05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Size

622KB
MD5

15b1b3e0fd439276b6ea02e80e82f60a
SHA1

274d1b480dd0734d69550382aac8db282d31d5ea
SHA256

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6
SHA512

684a09f0dab336ca0596e6701dd8025684a6a5b634125d857f47fab3974db7ec2a44d3c6ad228baea09346a5b3e6a2f49eadff20a6aaaf1ab046842cea43d16c
SSDEEP

12288:lukoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:luv2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4608	alg.exe
564	DiagnosticsHub.StandardCollector.Service.exe
1800	fxssvc.exe
1636	elevation_service.exe
1264	elevation_service.exe
5000	maintenanceservice.exe
3732	msdtc.exe
1548	OSE.EXE
884	PerceptionSimulationService.exe
4596	perfhost.exe
2868	locator.exe
2460	SensorDataService.exe
4328	snmptrap.exe
2492	spectrum.exe
4076	ssh-agent.exe
1376	TieringEngineService.exe
1944	AgentService.exe
4988	vds.exe
3792	vssvc.exe
3940	wbengine.exe
4592	WmiApSrv.exe
2340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\locator.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\wbengine.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\82ac3f86b3e2edcd.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe

Drops file in Windows directory 3 IoCs

Processes:

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8cf2e933dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050d7d1923dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b37fc68c3dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a43b3c943dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000403c96923dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3a746933dadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099040e8d3dadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe

pid	process
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeAuditPrivilege	1800	fxssvc.exe
Token: SeRestorePrivilege	1376	TieringEngineService.exe
Token: SeManageVolumePrivilege	1376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1944	AgentService.exe
Token: SeBackupPrivilege	3792	vssvc.exe
Token: SeRestorePrivilege	3792	vssvc.exe
Token: SeAuditPrivilege	3792	vssvc.exe
Token: SeBackupPrivilege	3940	wbengine.exe
Token: SeRestorePrivilege	3940	wbengine.exe
Token: SeSecurityPrivilege	3940	wbengine.exe
Token: 33	2340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2340	SearchIndexer.exe
Token: SeDebugPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeDebugPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeDebugPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeDebugPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeDebugPrivilege	4416	05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
Token: SeDebugPrivilege	4608	alg.exe
Token: SeDebugPrivilege	4608	alg.exe
Token: SeDebugPrivilege	4608	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2340 wrote to memory of 4748	2340	SearchIndexer.exe	SearchProtocolHost.exe
PID 2340 wrote to memory of 4748	2340	SearchIndexer.exe	SearchProtocolHost.exe
PID 2340 wrote to memory of 3116	2340	SearchIndexer.exe	SearchFilterHost.exe
PID 2340 wrote to memory of 3116	2340	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe
"C:\Users\Admin\AppData\Local\Temp\05cd5e3b23ef15a69251baa1c26de849234500dd13711d7ae48955f12d8990d6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4748

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
a56cccaff3675ee25383299078a957b8

SHA1
283c7ef6780ed282a0ee117b66e40787f44aa585

SHA256
4e7a7ef885fbf6974bbb6723b382a5390db1ee009d708129935f61343da856ad

SHA512
6272e89878fbbf8da1eb685732a5db05bd57c11395ac3e5bcec73760149bbc609da803fbf1da16bbb6e480e84eb833c6ccfb53c90aabecaaf32271d1a7311630

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
35204568382061edd3cab39872191521

SHA1
e0cfe610ff5b3ae6a3a2d56152b31e7ac71b8652

SHA256
cee26dae2bc9b2d5967f6bcfd62004d65b357e9c0bd00704b8d6005279ca96b1

SHA512
0e7e4db896796c313f1df7c92be9f873cf0ec501a94b41b785bf77ed51f17c5c8969d4947e32158070f9b56bf974bc7b23387d0c14b7ac4e16c4e9ea4429261d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
a42d7ddc894859abd904978916db8720

SHA1
646fd64b71992b78d698cfd85df9767e07cb5d69

SHA256
f1f7e8d272edf75bf5a7e50d3342152ee793d89f16ab38cf9752f263da4d9010

SHA512
45e4b2c85ba969f32844fdb4e6d16a8349c92eb9ac260954b2d735e99ed0cc8900b2e7add5297fd183591acb3c0281c9616097afad32710d0bc45f879c2a393b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
605be15e4fb0f1dd151ac51c9640c250

SHA1
c18003931f27b3bde30c22aa199ebdf0e79360b5

SHA256
05dc14b49f4d1fee3983381b142cc80bdbafd68882424a65ff19925d08b71163

SHA512
87f702d3543f9f318d3d2650f25b1dc33339ad0858561d4bcfbed9fef2870e3b76e51afec68774463f03ece4ce99064ca7f9ce72d9d7efefff266ebb443e88b6

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
de2747e0f09fa12a1d4abfe247e33858

SHA1
fdc96767acb20531bbe988afb38f1e4de8e38921

SHA256
648ab08b4eeb5dba3ba6814b792ac550a961190eb87564dcd206a8d03d60db57

SHA512
8a42116f78674c249e21f1544abab50b5784a2d47b469b781206c6b0b1d71d3e4b25d8db6eddf3cddd47b93a60087b99edf88710d3162fcd444282c4db2064a8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
784c2088ccd70076e47ecc3469cc6f87

SHA1
a2ab302a465eed5697f20c06d7cc84a119394b9d

SHA256
9a3967365dd6f332b7af867a3ffe66d26f0d664d2219240ea42e5df40149b433

SHA512
3b940fe024a885481073a125c8eaee6dff2217a3ff446fc4f8d6b5fcdf3a7dff3964a0d75378f21705a2158812199f62139c6aab9d90774b80f49e384f2c465c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
76e0c9a72f4a0aafa977633a64de4876

SHA1
90faa5e22917c1d79423ce5140661558f328d478

SHA256
fac88263894bcd2fde1b8945e2d7368a8aa01116b3694df44d8ed081d5d8d526

SHA512
e39be3f7c904821653049de97f7ed970549ba4d05928645e9d9f3fd1cbbde2dd21058e6a82517dc6eed8ab7b28e990918160c69809c2374a32ab4b824b152b0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4591bcaa7f10bb6072069a3870beaafb

SHA1
5ef886777977835b050b1e762ac055ded43fe0ef

SHA256
cecfbc565301ee0375f67c86b8435f8586a8d774de15e0fad4e9401b1bf4a851

SHA512
15d461b3a3f939a9dee3d2d23ab307923ddb9f41437a0d8a4682cd39982ac175db0e372c3cbe49a9cbd9c0d8623079e14ee7d6d993e88773c0e3de3591eb8cf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
2e26bf3357e368e1cb364a7b1d38c9c2

SHA1
e008a4f4b1d649c969dde616d825f004146cbb3e

SHA256
76ea6c04542fe4ea1eb8f543b17806186e870c39df61acccf3e40721410e7211

SHA512
2b9550c96f0dffed923ac455de7450bedc06aa905a3f5d92c9000c7cab71096ed0cf24f0187817ce74e377c0a2c2d2b5f1653d52018c600c8b4c402bc0fdcc7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
84433b56ddf8aa10b4bc6d4e89c80a34

SHA1
b63dda6140185ababe07a0790e6e3e4b7c7196a9

SHA256
6b55c98c36437f166eabe47cd872eb199217499f6f0579de3df52d0d7f951aea

SHA512
cac1461ed387aa6a5ee471604941f0a686af4c2f8bc23660e77b495eb7a1704df0945a51447be1e4a6b82a7836a1b9b98a91864efddfc969b297a73d3e780c64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b0c3ec4f02793b8689dcae4263da49d5

SHA1
4b5730846799f817cbae44b131732178003b5385

SHA256
322b1cbcc3469050acffa9f82df2c8043e0bb3c636f45f25242585086bb1a2f6

SHA512
72cb470fdf11308552f831b7d6414030dd8756a20bdbb6c597b4529e1b23c4e31dbecf62738d3051f34ec0510a39da0c5424d7084a606ce1d95428aee9f26d61

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
bb252fbf85ddcd1b2f0d0e7dad1fd669

SHA1
f8ff583a571b06e7f2ba5229f0eaa83081a7f7dc

SHA256
6d7908c5c062e1ed715d529916069cbbe821746db0a032bf2b8298539f3307a2

SHA512
60125d5fe365bcfff5dd12466844f1cc77eabf095fa58ffab1d50841e8aadb4a350c7f32d1997b0d45af1a1bdff7286556f6de11d9847c9a3e551be99a52a561

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
04b4a07194f9ed39615ad0978503c9db

SHA1
6f4b1775a6bef6a9014aadd03ae02e7aced382a2

SHA256
ce67b6328c74d343f8711e7398f2d9b5baeda052e7e0f50a4b421e1b43986acc

SHA512
616a6e5d4f2f4a16b65e7d7d44b5e3a27614ebb5c3eeaff0764fd13703c0c61e6e2a6352ebd63e06b14c5ff60bb626f1ac70db65c3158b12e571af3e7af8de48

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
82bbf03b85b06affe341cddaccab6b58

SHA1
414164f1e5d923c2a1ea27aa13b1a5f54ac181e3

SHA256
93e5e356d167af22d7dd9aac4f5de08fda0dbcb9dddf0a3558f3a6bd42dbe654

SHA512
58324bb39f27bc5da1c1da0920b513dd465ac5f82c74aa51013f83b2f2a88ff5fdb78b95c39a58441dfcc279b883d9b118efc5f86df454984d8a7b50172a5674

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
250e350dfd75ae560fccff9cadf8d468

SHA1
d1528d5bfbb103c6f9c7bc88e44817307dac0ecf

SHA256
71d32942cc7ea398d3cfd634b89526208cce860bfe394d7d5cdf41d2ffbc0059

SHA512
907651780a222098384d6b815b3cbfd69e82cf060356a992ef8c80347e98acead8da880b608f6d7f54426d2902b12df5bbbd1a8240eb274ac57f69263993115c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
5196baad5f45660b3872e4d9a36bd6bf

SHA1
5b80ee5b50d38a70d62d93e7dec2d4d75c9b10fe

SHA256
f6b6593f9a25db2c2c93fc31bbecacbc749d859c167bbf676803e5960cd4ec6c

SHA512
ce49910cd1a3254d32c4eea07155f97ecec4fd37e725616901382b65505815220d64d61243823eee0e2463997aa9a1053fafdd9b185c1df6432b15c07ad64d9c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
44a96bb290bfba1f9b03a84b86a82c22

SHA1
f6c623f02725a15e312f7efbf2a2d4270dcc4226

SHA256
9405f6e30837a3b7c253b380c61928e2ef900811db9fe0a2cc55eb6a9d09901f

SHA512
c6c3a34b682235d10befef0358f37fc8d1309d3f2007f616f3835cb159c35a754b31192899a10c7716f74c86e2b883ab58af4dad5815616ed45afaf6668a87d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
8692edf3dafc4bac4ffd091a0ad918f2

SHA1
1b08820ee09dadb03339541fd2447d04aeb6349b

SHA256
7728be962c5d29219ccae1cfe64cbf179292d45991dc51911edf6e892e2afe0c

SHA512
65662508c7e394ef5bd6b717dbadd7770ee8633ad49910c5958cf291709f9e2af4a3cae6b88f8153e7c81786a702cf8895215492b32fee41e62f3ed272442cf6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
ccca45c539fa6d06943be42e87401f77

SHA1
79f004f5d2c441a230e5028db0198290ed0a5145

SHA256
60bb217658701d7cc98af8f41b296a9909a251f8db9482461e8cb6b2489f6549

SHA512
49bb7560ce8f3fa6bfa880624fe4b453a3358685b2cd12183e1b6d16063adc3f9082fc72bcdc4ded00bc80e4bbb62db45666899379f0d4ada8a7fb6de5ffef3d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
064325a1791bf2c0047d52a803ea0fd3

SHA1
0a984f14dceebc95a6ff4d9dcc586e1f9bbb2e9b

SHA256
57f1bf9814f786204045f3acc4094d6cf1d4c7d97de73820d0473b77b1dd1573

SHA512
31e892d12a3b63cd8edb539c7805703b3dfd1650060e92fc7f7ecedaadd9952970e394ca416ac52028b9df19f470158da8cbf6565bb788cc2f8c0774415f75b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
a1a6b8ed2e2607c9928dcde4ff7f9ed3

SHA1
7dc859002dc9a37d14f935f0a4495e6bcaac33dc

SHA256
37a313b11939ea7aca4f55f22634f6d6d0de29ced195ffbb4cb27a954f2ce085

SHA512
dd135ddebb7e0ef5f3d3a8cdcd18c52f5c64ddca803ceb67450d1f87c1d17a79585efae4e8f5d3ebc14b8576c1740131d701939b466a58c3cf8b3a56c587b90b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
973fb117331934a312fb6dd0f1d7e767

SHA1
2ba26f2fe6fa7f60fc91e011f79c65ca904a23da

SHA256
f4bdd54b9321c101564aac1987d894f4e28b1b8a77e48c408ad59111e3f9c918

SHA512
b02166ccdee13ee8306809a0ba09e3d22b3355ab22d16e74b0583fc056218835daff59d60189468bdfb01c36d51f269ddf0714fa88cec8b90ef1dd9b6e217ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
7ff4259c9f4896caf7ac1b7be3ded55c

SHA1
ba9844d14c9d1c3a40acc143e3e670a793de25a9

SHA256
0b27fe39959debc2d047353233ecfef637f693d26738445cf4392fa52acb2b04

SHA512
2d3ca0aaf7a271d319e43582355693ff9b5271d80c02d0a39e09e165f4a4ad4cb7a33bb248cc266940c698542d8834a7fa6fd295ba4708cb5786b028e61c75e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
b6e83fe013fe76fcbb0dad67e0c61973

SHA1
125e9aba6ad760203c448d1af0cc17e1be3a5839

SHA256
b89f9a5002ec2a9dbb69906f9ff763ead364297c256c04a24bed8395866fa94d

SHA512
403909f3afaec5c84671db1d349291a8e6b7da149c70af1e6a7d474c01ea39ba4a3eb08131383068074e32481d22acfc3f5724520205f8be99d6313ba7e16c97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
822011933a8b80c9fe15e09c7c7bca5f

SHA1
5c5e027d6d741ee3877973a07f8643881c4dcd96

SHA256
b25f9eac622823f20f7ee02184664a484be96b91783e26f45e2753781e33b8c2

SHA512
f7f88774d937c4d3f4e05499ea41562fb6ac40a0051e8fb2d3bf051fd8d931a9af6e6a3b5214579988cf2d06b29df465efeddaead504e770e4a24a4ecb2125d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
a10eafe5ad48479f57b7d91a7dd45361

SHA1
ec8a642950536f1ec717163143f6903c9bdf8257

SHA256
ba2ff05448b5157c6c0971cac8a712d35565ac65b42bf5c9d14eaf269cc2f6f6

SHA512
93182cea45de0a01402250bf01810f8660a10e628d14e205f2b6dfe23a7bc90643300c8685ae6dc1a9f42d8357e1698582581ed482fecba6a4b078a073c85cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
a5b4d12f0cf9b20fc975e35c47d6d28d

SHA1
d93b1529062373be7eae860d35c38858972166ed

SHA256
e3c4e9ea67a35990c0adb6402bc02e4fb04f17622c3c83cf79358cdcf4c143f4

SHA512
c29806993a3bb020b32576da318fe823c48c067321b1ef3497c4c812b96a34ecbc3557f0e641cc04d298f084eb4a99c4a8f311ab0c60adea65adbdecd3c806b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
55ec4efcb356e4890ca29f36b8bcdd75

SHA1
c0d7155bb293012284a42a71bd8b8c6fcc60d498

SHA256
763f52c8ff9ee8d2177077a581a009de3f851476ad733a8f08b566920668bda3

SHA512
761aafd4a83d6dc7f56354ee90fe9f1e21aeddf3db78c045f2049c5f35666ab1d7b9c28f2b0d04da34d58b5c4fac9016193b9f3ea1f398ece17e2ed9cfa3e3f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
66b043f6f7cd867b7623321e22a13bb5

SHA1
74445b6174bdb80e2ed508ca9877e59cab04d586

SHA256
af286cc1038d772743245a45de259d0d3cd7a7eb620dbb9e641b6217148f9a8e

SHA512
707c9ffb174eebf67fb26c369f73fe6aa5b4af8913f26570005ac52e690b2fd33a6e10e512938dda5703120e935b452d2c4f9f33b38a4f80593e26a007ffd707

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
203fdc2fd3e35d7a95bbd55307e38899

SHA1
49dd5c5edd83b8e065e4e6c5a2c413464491e0a2

SHA256
4843b7fb6d988b2c43d757f7c19f0a4e7d0548afcba90a3044b08706080cb27a

SHA512
56029e11903bd058c2653db7bcda5b65a0463f6ab8c4eb60dc7e828737d3f60bd7be266faf3304e0b5e0aefc95b538ab8c4edc7940c6993301d9947a09415626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
238c26c7c2cbc97940ea0bb64c71a064

SHA1
6ba4df440ea0a9e550c3852ad63913289589ff9a

SHA256
1591cea6ed3965a3ee0ce29b27926c036114559ab66e290d4093ad539d3ca923

SHA512
c6a1210a6e5efea0a520e59ecfc914c0c941ee55e860399162fe3f46046eb7b9902da8f21ea6fff81fd34d03ef33c97bf22daa4b375aa8ac7b5a6974c47bf49e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
f4e6f69274c50ad3aaa7d53457b2e489

SHA1
fca2c7c758d0a479913293c8a4b0585627ff3c49

SHA256
51d09f307474315d8ada07a88110d8ba7875a3894709da597ea3f7b743146c87

SHA512
3467a9c937bcd4699720701b6942fa159e0affc5fd4998dfebe2a0cd1403a86728bf84c34b927e8c32332eebb736b0d02d414be76b81b7b37b0141dc29f0bf8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a0be1831e15b521572f0e7b78ad9fd71

SHA1
7053193cc8eadb22fbb19b9389b7cb2fe455360f

SHA256
8ac8010cd01ed25f74d6f48704f741c690d20e10b912b7b27ab3afbf2b646cd3

SHA512
9ff6212b45e2e8ae2c407f7d54bc05e61572e45486377de24f14bc6c971f5b6156d0299dd6841e5580995d37adeb5e2a430c8c6456d66a2b18c3525c195548db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
42a066a50a5e1afcd395e6a4ed2a8422

SHA1
529309d56c86bf1725827db93ffb2c91e28d00d3

SHA256
ef8348d3770a55b4e6c29338907e32ad112ac1bdf48b29331a3ad61aadf66520

SHA512
7a9a9d1db4bd6e191a2acfecffe1eec6fff63c3cde713a3b002f12fe1b4b0e584c6cccd9bbff9f8307148f1b960d9747591ca89ffe4a4ca1429dde61b4295f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
243882d4d3ef586fb2616b530e785867

SHA1
1f5b522fa6cd27472b94b8a2df6e132a88c5309b

SHA256
82fd5b9555faef1add2edb8a0342c06ee7d43a6180ebd8b51720859362e1361a

SHA512
68fb98ac3e01d48bb02005b4aa5180090a7451facfb41411eb82a67c99685b335a82a2365c9a58fae93c0c53c8256447e79681b19abcf6e99f952fde72dcbdec

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a2e1c264971001030c917d6198d6cf79

SHA1
ecef2f3751acff946fdb8c5b3ddce02a16a49d3f

SHA256
919e332b927ecbbeb1fff108dd9661c05dbe5a3ca7e7c558af704e1b9d60fe50

SHA512
2aae41ae4044e0cb1ccb356860b595652fa6354cbdc648e8936ee377a7e4ba52d09e2c960c72bb26ad3824968cee0cd5d46fa848c21bd5c2745270dea7c9eff6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
5fd7bb678cf617ee853b48d63dfb5d8b

SHA1
3bfc8c20a1a4a778c75fc56d736ef26425306749

SHA256
ff31416dc8933553a2a2e80d271a28b4a8733d71bd068ffe0dd3c92fe25f0975

SHA512
87b98263968c46e103e59b964f0161bdaf4af46c2da5c954612978ae738c5a7a5b16b552390d4ac1ab2fbb792d272639d850519dea8c9e82719067178c37104e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
97388bb897f49f55cb1956ee513d5e22

SHA1
e3e90e853b86b03cc16305d7b2ef3019600dadf3

SHA256
e7b21012aaf94170bc649570fa8999c5be3037dd0e71eb4ad909583961995b0f

SHA512
ba5b3e10eab22baa2266b9d21d2348b889a44fb6cbb380e697f7bde968d3ca5f77312253e3a1a999a3322403c37705d4541baa93e1e6c8b1e2db8023a94e1bd7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2c23d2a281b3e5b228886639c107f2cf

SHA1
da43dcf67bbfb43584bd776689f2182f82d2e05c

SHA256
9b0f4ab479e1e1efb31e61d1c33235102031bc91cadcb90d0e48bfb5332aa9b2

SHA512
2a6da46b624b538a00f0ee65e84f2bc8feda63352dac8e0342dc0ec4a7d7cea63a67671084339c44ef73299374acea86ab3eb5d587c210af96fa026c3c667073

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
f4af4f883de81f91cbdcb02578cc4f10

SHA1
8589c819a44e4fe2b8aeeaee450af00a409a716b

SHA256
73c2ca4f10cb4d0e8913cc5255a24ac6687c88dd60dbb77b75ec0e3af7c9aea2

SHA512
b47dd7b214f65804a411df5d4ea51c3f44daba925bc505c1f9d8185715e0123819dad854db4a7f0eaadb2a4d9541801e675b2ff82cba0fc25812f520694e6fba

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ae19cd3ba701a745ec34ef2a94fd9677

SHA1
bf16ff85c045a5b834e2cd15a57219d391b6717a

SHA256
1ff4aa742ec35bc2dbb3021dedb529518a4d141034d73c8ce8074431357461c2

SHA512
e790c9a7573043d0d2777543815b73a11e409d5d9cae8fea02fed18612f7122af73d887f4b8ceb2ac1d0cfad197e3f55aeacbf521cfe2ead190f2aea7374b90b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
e6c2b232596c616f7bceb1e5e44236ea

SHA1
d48f61b01070a95c4db96512bce400c23eaa94b1

SHA256
6e3af4681b3d6a863d7c701d129a4a8de417ab50fecfe51c6035f5ab057e4f7f

SHA512
89c926189a66960b40b91a7d30fc1988d9e15021ac2b19d7ad3b4e13bc2ac51d09b4377756c0b28d0a3b5aaa2f0ae0969291ad9e0a06507b38ca4931beba54ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
639f223edce3e9e80d1f6616c8ce6fa1

SHA1
07f40adebc0e453ca5d443254d9bff764d4503f4

SHA256
53d96b73b69b02227ebcb5545fcde0a74ac451d7bb9e433cdf199c0257f0e2f7

SHA512
58504b3a833b3c191937be5d81ade63eb3f9645bb1ccba7cafee18a9f661de83bf45340630cd41a3bfa1c27c47b7e1550b96d30846919b90307a179871379b27

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1a70ee6b0562643360a6e7f0940d5033

SHA1
d34ff997710c86eae5f251dbf497352c1dc917e9

SHA256
f70ad5705ddb6ad9e9e0863e58eed1e2a027aa33d0ccffcd25ee53e5ad0cbd04

SHA512
23811e3d913096f0ded2e2dc542c89d26b6a66cdd802b445e3a4228ff0dac5295dd12ea17116e2292649c959255db2e55a7c7346ef8c4c21f6313ac8d6335f50

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8ef8ccc7856f18223cf1ca9873859178

SHA1
4135d0afa1c8918adfb97ee02bbc2b5cc5740467

SHA256
60cf851920d2c50b2c196bdf028a1f39c8bf4ec200de2f153d26bf5f36bfeb0a

SHA512
940de46d8761f87ad8c61475e8c6206796dcf176c4e94b76199e926a7c45c2c7e63d77261e3613e1954f7c19c9b3694ae84c28a7dc56cbccf0a2c14b75154660

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
893c438bbac1705c1a39f0e714806978

SHA1
9c919f8a3d4759515af954b8eccd06eb6754ec17

SHA256
5f327620eaab6bc0a69442ce30afb3371ed304f8f3e0926974bc45fba9dda664

SHA512
c83d8523cd3d43af384e874b30600628ea98711c6cff6db9554405f911aa8f8a7ddd2476969a6aaadf1a9f68ae6e31b70ab5db73d8218e9d59b1c7b4a093de99

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
12e1d517e861a74e9ff2f44cf822fdb7

SHA1
76ac8fe7e08ee0ffbacc9810855cfb332a352db0

SHA256
5c2dadb276db15e88562c0c3b068198dc46924343493e189615faeeddbfda9f5

SHA512
ebb76c7eccdfcaa20883d2aa087bf83dd41846f83ada45010e92852994737fac81243a36f6d37d09938167738c2bd478932c13c66a1e2df6bc4ba3bb685ac636

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1e7624d77301be9283679d09f7791c4f

SHA1
dcd06524415df7e33e7697011d31dd14498665c8

SHA256
88afbb01e0ded07695bfc579a946fb303b6bc44ff4e7c928dd7141ce1d4d3ba2

SHA512
1a1f6bad6c9d68eab6cbc272366d7e3439ebff0277df1e427f4ab65fdb8a8b76b86a70ea4cf6a86f78e83908e4e7505bbe42c892b68805f52c7762d8f343c23b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
dc30807a5dbddfc3def4c6f4c7043ab0

SHA1
ccdf88821d5a2ad7dd0489dfa7b6239abb39cef5

SHA256
ceac559366a4a2feaf591096eca66f8abee50fea9c747a566c02616030389780

SHA512
c24eaa9d3de76849cef6c415748d124b3e6d9120f2e26f32ccd4395abc423cbd68b851b3b20e013c0823f10db6aee9b78a3525642ccee86ff4229f2bf4c1acf3

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
6d58682e37635cbbf78e0c0c892bf1ac

SHA1
b8a3f867880f27ee6855d39a82687d85066e2aa0

SHA256
8d5d70e8cf1437120ae6ecde6e2e6e61ec5e60f86433307476ab1fafc77af98b

SHA512
94ca23102868c70a7bbeb2985a4dd661a1f7a5c8575293357c2b4b5d0026498b053588e45e8128a8d49ed32a89abf37a9d3df4ea42cb6e125fcd1e027e4e7b35

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
38be2a98dab67fc6781e4e332fea7e07

SHA1
2f7e8389be9f04aa2b33827162320885ce99201c

SHA256
1746be357f8b79c45bd7be8f14d4770ac1c7e76d3a2f3062a3363eb82d39010e

SHA512
b59ceefc8411d618787de47fe8962d8f181120d03169db0e17636050043d446deb458d61e17b4a31401bcc4c1c632f86d52b5daef34b8f327559374aadc9c36a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
0628392247ecf2c6f4543a50c6288dba

SHA1
d1b58c6c0ae5fce617f11c789be2f954ceebb8dc

SHA256
4a3007897bce51127b1c1b6d185a18918a70e04b175e53fcf85ecf3c49938890

SHA512
07d1bacea8afa247bc201d50f5b24072613c60938112dda428e463f1326516f22cc7fd1c9c216751224106e0f8cd66f8142f95d2e155bb0f9749f793b93f2ce4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c8bb72831d867e7ff4c80f6836365576

SHA1
44c0cbda48cefa53c1ad5c5037059dc85a990940

SHA256
f08265325b5dc0a3c5f9886fd741da86dd5ce4b64f7adf006db208b8e5414e23

SHA512
a2b1c700a427b8a5b6ebf9b0eab90934c8494a937423d663045c65c982de3d16cebf68bce04db0ed12366da5be0a92ca972b102afcd0ed994ef4b0e1167937c4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d36e6d13fbaddd7e5551d27be4897d13

SHA1
50dd5aecb174e5942b9b7f8bd50a30f0064a4c5a

SHA256
5ed48a164770c80d55c42e183fb471656d64eea1a847e6c58a8de1e83ec9d0a2

SHA512
eb5211a17ddf99f558c204fe3925706b8c778219371d63b7c1c436335143dea887c23264a33a07bd970fc72f841d279ed1d8aded5f60e99551ba3cea60fbea0a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
cdc63b8736e9589dc9ac47918d912188

SHA1
8a3ba00439694e84dd11d0f18b69e1b76734fd35

SHA256
cfb50f62eb7bb9c2e8844c9754989dd2cff96330e1a4c4d990a51b439285274a

SHA512
1d4b131aac0f577f83a776ea406c2e43eb311e9d4bea3e2a8e0f43bc653f17be696c6124b7652c134b79d82b04a79860b607c586dd3bd0ddbc7ae170074f5f35

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
687b9985d94d143c7fde360d1d29a6f2

SHA1
6a406e0ff701ce6ad7c047da1e147395f7295f68

SHA256
4a7b3fd28536ea744d18a4fd87fec1e79ab2d4ea8c3d202b7cda4e494b3b0352

SHA512
a2155122e71077745a659ac3938bb65c7e0d30f763018dd15ec8842743b33695c07f7c261a647aa084cb4d57d17a19a01250d99c8bbf37002c956f24126494bd

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
dbf904b2a0cd953479de8ade38d18986

SHA1
9c8ad6b434b2f1d4c28cc3de87aa04a649999833

SHA256
97af1a0ada31fce0a9ae305f054e55f5a625af4e550ce0c87343a5d47d32260d

SHA512
73f961310d063e123b3eeee808f5e2c9418b1399afc2d374bb65084d9c7d3dde239ca742e3398e7be2506abf5167a2d7528f6659d0115171178fd89254f62857

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b8cd2066db79ff494a33d5e4e5192cc9

SHA1
509acd9543737a5f6c78be290f30f9a86e17a0e5

SHA256
feb64a52e4958447a87f5c529da28518d2da705d750a7391ce026eecc0f69bca

SHA512
607d46036a7e6c600fcdcc7f19518f989a6066d5a284e664b1108d88c4b9d08963de7f96a3e9b2702680541701f42822e4b086e731ea22329d006da935857583

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
38d48f85c9b772c364cf3643a2d2f093

SHA1
7ad039abef7d3059be2916e73911fd4ed024ecb0

SHA256
e94f69f71425f67d9950183b1e0d79e45403867563d2f6ce37fc2bdb77efb6b8

SHA512
de3353ae745ce6d89dca41f6eb66e39291bfbc0a625db942aa125c48116dbb7b0dc8c4bf663a45d2622695ee1464f4b4883df0c0d78994a4a44b0ef68c285ec0

Download Submit
memory/564-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/564-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/564-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/564-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/884-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/884-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1264-178-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1264-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1264-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1264-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1376-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1376-442-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1548-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1548-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1636-57-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1636-165-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1636-51-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1636-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1800-47-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1800-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1800-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1800-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1800-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1944-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1944-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2340-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2340-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2460-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2460-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2460-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-392-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2492-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2868-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2868-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3732-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3732-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3732-91-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3792-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3792-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3940-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3940-476-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4076-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4076-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4328-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4328-326-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4416-7-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4416-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4416-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4416-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4416-62-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4592-480-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4592-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4596-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4596-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4608-13-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4608-89-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4608-19-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4608-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4988-471-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4988-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5000-74-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5000-86-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5000-84-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5000-80-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5000-82-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download