40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Size

904KB
MD5

063d342191946db08a625949dada166c
SHA1

9ec02762ab043c30370fb21befcf9239c8373b5f
SHA256

40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc
SHA512

ffe1623d5ab50646c6fb599a8e2241ccd2bb4555d0b419e9920d14a0154fe8a471aade439332b1e5e48e640471061fd7995504ef3b0649a75d8d6c0060571301
SSDEEP

24576:hKAyDZTRW8fde3TduSZpUR0GHrVQ1aW4mSOgv3isi:hKPDZT88fcpAHrVQ1/fSNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4736	alg.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4840	fxssvc.exe
3536	elevation_service.exe
1676	elevation_service.exe
4656	maintenanceservice.exe
688	msdtc.exe
2924	OSE.EXE
3052	PerceptionSimulationService.exe
2640	perfhost.exe
1336	locator.exe
4472	SensorDataService.exe
3488	snmptrap.exe
3508	spectrum.exe
4752	ssh-agent.exe
1652	TieringEngineService.exe
1776	AgentService.exe
5036	vds.exe
4436	vssvc.exe
4084	wbengine.exe
3284	WmiApSrv.exe
1828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\System32\vds.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\locator.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa9e15e6c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092ebebf22cc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dc968f22cc0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000693719f32cc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cfc1df32cc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f23538f32cc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a67c0f02cc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeAuditPrivilege	4840	fxssvc.exe
Token: SeRestorePrivilege	1652	TieringEngineService.exe
Token: SeManageVolumePrivilege	1652	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1776	AgentService.exe
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe
Token: SeBackupPrivilege	4084	wbengine.exe
Token: SeRestorePrivilege	4084	wbengine.exe
Token: SeSecurityPrivilege	4084	wbengine.exe
Token: 33	1828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1828	SearchIndexer.exe
Token: SeDebugPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeDebugPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeDebugPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeDebugPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeDebugPrivilege	3000	40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
Token: SeDebugPrivilege	4724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 3120	1828	SearchIndexer.exe	118
PID 1828 wrote to memory of 3120	1828	SearchIndexer.exe	118
PID 1828 wrote to memory of 860	1828	SearchIndexer.exe	119
PID 1828 wrote to memory of 860	1828	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe
"C:\Users\Admin\AppData\Local\Temp\40e5b807fec50f0734b0c8ee98a876a8b06d74d3ead5e342e6cfa5ca2bb640bc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
f0b8cc27141f1c35f522dbf3f1c8c7f6

SHA1
d23145c5c4f907b24a9ced54c56d7d07182f9ade

SHA256
0c97e12a71420d6c6dcf09d881fec864997b7ca4ef62e98405d0dc0ed4562022

SHA512
1e1803647106abc31e65359830013c8187775d6262512b6b97a69b52e6fdb334411be34b65ac7835eca0248376e227725fcc408689caa20149d5d8279a6b3f36

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e2b0b88553ca63c502085305528e78e9

SHA1
57287e75b8a564ed4745a6a3784b037428af3825

SHA256
d01042932895e946c468d71fa07c59059b4289ee65d4698cf8ac250d8c0c8441

SHA512
aef0fb99afa739330c7e86164db088d5f477f4474d430f87b0c0734639e05d44535868ab176621bdcf44718c0d58328b466e11020c743989f11374a813171ff1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d6a2f04a9968634fc456e6a0c7a37e1f

SHA1
a7fba75271c936ca2f2a277f27d617138de22cfa

SHA256
006fbeb8a53a6b722b2eaebaa5f008d08bcbef7258f885718a3286b186462686

SHA512
5c5ae337ced4f562fa4b38bcbc9d9628b420366fcaab9192800d6e4d2125f379318e77ec35adaf081b5f27781e39f88aa6e08f40ca7acc8b86e7643a95d52761

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aeb630c9a4c4ffdb5d510df1c70b59a2

SHA1
6ce6f4e0e8e995dc9d4f1385fa22f181116b925b

SHA256
ccdafa6802a99d09e8399416053cbcafcaf0f148ceb51ebbd1f0371cc8785e85

SHA512
5d52597a0fe725c22c951df145cea458c641ce64edbf1a1a4f992b3f1c2cc4f5e0b11d5778e1deafe3258f9c722eddc2916f9fba3204a377c6b0db4bacea0c6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
abfe68c9aa19173a5618d473e9e30071

SHA1
00466445ff3642c4131a2dec352995bfd51c5422

SHA256
9eac7772ad4ee6e7c7fadf32358b4c9c072b3495bc17d7ee5df92dea4701ca69

SHA512
5e3f1a3224407c9a1bfd122480d17dc2021764e04bfd6f2913d7a2fc6552aa6ccfd56a34538c97a3ee3265ebf735119d8d795df371a2fdca582e026645236663

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0978eb43b38144e1b835d4969c5ab84f

SHA1
78286a570ff11ba728ccbc56637b20fa5b5e3812

SHA256
284077c5a6df4fac4133edc2f9ee482bfc83fea66ae40b03a6dfdbb072017523

SHA512
9aaff9d99915e24b5c086c1461b2637001c849aa837447c3772914074a5369d5a5dea5a116aa6cf35d92e9bb1e01f24311c026358f064f070cedcb391a4149aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6f5692be34843f996dc0c63f237e121f

SHA1
ea944aba1aacc56c448b0ec21bcfed1fc3041d79

SHA256
dbe62f2c31f64a7e3400d4380e61a180b5cb067daa881f5f8c7363a46350f4ec

SHA512
2c917b74781de4fbb4f2f7842564f84b8f1a45e1fe7e8da7984a8e01b78e40d70b08fe6c52847ba3a7a2270e868d01ce03577b825e42db0987ace14e66aef29e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9d5aa712551fd64f3dd5878b7313930f

SHA1
1ce3a56d98ed794011be75394495e97d6f92542d

SHA256
e4794f071bba7c0a2874513b200a98b6bf1058e88646ef70ac56929fe86c4793

SHA512
d1533ae05fe2941f0c810b53f7754fd5687ff65643798ad20ecb97bae9d0baad130dd2236af51fc05eb0ab4bd2da1bc97e73c68bd707e8ee53237ccdb3bb3164

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b0fdec3711ea52c99cee0aa6e7cc60d0

SHA1
9e65a8258c608217a841c5e90c5d29ef592faf1c

SHA256
ad15ebc116570172bdd77d3de61a470877f6c7b8a56e72e82c8ea00adeebdf43

SHA512
8894f6de0c5d24ceae35a469319e2f7c138d6a3df040c5c403e5805523986f0867493885a88caf836ce856415b26e07dba4a564b704558edcba2968e814f9bcf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0cb58d8415d8d7f4dd7a4d088d94623a

SHA1
9cbb98770dc727a8f026c40e7d2c56dd1349e05c

SHA256
13a867b4d497f8f1761b98828ab88bbdfcaa477a45784ae4228c4f4161c9c00f

SHA512
7a4438a51461a20c34674e790a51baa325dc53c607c9b43550ebefc39d2c81d48bb9629f4d12a3fa6933b69cd7328db2aeca5fedda77656e4be3f02ddcae0a6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
48edec24e250443dcc46dbf096a24273

SHA1
7b926505b7b20135b4c15cb952594054ff08a555

SHA256
7f7583fb53b2f387f26c341619e5e5c81480e0cc2d6a46a8a03969c5862dfeb0

SHA512
7d18e5e76bdcbe1e9ddad9e63c8b0f79ec50165f0dd6011de8c1f606fa644da68462c1cade381d7a4a542895d3a03828f1c3729f72b7b68ed7d1f44b08f0527d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7efca3671c3c9826ef7833a727cff580

SHA1
f1af5b12587a4aaf775cd35fa2112fb95c29563b

SHA256
c0edffa65099cc01f8c09368d8acd4a92cd04778f23db488665545858bd64a2f

SHA512
20dcf2b55fb54f62368e7e7d65ccc864e025cd9fc3100fb1abc71a2057384183b283d94e116ce16a19da78ceb9b8a2ddd7a25855f1e4504f3a22c1abe6153c9c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cbe6c1f273df05f03017ea4e82cab18b

SHA1
44ed5e3c3f55f4d7c6e278dea51d776ab7ca04f3

SHA256
55613ca5fc0d7496bc33896c5c7518f6ac72eaad7c53136e852591965ce7d21b

SHA512
02cf7ff65a37f75fa8ea0094c9919afdee70f16b8aad671c2f6bfad3bbac0448af83a222b8f29703fe9bbc1c97f0051cb11abb50e4f8cceb9bbfda537e95fe42

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c22673cc23869bbc63320178d5dca23d

SHA1
d688cc652b0a034b0fc452ced9426bd35bcc7b98

SHA256
c44a99ea47460500ce68f886dd4b350ed136e63953dd87786d5f6e88a570a265

SHA512
15282e98a624b6fb165578df86e974e105d81756a469a6f7f84c9c52ee445d3d6a5962327be20ca243af6ed6587835b4eab06df54646ab2898f73dd1c644c264

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
123547e305cf8b65cefbd09f260fc4ce

SHA1
9fdef430ef206a1691df1afd2c7f7c998d800b45

SHA256
c6eea6831455e9ec380285a78dcce4717aadccee0cdeec2a9a3b49895391a9fc

SHA512
eef6d0a9d6552f72f90d462a494da604484f7a67e912a09b797166576bf37c23d1abaac4e415b10881f7fc89052322f8e8cffdef8a4242e9da8243500178185e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8219f25d84899e9e1e47c53a15cf74fc

SHA1
bb44a629f82fe67f0cc00393bd81f7403857f265

SHA256
882607d0dc3a6498dd0f4a63fbc26a0a1f9cc0bbf1f13bfb60b60f2fcffdcb63

SHA512
3a95b11a4f79936f259ab9ec133d1b1fb2a05eb35838cdc2182d594e2a44a0f0512b8fd5b75eccf25fc9042d4376c65849fc6dec4aa26519bcafea6faebc8a48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
92eb5b042d7bd36b5165440dc7212a8e

SHA1
cbe3b62e6d079dc7910ab94b8dd972f51c0e79f9

SHA256
10adbb705719eacfc3a123b9f15869d96082a4e9f5a3dc9714bcc579f2b7a3fb

SHA512
1e1485c3ca1c2177f4be3ca7e72d81d39c60f9b510456f2c1342458ae33749540a41a7ef90407b0ee3bcef1f165c1341c8582c3a1e3089eb5e3762fcfe5153fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0608608068eb55d805b5bf33d4875fa9

SHA1
8cb916652016f9bc6545b41f81ff69d83dc40ea4

SHA256
95dfa44a3fc81342250f9f6f3c78738cd658ecd0062128f47c3f0738ad42a504

SHA512
e1ba85cb8ed20e6da9ee93328875f4720b5b95bf5034520013857b346f28ca2f476dda850dcbfee5e09f2b9527308873b40249c0eaf66de9a272c8fc7b946813

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
957f8ab3316a153e472c526a49bc9ba1

SHA1
018c593c46133c5c8e2aa35b9e9055435e0c4d92

SHA256
6b64be052a4c31d17888a85831b7b41f6cea0551442442d8904958fb702bd948

SHA512
13b507c7df97d2265bbadcc897929d616af225a85847e227c235e57ba78a19eb39c89d831c2f13c4a907a8dd427d15fe7019f963e12c75ebdd8db1d11e7ca047

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a7d46aeb76dd5ac41e2dd5b094723e0f

SHA1
75fdbfd7055463ee69b5bb34f0c614cf33881bc9

SHA256
9a51fccc274269419e12af158dcbe57ddc7d0c6c316aa073febb0b1536728c61

SHA512
9515b7d2c5a46d4d419d919d803acbb937c86c5a749c537e0068a273600f3159e7795ae12f4be31ec16618d8ffaeed23da5350839ee0a2ea28dd778cfd9c9c55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8c6a2fefb0628d8d6126ae6ecf987089

SHA1
bf3055aa1906c14769814cb37a7d908475193be9

SHA256
8cfeb8d528ca346bb8c60ea0444cc9684be8402fd5edd653aaff40948948a08a

SHA512
2fcddd33b45c52a010106dcd7de8dddac24a11098a8a0f19e0c1754604d9beae488516620b8d15b75b0bf11a0f064b45fa1bbb3b454d12b57cd4ba7a2c9e1c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0b3e8bd4c5aaad552da24fb350695fd1

SHA1
43e2c5c9d2dd006872e6a718dfbe919b7693c309

SHA256
a4bb2d2d7c614b3221fcaea4ff7a66dec94dddb277b4194b3d4c843a20ee9bb0

SHA512
44c89c3a0d8f56c2fb0d17228926353b1c59f8c4faa510631950d5501978deec531e48e120479e12fd8bb6de515946ef29ee73b20f22c6762248a17c94834ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8c09112ac07f07b1d26c4740eb748711

SHA1
d3eda17bd7213c8ddcdfe33307f091a27165bd0f

SHA256
126bf3958c084ff3ee8c4e82a639c5313418cf7193a96fd6db7309c905911c03

SHA512
48dab28bd61f20f8c6010a1f23dba236d6428b04e5942a7f36ce84cee952c26c22647ffdcfb21751ea309a6b8ba7918657bc7e991cf59faa44ec90bd06ea0d79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
38ee460f5b202a3a395f34355ca87740

SHA1
0c8f7cbe551bb10cb923ad0fc6b09fc2a37f262f

SHA256
f268a1e57a5d8b79cdc210c3a6835b33f54d0dd2b5e6c2a602cdba49aa766ea5

SHA512
c72c497cb5df83c8aa65d55df08e34393ae4f26b63293b92152a9306c2d6c1d7665b4c8b5a2985b667202417f2243aeadfca836d703a8064fb0c4966eaf2b2bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ae8c08fef29632e63b59c783d7593053

SHA1
fa9be1f129b5a44bb4c770a4aa77f55a3f85ae28

SHA256
47ef52ee1742fe1d0d68ced53da72fc17483a2158e5e5d6e037cf4ab5d06ac81

SHA512
774d9ac3e93d32f145fdbf1f1e08ced271c352a9b5817b666d2f4bb2073cd3e471278d012c3746c780b60c5d82ec53f9ac31ef1c3ed0d71df6667292c3a637f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d45756da8d879b5cca1107bfee4b6962

SHA1
3ab89bdeccac88d2c9ad0d92240ee4151dbdf61d

SHA256
80c685b462b4fe5b701ecebabc1a41f0a044c0ae533bfad9d47106226282a958

SHA512
e42b71d11a5d8f4854c27cc5ad0a3391183fb83780b3a708fa0e7307d9303fc6a23b4fc9a8292bad144ef58be06224e048482601089d434527d8408ef389ce59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5efa7bf40b47716e75451eb84f9e330e

SHA1
ef5bf79cb225f2ccb4766076c1d02abd306a1494

SHA256
045d0767ba6ab95864ffa4a759680d5086e02bdb172554c27eeee82724e7ad5f

SHA512
cae754596ea2cfb7858a8da82689b6c76b0653c6c706f3e68689d6afc79186c931c828d7f6576d8c69fa5ec8d91791a0d09f1f45e4b6b97bfa7ce960f50b99cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2a88926ed18aa20e57455dc66b8dc3f4

SHA1
4d810c533cd9440353356709ac292cbcd7510fc2

SHA256
4f3d2e0b733aebbb048023dee2a77e212c84a2d226a6a35396359aa6aa759811

SHA512
b82b8961e44aa26e731062db103dc5ed8b1c4238e650cdb07a12e7849d8f0e17c0b6e992f89959dd1d9376e12f3d9e4d97dece179093b5fb32df1e150ef0e89a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
84ac2330de468d59a386e7d23cd671cf

SHA1
9e0b665c6827ba3c808216e5aa8edcdfe4a51f8a

SHA256
cc1fff580834ceca1feb60ad8a7d7df172fcf6adc27ee4f387941bfc352fb043

SHA512
6385bc4ffa9653e3c9cdb236b3004d5d4e5e912a83b9fde692c490bc465ded5034481a90fe96a7d3dc8c389f1a49429ad9308096ace423748574c5e0c963f134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
95122dd050a616499fcbef42c0584794

SHA1
719301b0cf2f019231b45cc3366577013a6f8dce

SHA256
f787c0e941599e91bc0d1a596dc1a56556cb9a610652e294af533fd6e85781d9

SHA512
6294d15599924e2cf6e68fb13c68365f1bbcb8fa754f6f7e210f4628a948269ac33b3afff65230ac5dcbf4a0f9563107f5e7cf0755414618fbb23829c7815f1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
52bd24bbefc2038569c56507d8527ce9

SHA1
daf67563fb9d3985366624550c5c144a4a802c87

SHA256
3b6ed38b6fcfda35f9435fa7b964477c1a210bb49ec061bbe0c789b46b5a8126

SHA512
48226ad8d5b06a9d6d5d7b5f0c19d9b0183eb67011efa45b8927ec5769b4d71fcd2df270967ce7bcf29b46d78a43a5d5a2b23a919b7860791a5eea9fa5cf4f2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fe2b42a0e3b1fbf06e0478ccdc7cd80d

SHA1
a1881a3c80e4e470137bbfbcbf35454dab2eb855

SHA256
59868db3f01253caf67867079f039fc1dca65526aedea2f9fb6a655dd7252bf4

SHA512
ebcdb481d9c82e528047e39f8c5d80d489afd424d2fc2606f491c8eda01c073ce3943d8b3c47e4f29470cb902c940cb80123e2dbcae39d4720deb193dc0f58f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
893bbe9ebdb712b2d5c5d7b33889ea6a

SHA1
e99fa56344cc0024d29286482995c9991b55332e

SHA256
72cded0cfdb3ad9d90500381abf5c04efb20f3f8a277e16c4ca7b6e0af000d5b

SHA512
60efab419f0d6843999d37b35cf5b29d0278fb06fdc812531a08192691dafbec1e4bf33e0b7f05af929f82828410e1aa40a095b34b1d087f09cc8bdce667da9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
703932c9b908f81ccdfd7e719660fbee

SHA1
28b1d877ba4e77cb705ba46f655a07b4c63a057d

SHA256
fcf54b340a43721669e74477a00f218c4fa2954b83928276542520e24fdd223b

SHA512
8a8c82510f33a9e9f7f7418194fc8aa844da4cb4fbefd4d09a653cbefff48041fc17e06477224c9f9f6b719db8323904db421a45cde6ae2c08fe2ea8a97fb267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b0887e856e0cbd202403efc9d723d36c

SHA1
e642bbbedf32d5d47b4bedb686a79e58751e1c5e

SHA256
93719b0017386208b69d1d61e028d1eb1d3a0b0b31c1af91699a4158b430e7c0

SHA512
6a072bc1b9f2eeb11ae343c69abbb37fb11afcf7372b894403779c387cd2cc95f2c3bce2ce0666ee7919aef5b37beeda363cf9b1fa51f697f10816accf6e5958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
123f7777b7d2a2faeee8b6344c111af5

SHA1
eb12ce2f6f1ba97ee3896c6aa6af5e1a1f4f2f01

SHA256
440a4b5fadae6f33a85e1efd0aa575ab765bb7a3bdd69b8c3898b950f643a013

SHA512
b403715488661307845c4add34207a0b0bd88adc316a1d3606d70119f924b3b3018ed39c51c64d0597a7890ce6c5792d1ff807369d11b367761fc32e9669fa6b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
08144bf221ff42423da14cf1fcb0464d

SHA1
f6ee6ac693a8427263f6623c75983bfaafce9aba

SHA256
9258b4151c3e491459b756f21fa0d43270daede8c4dcffcea916960d1a36f879

SHA512
c90b5913f3518ecb96b9be0ecd130f98cf57f6f5138a6c2528e1cb4693afcd9d793135dbcb338f59d4f2b9166eb5b593efc854ea59a21f75c3df42be8fbbf25f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4f45da2d607594b5ccf85f60862a2233

SHA1
b64991f2efc1c2628b9033f7f8e239d352df5c61

SHA256
54bb7f4228b85d19916c56929d65bc4be24a00570bb8a21343e976d22a0574da

SHA512
9fe647efaec6d612e2f4b24e5d7637742bc611be5cea904d139d0da428efb1c5ee0f14f313da4b7f6fe0d3d062ef45bc9b11595501724f3e36030990e1c8d92a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a14c6a14628052d6bd201e03d2e67164

SHA1
c865a3fc18901e2c7c26bd1aa1e89d4858391e5c

SHA256
f18181ee3b782055f75937f76b3484870f12bc726a3670803500a347afba69e5

SHA512
bd526007729da9a04202cbbbe086e412684fb29b422335d81ed19023d2d3179375c10e66f895e8f052a71cffba85f95b6992edbb5caf07ce90518d0950da255d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2d94145659e8add0144393663a1057d6

SHA1
d04342df9cc3f87e275442a7bf5d4e39edb9067f

SHA256
43dd832233cec4c372ce8fb5605b26854bcfa63e29c976db18d0a1d4cb971a64

SHA512
8a6bc3ee72c3c1e77828627904ec4de648ca6c9d52b50a9c2e7b693ee6c63e6913f5e1d5b11b36096b02651c24b712ec8a0e88fb752a046c28b9f4a3f98b6cd9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a351776ab3406a0ed3ebe6232e3f1757

SHA1
782b0ca9f3f99f838895b48506f23f54e5246cee

SHA256
5078c2e645bd7891ddf78c81c67b9e78ced286fd1ef92af1f241a57660de4021

SHA512
f43d3e88b5fb6970faabe8c40dd8a8b3b8dcce8689ea522946aebbfa62b5e53f617fbc2c35d4a828a1560e80b6b40889239750e31c798bd62a6f30ec499490c4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
485026524d921be0eebac94800f57a44

SHA1
0bcb0b2c3f9cf1e9dbdda0b4bc6de2b63e4557b6

SHA256
438d08b9750fc8ec3b628ff0663d051e3bf933408ceaeb0491880c8c85176a39

SHA512
8db8db8a61d9106879ec90b128b2738ef525a4d0258e460f87b64055842e4072791eaf332489f2e50e5beb8368f6cc39be7acf0ed90361b89a17f170c7865d28

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f3eea8f2b835af5cfd0c5c40957bcea8

SHA1
6e10668dc4caa39cd362af4b044cc9f265c2b34f

SHA256
8f1ca9c0e3e828c6348c4745c42c03f9a79e11b95b05c4168ddb8305cb223261

SHA512
ba6c05fb7d661fb1bf11e527948ea0ab2552e95576f540e5e367e8c5851a7fa86e5ae5c2e5c4e0901fbc3f70dea23fafe4b805907f45f76d298dfcc2b4b18d69

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
52b12850f63817d38884d28e4f1a146c

SHA1
2945f76fb1491c7b036fea66f6b6b62b8c042bc0

SHA256
1092a14d3f5c5853a196fa3d453c5739f076de4b500b0e075dc3546937bb51dd

SHA512
284b834fe996016f80b82ab9214392f5d8c7c2b83463f0a9d83981d6d3598d1f7e2792da204e573f0a524d2967301b93f1eb9e5b6838ab69e0a4329fa244a96c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e13592b4126f3c8454f9fce4f2f37eaf

SHA1
2b5f53a6b18470aa2f5a81dfb2453d7af9159691

SHA256
904e88190f68a77dbdfc0722edbff1d4598c5da4a9ee2ee8cb8370217492d08c

SHA512
29670c721380219d37d427d38b6544b72f65020dba07e4956146aae5f03d44284c6d877acc3c6910a0dc598e0a0a0277b6628611d9c7527cc475a9a180304b85

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5632e4cb1ab80e3d4cbc45eccd30ecd1

SHA1
c98970579aa89611faaef14e5daf673a3203f830

SHA256
bc281efc7cea205f7a7bd83c6c24aaa4ef9948207496afdd15edfe4f3fb65163

SHA512
fa1ee3310caa0b249b5553a1b1f82b15055090e408a26037013125b867289c461d3b8814502d56669f45d9be34fba1c9d6b1009ca6a63a1d9c21b14eb84ed663

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
64614fd12fd9d65689fd093b96c5e2fb

SHA1
eddb15917113858a6b8dc5739b48b1794dd35140

SHA256
10ed72dd08fcbcfc7cc83c3c9751d25e073efb5ec2e0f2ce11c9404ea1a73c8e

SHA512
4c1354cf85146b86b3fc5a59ba8951fd8cf5e916caa65e535a427530acbabd43b762b36d66480128f569eccd7172f373d76af1cfeb064acb867159ecb318349d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a8300459cf0fe46421ad13c83ddfa122

SHA1
056d107f44e81eb810621f2074e15ed2cdeb6d5a

SHA256
55c087e45e51a0bf76fe442b23a2af05e5114414f699b96b07223b932301d828

SHA512
eae163e946e6e9093a63cd5d7b2ec337f287cd893729258a4b8a002fff4067d7f67c15b4473c640ad354a3ca23b2e5f01b1116a5b372f816865b13d6063b37b3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0f4282a657f1c7bdc95bb519e7fdf54a

SHA1
3df8a7e2ac4bd718a950247257751bc1a631f7df

SHA256
432a30d8638491ef89e3b1ddd60c92f0dca1faa7bed1ffa8df47cfa427f60bef

SHA512
16af7fcce675526644ee8b3d92e837fdc85b341c2404edd19b6429ec77cfe54fbba19b100ac8e37d97462477accd7d428483c5dbdcf52147d037b32f4087f650

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9f558fd166ef2ed0684d11f29cb02029

SHA1
bf13726111efb9785cbd4a292cc17604dc8aee6f

SHA256
d72f390f3ef0fe37338eeb20a2e3c59f86efb5ff86474d28ea1234faf7aadefc

SHA512
18fded1d5d4add73e1cd531bfaa74f46b733aae4c749408201b9f47350c568a82c56335f89f47b08ab6de34495084a72076783465fb278078fe21f0d5a438847

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cb12f7d50109a02b31bfe945fa02e37b

SHA1
ea4c23e7caa0cea7fddf232a6e2d1b256769b108

SHA256
910bdf40575048b08c4a99b9d655e9704bbfdd51b2263c3ef30559b7127e2fd0

SHA512
d74473597f4813ace9ba01e35f7c18801089cb7756ce17ccf8330c99dd9fbc9bba5073eb7bd0c8d4f46b8cfba0e66b37dcdae873a6d9671f6fa611671a847a1c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
74e6868894a0c3fb20b411dbe50d61fb

SHA1
bccd5e1f17c42631459068e895e8318a97c00d0c

SHA256
14c5f58270084222b2e332051980461eb700e11defddc35504da3d2e594fe97d

SHA512
77fd6a53a059e1f7b43ddc07eb5c09318f2391dfdebf0b0621552fb6da8bf72af3e2e1966931011b46c697b7a2af1ea83df10a835c2f75ba8c863c0e9d66d58c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
106f92357339c0b368cd00c6a0512b6e

SHA1
4a9b6a3ae7cceee8467053a018e573a22be03291

SHA256
e9dda733871f8599f3a7f1b209c7e614a31cdc4e360731ac47f1b0df8fc06624

SHA512
e0911ddf5a07691b4fbf7377fc46bf46e1b387db523394257ed22ec7c81df6c4de7ae4d5bf48e26d0d791e30a12ebdad312f9505bc7a4cf944388a44808039cd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
af618bed4a3b92c17047da9d6e9f90b4

SHA1
d8e8386917c54fb0c4b4c38cda83dc99945774ae

SHA256
94792230f4dc283473579f88353d4d2918ecf557ea3392e3c09eba298f439b49

SHA512
ba172a6675863a3e8055f6a452049f54bf5ca9e8653f0a7e32750db80bb29ad9f39bdd2df9c8bea6b21a2b57d6f22e5479b2fa9a695aa30c2eee00715679d4cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
99eb1dc5209bea47a9326f9ad9efdb51

SHA1
69887de720828af93201c93443f703b90a87ccee

SHA256
90f1ed7671d91d40f73bf5705dbba797b24d3c554b3e65104bafe48e45542adc

SHA512
c586bf2f2b0990ccfbecbada8db71f5572504a615ff4c59f2e3552657db7e99a9860d9c3cabe2b7266a87e1adaa27da5af67a18766b46750e91185bc9c281fde

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3df1a98692832a49b617b698a358a504

SHA1
25844214570a09bab68e00fd13152d7a67c77bbc

SHA256
05a6ddb3099d6efe6dd1824b754a65001eca277da3265f4860eeedcd3ae868ea

SHA512
4bf08ebe0e46ed6c48b376eee7a5294c9c4e84cdfbbb62ad26b7d2cfb65328156049b04c2179469700f099d3550a1896d4c37464ca5b2989c6998a404b9c7107

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c8d33e00265b021e987a7f106ca77a03

SHA1
45db848fee8703744ea83ab4c9e60f241456e3f4

SHA256
72525915f7bf4b17c65d43ac1606e280a59e57ae7cdccf47b503dfa7d9da7f25

SHA512
ac0683cbedba01bdf19ec854f58b8feff9ea1d5d1413903c0dc07001f8eed34718deacb9f1a13d2412713cd8f0ef1c5898cc9ecd52e0176b77c6e48618e6f9c3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4fcc309f08e7e7b5ba69026b49524535

SHA1
214092f8b535b39d1bfbc71554b16b83c8765414

SHA256
690be68544babb9c974a1178b19a52d107d153894f6c9d3639db4d8958df4ff1

SHA512
4c749c8300d81d43efe1b24688c3f508c8d6af9fa775ea86c66a95fbc2d1b365797fe358ebbe299e366522b9ece4b664970514c61ffd114fd7c23aa3d3d6d482

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
64eb5e3eb9225cadf6a63c0a698198cf

SHA1
a7e054d1d3519c9c594b5742ba92dbabfe65c1e4

SHA256
345522953f3aee03e479792faaf778b86a54f0cf6e8fbdb46335cbbbf6635e02

SHA512
faf0fe7955d88a8bd4570f9e0fae94a502dde97bdb814e51722f1dce2ac3389f32c91f14683d602689ecbe0968e446ae075851fa4530b8e8e53bc6f84ad0d519

Download Submit
memory/688-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/688-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1336-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1336-114-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1652-155-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1676-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1676-54-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1676-145-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1676-47-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1776-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1828-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1828-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-109-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/2640-104-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/2640-171-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2640-103-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2924-162-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2924-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2924-81-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2924-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3000-6-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3000-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3000-76-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3000-1-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/3052-167-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3052-91-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3052-99-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3052-97-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3284-445-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3284-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3488-121-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3488-435-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3508-437-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3508-133-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3536-35-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3536-36-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3536-42-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3536-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4084-443-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4436-440-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4436-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4472-367-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-64-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4656-58-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4656-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4656-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4656-68-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4724-27-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4724-113-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4724-19-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4724-18-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4736-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4736-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4752-439-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4752-146-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4840-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4840-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5036-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download