bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Size

1.2MB
MD5

54f8324c8c53d0a55d1f87c636d063e7
SHA1

f9d4ae7ce1638b2f90ea945a87045601917fa9b1
SHA256

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6
SHA512

84cccd08a48e34b7b835fbd97bad4bab535692fd2647d7551ff3fc77b08ce787014a5bf0de29ceb66d06162973b54d534d404fbc8784bc3b6a123e4cd2e75d75
SSDEEP

12288:TG16FWBGJXONobVmaeZ0d/5PLdHgpchM/wW9hAmkvnGiZs1dMIaGxGU7:O6FWBM6T0dhBHgOq/PkvnGws1uIa5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2380	alg.exe
4880	DiagnosticsHub.StandardCollector.Service.exe
5096	fxssvc.exe
4836	elevation_service.exe
1428	elevation_service.exe
4764	maintenanceservice.exe
4800	msdtc.exe
5088	OSE.EXE
988	PerceptionSimulationService.exe
2036	perfhost.exe
2860	locator.exe
3736	SensorDataService.exe
2464	snmptrap.exe
1764	spectrum.exe
3552	ssh-agent.exe
3476	TieringEngineService.exe
1376	AgentService.exe
4324	vds.exe
4560	vssvc.exe
3392	wbengine.exe
3380	WmiApSrv.exe
444	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\alg.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\vds.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de8d3336d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe

Drops file in Program Files directory 64 IoCs

Processes:

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exebff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a827b3c7b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033ecb7c7b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a86f3c7b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000671d24cfb9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092c3cfc7b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011a058c7b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe

pid	process
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

640
640

pid	process
640
640

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeAuditPrivilege	5096	fxssvc.exe
Token: SeRestorePrivilege	3476	TieringEngineService.exe
Token: SeManageVolumePrivilege	3476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1376	AgentService.exe
Token: SeBackupPrivilege	4560	vssvc.exe
Token: SeRestorePrivilege	4560	vssvc.exe
Token: SeAuditPrivilege	4560	vssvc.exe
Token: SeBackupPrivilege	3392	wbengine.exe
Token: SeRestorePrivilege	3392	wbengine.exe
Token: SeSecurityPrivilege	3392	wbengine.exe
Token: 33	444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	444	SearchIndexer.exe
Token: SeDebugPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeDebugPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeDebugPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeDebugPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeDebugPrivilege	3000	bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
Token: SeDebugPrivilege	2380	alg.exe
Token: SeDebugPrivilege	2380	alg.exe
Token: SeDebugPrivilege	2380	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 444 wrote to memory of 2388	444	SearchIndexer.exe	SearchProtocolHost.exe
PID 444 wrote to memory of 2388	444	SearchIndexer.exe	SearchProtocolHost.exe
PID 444 wrote to memory of 1252	444	SearchIndexer.exe	SearchFilterHost.exe
PID 444 wrote to memory of 1252	444	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe
"C:\Users\Admin\AppData\Local\Temp\bff632e886a453665930ea68bdd598c2b77083b5c2dfa74affa0fa86b65609e6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4800

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:988

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3736

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1764

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2388

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
58ae0a14edc8d503fd9fd80fac840d34

SHA1
1f13e1bbcb7c172a3a9a64d6f601d0d73f69d450

SHA256
70954aecfb984a26d2b3fd0589f3ff403893594b6e4271d543f20599c8bdd997

SHA512
98801f3e2ef4a282a3477dbdb1e8c7a6dc2ac0a57113b41e8e72468c4d07d069ea7e040e6857d018361076ebd520f6abe3d702378dafab5ac0c8a34bd6d79677

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
46e7f6c8a17b4ab9a29d6336cb78f932

SHA1
71aa20b4eb432c963853a967066cced5016f230f

SHA256
58e2f3fbd33ed6123ff67ba1ffafb140420c146019d70c6c0ddb22d5bc33bc20

SHA512
7a1c55f26c1ba2d790a65fb56bbc5942745f39364bb96ba33b84528f96041ba23fbdb20e2dca5641e36fd32e36b841dbcd904e9e1389dc7b012ce21be05ac881

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
b6b9136889209c20e49ec28ecc0c613e

SHA1
a3a5db57a34794cd8f66a29a91585788dad3eec1

SHA256
0d1823d70ba24b3b5495b31b47b5aa7bf9932a0c2a41e85457416535b68f07a5

SHA512
d221b36cb098f5803403e2155961614b0b06d0b6306fca26b6fd09219412b9cb1c8094dde144bff202f85e861338fb24836755835b243854bcaaa5b507537f68

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e41e5be1041f687942362566db29cc75

SHA1
0d1464004477b6552e7eee95612451fa294eeaec

SHA256
53c7d2801f61c2bb016b2a0a39e1cf628c7d356064f720a49c4e92fbafe7b483

SHA512
2e3ccca5bf9865f62a88b329c37684bdb1560511866d25b4356fa577bebfe909f19ff386ac256dedfd8a48a68d40b4688ae213311998623b217f65e5a5361799

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
61df159b1f63eeceda93e187460a2d98

SHA1
30fa7158e7f20d370e6a10ae0d92f04cbc90c55c

SHA256
65ba08977cc8c503fb6d6eae5e1b7268dcd794285881f0da2e03b20765bb9b8d

SHA512
c0f10852d4231ce8d3796c27e67ec8687d9e21c6ac3305bfaad7678ea5e4ba93cdc4936418800138c805a066847338d534ea350a471a457423a8f8bcdc396cef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
729aaa4eac86b1a6a89271553559fc07

SHA1
e303474cf81140659bd39f3cfc5c0479a2e97b16

SHA256
79b9022c4d5666797fbb88cdf3b3e8ae5267e3b61c3f1460a3b63cd3e8c66163

SHA512
94aee347b3140561aef381b57007dd0638229d5b4c9c67be9a7a16fa1a39e0c3c4d86936dfef239c840d39f21347d28df60dfa605dd56d4431e20fdbddea6314

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
0894ceb2ada6b98316a24f694e489f72

SHA1
b9f306021679010e508ae543b961fcbfc4383653

SHA256
443c3722bce0ea5dd387f33a1576b8d82562c114d9d165300ffb3667d30c88e9

SHA512
d6af68686f2f37f3c7e89e2cbb47e128b49ae3473133cfbacb3870f24ed4fa26cdf3f4db40fecc21e75c0afbdd605f24432de90a59d7ae12bc87e02a29cec247

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2304cc62dcd9cbf0228a122a9517dea5

SHA1
9825f733eec060bf4456bf3f02d6bf8c6f21c003

SHA256
254169c435257a4e5ab816ffdf9bf98ef6688f86cf809552977391d2a6f75002

SHA512
08683ccca42c6c1a8eedafa2cc088c9fc023eec4b7b95f528a2cc77abe7e0f01b070ad464b0ea6bee6f92e6fe950f11bab92cc44e007f960642a136cee6c8056

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
6614825d21017f53b86b6ed68e10eabb

SHA1
2a83b8b0970d4f321608d55febe7d820683c63b5

SHA256
03b1a26505035057ca51192186999b843c2fe4c0de94f546b054b59aec14aaf4

SHA512
cdb6e11e72b459387f446bddf28fb58c0236912b0794ae6cc0bd99dcdbe7d68b2d9c828ee7150431d14d3a38f8786a224333944c82b16a5ab716b714f892f07c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
afa13aec77ff488b8a82ae2a884bff67

SHA1
ea345da0b39949d6e9bcdd45153d81984e05d379

SHA256
fea2e7f120f1e8ff31e0badea788039183ba6154adc619ef99ec7021ce1df454

SHA512
44b5cf96bef568bd2f7240d6291d66885e6ecf077dea2a0bea78df4d5f0fd1850db347cff1b4a110e8be023bde4a9b40ae8eeb47a01a8c5f2c290c133787f834

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
63305ce76665fbae00b7ea58f829e588

SHA1
64d7c60ee1f05cc77f395aad92f3d9d54fd74e66

SHA256
f058cf7cabc3b630db4088f3130b9959a4f198624be4cf6a9a2a59935aaf3d7a

SHA512
b0e341b035e1518b32e3c29e04ef87f3e75c7c97cb778704d0fa293e5baf6684cf520e55f7ddf9253c3bba15813852ed35e54ca8971a32f5966f05a9aa47e73b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
552d577906fac5952d203ddbe7b9a94c

SHA1
03dec89b774151310de3329f00d197a7c06cc1e0

SHA256
6dd571b33b2278973a68159b140124f376c20fa6d471ba4257d01d6fa171ecf0

SHA512
5a115f1d909eefbcd44080854054e066a6c0ecc174bf0ee673e12d1cc24e34dc4fbe9b589077f8c2f3917d2451601cf8550ce8631304783652eefe212750ae2f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
d19c768a0b7fb0c6757866502c5a7844

SHA1
895cdfd84593b695dbf4829ffef4eaecbc67ebc2

SHA256
1ee1640fc9568e5dfbc6ac6a883b2152a55542fb6818de8d7a7305fd950a3d03

SHA512
bddde33711aaa6d58ff121b0b058818d7410c63b2c28ec68e8f7d127a2dc52cf89dddf9cde26eba088059019ca518ab09387bd98ded33a39798d34f11308bf54

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
425b3723c489981841e975d9ccfaabd1

SHA1
804cb3686aec6a52f4b4358ce93e56e89bd54790

SHA256
621c0c44cabdb8828cdc918acfb501801f0b5e34f67fde718e12cec45fc679dd

SHA512
a166cd9569a110cfa628e0f26fe66613b8ab3dd64e47d7d573e7ac787b8c7d9a164aaa482eb55c31b94dff185efbb95c4fce7bc35075f26b36a155bf625bdbcc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2f0c5929f62dcaefed98b338cae7b1bb

SHA1
53f141bbc2c9210188dcef98041643e292f9f833

SHA256
4b0b8f2124f73b683af772dd6a845d8495df83fa9d1b5c2613c8e7bdb7e4d9ef

SHA512
320590280bb1cbc100f79e3266c185a689b47ad74dfc45c608d0fdd17903b16438a68848cf03a27b78a36841a7c48c774f8f2e5f07d4c3f8ad50ebdd4a6b51a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
5253946d2b01d803b0153372ef6fb8de

SHA1
f608e3a1abd492183f37c86cc1e558a3e2475450

SHA256
061be127e956cd2f3c28f93c633362b3095b4240fd1f9575973e13b7a84c73b8

SHA512
dd21dc5904383b7d3504b08ba14992ceb48e2e65aaddad87cd8e585f1a10d29967bf946dc088e0ac31a7003b32b99365980f12d42b3806ecd3ef8d5e28752a2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1601a4387f861f18acf41e0b1828f3b8

SHA1
899c98bbba0adf6a95d9c77ff60b4faf228eaaff

SHA256
aa12c48b648057aa2e02f4bc6554a1e8b97215d09e14886436874b1027a2c8ae

SHA512
35062966efe02a2ad53645885c129422419288e28c2cca5ddd9d469875abf36c5391f785f7f54ce1ccb9bbc8e75c16ced32bb595d72d52f687cb51d1f6ed69a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9a07c0c51594d10bd77d2454c8c0509d

SHA1
4f17d7a9d6ba0662e6fe7b8608191d45961b882a

SHA256
557f2dcbc569734253a9c86ee9b3167783a1a1e90bbe1d46aa5de260e562d66c

SHA512
142f81ab7da1da717a0d9abdb2b480cf19ee8a6d565ecf0d1c5d1cb2188045969de9a5ce0daaebea8a400059c3d3bd58391d5a348c93c30c94bb7ce69e90c886

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6fc5b9275ced80aee3e4e8381fa7deb8

SHA1
9194db9f49e9d8093e18b021ea914aa849e77546

SHA256
1d64d78baca70dd4f15b6baf378129e9a43fd4d66ab352cf2ce048807537c7a6

SHA512
51ba8564b74d6b81584c717e47008b8add96249178ef5a7ace0c2d4a6743d2a2aa76cff063cf98bbb13421c509a08aea669a33c7437e008769b85f53d4bb1d3b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f264808aa11147e2c15097c104a0c345

SHA1
832732d045332bd10662255fa0f4572bbfbbaba8

SHA256
ddc6833a127be544d9330f16e71ae7d5ccae2a3e84785ed2b5fbbe7efc1acc86

SHA512
33fd1123d96607470a7c13c7ff6ee8290d4eb5f15be0b51280dcc12c7fb0add0c256448e494e860c94b2778118e92a815a85076674da4f9f1251f80422f2d2e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
ef69e56c2db20307584fb6ce2bb63fc8

SHA1
506d0546653edf09a5e988faf6735c7238b4aa09

SHA256
8bb4c6fc661ac5f73fd347ca92cb8dde849ee9cfcd917e6230553b775945645b

SHA512
0cef28c0a597db02a624b73d3c9f605ff21f945d97ddaae854807ce71c62c38db22cc466d4dcae8594988da639e6e70ef47eb12e2e7b14a0be28e709a7130b5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
f3532a5369793c43acc949d9bdb4839a

SHA1
de5376c78d730f621b09fcd792aa01ce5d8eb845

SHA256
d57140aacfbcd99728dde9689df053b0c90640a791f7d6ba34138a04dd56d5ba

SHA512
5ece6499f135f97ce6df33b682945332f4454d30a980002d6a6361a206631ef5f488e9e41189576338e56ccf5e3d748971cf17d91e19288fbe6b849df3d7cdde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
edb2defdd76f8b0e346dcca931256235

SHA1
2a99e375a0524d5dc423a4cb2766ee78adee950a

SHA256
ea81c54426590fbb6af00114ca6015f1aaa0d16e72855ebe5b97fa8e6abeeb76

SHA512
1930b27b5a79bec48f068c90ff0a43652d96d61189fa3fb0e42c9de3f14c6f81e007f0411463b9e10f9aea02aca4d06d6eedffc29af26a2636153845c8fcc1f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
20f8588a083ff7b7e9e1ab7da8a63319

SHA1
15a850ec9795f43d2fe2c93b59a2c321a500fb9f

SHA256
0864787c6527e80b5c8c1e54d9c3dd9fc9878097cb5f23b1f40fbb5d989e90ce

SHA512
cef902afb78cf8fb5641635c7e8ece6aa3b015b99c87a31fb3309c2a7e41a06a3beae35c72c4607927489299c5ad268df1223009b4675b4e6a797c53906dddd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
99e3c48c579bd071b10b122dd57c065d

SHA1
80f3e087ac2424a419b1b952dd1d0bc4c8d5c4bb

SHA256
60c0c48523c0744c6bfb93aa6fcf0267bed2b6b9bf37aecfcc3eb95560484269

SHA512
421903b532b4220b4c29ed574fd0c08271f72f307a9be6102e1097a094268cd3d007676fe882c45237fe10b60eb31d726d6900074c650d2548a18312a84d48ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
f317af0ef0aef1baa3106040f5eb150d

SHA1
5b5cd632b42d9a03c9c6f3c5d75043c330b23952

SHA256
80154cd1b82b82c66e40b59d5ffa660a599264f6560e4465a3643de418ac674b

SHA512
331b432f469f6279e3fc374d08a112046e63e15b9b7d0b6b4e769b3a25a85757520c68e84a517272e0f0e21470adc684a287ecdd0d89a573f8495407e637eed5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
8ff9c5e798578ee34c3ea883b7dd43b8

SHA1
d4a4932ca03d322b6c4253712aa84d106a7cc876

SHA256
caf314f96861d24ea1d4c7964ceb0ad22a7f1caac63a4a82954f10471dac0e74

SHA512
facbd33431f2d210481d97f15aba87c2fa514ee893bb13631bcc2ec2324a989c52e8a18a7f392efc7642146f012ae6e0d19983bb7b32c20736d6b730f5b58dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
b2d452a86f7c76f4aab05e24dd966324

SHA1
2d295d00c73ebff73a67178e9832d4a18c2aeacc

SHA256
c8a8a6998e74bc6fcb60b0fde93efdc5a041d29c917ac85652404f3f4330c378

SHA512
17755a83a6b3ae411650cda4ad7ef3836f61ece18f283e7b09f0f5f304e28d3b3ed9f281850c26a6e7b25ab3ef4a692f2665570cacfed839546e2cd6ba898380

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
8f255ba27964ad9427e41435d88c7a0c

SHA1
0816a367052ca0e0ed165b86e37a23bc29c2ff67

SHA256
ea4bdbed0bf85ec0b774b3a00502dca3bd605c5070cd478596d97a37cb1287ab

SHA512
c14972ae9bfbe8f36f94a0eda4a39a94d43efaf5bff052b049afd64b229fc882c5ea3e6d9407daa0a321dc969eaa0df8a0daf0ccb76a72185719d9277d2f3253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
5f16de06dce87fb6cbe5abeb07345f2c

SHA1
6e1dbb5604dc8e9c4942d05f7f157a4fc1b8270d

SHA256
6eec5725b59cda9cb978e894684651cd529015b2e0735f0b13171fa5bae1901c

SHA512
5b770cb3710cc377356d232430b7bff1624819947ee818ccdd914589eb1aa8b475e967758763dccae0c7722c75d78b4a5e78978dcc207548c7375092958bc0fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
51a892e6a3f864f2f8866c9ff0fdded4

SHA1
b673decd0fcb5acf8ecba6dfd119a0130947f98d

SHA256
bcc1d95b18a259fcaef153a0090e85a99a4013bd96c672c4d1feb4e807b5c2b4

SHA512
cf9e8ab07abae4c0343a85051f6ec29262f6e816143cf196b5ee2a4d2c7ca5d2fdc66408443c990823a13276f3e90ae57b545b88b0828b7fcc30a354e5987a72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
1a0c4f79ce9ecfd2c80b820e870c4485

SHA1
882d285d6ff69fa6cfc44dd6cf60a58e8234aedc

SHA256
db76c09330c976d26c56f4f67369851feb308ef65a53959af6735caea435ccfa

SHA512
e02404e3bf742587f088a297189d1a314708fd76683626def99cd8f3a8c53dae994bd9f030985cdd68867bc123a9639c690806733ad07657eca1bb4a9f195bc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
3978f220c4884a0f6161894e35f10b61

SHA1
bbcf309678edf7f7918ac6e5a750ea74772ad244

SHA256
8efbc6bdcb1d42cb6ea704f32767d97b0b471bfc35e97177c437c54ee74568fb

SHA512
1db035d51f299915fc71409b84cd30efdac00314f376d5199f795ffd5c7d3ac67ec9e47027c78de8ed08a61782b901dd13cb0074e5c2d5eb2ab063b37059fe0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
ce631343d936c4bdabcae6b07e5d10dd

SHA1
0f9b3eba17dec9621749009345b0814741f0994d

SHA256
b8b206b9db267dd816a90e6629f2b9064583e81ba8ec32afc12459fbfc28355c

SHA512
4491a4b7ee7fadcebb03c340f623982c89f12dbec06ad2c68157fb2e0074d1ec3051ef21f2a6b59ce1e9054a84a702d1380da9c16833ad453ef2f67a31f7243a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
c6cbe7b1b2ba021ddaf790e3a1246ca7

SHA1
23efcb0cc9389eedaea23b98ad1f8a7b1635977d

SHA256
d8889563e6fef26f3f79e9580befbce588a8509886b3bd99c0f6f335de62a5b6

SHA512
2a34c1c75df2afe1e32338ff784a91526a25f7331d7c757b38f8876c857c1abbe9b9de82df0fdfe5dbe62e80d3d6efdce609aeeea5b52afb0cf204bcab43d010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
c818de8df4ebc50eb27962bf69bbb9a9

SHA1
a22d3dcc0ac3d105a3dc7ac477751b0bced1b7e0

SHA256
ef026ad4adbbd42c6313e7afe32fe31fbe7991b45fa37c78432da9ebc61317ec

SHA512
210ad57194e00142beee4fd6a92d48ca0337f2760c9124e891ece4fb5bc529a67cddd05becda83e3414a58297583e4f0fafe71fffcc9171cf4ee90013d7e596d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
5e010a69088042c1ff8bdfe04325cd97

SHA1
93fc443158991cdd0a247bfbb54cce0056861b2b

SHA256
8ada9fec0505d5b2ca30d6c131837af6158ca72d55e615701b79987f832da502

SHA512
be2964265ec46f58bece79aefd3b6020331ea200ac9a1ae8534e5c2e551eadb9803bc91ff042c661a995b0aa68cf183cda654f19111d4cc07b3dec6b06833163

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
2a7f1c2058a560b43915a713e54e5774

SHA1
903f628b4d0fc17ef944d841d1cf782c8792566c

SHA256
6bfcb16639d228dcb5f83f29f2aa87db78dd4aeb4fecfab09d07641937c93eb6

SHA512
e6f36d9f52446a5d9211df458935a5dea352a929e4a6f661e4975294fa1ce1e6d0b539e4105989791dd2fd9dc8c133e009b2b556ff2515c0138b812625b2c4d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
ef7fb2596663e5db55312c0959f427af

SHA1
69d049a6ed5b4f5a6f57f19c21fc3457b43859c9

SHA256
fb1bb03af48c4fef719fe782ef250cfd1eda62d4e3e1c66889c23977580a0060

SHA512
15201ae27f771bd73b31bfc52d75d82eaad2a3cb9b2014c9e4b82fa401dd6cba5e44c386ee8b14c38649b6d88926516f9fd1d8f8594b48700ff510b302484b64

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b05462c1ee530d98c3bab38b970dd41e

SHA1
1c0f659ffba61045a5dd9cddd7a7213c5277c7c7

SHA256
65b330a4806f956674b8c766bb94f9e884fcf8398522ffd7fcd77335a7d1fe27

SHA512
2469c213ef8cf93d58ca533f565a0e2348fdfbc251239c9d76f1a814b03c19f64543883c8cdcecbd2c065458a0f8ae41019e1c944e8df78f4f299230545b4eb3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
d2cdd0cce8d07c21dba74682648b583c

SHA1
dbcc8019d75f03bf7f81da2d43abe88f63effa81

SHA256
ce344bff05e558763d1a39395a8779066ad2f3fd7f1cf26de4d714770594ea98

SHA512
65ace8f03da6ca655404a055ba2323c3bdbb8b3634a686573a1b41476b0180e2ab8e964ce6cd2bc0886b370a30ac8461ef5b18ae01fd55ed15de7473e7e17328

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8230d2dd36510f3f6c0e201fba7e9ff3

SHA1
825d0334c28dbe6d08257a332885792e9ca8f017

SHA256
cabf956db51d1d4365bc6ef9231abdf4ef285f836e278d89efa25a4311654873

SHA512
d0ca69fd0f3c83e7cc32e1d6be234c93216b5f47b0fcba8a18a3356152ac2a4c506025d8a596c37871d0b5cbec3894a8b558b2ce5a6eb671fedac3e08c29e79f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
d8b2562b2e767101ce2d021bb1fc88e9

SHA1
ad9f1563a96ca8cfdf5a8ecf75e810457a5e35a7

SHA256
6b86e483d59ae04d413cb8fe1abbe6715586e7f18c731f2c8016d7803a967a99

SHA512
cda3747e5775acf7ec10a90d58e0e018afb35807a34208fbcf93d287c32d8f6696703ad2ac307953b7f0204255ae7aecc222a26a270e448ccbe0f5da67d76e7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
da02d19ea43426eaaa06439e9a77d947

SHA1
5ddf2683b5c07db457944a1430039526f771bc49

SHA256
fd1f9fc1d0d627ab6c7904889171d171d9ebc50b5110424b07b6fb6572d5b312

SHA512
424aed02324dfb05cab93655a4d96b9faee5f23c24f2328f8e1e3e17464bf81e926677eb6fa3ae9b7b1eb2ca0b4db7d9fdb3f5adf7c33969b00e84a0d1d42f28

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
98805f2ee912c3bbb05873bccc2b4987

SHA1
383d149aa243284560535d8610dce1b558eec79e

SHA256
803c38925141fc123b5cfd1b72d0c3ef6a45fd7d9257b9c8bbf8e7d728590c95

SHA512
a0796544a01201b9807e61d5bb1fd7f84e344a53efca8864cbffb67903c33688482da87bf815aab4cbfd59e5be93a23803fc846fdd708aa900bda7d20f8af60a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
900388eed97a4466cac9969c96490638

SHA1
95babe980e6e97e3e89ff4c34e13e70edd8533e7

SHA256
6af7f6c5fffb274ae61927469d553ea4486fd2a2036cdc642cbfe700165a844e

SHA512
b29c5d155edd80e061a4b0b83c65ae79d38dc641199e797c8307689ab900d7057e37578b16f710ecba85e65b892d0190c3116d70ce850535a3f4fd230f76243f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1acc018b62aea77756cabcacb1052c31

SHA1
4bbe73bfe613ad3c2533f928b137eebef6479d1e

SHA256
d42fb9eada81958a4e6e6e7a7ed8e828105dcb40ad5b9ad3a4cf1ce321eaf974

SHA512
78ab0f6c5664dfc7f30782f5caf3db805208fa4055bd6c2e782e7ebb0fc4ee88e9937fbaf0894225c8b7342e60c51b764d5053d4736eb718463d791288a78d21

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
78a3c35cdfb66e0e8916ede90a1bb57b

SHA1
541274732bf474829f47a6c5dcf94906df66c2c9

SHA256
81bb2d327dc44761171f29c1ab8cc6a0d400617adba63d6e4385fd3897b65a89

SHA512
fbdd610d7e86680a7e3b4ece4cfb103a4cf5fbf546f96cdb1608980e88f20fad793eff949240cf326bc2a1158749f6cd15351c8335f0c1ce7d9636b31faa0373

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
5ab11d91d63516f99c7157bd6661b321

SHA1
e30991a8477a152f1b0be11866d5ff856ca2d8cc

SHA256
ce9e068d9758d10b172bf386d870db05306e6516abf768308c7546c4b5cd6610

SHA512
ba008b5ac09c4382e06cc5ec6face9ac32f7cadc55423a24cd104e66cabb9fcc92e1ecdf4717de0b3c011bfbdabe1138385554e3a26084cd18baf950ee927ca9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
031e5c77b5f9aaf71b1d475ab70fe84a

SHA1
500213781a8d6162e0b447e3ed1ed07c87145bd0

SHA256
007de68c2b62c256606450ee22594b5d0a7ecefe9a18f8a8887e3c44705f1944

SHA512
874b399073ee555e1057ffd4a7efbd05c4c653885ff93d5cba725538d89a0ccfaa0656390b7d496df1bfb349825df9b22e1fce6b524668504a6b32d750ad3a1c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
239c65b74b0a26fed5c0717a68074b99

SHA1
3857b4a9dc9a7ebc2c11c37bdd49526718a7df91

SHA256
7ab433f966eafc61e9ac08f66cfa465fbd3e949761d188597ec4e373c230c887

SHA512
57c34705877a5d805408d09adb268480ecf5028850440b13e3a95b2bf839b58874e6f241c531be86335940d10641d3a502515b952161ee13f87b115725d4c51c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
c101fc56fa2464e2defbc0ca336ff01d

SHA1
212636465bda2969230e567adfb94b3798788912

SHA256
b1120686b9b31893bcbbb6c1b07cbae7fff7fade9543ef53433bab7c7ca0a074

SHA512
e3a5afd01561e9853623de38816caf11d4a0c41af93468a8a05abc9a8d13565420e702af62db9fe988cef627bd759bff3fca37f71e2167a54b0ee45438a46cd3

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
aa08ab33bb4e4398c5ced4a750d348ba

SHA1
9d6c009087a5ba1dd9d17e18243fa1b7a146421d

SHA256
86c347b575c6709eccbd10e6a01d9de61fbb1ed5576a5227979c8111b824fb6c

SHA512
2480cf67d4c4d9d8b4139174d9a84587a96ca6c3c2e5213a97fac0ac2673a2a219450ff6b9f148f39268bf6944fb69e8644d2a8d569b0411c7c2818f0eb016b8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7f7a2b28aacb90bf6121423fec402f42

SHA1
53e0ae3b7ab7ca297cf47fe4bb1b4c913d4ace89

SHA256
afc1c18dc803c7d76eebdbfb334c10d247f677b91e17ad883ce80f1922ef5004

SHA512
d2aeeddc586287344a9991b182d5d7b2c22045574c7da2d62014969565cdbdf09af6cfe7d4eba638ca911d27ba19050885eafaeb7dd8c4fdcb001c9236397fd7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
e066ea6ff29db89cf8b2e969abf83959

SHA1
78405d316afccc67a6606a4341837bfa21e1dd4a

SHA256
a2b36ded696cb90901a34613a5e9094f84d5668cb7c713031b1436c5af973bf4

SHA512
0ca4674eb5f6f16865e84ae4901b137f36b1671f5b51eb56650f552af83af56facc9cbb32a8046fdc2310e684604174c762fc33b8e5384461b81a8756de20ca7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
30d45e62aded50296fcc9d044e8d3263

SHA1
02a5dfd82ce26a18b78ac03c589ed2beb9d7dc88

SHA256
a59d6214b5c26bd94cca0777b12b9d13269b8f6e862ee9fec5d084cf651b912a

SHA512
3f94a9bc9ff2293e340cd73803630a0f54224971a67dc386ed07ab0a0d04d8962fee44f19898f2329e294414aac1532f89506f07cc0f09804cf815969406e7b5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5b66d97a1124cacd68ed3cdd83ec7635

SHA1
c6d3df1bc44411f102c5e123389347030633ac63

SHA256
9754c2e0e4e294fba44cc0fdcef5e774c2a6e332852596e02b0078d186d64057

SHA512
858e7869ab61a0105ecda10161c93b5cc67940adfc72c079104af7531ad4da07f87606cc808ef70dac651b0f0f877aa52015195a8b375e9d8f0946d4641fb38e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
d7d39f2e3a7a5fd73f8d289c4204bcfe

SHA1
493523fac0902360218fed86707654c9240272df

SHA256
717bea94ef32fd68380fd3af04c89a73d37210256104e42589d6f9f3dffe8839

SHA512
5cf672ff4409bae6668a1dbed9c6af1c223da14d7f38daca192f27761b857879cf0809756a661a62f97ad1c1854e3522789b405e8031e9eb28771274e31426fe

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
b1f23b6b289b2a7b598276039c51168c

SHA1
cabd2da58453a1a84f7cd9f6b3a094ca941c23bb

SHA256
43153f4a6d400ca8c4b602972bfb65ad835c5673fca3eea50fe9dc71bee04b2d

SHA512
9b4115cc87a15373147c8286e98abe69d24b0e35e06ddb00a73709a4e4f396d53089a2d633ddca42a7597429783ec4e4cd42be2cab96498a9d50809c4193f89b

Download Submit
memory/444-563-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/444-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/988-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/988-239-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1376-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1376-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1428-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1428-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1428-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1764-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1764-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2036-131-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2380-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2380-130-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2380-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2380-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2380-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2464-444-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2464-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2860-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2860-260-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3000-6-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3000-0-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3000-104-0x0000000140000000-0x00000001401DE000-memory.dmp

Filesize
1.9MB

Download
memory/3000-8-0x0000000140000000-0x00000001401DE000-memory.dmp

Filesize
1.9MB

Download
memory/3000-9-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3380-261-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3380-562-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3392-561-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3392-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3476-200-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3476-557-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3552-181-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3552-553-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3736-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4560-240-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4560-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4764-76-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4764-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4764-82-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4764-87-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4764-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4800-105-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4800-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4836-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4836-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4836-54-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4836-60-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4880-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4880-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4880-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5088-226-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5088-116-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5096-50-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5096-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-40-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5096-48-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5096-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download