593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Size

603KB
MD5

70f6c11af880dff1457be74d31de9550
SHA1

e9707994cf2b9d9516452a75c91dee6784af7287
SHA256

593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3
SHA512

ba7f7e7ac492a6eaa89849d1ad0ddaa25225aa6ebe90161a683513b7b5b73583d1c8c0617f1599e870877391a3dec2f1a07ca98c68701f65976b572a2436edcb
SSDEEP

12288:PAvFvIxn85c6S4Hb4849nIYVjIlCOU4hog96o2gZ:PAvFv65gcTVjUCs2Vo2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4544	alg.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
4292	fxssvc.exe
2128	elevation_service.exe
696	elevation_service.exe
4896	maintenanceservice.exe
3972	msdtc.exe
2276	OSE.EXE
3448	PerceptionSimulationService.exe
1248	perfhost.exe
3672	locator.exe
2800	SensorDataService.exe
3992	snmptrap.exe
3404	spectrum.exe
3752	ssh-agent.exe
2004	TieringEngineService.exe
4328	AgentService.exe
2856	vds.exe
3640	vssvc.exe
4968	wbengine.exe
1520	WmiApSrv.exe
1912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\locator.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9487e1e0c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\System32\alg.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\System32\vds.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0ea797a26aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086a7387b26aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e699a97a26aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2cf207b26aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006225947a26aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca00f57b26aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb2e807b26aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008953a67b26aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003487967a26aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084af7e7a26aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015d7857a26aeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe
1036	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeAuditPrivilege	4292	fxssvc.exe
Token: SeRestorePrivilege	2004	TieringEngineService.exe
Token: SeManageVolumePrivilege	2004	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4328	AgentService.exe
Token: SeBackupPrivilege	3640	vssvc.exe
Token: SeRestorePrivilege	3640	vssvc.exe
Token: SeAuditPrivilege	3640	vssvc.exe
Token: SeBackupPrivilege	4968	wbengine.exe
Token: SeRestorePrivilege	4968	wbengine.exe
Token: SeSecurityPrivilege	4968	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeDebugPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeDebugPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeDebugPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeDebugPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeDebugPrivilege	3592	593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
Token: SeDebugPrivilege	1036	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1912 wrote to memory of 4352	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 4352	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 664	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 1912 wrote to memory of 664	1912	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe
"C:\Users\Admin\AppData\Local\Temp\593fda089aae168b1795d9089fc6feaa09b0a82d8a897857de3f918c51675ad3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3972

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4944

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4352

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
24fe44781588c6fa49c358a1ff780f13

SHA1
207001c607455c6e8c3a43db914bef75920f245f

SHA256
3ed77e9357aefb0c09f26847f2b4c9a960bdde89e548550c305c52f8bcb9d813

SHA512
ea0eedd973203623163cefa9ebfe7b190a11fadb7ed62c5e984d792cb87bf6e350247f4765a8ab8bf7c1fc299acf17bd4c870255116605130fe8e9f3cb0d3eec

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
73c7bf9f573e1a99c46045d8f36b6c5b

SHA1
21fce9566f971451ee07279562c3393d78eb7f52

SHA256
5d96df13020f0c559854279c4fb6a586a267dd7d2631cc695421e01cedef2d13

SHA512
0541eeb4d0201b893952487fdca569e330f026bf6d22345b2d994269d5438989aeea29eda22e80b7e785c0863651abd32c154066549fa4bea5ae03e550a75724

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d383fc7b0303dc167ffdae1751fbf598

SHA1
b3eff991608ba40b63e7c4c524bd21f359799bae

SHA256
4025d0dfba41722bb9d39b128626379091962e2069bf493a34b481d0525bb5b3

SHA512
b3c8145c8bcfec8f56bf6c0667db380f21410d8b444094acaf77d0ef2e5a561e87f1eb001c065ab3e3e26f89a029c20e0160d9007542ee0bd1b984c25c93dfef

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
496981c65a84df4ef7878c29d5a4ac5e

SHA1
9ad13415e1249514e21d9e6e3b6e4404a581b7dc

SHA256
2d5173fec9f8f96d86ef378ee099a9edb43f4c7d1e54be5bf4bb2f1d53381e54

SHA512
a1fffed7c3c1336e7c26378b576953a4aad83af5bf1af358129f22ba9a40cfd31e19df994796aa698e91988d9ff28d3fc273998218164e686329bd78b3633793

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
59654cad09f8c9ecc3dee3e11dd0f7f0

SHA1
6810bf1b86cb55a5d0e347b8ac13953a5c565e68

SHA256
edc0dc2772f218ec4ea8a149b75115ad6d017434e2e683fd425e2b847752cebe

SHA512
6cf6dcd56e7933221a228dd2ee9c523b360a42a4f486a828604b4eea8065989bc5c8a25ef6d9cf3869884351b7c0b2bcd9944d2e07419898345ecb561717cbfe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
83ffbca5bb7f60af7783b88709d3cfe9

SHA1
fa8cafe54eb6a3830c0382d61e934fc4e92496e0

SHA256
787e0f1a224b619a8fcdf9e9ac5307753c0d4912383d7e9fbd1b77d534a9bc8f

SHA512
329655f00423283f9635e34baae8de195b74eb7a9d4dcf5795aaa066d86affbb505622c1ff7bd885b793d0738228be9809389d946368a90d06e7fb2fba563bd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8fa3affdf1fe743677d2180e104361ed

SHA1
11b7f0b3f8bef4a38f89feb790d1199c1d1c6adb

SHA256
77c9f94da166897dc7d2dba0ba1a8e889de61a5d171c6ab41884dc8b97089db3

SHA512
ed3bfad1ce753639c8f96280af94aacd7154cb9ee9279d9149cadd277b89f20c9cc73f820afdfbe0574aa82c5f71e6396aae0d1714dd3a2a46b8220ee3ae0193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7f3375c0f8531bc03393bdc7afe52563

SHA1
b7f6be02d892c442f31e3d53b1483910af2a01c8

SHA256
b4a85dd52b4ad2fe4b4d29211550fcd9a6933a13bcc46d8797c4769655c1d1e2

SHA512
0431777b0ab758d3eeb1f72b7c9a69fa542d3d31ab2ed0e8feb9b8720e2010ec2035d5ae8bd1743a957901b5979c927c297ecd07f2fb77c6490ecd04a24c3c64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
4308de043542df6d26456c08fa6b5630

SHA1
a8ba8ed743e2171a3eada3a9531ce49faa4da69e

SHA256
37d8150e7f8c21a433302ba08451e0b6a942d42b334463f1eeba0e614f42e20c

SHA512
6e73786e66b9b236b6dbf0af17ecae9bb32ba0fd4ee27d56ede5970a000be332814d145240829b5e975109c18ddb15ea483f83236d4b0a684585075a2168a580

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2cf8e97e6595c3b1d569ec83692871e5

SHA1
83307635e3baaa3d72b15b3780287ca5a9ab61d7

SHA256
eb72fd4e1b4feeea871fabd4c824240b4cef99addb904886b8af310b82502b0c

SHA512
4a94bd372f55541cb0576ede1d32acd651285ace4aa8febb9f70ac637e63a014ad37f8a5b63a1eeee8d2832aa2bf5a65362599ea74bcf69a8894aba61025f6b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b0135b580de8646fc815b079373f1194

SHA1
d420ff7c8d45b2f4d74de4f2d4e905f157ad41e0

SHA256
d50e92d39a224197d75e4b5131f473f30cfeb79e0c96fb8b846f93ff6aa29db6

SHA512
4731ae62da1cead923c57a3ad01a30ed0294be0a4fc4a46df4662208eb21378bab644f5b803586e8616cf798b311c5cb22c02a03819c32dacf067c864e5737b8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
96fc8af07194dfdc4c9fae1bfff4629f

SHA1
e36344382e3486e94e6c5aa721eff2f90ee6dcaf

SHA256
90af2fd7855b10d124c4e7119bb1bc064f661f2ff392a3fbe6377e821bc29461

SHA512
f53b5b3c8f4c8d215eb7b6a3571b7d792da7883a8f5e832fe3ff52b4079a7b501442d2fe56670eeeffdc1a3092e3d2713e92dddaf787243877554614c064e21f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
030c2225939aa30ecf669091f77b9cce

SHA1
0b79545191f61175e2d3af57fb5796efc8b989c0

SHA256
8872e7cd44eeb278a5c62398f0fa73c816e4c276a47e8f6eafcc4d7588113323

SHA512
6b158d3bcf63bf95c296b0ae1418859e3615d53d8eedb0cddcb63c2aca4b58dec3469beb0db2245ca37ac3a5844fa68e56a2dc6aec8a53972d523a0cab51b599

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
ff3efa75cd468f0d004a1c460b94b836

SHA1
34c378f2a8b62a759fb4f7e0d8e63aaa26502ac3

SHA256
7a3679f103a18478469a5b9bc035616d32b1ecc3ad7e754267e56da0d4c963ff

SHA512
4e8ca1f3d08818bd2f8cca5fbeec8c8b05d0e0305b4315da6f2a56d8a17ebb8fd25ef583952f0df30265ea1bac93bc292ed0ec5cc14090fbd576cdbfb7e37093

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a39c069e7a5cd073c380d74442fdb0c6

SHA1
fceb817fe3ad340e5164f4b46c4f9d3d05bb2707

SHA256
2872ea6bab3307896312ee9c64aa3bab49cdf5ff95c1599abc53f0c8bd269b01

SHA512
48bc251778aae147a5608d818387f5a55e7b3d28b8f4df5f25d13be60aec26e40408c45d0c9a0ea1608cc89513e4963b3fe338e968a69aaea12537f5c0f13cfc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
36a3750b052ee0ccd19325d50f26ac7a

SHA1
2fe24918e14486263fb1224f55548c781a4c1318

SHA256
a0852fc79b0d1c1b9d8f77d2eff4f13118cc2913ab458e1056dcfdf343694daf

SHA512
4714dfbcf3a2e5f9aa33c4cf278f4702ce62b72a45ea0471cfa0fe16f126ff1c2df4932e260fa94619c78963735487ef9ddf5677ab4fac74301f2db765774556

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
65fd708a40584d41ed7cf0cd9ab10e5e

SHA1
68e7563ab2a466e8940de21b1ad457f10e3c7892

SHA256
2526aa8896a81efc27de2c22d13ae0eae19be99df897c6a5ac63ed327e9a4415

SHA512
76f503986d53e66b0f5437e586e9fdedf37fbfbb52fa7ebaafc45a60164a1fbbced2d39cdab2b4be69e188e71054939ff84ba29fb75248ad539609b57325e01f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
dd1ad4d8deb9f473c0820e766f49385e

SHA1
e39e17cac683e78d637753f0e056c8a7e9054fef

SHA256
63a529ddd34955dc1a0c0490752fe33a91122ea99c86d7c7ee32fd491825a48b

SHA512
3f82a8e1ad0cecdbcfbcaa25a2902400c4d5e11131e45f6c0f31e2e22ce8d5501216a0194202fbaa36f2185ce8e30e79a1b16de2d523d4a479dc6faf849142c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
1d5b84ae73d9e2fdafef573cb4f8354f

SHA1
f8fa6307f9114200fe442a04d0c8c09eb64729ee

SHA256
18e4d98c303d0ea41de33307874cf45b9186ee1be136c81587a5f072c7af52c0

SHA512
e9946e4ca3ec1de7e6b923681e75c316dc76f87b9cf4657995a216f820a49888d6c125bd6cb935eef3a5dfc8cabe9510d6d2a9612496fae047321c4c540afebf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
70267a05208b8fc91118267a9227edf2

SHA1
cfd86bd032e83da853382f739360226950ed274b

SHA256
8aa52d9e8ea1a4092df92a13fb44104feb09b9eda38b13c542526a85ee34c9f3

SHA512
d6aca9e0e2f6c2e59aa52ff2ca569149c6d3f9ccf508babd641f140ea53390002770a61973472f1eec84b528fd10e3f783c8d5ca9ce8e9bff47cec58259dff4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
bf2d1cc9f50072cdd31ea2011bd6fd82

SHA1
aa840c83f5b0ee9876bcc4cfb5abbcfe6967aa49

SHA256
052defc4ddd7190e88b4c6d306b51634848b56b58110a2bb80a3dcbd3c2bc7d2

SHA512
3067eba3e1b638aa1814c0fe171b96df8396702604e2480ec5078d4cc596a3d7e7959f35e53717e79692fe340d4f0449caa2c1a720936c3c9b2a99e5dce7f353

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
2286f25d5ffed16e0cdc28fb4ba34a20

SHA1
977758004e8b0f05fcbbeb5b65d0273143e8d1c9

SHA256
38d06ce0bd464a895134adde60c1ae319e060544eb009586378d1696529b2cce

SHA512
4f86d050479c826dddab3c5c794a598780bae9adb71a3726f5e4f34b5f835efc257ad3500500ee52204e370f24be344bf95ce8db545c19b85235b147ff762ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
66defdcab702881a975965535cf36786

SHA1
e5febb5d9e3d5945916b39da1d67126b98c13d0d

SHA256
21a8204884c6e6c3a6f5c346ecf9fb7e7ae0878ddb4712709d3b83b2017a0b2a

SHA512
280555b6db25c03d57b9169b562c667e8d3da34b684d1d0ffffdfb81f52f89b0efc3faa8f8c86740d82eb163f892ce5b700c89a7ea03fb7119760d0df80e1d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
e6553c2a0e108210fcc1980ddbdc1ea8

SHA1
305b4a14d3e74cc9014d2e0d7ffbcf3f34f92f2c

SHA256
fa7a9f2b2b152a2f9c207e7b2deae18cadc76bc09dd5b433fc94a788e82ed34b

SHA512
cda37eef2f45282a11130c91954042e83887dbbe6e89bfa6b6772f954d5d2ebe4d18d704e0a39b3c0e198db7fa3faeac11185b5ca52714094940a03aa99cdf7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
553fe62c90a9b1801b5f4421be41bf57

SHA1
4fb9c88dd8387efc41b879cbfeb38a866d56f836

SHA256
c4888c6a3d2c76d01238f1dce5d125ac2ef0afb8deaa4bfe4e98f83596e3e301

SHA512
304ee18c2875ea4f78d385956879363282cf9693fb53201c448fcd0f23880d9a48e08510ea8c6dadab583fb8925fb95a0bbddf49567d001a0ebdbcd0eaea50b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
c2a83bf52a9697fbf0ac7ca9a479686a

SHA1
f31ec7fcef692e6136870a18eec991a6f04c3468

SHA256
4ea508e1768d908d9b397c9957ed5740b44586179cfea871a2f19e459f86fcb5

SHA512
be7742a49cdd1b4785b85d25b4ac490f1d16850629f47c8d7f725cf9122866412e05aaa1dc8d098239e16187fdc95767270110cb5b811dc5ba16cd94b5107d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
0617fb641152d822d1893b9a4c71a992

SHA1
5b9708d1693055b7cc299cf9fc1eef8991d95970

SHA256
e6d97ad76148eaea82ee9d7fcb048c117a543d0896db14144dd12844d4b4a49f

SHA512
b67f080c4d233a228520a637d471ef3ca29a89c25b12703279afe19fc9c3074c1e097578fb46a71ded742901b5b0d1e296a58becbbdadb2d102c62496a7f7e5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
414fe9a4f292965aeb27812beb234ef3

SHA1
d287ecfb6b647b2d759aa727250a9b912eaaafb2

SHA256
006b651961806bbf8545cfed50f4fdcb6b14b5c98a4759230e5f428ed085a673

SHA512
502eac5fa4354f69c39484e574a4af29881e423c2db3bd590325d6fbb73035d9db6d7485805c2b70ad0c2813f3c84e9ccc43bcc8e6a65a9077494a09baeecdfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
6731f0f754ac2cd38bd037377bc7833c

SHA1
0241d9c6d9bc81c32e85c5df69e7ef96becafd2c

SHA256
93f5c9334b03e8cab18786581c902a327b327c0aeb811ac143dc49bc130053d8

SHA512
9726fe7bba9c44c8d3d48ceb2a8a897b6214daacf3dae2b5b7b5d4cae569c9c27205e3fe302b643a767d1cc131295b4df537723b0be98f2992b7b4fa8d9b2c48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
43d87b6e5f0426ef33f3ad4e813632d6

SHA1
c94b3675ccb2085e586efe7613b95e0b759f6247

SHA256
c75541121ca285361441ad031dad46a2b13c995ffb4cbc84aa81b049b5e72f55

SHA512
1c5fef96a9a42e5c36aec438aba8b504539a4e869ce0cf1a4775c8fc8765d5ef736124dc65947ee55d6d40c07c97d42f8add9d558e67799c018a075ccf4b9e23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
578cd35eaf471c923ae143f31832b252

SHA1
1d67e623a746e21e3c467344520068d3eae72bd9

SHA256
b9fe40d06f9157c2746f5fd904a48a09b19a18eed29a807748826f1519461118

SHA512
c860a0a3c80d4d123d120f3ac365a2738f813ac4d943e451c0cc40c5d6d645077b2f5b1c643664e773ffb6871279c42d5131a38a4f832922e50904fe81d5a446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
3069715b28d43dd6ba1bbdcf4ccd1a1a

SHA1
a3a8d96e79da6d8b854ea0f49240552b9b33bdc7

SHA256
efeced055fa8788f823b881ad90c6f52c55a8fa7321909b8d00db68843024a57

SHA512
654715b4f3d5b3da21e0034c06cf492b79574f79f1a125c41549aa3558040ca15b14620544ba2b21fb25d5ab9fcbb2591a6661774ed9d6bf421d71d3943072d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a338b01f18a38cc8ee0334bb9b148e66

SHA1
707840fc50a3a31d9d1f6cd014b219e2e2261412

SHA256
3668cbb159eb1f4687c7a3a5f29dcaaaaab4c9e2deb7f99cb3ad02d2bffc6bfb

SHA512
416a252891755ccce1466c76fe8ce1766f0956668f3fc79b81d660fef7d049bcdac00cf369e1c337e67b287718f63077b9a5e3ae5338a0ffb5d459b1274e57a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
1edcccea2b4715fa2d50d22c2ea4afec

SHA1
c46aa72282014599ecdd37082e2cfe409223ef74

SHA256
5f1bff07ee662621888b6bfc9c556ac6c9303c4b794d02cc5b4d76a3a6bdedd5

SHA512
a1a25c7762e5b4c5124a92f146bc40ad6088e902642a954392e44dae0b408140f96090f1df7cb418115155d51b4de82b798f5612423abf4562859c9f203e578f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
03e7d88ba1526c666b16207ce36efd2f

SHA1
294ac031a61c22e7fb2ee36b4bd11c6b33bf3ab3

SHA256
0400954a93b34d092417dab724b0b0c13becf8066c0df572bb43fba40f429f7b

SHA512
4b89f8831bb775ad541824a78f46e913060563cb914b64d471fa92f8b7105c0e51087be7fa801efde8e943dc8c919335b1d89bc4374a685f96abc6db7fda4125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
09e0fdb95273ca0cb9e6eb47804dce56

SHA1
255a28bec74645fd706286f0e1d3002a65395608

SHA256
05662d61233afbc78b6c8d4e07bbddc0a9237697eef9fe44bcc320ace4893391

SHA512
296871e750578838d12f39c170df031c9693d33b7dd88f842873cfe97f502c71e83857234084e260f8df11880a25b4c19a8555babc3ef1e2a7ae42038dce0527

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0647600a62ffec4058f3561f031f35d3

SHA1
4ee66042fd57bf74cf5e03a8aa57a2e7542dd05a

SHA256
b9dc91b5855d5a24008df9887d8a86c3ec0ff5814968d4cd32483a57e76b1628

SHA512
17a1af56277522c74ffa099bd0065992a338f27f69741f91d089fad03c1bdcd283ec77c2a2332af2018da5929fc7fb572cb543a47cf9d7f0d88209e5052d005a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b7a940b1469416273e798f23b9fa812d

SHA1
66dcc91ed6ea270188ad3254f538b163e5257ce6

SHA256
ede8b4560475571a31dcc21e0688f2250bf82497210f3035b986390d526d684f

SHA512
4595d21e5c5e69f020c4bd79062384025a876644e98b196d726f725e1ff2e0e1405dc7f10378f898aa58030bb63d6871b64e0f384f49588dfbc9819eb4702b23

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
858544ae5f3f499abac8c3d203dee357

SHA1
698c206924b9a8359c9a7c6a00c5698d32878bc8

SHA256
89da9ab76c9ba67658a9d554880f3e4b8cea6a75d11132d0fb9c1985bacd1712

SHA512
023728c75a539e10e3f52054d9ae6e488cab2676748f0fe1d9e2bdccc8e0c3be2a2b595af7f8037ff93cddaf4abbdee6dec2f6f9647095f41338c52700932328

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
220efcc3aad346adfa95a371fdf71053

SHA1
78f414c9cc0dbb27eb52f5ce5f67d82373fc0a48

SHA256
ba14cdc2cca0ac30dbd23b1de06dbe17e45d9b29c4829e25f8ddb4e77b8507f6

SHA512
3254efdc8cd9a2f9d75a0854d9d7f0b1fd4dde142d7f9f881373c3939594a096637c419dd1acda18b5e3818e228603da76317807098c270fb36713f4eb498963

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d7da7002a4317695c25d6c31b286badf

SHA1
2fca96d3e3597c012d1a2c9cd045d35d5f36db45

SHA256
ff33feec807d5221ebef09e29a4de2c31338a88bcc60861e4abbc2a6710ce909

SHA512
9f7c088de387beb1b76cca605e16d825a7525465371ecc9faf867121c5bffe1badb7380b4f7114102366793ce29fffaf04395db643d1ead90f69749296b22dfb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fafcf96de8ef0f3cc4e5396b83c0782f

SHA1
d319db470bd2b3f992ac5754f091169e55182b3d

SHA256
1cec6e832d3e1709d8fda6f755675f80e10a91f8a49d2dd0823b9f2a4c29964b

SHA512
b9a5306765e0d06325443c80abf57b3713485a34022985ab8a3b1a27f1d3ea852964d9c8d3d6780604efa5ce04db45fc2f5d9e3f4b4a696a98287b9b9564783d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
36d967e8815b1944789fa2aa76e12919

SHA1
43de87efea1d047ac8a385562f85fd481801f35c

SHA256
9e108783c7a219ee6a926de4dfe164b62264df90d559b283c96991e8dd42f540

SHA512
98b4bc3b5ee8a809dcd93a05723cbf533f2128fdb766cdd274646117dfa4ceeb4c57b76e0c598350a62586dbf9f6f88563030586ac57434dc9dae28c7b10f9a3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
d1ec8969a4d387cc103d11af11d2a412

SHA1
7de650629df82e1430d37f0f52013eb04c8e02dd

SHA256
4e5bb06479eb7222195cc576ebcd00fdf4e37c47a7b42c1e0a9e67166862d418

SHA512
bc94061567cea67e9c3a84aeabed60403bcee0079787ac23376d00cab19cd094c02778a123fff30c895ff8d2b3236d6494b62ebcd0f6513725cb39af8e6ca34b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
44e207e5874dc822c000bde9d0bdcea9

SHA1
f4022dc058fc4139f106debe1d4e4445f603133f

SHA256
cec1ed9db0bb29ddda28f4fdba8cf9800a509d5a30df56d81795e35c82a06579

SHA512
0e29debbdb1e9a03ead928150ec29593db27b7733dc2643b043b3612344f1b2c3834d335ebb56844a08d689569658ee2826794d844c64a7efba4bee3e790bb8e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3124885dc3fb211fdac90336c39b2f26

SHA1
73855f537f576e807a04625b0942824bd492da30

SHA256
fee3a2b30fe96fe0ee95674e53b0aeda30bc1534f368781a576a4dc943046948

SHA512
7557512b3d302388a8b013e08ccf933bd09c615e79c86e15beb772b9b9ccf64563acf96342ee5772e62e3537f0cfcc2eeba51d135d0c2ec41cb57cb0d655b624

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e57a975214a547aa465ee2211fd4fcca

SHA1
9da0913acc30c6cfe9f3afa1347270c3a24376c7

SHA256
ac7b8a78d20ee7c7bdb2f83c7729de432d2b8f22edee1e062c36fbd8a09b66da

SHA512
f3aba1780d51cf1611e496aa75ce6335a0ae89e6f4773dd02c1ae68abb665c305c9c0715891218704bf5f1768f53266b0909dc8844c88a28bd52b8c180c9ea57

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4e1dfafb53208b6bcf7cf76af97909ca

SHA1
c00c7a2d33049f47314265ac42327c7cc1ce3ed0

SHA256
f1b1a6e4af86cfcb2e12be0e528ac0cd60faa4d40dfe5bffd5e6855b98f22ab1

SHA512
13a979e78c2bac219af2ea4d7d29d9411b4d4bb2d993e25cc3f12fa0fa56a921da96af26bf88fe758724c94dff8391b92eef16020b0e0df7fe98881d69b9d4dd

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5c0be774c4a9816d1025eb75f6d9e90a

SHA1
23bc852384e26479fafd4c6f40ae0f08f99059fc

SHA256
ef6c7a4b31f944a714eabc49d4f27d7a508d569dad88b5dae84543f7c2c00906

SHA512
33f535dd4e95d80f1e149e090a3254184886de2b33b41a5c9c760ca48ab33368dee9ce1a004f6495e348059a4191d9f7a4a37bdf08a06e51e17a1161d61458d6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
13323a9aac21769458ef9dd87d741dc0

SHA1
20fb88edbfa045547eb7c817759be5d1acadd583

SHA256
c2d45d312d9dd937bfe1aac1d3fd0d667a3cbceba1c0ac9c4fcedda38acf934d

SHA512
6a509c244e3f756bd3646fbfb8d579bdf3da7b7f772bbedd7b159b967cf2ca12703c0b0790df9fb31c050ac6ae1e1a589329bd9a30e4af62c4fbf5d547b1a693

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
e17ce70c347e6ab7645b46e47917beb6

SHA1
12dadde6d30fce4a43a51c3db2ecd98e31a548a5

SHA256
2cdb233cfc97da38b24069dac54e373a1ea60ec06eaf03f385610ec34447f072

SHA512
2e19c814c9b2046db8a1e19c5da1f7de1fdc9d5f3e3583ad53f3971feb607a68e970b8f49a2182b3a998d26d2777b08d3bf6cd4a7bc95233e5253b3701ead549

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
0f907b1e2593b5de45fb0a2078f4b224

SHA1
aa8dfb00eec7ab008dbc4af2a4f30309d7b56294

SHA256
5c13550bf0ab0573b7a20997cf003206d1f2a28647c7c2370c82a484301c3c20

SHA512
882b36833553758a805d25a4b5bfbc4a7dae3489b6f3e8d30276abecf39e3cb7563fb5c63dde07626da39c10d774e81f4d573f8803c7fc4c6b59d4e47f0f5c70

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
fcc47a04eba2fa0be1d5e7e25f7ffd84

SHA1
6438b1c99eb09273752e2ed70253e4599e455c09

SHA256
6d8ffa2a7fcc655cc9cc1fae0fbcd4ba4f0b6a7c7ab9a39e9b5912adfcb78d05

SHA512
02b57ca18fdcbf49dbe52661c7dbdbd6689a5fdc67074969398decf42779cb0999fc3f263e5b6af5c7c2116dc66d8112bf71f9f6f57f7d7e53f9a4f7819b21aa

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e3a5e908ce17ddb5d8f90630a7cf95bf

SHA1
23d49be0d3a2114e1c9bb05e48031001979e98bf

SHA256
c895405e6a870c1c2a064ddcf9df0570e8a98489e6215e505b3bf8b67b07fcd1

SHA512
b3fb6f83b2566833f6e4effbeb4f360fc414d8b7d7b60f95bb8e6cb0fe68f919a72026a4742645fa3b4f4a205df7bbf8f643633aca07e0c56ec407b692163157

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ad7766c396569e27854b526b8947ce9e

SHA1
f1fce4bd25708cc33a24c04042d229844323e607

SHA256
9fbabe29d781217081a8f4f44439809da92abfd9ab6710605acaf5a17341b6d8

SHA512
496c667f90267532232f6d1061368413bb562dff9b9e0f365b513749e3ee9bbacbb5728f399f12f8db36ef7b8291da6dac704a94efebf77bf50392e73d630e09

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8ea40156a92bd2884106328a43951319

SHA1
b9467f0b352d8cfe1457d1377875234fb4ec8ea6

SHA256
83f945cb798e6b7d129447c74e9997a3f6f84d96bf261cc3e937a6a0d667b682

SHA512
7e767ca77a5227737ed2fe3c0200d98209ea5d34dd508c7f0a9bb725e8053850022e9b46cbdf8e77a67b06f0ca102d2f40153cc47e0aca8840ddb50e50245cb4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3461c00826f68b7de00ca564a2529010

SHA1
28775dd803780eae1b60708759488a4621e6c5b2

SHA256
9e7b8894a9bb818f2830f7ef32e4e4fff3bbdbeecaa3f6cf5da9deb1701a5e87

SHA512
9b000415c7f62dd81b0c00b67036de8172212d368f7179ab394507c98c69e6b3d6fe9333e50c966f5c77dece4e827d535c5e9f0a8f2cd6442d94d23e11028343

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
c22dceab518ae0ed03de8c653a10013e

SHA1
e75fd4f55f4ef66f1e18377dd48597a5e7433277

SHA256
cb9474f7a72b89428292bc825e4a9dab6bff2c737fa4fb540f36cdb5968875c4

SHA512
f2ac12755ba897bd54cd52f267e5d1cd2b6985de8b888ef6c8a8f4dd7f16ea5735c85624454b7101550ddcca24a823290fa2f8606a275692a64b007922cd1ff5

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
8d20f95d9c6131c977f1b4ffd932887c

SHA1
60b35625f645c41f2fbfd3720267dd8232537652

SHA256
21b3bcec1136100cdf43e53a00c672357064651ee3ab3a11969e59b33e538a13

SHA512
9fcce44d42f5ed9998e793cced5bafaa1811cfbb4885333a4d963b6ca62bcfbb51030e678c08167bf582c0a95bf7705a2afbe2049f690d0de2b2e32af58e927d

Download Submit
memory/696-494-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/696-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/696-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/696-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-390-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1036-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1036-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1036-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1248-138-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1248-96-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1248-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1520-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1520-496-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1912-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1912-200-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2004-164-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2128-32-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2128-39-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2128-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2128-491-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2276-79-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2276-136-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2800-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-487-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-202-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3404-162-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3448-137-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3448-86-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3448-92-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3592-1-0x0000000002080000-0x00000000020E7000-memory.dmp

Filesize
412KB

Download
memory/3592-201-0x0000000030000000-0x000000003009B000-memory.dmp

Filesize
620KB

Download
memory/3592-0-0x0000000030000000-0x000000003009B000-memory.dmp

Filesize
620KB

Download
memory/3592-8-0x0000000002080000-0x00000000020E7000-memory.dmp

Filesize
412KB

Download
memory/3640-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3672-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3752-163-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3972-135-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3992-141-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4292-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4292-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4328-143-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4544-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4544-389-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4896-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4896-61-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4896-55-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4896-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4896-66-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4968-166-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download