76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Size

8.8MB
MD5

9942bb1878603b8dc7d156237e1acad1
SHA1

380caf902f3a867736948a60150048b14b0ac326
SHA256

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8
SHA512

9402ef3ade67441d3c2f08ff76d1e4d1cd0f89b77bc7d2c9983d6aea3490353d00deceea6787eb1a5263e1fb492a03671ec55ce17937d18fab0a3fdc2e5494b3
SSDEEP

98304:9uCIb+VHJ2cK2l8bYYlQwXm5dKMH9LFjnxymZbROZn:9McK2lPTwW5dKMRymZy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1788	alg.exe
3892	DiagnosticsHub.StandardCollector.Service.exe
3848	fxssvc.exe
3676	elevation_service.exe
624	elevation_service.exe
4776	maintenanceservice.exe
4904	msdtc.exe
4816	OSE.EXE
1180	PerceptionSimulationService.exe
2256	perfhost.exe
5108	locator.exe
924	SensorDataService.exe
2592	snmptrap.exe
4624	spectrum.exe
4424	ssh-agent.exe
3624	TieringEngineService.exe
4340	AgentService.exe
4608	vds.exe
4456	vssvc.exe
1376	wbengine.exe
2920	WmiApSrv.exe
4812	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\System32\vds.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\locator.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f7b8ede7c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096222500e6abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000381d4702e6abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4cb301e6abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d84ec01e6abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b7ba602e6abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005623cb01e6abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e7f4902e6abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c8b5101e6abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051888f01e6abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe

pid	process
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeAuditPrivilege	3848	fxssvc.exe
Token: SeRestorePrivilege	3624	TieringEngineService.exe
Token: SeManageVolumePrivilege	3624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeBackupPrivilege	4456	vssvc.exe
Token: SeRestorePrivilege	4456	vssvc.exe
Token: SeAuditPrivilege	4456	vssvc.exe
Token: SeBackupPrivilege	1376	wbengine.exe
Token: SeRestorePrivilege	1376	wbengine.exe
Token: SeSecurityPrivilege	1376	wbengine.exe
Token: 33	4812	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeDebugPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeDebugPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeDebugPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeDebugPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeDebugPrivilege	4172	76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
Token: SeDebugPrivilege	1788	alg.exe
Token: SeDebugPrivilege	1788	alg.exe
Token: SeDebugPrivilege	1788	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4812 wrote to memory of 816	4812	SearchIndexer.exe	SearchProtocolHost.exe
PID 4812 wrote to memory of 816	4812	SearchIndexer.exe	SearchProtocolHost.exe
PID 4812 wrote to memory of 2820	4812	SearchIndexer.exe	SearchFilterHost.exe
PID 4812 wrote to memory of 2820	4812	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe
"C:\Users\Admin\AppData\Local\Temp\76ecf55bf3fcf8637a0bf3d03c8db796e980e7bccd980a1cd621710f9a8dcdc8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2256

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:924

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2448

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:816

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7d76c68f20622e57559fa75de065f982

SHA1
c0ee4270f08e3b4b7561cb6e20771ff9a51d1c47

SHA256
024ec8952f31d3fed41f27138603480e18b6f755d0582ce346cf1211ebcbcc11

SHA512
691b7e82b7832c5afdf752368854a0bfa248b4ed118aa70ac44a10ed56e64d58e13109d35193c0dbe606f7e6020c787c4ee3c4bb94c7044256a48e3c45bf6289

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
86fb8d42e346ded6109b93f3d8816fb1

SHA1
658e214de7714667af2e9de62a28d8e605a0535a

SHA256
bef889d62a71c7d0de9fa5c20c22f7fff385ff610fcd380e917c66d14f216b8f

SHA512
8542f5a91f2865db8df02d56ba4c92556f3ec5348639f376e72621b66f2ddbc4b8002dc2c1fef18df6a65b2de0952b7f03dee43ab2f5e605a76e874edcd53db9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
de78d186ce82eea04615189b4c795f94

SHA1
751ca775adf3df49638bd97dbf48d689fb098417

SHA256
f4a8d024c7d942ea78ee972ab959558ab30ae7de5db3e0d48ab6c2880f39c87f

SHA512
7e465cf428865b8a2887ae0911925cf9a4cf9c02338f0a47e1e91b97499dcc463b99f43334a379a077aaa0e2b013aebfe7e945437646ba79228831f34b0a7aad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1384ddb4faadf5d24da70aa941d19416

SHA1
3c4cc2917e49458ab7d1613752f6fdc365b5e106

SHA256
0240db9df11c68f309c43e4f0ca02fd5dc50e3296cb53548838a7f605f5c7ef1

SHA512
75e7ef147c2cd0e1122a9f8c5d2fa3b9b9e8a99df5c8ea415ce5035f3129c419212a90dbcfd15c30af3f63d32a6ccdc02add54548952f7f523ec13527bab15a5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
29f7151f55795469f42f537cd51a4a7e

SHA1
a1f59d84bdae5a7784202d41f815285e68b46f79

SHA256
db821c2fe28f157134aec37909af400ac6e59f0c960b3ed0aaa78da84ee5da44

SHA512
0ba195230f33e380586ab4950b3de155f8a051325913d93b013dec38d05256837d0fb6e02e6578273cd97e85a1a0b560084c16317f9ed724fafd646f592b2f3c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
e3bef6b2e6e8d0b5b1cd5c3fc4ddc2e1

SHA1
69a97c91baa3cec37b4ce506b762244cfe2d8bc2

SHA256
7778a6fe5c8b1940ff65078c227473036a3cf461f09b46bfb02db84fde423a73

SHA512
da6636230ad9b48068268b2e9159c8f5ffda47aab5010a17f193e2c110bd76fd4d974792d1d7929fde7b75500b16f93d5c18d8861523e86349c67e332b4e48ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ad7ebfecab4e1e41dfecf3d344e30bd6

SHA1
242600d8ecf48680392a748c21e7170223df266e

SHA256
f0407127b326513bc8a06cb802265971dcad2adce2116cb315d0349f22f8ff92

SHA512
5b997b95d6c12e8d7d44db9f72932a3ec2f23210026879ac13e5162df74d568d90322e57ad64f9c31d354fdb2e6432dcfba109bdd96958c34525a91f7ef18f4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
635043ea4dd8d2cbe7ba21b1ac14845e

SHA1
46f83abca0dcd17b9598704bb3d71d909121e745

SHA256
9c55b694b5c71bf30c911421547cb36179a62aee5153016c55c8ab6973038f09

SHA512
fccff3bc1f047a01446640f5b25d012184fdd9d45cad840179b428c2ea6c20f006dee93196437746c1a06199f599cbb1dcb7edb5a6c4debae1299c88235ad5f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6e888af2980fc0633eef4d362349817c

SHA1
ce2ade53503bbee30aaf24f68ef48258ea4ed23d

SHA256
bd2be90ef91371bbe530a108b9f2673f8951e7c4e64ecd2ad6ae53167fefe001

SHA512
49f50bda9b54dc26ea9ed1ed40307480b049a0c904119c1bd2214679c92967da182fec8484ae5c4cdd4280b8e1a7a860d9ce9567c82195d7b9be9293aa3a88ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6e403d6bbdd68ab0639f0ad4468109c4

SHA1
3bca19a32285775a99ece953453797e9380302b1

SHA256
323cb38fff1fe26d5d828dce3247dce28ed3d674115e7f54ac0cf89c098b58c5

SHA512
4cc6e0e4ab183aa2061f3e8a4aa914af8d9233a38a9c2ca94d15f70c1f1cae793b728a565db4eaacda79783590a252ceab679d025c545fff42ae5fcf8710fdba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cb9e52bd45487cbfc3670409d592ea8d

SHA1
b1f4812bbd66d8ac394a0274d02b77004d78aa72

SHA256
35f7285c110cf2eb1f344863af13f635d987e848b0818a48f3cda163f1e2be56

SHA512
5c10988622ce39c86cea14defe623ee7aca14513ea2d0ac30cdc4715633277627af1b0b80d0493185810308143e3924d984b45cb345fd1af018adcde905d7ae3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5373262186b0f489f1da82779484b559

SHA1
125a7f081dc0de89d563a23ff8814bcbba578810

SHA256
b7226511064045a90801113199359ab3b8996a0c3e8d7e27123464cad7cdd652

SHA512
cbf6cd8ae66bd538b4f4006fa21470ba1d8ffd155544d0759709d7355cace9c28b3113ad5d4d63c3fc4004f2e0c357adab8955c72d8eb7050fd17a89734e5225

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
246a0237b661f87a9bce269a2995b80d

SHA1
1ca70d5771a5557a1cf79bc4bd42cf0e23e39a2c

SHA256
6dd6ecc6a9000fe378923497cfa8302538566fabb56f984654145840b2cdf86f

SHA512
3c0ed8646d39fe8c0ba0e629b0a30694a0f2773c9bb6de0fca75232aabc7df9a3f74c34c5ca33d0460cc626e4841bb96b217ab481037e8b7d5bbfbf85ee95b56

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e2e79464174e1384c97c51b9d2efd9e7

SHA1
a46767c9374dac240be5646a31db934146206ae1

SHA256
2c0c409ec1e005d0e98e9123d72a6b4e67ced491b3f0e044ec66db35e8554c8b

SHA512
d635bf903b80d06e9727ae41b83b8de9312e9cb199ba06d3f0f211149e430ea8facbcb7c91d92cb7dc0d43e21f309c43393b967e41c6a85e2ba60f516c29c9d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3ee08e4d759ef8dd4eb5bbd3b4afe189

SHA1
de7ad5374f0de8e5efa58e6563aa7b9e40154824

SHA256
1083ed8c0efa9b8fccaa27a5ef73133ef95f25b4c1d7f540fc0757d089c70f50

SHA512
2dacc3dd2180a192df96fd551fb3113532441e71fd10a39ae01e0f6c4ed909b87ef99c15c76edc21916547f486707cd4b9f469af0d068cadd43c8f8276046b5c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b3c28478ede84e4034bed9710228a0a8

SHA1
1b92c904cbec243c45dc4c50bccd81fcfad6d7e9

SHA256
dcb072e8940cf03f3120a479d1987d441e85ebe417ee1003764a919dc403f717

SHA512
3525d5c69e13af6d22bd395a1c344cbac12101ebc03f276ec5f8dc94afddbd3e44c6e6bf539a7cc2fda4ad47bf2fe4d31234949a529ac977487e0d296e6c9fc0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3938f59a0f5621e0c937562d919bb473

SHA1
d96ea5b333ebe0471b541567bfa3ceeed36b53e2

SHA256
91c0e053ab202805ae3b790bb5a7afe31f0c6d58025150b12ea91930aed52054

SHA512
a3c27e8a60c367da1a19d4cc55fcc04eb0d3755e20d28696d7515a502d82d0d823e6f670146c75e851b111ca59ef185540329e7688e21f0ec7cb5f17f998e80d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3be796b5c8604067503d514351f178df

SHA1
3571bd4ebf96c4301046821d4ace50e0dfee1d4d

SHA256
7e860a4d3cfee2ea3c958ae3cf747e8992caadd6f8a3724e0b116d696e42d83b

SHA512
6b371c70b25494b5c4667b392bdb133c1c62276edbc9eee72d3af030671e7a3bb2a9e95bbc37e567a2d4418d23839ac454bb3885e33a4f3c7ba6f2d78fbe1ccf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8a0e0d7cfd9d69f635e943c5879b6750

SHA1
1fa19c38462b1cff41609a6b1617a9bd5a12a875

SHA256
ef7916f297b724aaed086eff67581ad97964299243ba08b6ab298cff07fa3505

SHA512
0eabf017f5762141c076e8959e06198ddcbc20b2ba25c07ed26b3a3f62bc58b508c6d3f3de3598e278eaec51ba920a64c1ced3ce7f5c39682905ba0e862c9993

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9c591a86ef51b3a71b4fd5b01cb7cd42

SHA1
ec9bbf32c578efb1229e7244e971d84ddc58e012

SHA256
b4e5b63363d99128db38963da03e38a40a399af82123034fc9336ae7231663a6

SHA512
41ce5cdd7965b56ca85eb7757e23aa016b0b4d3e264b56623751dd86a4f0b141d6d1392fdba082ad9aad61899138264c7d3b63517c7c13b6f4cfb2fc98537e8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
136ab0ce84f6d15dc084e1e3d0417eea

SHA1
20f71a2730dbee8c56ac2e4628306791d9ff9f64

SHA256
b3a2aa026e20f31deaf3ebd1d3a67b387bb48a50653e8d33bdb761d6e9910cfe

SHA512
6964468f047f4148ed1951b33040ccdfa2375eb20f44449b5125e0f66751e9e87c516f74b59578b5b3afaa6b45c47a09c2ae85ea0a2005a492b1096a37eb1e8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
762606e92858ec89dc1f427c5ace0942

SHA1
fcbf4440b2181842ca6ca7a7e03d6845590f8802

SHA256
a08f4895f2fae1c32c537d39739fda84b0abf4263c023932cbed4f8cae60fb69

SHA512
757fc55e51d904891eac9cbb09af39befccc955ecba5f127074c2bfbbde32fbcead5e657eac27d7454c00282ec272615d6ccd850cdcaabbfd774a69bf03308f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d42ca7ef5ba2130df941a875d58b3630

SHA1
8d0b07c001be1ab65c81fe576ec45926ebb53697

SHA256
abaf7cb9104315f3d16717551cb85e00f7da204fc90f4c254ee7851985b2d0ea

SHA512
faaaec0e9b367552b6ac81a4f86a51cf31ef07ba56ffb65efc91fe27f768ab46a8a82b7d830920ecb163a08a13c52d52cf752fc90244474f9d6a4535434b2363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
3310cccf63b6cdc85066200e764bff62

SHA1
ab80a2c73d11cf302f7fd6a56317a7fd17c306ca

SHA256
d5f3a992b4fb2df12782969b41ae452b7a5bdd27e5e7bf48af5203219fdb96af

SHA512
f27d6c4cebb571f37d4c6694d9f596652e42ac3880fe3f8d93488a53f0bc12ec9256470e155374a88bfc8db9c7f421aa795cfa79f273e8c4802b5144222b90c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e07a0bf1a1b70b5a0266d3bb7be9bd3d

SHA1
6446d36624a6b8807016692508b02c18339f22fd

SHA256
4b91132a68125836ce00184cdd5ee078737a4e633367264ac22757671c390c81

SHA512
d78ca9bc898fde5b8273dd17e8a138333b8fef5be2b412ec2ab069c6460e008b7114fa78377ca0574ebfd9f415ca5fe498f1a3f551647e2c6cdbe1bac75d25d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
9e27c696aefacbac93742a8cf4bca2e5

SHA1
6550fe912d96b64ece3f83f1e62d35235a23ec13

SHA256
f7807ec7161902208d6e0f89175ee886751f75c68a5c646613f13fdf87badb94

SHA512
08ad74e0207202c7824622620a2b5a7246351ad1af76fa4bed7585bf943eebe87475fc96c8d0e5bc6f6650c6343e4d8aa61fdf1437487db395f807338a614071

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
271cf5ea7e3f6057d80c3f7d17f14263

SHA1
1b82e1f0be2c7fde73164b109afaea60dbe6a29b

SHA256
0c1beb87792838235ad058d4c6326abd9eb2add8ca7900549b6997e9120b5c9f

SHA512
61cd4f7a96a3138107b8b8cb777db43d070841add4edee2e03941be61b0c31a0d3b2c9745f4275f576a5a0ceb788421dec1ef007cd646463230805fa580943ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
1d31efdeb5ad371ff63735d8056ea3c5

SHA1
2b94c8f0109aff56a20df92f7079e61a459209ee

SHA256
cccc09f1d17547fea13fdf474650847abbb7ec71513e059e59bc9cc4fad0de79

SHA512
6c8a128c33754c25bf960a4110d03a8023439577ff48b5c1c7651240bd13132bd8a8dddbef7c861d842ed108c40dde5f29c6b40b4b2f85c94fbefbf9a2e6bc12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ffa8c46507eae817f91adf6863d1a712

SHA1
6e527853c35959a7ac47efb5ffeec64c97bf6196

SHA256
0b2fbcd0e685087aebe40b35af9ef2706705dc6b384aa5750c606774bfc31daf

SHA512
b6151965e89ad44e37f03a323b95dd0d25b8c2d685af299f4d5927a47cadd7d8e18a930b8e1f453f24eca922352b6962f70319b6f8e04c31f0a21382a57b3e28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8b30df9fbfcee93c884774f68c00fd47

SHA1
b0bda455f713f9634d35c01413845f284ddcdeae

SHA256
1cc7825eb750201e749e6fc9b68569f6ddd137c379f46a0d569c6cf35d6b413c

SHA512
da5d83698706389ae730a2c412de253cb2ce1bef687afcec6aaf04989f32b9ce8de231f989336fa5f961c27ea7c021ec30445417353a46f1c1a8e90be270d3e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
90ef73159633f795af569dca4ad26ccd

SHA1
012299b54579b46e8096365815568890cf4203bc

SHA256
b0d2ba84d48e3ee2953b43144c5583b2059080ca7b0466836ba318f430b3ed02

SHA512
9a64d45a19d82150bea6d603e7cdb7286d7814fe2ea339ab0c367a8a21ef44f1a793eea767bd385fed246f2cb89055cbfd60a970f78a436c0ed6cda95859d990

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4b4424b9c43bcf7a562211002cceae76

SHA1
024ab9b519d4f3ebca71d5df9b7f8329dfe66b96

SHA256
15005110c5ec1f78c1243c229432f49559bc2bdd9d3398e687a760bf0d5b4b88

SHA512
a45ee69cdfe756c1c6c3748e1100fff942d5a904f3880fe013c6832072398ca10febd51de5a16d277086790aa7c6fa9d2b0bede3b1c86e91af02b05dae6d07fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
15d4a58a326b503d63a67043a8dc9e76

SHA1
740f68bf48bc17a37ed861bcf211450e5ea40dd3

SHA256
3a3ad7a0897df9a81879bd02f33e880ba859704974e91fb06ee46c150624eda9

SHA512
68f06372601e3ff46f95c78a7ac57993153cd5cb4a741c64f2c4e753124d217a862b68951e5d946162da7fbdcc970248937cb209ccca34035f21babcc8e5ac71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
42a8640bb6aa5095d6cb745d8d4424cb

SHA1
0fbdaf09540c32f01afcaa0761cff22c69e70c68

SHA256
149d8f86c686e86ec13554681a905a61a729920cb7f825ea112cada165b3f241

SHA512
eac3a61f4381d992e3ff575e99bf0c0915f9d601091c78721895a4be9c1b7b8787e72d25c1804c3c74bb8553fac98f102a5513bac0d29842aefbc46463a6416b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b2daa5dbb08de7605a5ecd0bc4663287

SHA1
cced19488af94d1b5a61780d0673d1eba1231887

SHA256
6a5d99eba272fb555fc13e6bdcf10e7e9f1633169054008e66566966212764fd

SHA512
403b6bdb1b44bd15ba8872ca5bae23213077f1011f55993a2fd2af86fb75a5d66664393af34dbcdc3ae9f0f886743c8030fc9c29286734948e0f74eeb3b527c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
6510dc8855fcdde3c4a0fcfd631a79ab

SHA1
76b470a7974da058be7ec573893a95df8458feed

SHA256
dd241fe3ee82da0c792419390604715b97dddba0b15dbb64c6e5df5b5ac9fa6b

SHA512
3582d9b89d115ee4204d8bfccb465f8dbc09a3d9bbaa30b36a4ea2a637616fda7feb3cdc536dc9b30f70f0851d062c6c269834ce162b97a40caa33b3989985b6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c37ad421041f623eb982f605a48a6eb5

SHA1
2921a7a11f39106a025e030a3149b47a1adc5c2f

SHA256
88be52d719bac4381800e544c8515d6420a352d8c46da50d55875d7731a90cf3

SHA512
dcf955e36e9b223244cf8bfa762e383c418c78d544716f01a7a9d7c0da6187692cbca84c500f502a925a904229d14711a59c0f7d4cf7cdeffd874fd8ee905fa6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
60fd5bb6c394feffd777619c061a860c

SHA1
bede2fdd5b2137f26566eae9a3411987da535027

SHA256
770f1ed46a449d2b1105ebf877e95c9ac78f0db859e7b86344a6c904fd4e238f

SHA512
19533ce0091f2e7571c5b46a29ccd0c002ca76fb6a089de498837f26ef7087db92c971ea3a6b07cff491bca7968ccee1cf6750600c811b10b919109085181131

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9cea7e9aec0c450a6bdc6e47b53828e8

SHA1
1754eeb4ce8fc30d93306de2cbcde260b6ba65c7

SHA256
0ea798b293336c56cc8df27514942d23eb676eb0472ee168ce1c40e78d5ff02e

SHA512
e279fa823cdaccceecc65cf4ad74b64e0a3586147dc1fc4629cfcdce0999e398ec0351d1fb3b26f946da2a3210e21f523536e2874d419c71c599f55c575bd582

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
be9a208bfd7b94a624d9c8c3bf09256b

SHA1
f0944d92d966cb1da3953186c08f3540aaa71e41

SHA256
10ab35ce6bfe6acefffc674403b1ef108d6002b95eb73cbd9ed9c707fda31713

SHA512
04251e0e0036e8d78c73a9b1111f9aeb77d5575bc162a386820de0107b7e102ef3f96e690a4980f65a2e4434c1182e9cc3b3eeade20adf2b0147bf472cf4ee35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0cc155755d6016743c810f1747063176

SHA1
e4e7536d2140376a7f93710ebc81bf8edb648bc9

SHA256
9f369e699c06d5b80ad5bed0607b6d4be31f623c954b805c853a615c6014bfc5

SHA512
38579a3e50fd24e3dc569f2abc4a4bdc30ac5475d631f24dfb0d3ea557717f3d545dded750081317bea5e397aa6f646b08b1a89e4c8bfede77f31da2b494e089

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e4bb7357fd7630d2d5fe132ad60a306d

SHA1
6c26e681bebce71bf7b1acedaac70c4b28bc3503

SHA256
90e61b343e263840c3e102e0ac0b2c6597ed53c90e77f46350311c4078424d8e

SHA512
1cc54df337504925d86c4a273fbdc20a4bfc02c17a029a7919cef79352c23c0cbff4a08cbaca2b1aabf487f59b743bf70c189444eec44155c56160ce160b77c3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
25ebfd1b274ff9525fd51c2875e6f562

SHA1
5205a78a2b913aae90e48854838fc67071bcc2e3

SHA256
79143a5e831e10bb39f5aea0f700e7db26cecc6d9c408512f4232568b4a2eb27

SHA512
e5407a11b9e384d12b9e1e2a2b053b604c0b5e36ad653075b119a1ce42e267e34b4c9b68a606438b2e248f353ab1866147d4312f31e4c03c240eec2a45c311d3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0d94d3642205db8cfeb781cf92d3724b

SHA1
937daeb21370bd620dd8bce412315427d0593f67

SHA256
d9aedd9232ed1f62ab1c0bc19991e012a6ae591c80bbde6414458fb160b5166d

SHA512
bbb424a6f37214144cb54e5024a95b0ce8381c2df9435fef556dd44b5e6a62a33da5a062e1adc89a84007671fed31064a7082d713683d6db78fedfc5c395a54c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
27eaf045c4089d5fc016ce6021cafe95

SHA1
ffb58ae93afd71ed7b52173d5deb01879c628b4b

SHA256
998b2c1eeb9f3cf5ffbb92514b1fd1ab27f98d54da9f023ded9f89803622ccd5

SHA512
1781d2ccc5b52f1654eb2c05edded7ac9c78073c1b32f0291339cd0829b213bd67a4a81999c0b38b24bee71a69529f70569c718fde8bb090191792b10717ab32

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1104f799269810dfe8c81458385d35b8

SHA1
78868026929e9b9aeb10b9f9598d6ce37af1a745

SHA256
2195936f2a91f9155a5f41f0c289064db6ef4fb4aa4ff307322ec283d6b72ed1

SHA512
044c120b9d465afd6a9506f919758ada4e79c888f03d6f7be164e450b8974ca51bf480d5e62481d97468586fb55507c1548e13ea32cee86b7c40cf2b61bda40d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0d4dbee5971e7dc351bc624821db1bc8

SHA1
d173d129f60fc1dddc664bd8ef308be122b85ec3

SHA256
5e08fad3b42b512d8080f96679c49a27d96f8b782acddbbd48c216ac0aebf491

SHA512
ff29726e972c9e18934e1a8a9d309d1189a64421d56af9dcdb3a0b5b44b53934d092e4c2f3830660c67c8bc5a53109fb0f88756ef1fd7000599d9073133aed19

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc8c5219831f4bd0cecdfc07049f3e04

SHA1
5a6f9a1498c8cb425c46319557d7729f58700843

SHA256
eb8f0a2b88b977dd0230e006f993247b8a8f351a3869c52bcf45574629340418

SHA512
1740362553c3cc4882764f8070ceef8f7fec3654a8a6df62a03d7fa1054043ece4c760a0343000637067ee683b138574a847d4b0d65321adf7e5ddee16ff42a3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ad878b98217c15ccf0ff60e0a9b85632

SHA1
f4fd1e5351d7fe7f2009495d64b352cadda376cb

SHA256
3b2698f06ac5c9f8083909bba54e3c4aa6680137f192cbe2c1c23c5207125ff7

SHA512
c1c236fe92c1a5ddb237d1976b0b84ca3a446dd631038761c803bba2af84a4ee7ca274f4f44145daaadf60cec3f3603425c21e76c2ae7a897eba2a6b9f880b4c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f987393e545d113cfe1b45cb1f3ab83b

SHA1
40bc209ae00503e95c379b6bed1dc3eb593a9b29

SHA256
25424fd368f1985a8e5b8b9e5d0186722c5b66492708941f4d363e2e50d4be81

SHA512
b0378665402e0f82f0381510cc7562a0d6be8ba4b9d89033b9c23930855f9a3c805632ddd66bc4dc1a86593919c9f8df4154bbfbde392e0b48cc60fc5fb1c7e9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e462eba90724153eac3209619120f578

SHA1
503fb5fd77cc043a2e9b2993f2512630d8c8e6a6

SHA256
a4c54f6dda13854bb84074e2d003cc537d17f8bc70da5027f8de810ea9dc0c3a

SHA512
95c4382a819eee5a790e4fec59e90d432c5d5cd04df05d30c2a723991ba0f92cb1739f5e05f04b7f04a5cd839314a157d4897d744c510ed7555db4699218a4b4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
11afe6a4866418c50bec25529f1f9f6b

SHA1
92cdb9e70b5d5a5cb0e113d8054897920cd1ae3e

SHA256
1e844fcc51488c1d3aac653faa294f577c153d9cca4cd59489ee24897874337c

SHA512
74542cf760fa15f04fbec9c12607c9afc18b9e467bc27ac29c0e8588d21454e74b570ff02f9e4a59ae2d2a6ab9fc9bd2f0e0162b33a8ea7b798b537b53aecd90

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c7535b6c00c48e13746addfe70c40a76

SHA1
222bb2e65b8e061e29761ab36fcc5a37d9017d83

SHA256
8587ee503d686bf8f5f5d931b52da2ad7c9cc2c7019674779a50c400e4a3152c

SHA512
320041a2bcead4843771cb0070b203046b4b5dfe80ea8f331a44d6ed4805a6f68c23b36a02406c68c9d490194eb3bc0c2b9cb56b887182121c815ea602adeab0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3334f879d7161dc4dd84f13785de620

SHA1
2ef85ccfc8fa0f286a129fe0a0babf0dbbd5c2b5

SHA256
b071752ea5f6da2757d05aaa4c637cbb2615b19acc13657c6bef4ebc92ab10e7

SHA512
403853ff64b507bccb0e48e58ff1ae4035b702ee5033580f7091a0b5e33302dab99dfa92536ec3aa68fdbb95ee0c0dccca7775f420aec393827775ff0ba9cacf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d8ed9b06c449f5ef5887077f83aa613b

SHA1
91cfbc007c9f6912a02af14ec0635fc519ac171d

SHA256
98bfb8e63273cc7751d8c51f13de5e61fd11819ca740b4f6b1bc42a70127aa05

SHA512
05a7275be4111ee9c146f7340ef4c10306f3fd7cb9e2e32c24883b3d490df6167d6dbd863580f7ec865fedaf34361b2dcac5500c77fbe07b2f53f148ae2208f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3567cdc17bcc2bdd3ee3cadd5fdae139

SHA1
79c9730184ca2a3fa95f0dfcf9eb3afba8bef14f

SHA256
15e00aa479a1d771ccf21452c285eae480660e9d9060f0b955cd5046a553a497

SHA512
df2228048b1ea8dece1a76e5bab24fe81c8e14923f9095480186979ba790bf9246f804a630efe4c0b6be963c9988562751f2beb0c94861b8dabc0078cb73a32c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c23c262e90d471e4661b94ab891d3995

SHA1
0ace9cbcec25c6a92d474e66034064dd5c85e2fc

SHA256
4337a9281b5a4780f285ef29f3f9860fb30ff8e9ab132cd265f75f540f3c984e

SHA512
a1d6a92bef636832e63e9354fdcd141129b569639db91151c7caca46058f0d39b9f567383f9761383e5a7a8d14a7dba26dd248efef5ca7368245dabbabeb3e3c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
a9d5cbc70a811753c5191b4fdc7e3a29

SHA1
c67602f6a5183de5db81d7b473077f34b421227d

SHA256
f86028645febc3781781d9292d54e88f2e18e6f1926abff92bf5d27fcd944a1c

SHA512
0acd6d2f3c72bf28c174ee3636000dde821b43323e06eb2d29475575d20ad36d81841ba45129c64cf46d63d09031c9ce5f38ee9052c9e38e28c69c87db5e5980

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4d0cceb1c82f1301202d058a615385ee

SHA1
e996a40896a746516575c0af656d0c4295f0fde1

SHA256
05dd71f6f8cc2acfe40497e8fc48ae9cb941580d3c3af356c2f5af22289e9925

SHA512
528a99eedcd25ef09b3700edc21b235f24e62da77f677b2e6b84e49a60621544bffe42f45193855c5117988a287a69ed6c1df5a7b6b5bb0f81cbe636f9a0833c

Download Submit
memory/624-617-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/624-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/624-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/624-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/924-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/924-533-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1180-154-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1376-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1788-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1788-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1788-98-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1788-12-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2256-155-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2592-270-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2920-277-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2920-623-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3624-273-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3676-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3676-618-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3676-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3848-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3848-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3848-39-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3848-50-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3848-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3892-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3892-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3892-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4172-0-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/4172-72-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/4172-1-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4172-7-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4340-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4424-272-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4456-622-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4608-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4776-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4776-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4776-80-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4776-86-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4776-74-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4812-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4812-624-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4816-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4904-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4904-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5108-156-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download