5c0a816946ea33303d5e6a108bab04ad9e5b9489ad827aafa8a82b593d8b

SHA512
acf30938debff2ef2baff4b5bb2749f4d8d49b9cc9d4393121c1606c8fdb7ad6aaa33d711be64ec6ac14b2936060a7c407eb2d9318bbf04e49a4253e46d5b0af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cc7b306d8542f6335d996999a584d1f5

SHA1
aa3d772698247c576d48430c3eb50d7601fa69c6

SHA256
f6a601308de4b05816c89a313ec044051543fbab73828668259293184dc8489b

SHA512
f022effc1427baa440c88335d6bac529d19c99afe20a421a49db72f33d40cd621f9ac10117028de2e814e66d65fac7d82676d1f9dee3842ccca99c378b9cbd8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8cbcd183b080bd78608947797e4332a2

SHA1
dd3a4d45df111303ef3f72c4cd1c3481e64595a7

SHA256
2ce2b4f61dd0a7d1da44c725dbb6226faabf1a859052ae365b63e9493a90d472

SHA512
46038b45781e5fe031898536f86ab3a51bb99e3001711e795d53cadcd683ce33f8e0d925587095503959ce0b45a700b9fc02dd789ca116da4c762605e15993d1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c608a14154ca4b29b257da3bf17c09b7

SHA1
07a424b96485fdc4c3c888ba4b65ea681361c589

SHA256
d9a78a210d453c889debcb946a1def13ad9082f5e51dfd3e5eb58d3b0eace678

SHA512
e1b3489e54743d3476bbeee30ece3471077a4ca46ca86d2a6d0447e8879d65e39ff2280d542bb9495f1d435282d4c093f9fe497aeef2333c2104f35dd012368f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4512c9757a3c94d0d6b67f2c43ef5303

SHA1
319bdbf966ea26e8b42d6997d7cc4fd31661f393

SHA256
4df49e816f1134e2598add2b48f6303809243c17f726c6f136aed44d3e48b92d

SHA512
afe717e1836172f56725038614a9fa2addaff3472452635f3e581178afb50e955f4ea0e132856af47c6afee40f7d994973bda9c45a5c0d076aa145959a7071de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
032aad80e7ff23c79ba11741e7a5ce30

SHA1
1ee78b03821aa53c0b35a91b3e4010354b127ea5

SHA256
15d4f2caeda8b7ce8a7ac22a051d12140bd3c23d4ae9c9d07a875e801ed1c629

SHA512
f4a6c326efca76978bca8053d9946e547a66db576c6efbe48bea39dd3a18d83ab2cefa00038bd5db766294c9115349cfc90759bbeee26415fc7e585d1c07f71c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7705eaa8ca7e9155b1c39279583036bd

SHA1
829115285497d586bcb74b5494151f476209da2f

SHA256
9b10c0f183c63b6add1a997f919b1c5ba64d9b29df1a537f4e1f471f609f6fc0

SHA512
eb772fce07430144da3c33c485e8c4f02401f3db686cfa53afdc47412d2868db6dde61d9ceb42abe250b398a772a0fd1327fc58365783b9853b98ed6ca28d1b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6ea03b4f5ed99ec581fd5937422ef24d

SHA1
b9491bdd824e3f3acda09c39b80a0c88da2db663

SHA256
509c85a726ff0a098becd7f4056f1e10167534777a42b48936d6385787bf8bbb

SHA512
86c496585e2239f6f6235d77e545e030c91ee859cb4465598b372f236c2a0d6046493c76133a2fb551a9ead8fe59344e8f8d6e9a2cf3a998412b6191c4aebc47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
75d3bb7bdb46e9345888f2c86723bd12

SHA1
895a9925e90b55eacd93a9aecfe54ec968313950

SHA256
5a4be2b1bf0cdc7769ce5af592307fff5e6584dadc946f2076b19fec42d0bd2e

SHA512
bdaaffee8c9ffea8471a3f34e1d473303862425aacf841997ec49d5f98f1c30b9ff2d13e6a39d8a130696cffeb5351acaec8e423a6f1dcc81d475c1cd093e955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1a6f0b7953e4d9559d09e3006d00b13c

SHA1
a373e0024eaa0c71e9ee8a4beaf600dd79d00590

SHA256
b6320de5b581c21e7c39b005cf48aeeebd4b70ebfb77d3a02eba140da1b3b9f0

SHA512
620e3c92f406974ee8bf4236ad38450b5f355b1b049484c4bd8cf3f8a4eb8dd82934017c78f4902445b9eb77fa1d6c7c955be7b21d3f48f94d84b0b42ceb9a9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2f67769d0dfef3da9b580c67ab8646eb

SHA1
05e6fbb49efed5108fad31fbd5c553053a4fab7f

SHA256
15f97371ed4f2a62c09626defaa5478147604ce9d802c5598d479d8c9f06ed7b

SHA512
1dcd5f53b2b0bed53126ae7fe1a8e281713e32380af352765792b100fab9aa5b3c7d2fdacbd6bf466ae46a02b380d6bf3aacfbe906d24b91ffb041d0cd9630aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3d129db412272d3cbc17bd33e9c026f1

SHA1
4efdbc4c9b7b0acde7b66d22782dfe50d0314b35

SHA256
ea208262b088f4efe8aa57ce76873d9dc55bae1927a044fd62e89914d0aedaca

SHA512
0fac97ef3561b113002481ea8c02dc82e4958852dfd885c2323beba30e2391c113fbfbfccefdc3954e4cf5aa6ed98515a5511b16c6323f03c05be08232ebcad3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6d351f10dbccfd115beb49512ef43ff1

SHA1
43682e81d50daa98a8be7e50a9e2544f7fe793e1

SHA256
548d20f364d08e08559576dd1ffef5a8acfa1ce6385e66b1764ea91e34568d2a

SHA512
6b1d394f16db55e83dd40b64084f90450a3a311403573abe7194b55fc30f2b8ad37a0dac5f32ca982e56299b8f16927fe42010b3b04ccca7fdf35f3aaed225ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cfa3d1e37028dbc0d6e260975cb2c0c8

SHA1
d3d0a0911d0f396dd0a4b3cba937fdcb339ba2f2

SHA256
74c140d43443d85e4ceb77722f9eace26379cb39675dc6dc717b69a66678c368

SHA512
3ca23a31448f8915b4abe7d1d82534c35bb4e63f52be25ef00ddfd2deb23c9000cb2cc73a9e7402006b7b1d510e4f5f1624293fce59b0cfa045285ee3c723146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d3d0dcbfeef1843ce5654fbfb77e7bf8

SHA1
d4b89a0d08bc77ba5a2dd00ad194bf97b38a816e

SHA256
0c301ee760c059f5f4ec05cab2600ec807c77e1aed381745ddc8b4bd2763f6bc

SHA512
efb9e8cc8a86c916d05354702109b77c1979d9f092a6582d159fcc21306afd0a93f225d4a0d132ef0631b4bc1d3d0119379ad44cdf7284e2c73bc4a285658984

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9d23a4763b65bf611cc1b9dee1fb762e

SHA1
834033ba525de3d56f8d5b641d17fd8c26b943b7

SHA256
89a0cb44b86c98bb5b5f9af8dd88d3ba0789b164b131817b04f2e6608d6bcfd4

SHA512
6c7cadba96ea31673fb4d05b6c58c240a02cf02762ab0088489b3fe8c63a98eb7f80ba83b90833039691857a620efa6349e3970cd927c82b187c97da412f6b16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3c8534fbe2c0e9ca17bc0251d38eaadd

SHA1
32f812864b6d285bf5e9f41905f3552b2b315bc3

SHA256
3dc82e7cfdbea574c04545d062e359914b204371e1e2bb95e36938e5fb28a057

SHA512
a4d7158d83b62e36c29fa9377346417febb48703c77723f91427a27520d0713a9a084f8f01ab4aa5aeaffd0206e660c1b2f6bfb67f02d3fe271012eb2e10e1b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
55681f71e998503794fc43f5956ccf85

SHA1
e5badba239196aefaf7474ca7a5248fa077a77ad

SHA256
93cf062a5344af0948594563942d292a158519b46a8b7f6107fa487b1b82d360

SHA512
3e7d7eb41db011acf13de7b72eb4abf27e6bc6d941397bb1438afa412ac0891af483a8e33952d164e2acffd2337bff13a88fbcb38f9ea660a1cb52bfbfcf0475

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
14d9007ad1acde403d6fd9b4f06f8eb1

SHA1
ab8bf69ec82e868e24181d3eb611636b4f40a101

SHA256
3bc3066965da596a249774560e234f6c7377ec8fe60bb43cff27e6664fe97910

SHA512
b17e2be777f4e7b09bdae810e49cd326e280fae52e80da979af1858b284f359a2df98148f87e17ed9bbc1017e7f4cadfc5b7cdaf367d7e39bd40076093c3fe95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c562a2f81cbac5da05542790c2f88efc

SHA1
949d274b14ab03ab51e0b9f9012df9725b933767

SHA256
31afab4ed15af97742c2889e2533633c52e5ce77005aaca6dc098a8a29f287fc

SHA512
28647055efd967f5ea54b8227c6dd13e82c45267d00d112dd81d241a98d745a1fde81e226ca5c5e87dedfdaf7eac942883f0cd7e48f2080f7516ae74fd9cbc86

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
16098da0573a3910fe80dc06e9209a10

SHA1
36d076c51fc619582465713bd4519d3ff1b36332

SHA256
7114de6b7cbeee320f9a5eb27f7e5a6950fa0d3254949443a0570fede6bf160e

SHA512
989f470487f4238b68e699de06698c399abb4b30fe5567f3b4c17f88093dc971a9074bc0d668709ffa8457a2108de0c85b5b46be0c88764e238aea03cb73764a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d27d128f30f96793f0cff20f35b7aea5

SHA1
0fd70e1559f478ec51bf65e6e915b5d8ac9448d1

SHA256
e771a5f110453d65e1a941ef3c3dc335b0d6e9f54972e9bbce5342ba4014c819

SHA512
43b01a947ca7be165af31f454b418210d27ab5c07165e312944314f96119b1e86099cc95eb9b44020f0c88ec536dd908c68bd5ca722fc2b1308bfdb9a6dcc1ed

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
60bc7d8d950e0412348ca5c6f3260e27

SHA1
a2140f46c3d145ac0fd538e5f8a28d01193243c2

SHA256
158be8dfc11a82762d9e5d57ab0cddcc60aa742526273838291ee5479daa9187

SHA512
767d5fc57bd29f386b88ffe1e6528d4fed30282e69dfc6d48774cd3139cb518d7d4aded48b42b2d8f7d4905c698af0fca9e224670a2fbef93bcc62409dc09b94

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70551d5e2b6c78387b14a8ff1fe341d4

SHA1
9d0de3aaf3582134a9b8ec2ccf02c9cc037f24a1

SHA256
b23b01dfaaf02411f3e07e4756331648c7cf6fa2611f9da662e48e159192e2e5

SHA512
387c392d394c9931e581193e5bab145ab582f1b51ed3a036ce0f21ef781405d30cb7245db33a8c740d00454f0ac60811a607738f451ec0194158c8bdce2d7006

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a3cf8c280187db5a995839e9a5c6584d

SHA1
9710aa6064465ce7010af565390662add3d6cf52

SHA256
d2ac765126143c5f83892d8cfac6339b26d61c658598081273a0ac10b3f8bd93

SHA512
5b7ea07db6b68e00a46a8de0add91961e904cf9903fcbc540856d7837b28dc8c8964a66f3ec6316429c037b043e74c1e8f668f9f519d0727ce7ad865d4343d78

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
15d028f1f3fe96ad87021f923a468b54

SHA1
9ac563d4a399b20154696b324f0ee94016f70368

SHA256
dc594fb57d72d73fa2d8643b2e0affe389cdaec58a76b4e239b8d39afa0a7c11

SHA512
32d3233517f18d6f66c8e0be942f684a6eba8f7aa8a46c101ec80c364ae357acf2310356885f16d2b03c98fd147df114baf006bfebf2b30bf61fea7e20f81f0d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d3105549ad57d2776c92c737fe7f915b

SHA1
09e657283faa9b2d9718e16decdb71f931251950

SHA256
8156f11ac1466cc4695a5a82a123d186e845b996c27aa3a7c670947c340b80dc

SHA512
31ecd1daf9b93f5c6cad2f8a2cc042b1b1198dcb406aa0782bf0a6aaf5396d134b7d7b4e19d8213ca801d6b3365a5fac7cf2f220c854defc851e03a314092883

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3ab9004ce57e499384da4af412677e8e

SHA1
a314f403279a20354d60144a11537e66efd1e801

SHA256
a4c71a3a9bdceebf583bf783ae0d937c913455ac87843959627dc6d64903c956

SHA512
ada479a791b0c3c4667d1b6c9f0d16b009e75cf131f0c8222d7fc46f253835c081ed07d781addfabf2cc02d024235ef588ef586351b3e45648b0cee06b85b6a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
679fafd850781c396cd02dc21c266335

SHA1
160096f9ad1cb54d23d6244d9b1195d0392f9fda

SHA256
6fc8ee9b7d1f5e613e23e1d7b7855c36afd5c9d7d0e1134e0d550f3f5b7b1c0b

SHA512
b8380067da53210824c3a01dcecb9afd34e398c7e2f8911e3f4a49487fff79c87e26ac072b4ea877adfb69f4f919de892d644e0f7922d24bcbda14456039c2be

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
44d5500ad2e72bda36af805d7de7ab09

SHA1
8c587eb11bdc9a8eebf9bda53ba429e261f4d3a4

SHA256
15ee79a084218e3e6a3ad698f7c0eca041ded060186b5b5dc2cf7d759f3d679e

SHA512
ed4809084ebc133916f0c999068e370be5808cc7a836d607c1e265e0b9e1f40ae213f5d322f547e64202102c97c57363e17ebf0a4c97c37ca756d0682b4840b0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
29f58ca75fb0860e1a0e715a207cfc3b

SHA1
3433854a0d2ca98045a323686ab91ce8d37660a8

SHA256
c9b1ca2dc6c3a83900325bf0bdd806c8b299ff8a570640a6ca2a4d622ee9c1fc

SHA512
b12fa230dd89d990332d434a21b8f8209ba21d3b1cca02db3be782627d6cc2570f59eea20e0fd02139c18ae4cee2e9b2973ef7c23b42f7c1214d06784bd736b5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
70e83107ccea2587a524d6c234937738

SHA1
c779a9043302c5c3aae9837f9c66037aa3764807

SHA256
29adf63fcaced735322829bce41c14089e5c278402abfda05104bff1e9c7977c

SHA512
f6c1cc9592d8d80fb215db984928a41209d2ae327163166a225ca8b49ee9fea91a2511045f1ec170c46fea6ede1e239956ee7168eef0aa375313695160330390

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e9a4b1dea7d651b0b0583da456b13f04

SHA1
3c681c21a49ceb00ecd23e178b6518a8e24c7785

SHA256
df6edc7ef91297201e5eda128ba4934493d56a3b883d6ce6f7427e460b76ee48

SHA512
047dd878995eb822da3be960de4c6e53567dfdfb77d45355e472b0488a12371c31d89e02ad0fe82629723fe7155f692f529dfa17eba9232db37f4b23935c3d23

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
855d47f458506d73bc6af096ce1c9f14

SHA1
65779877260f5725192dd5cb3f082e3735bcbdb4

SHA256
9f4c6e2ef8af20b164f4b731563b38fc1eabdc47df8f82cd7152f8f746510b6d

SHA512
8a3e3d3a4bde0fe2e7042961b39d8f50a3b0d5389d4461e01e4a701f1bcd5472bb828cc985e1e51fb4a83fa69f5db6e8ee6d9aa549c1665f76d97ba0fcde39ad

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6b6cca7010dcf656827103fda109c0a1

SHA1
47025b8240e446fcdc39ef91181463a2698055aa

SHA256
c1cb45b550cd28f6d99c8ee39155c0b6e860315db48b9146cc2734da829ab69a

SHA512
fac6e660b4c1c854d5463b69ae75dc57a58a9491c4b67ead04ad0d078e7b5338518c5b1e518049d80ef4a7ebb0b4c812649e21de68f2aaf4673295c21a69e967

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f1f60aaf0047bb90744070d819e9fcf5

SHA1
3f62c2736ecfd5ddb097ac65a4e0bab90c769b07

SHA256
d53bbb05402488d2c62d484742352081bca41eb5b03a9e57e82871eb8fb03998

SHA512
1091fa83c9a6486835d471c181c0b5f1f3ef73401ba145be65f5d31b798927cd71f272dd34e1bf387e25cc208711105af96b42dd7c5373311eb2a516902cd692

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d9ff1b2f00390397dda500924d8ac880

SHA1
0aafb438bb3e0373812a8aec910d316e0575df8b

SHA256
5dbf7a3dc54d7c5286767efa8d749e6364103320d1daeedfd10040a386ec43db

SHA512
b5f8087b069458509ea6165b8691be0af7bce272e84f24ca57a6cc172181d8f2a75682047ad6530f09709bb51467fcc391740f6d87c72e1e5e488184eeb289de

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
31fe7b20a3fc8d12b2c721e6e4ec95c1

SHA1
7f7e21cc430f55ca0eb2b6331e045f559c95aab3

SHA256
2a4937cbcc9c0cedd7fdc5fda98a0b43ea07dc72c52d2e89c8c7fa7cdde4ca71

SHA512
888386708392c053545e7d2bd804f3eb0bd5c20b95cbebae1efd224cc3172893567df97810b589b662197f3258b3adf6fa9ddc832abac301c84804a4442ce9e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
773668e4f7576f1d0d8fd04a58bf2456

SHA1
ab662baffdc6a91d1baaccf2a42e1c038ced8887

SHA256
e17b89b4e06439d6e485f290e3af71cc86fbb0e64294bca18cff668192e21df7

SHA512
362b75358d349f7ec9b53f3190da1e782adc2cc61499d68ced5ea475299cbc17004d8ac7988a7db4a8f28917ab774e4a659d2056951ff9ce7bfc3e0d52421644

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
76cd9844f2bc8e85b945e62efe0a01ca

SHA1
fce77f9663b8d00851245f77dc69eaee9bfe6f24

SHA256
49a24662b400c22f3f4fabfacfb979234c2ce4073f90588a59c7868b6f14371e

SHA512
6352863e97f1e08026e3fa1e86dc3b464e1647a7be5916ef4bb33a40717140b7418f4c2723fc040f6b5059943b3bab4ea323ca621411cf101b2ae017565b9be9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7c8e7205f5b363d66020b7d323c06b90

SHA1
2020d871a681acaec88ad4614079063a4609978a

SHA256
c4b0cefd777312f4696d8b0c47dce5fd13fdf98bd48c8c89d573ab386ac99646

SHA512
195e6d195f06dc2affeb331e0d21a85371454957d23504fc1972f31b44f849edd5e9812912309b5a74dfce4178fa7cae23837e28784104c9a325d6ad0ac52f33

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b14ba1284d2fbcaf2ed4aa79ba503c98

SHA1
b248e97c8aa09bf29d0ce969a235d853029c94ee

SHA256
fc4109bd3ce9a2f84794fd59b6de2e0f493e2202a850ee7cf02f957e363f35ab

SHA512
6afe6721309b4fbf1554e19361734bdb1156ff1e2c9f7311e7113a1def3823ef34f6fae312ee55d76d1af45b9155c1ed4b39ec47617af04c6afbaffe289bd891

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e4bf7ef0f52136cbe092dcac71e422ed

SHA1
8478120ec7d8d390958dce01e20c73b98beb4357

SHA256
c6283ca082431514e2a22efa3b952889a08a3e24a04664ced6aa1e21c24714b3

SHA512
5b5fd018f6f0c11b32a668559951893b1def365c45529c528dc4b34e264369c63f9e8bc5e8eea63696ff4964dc0a4d5dbc74419d050f4546eeadad4beb1de5b7

Download Submit
memory/632-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/632-504-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/792-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/792-523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1520-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1520-132-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1520-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1520-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1540-527-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1540-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1852-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1952-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1952-50-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1952-38-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1952-46-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1952-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2072-53-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2072-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2072-59-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2072-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2628-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2628-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2628-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2628-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2628-129-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2680-521-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2680-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3144-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3144-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3264-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3264-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3396-81-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3396-75-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3396-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3396-86-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3396-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3664-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3732-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3732-133-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3828-427-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3828-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3876-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3980-522-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3980-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4236-528-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4236-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4508-90-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4508-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4880-1-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/4880-107-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4880-8-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/4880-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4884-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4884-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4972-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-471-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4972-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-128-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download