0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Size

843KB
MD5

9948afcc96455daa9c51fba881b68f70
SHA1

efcf5f02dbb4e809bfe4fe6f4b50d683bb92a61f
SHA256

0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4
SHA512

ee0858281ca19aa70f373563bf459b28f9d709faa0cff3ceef7ce00e2f9b18534666666514ab761b5d16be15665242384c1481c598e0ec12cedb259386906fcf
SSDEEP

12288:sAUmhTPzU7kXZ4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:sA9hsU4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1876	alg.exe
2624	DiagnosticsHub.StandardCollector.Service.exe
3996	fxssvc.exe
972	elevation_service.exe
2360	elevation_service.exe
1116	maintenanceservice.exe
5080	msdtc.exe
116	OSE.EXE
4520	PerceptionSimulationService.exe
4672	perfhost.exe
4048	locator.exe
4036	SensorDataService.exe
4768	snmptrap.exe
3528	spectrum.exe
1628	ssh-agent.exe
3488	TieringEngineService.exe
2020	AgentService.exe
2816	vds.exe
3996	vssvc.exe
1964	wbengine.exe
4348	WmiApSrv.exe
1412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\vds.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\840dd552c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\java.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c3df9355bceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b087345bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.GRF	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph"	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph"	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0FD490~1.EXE \"%1\""	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeAuditPrivilege	3996	fxssvc.exe
Token: SeRestorePrivilege	3488	TieringEngineService.exe
Token: SeManageVolumePrivilege	3488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2020	AgentService.exe
Token: SeBackupPrivilege	3996	vssvc.exe
Token: SeRestorePrivilege	3996	vssvc.exe
Token: SeAuditPrivilege	3996	vssvc.exe
Token: SeBackupPrivilege	1964	wbengine.exe
Token: SeRestorePrivilege	1964	wbengine.exe
Token: SeSecurityPrivilege	1964	wbengine.exe
Token: 33	1412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeDebugPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeDebugPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeDebugPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeDebugPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeDebugPrivilege	2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
Token: SeDebugPrivilege	1876	alg.exe
Token: SeDebugPrivilege	1876	alg.exe
Token: SeDebugPrivilege	1876	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
2868	0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4896	1412	SearchIndexer.exe	109
PID 1412 wrote to memory of 4896	1412	SearchIndexer.exe	109
PID 1412 wrote to memory of 1620	1412	SearchIndexer.exe	110
PID 1412 wrote to memory of 1620	1412	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe
"C:\Users\Admin\AppData\Local\Temp\0fd4904da69b19ddb94fd499cf309f142046d78c9d4cae91b071bf3614cf0cc4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
331ac65698e148e24dab5d26ceada634

SHA1
ba22614038def268b4905a47748eeb71a320c039

SHA256
d3e12daa042d39ad7b806b1f39e8913d7782ab5edaa88bc456b08992c2f252ef

SHA512
b306b168261edbad64c2e7ec69a3e0607f3b057ebb16f804dd0301c8bff659d7e1b50e356fac0e91a409e25d5a8c2936c0580243156aa70c9775264482b1e2d3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
abbfd377925c6d69a6604c4f3999e1cc

SHA1
feacd4996680c2f91d23eb47c2cbdd4686cdccbd

SHA256
78e3bba00c97f0defa4c7bee40d9c849f9813f35dcccb15fea4da455e6d951d2

SHA512
87eefa49f46b9805c0354b1fc71f325887dd447278b4fdcb496e9e59d5493106ed774d7801b4628168bbd7769a9e57ef89dac22f1a3a8674653173adf6e2cf08

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0a0c764b4ea6ffa6be2573ce50d125cf

SHA1
9223ada1bda64c623d4d458765c7e7e0bc224302

SHA256
c49d9904a50ccd7f2d42f6783002c1d5b21916b27f2495dddbb8afe77701172b

SHA512
b58f386b1157710042c77d080eec6b6f3d71fbcc7a531a60b5d9cc9dd5f8673792a4fe78b69189cef7e538be8185e2b1f4ee3652c3d26e412eeab70909cf0fb4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8e8ccc2d9b6e4f1ba77153b9d4d1650b

SHA1
71a512673969c089c74b750076282b5fdb21c8a2

SHA256
a644d8a5961e7ca1bb189bc821acfda661e276e8de10dabb10950ad388564be8

SHA512
ea4467693139ed60fc4f6283b2e17fea9bbc73c13912dfccee9768ff8923eebab56fc404b8f0699fb27381a9ab36e1a664c5456835a53979adb21281972240ac

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fa5fd81aa257a233d10501882acc8181

SHA1
bdf8934be6d6a636cc4a6f8379dd5a81de0cc998

SHA256
488713923269661fbf10fbc08940a0fa121768423f9ecb87b446c7789a3fc48f

SHA512
c17533820e38fddc625d1b07dbc0de56ddc1a53001d40f79bc23ce900733ec00228d1f48ba21cde1ac241dd6e8be466129bd6aaaf29ddf1b0e701684bf8e38e8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
39570487a86d98479fe7b1c143dfad55

SHA1
dc643f906186451ba2a39f740becbcf13b5390c4

SHA256
c76051dbf1a15398ffa3f1be3ec6701d2cfa7d22bc7216a7fda0bbdec238b2b9

SHA512
7ea70585bd2c497c2b1e76afe2d7d869a0c21ffddae803980f1486f27b3174817954e6e4d61c2e4dcbb433ce2d00c9ff1f8e2223d4654e8e39782a25aa78775f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e209b9530e1922b877cf2f5f2a495ec3

SHA1
5b2595c54e9524af61346b388d12be74ce822df8

SHA256
cd02e834f11d9e827792f62358ac47a0a9fb3524f44b3d5d53dfad152c238509

SHA512
1a6acc964f48328b192d654a90afec3fa0e902c5c708a891722e132b6794d9463abf14bcef4e6c4ce15a85ba628885368384ac1b9ae2a38c9fa341f5afe3d208

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7fe0969e12932e123a17293f8edb262a

SHA1
48d46617ed24ba69bdd5b8ad065bba45d622bdfa

SHA256
73a3f5befa548053a467b2645275576bdecd98c05602c15112dd3d33041d77ff

SHA512
7972e64dd66d9c62cd0dad9812665415743402d3bedf9313c4a883a53c1eef8f5157570adb981eaa2c85482f1f0481d0caae7e98a2992c80cd6cfeab18f30e40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1f8894e03640e1a6e8c426e0765a9db2

SHA1
6f9b786bc9c4d708d8b229483cc9ba3b4799e741

SHA256
cfd91d90c592dbe75beca07bef28f717e2a6cde7347f79de80abcf12968a4989

SHA512
f051d9d930f1aaff9455909a7de355888f1c0ea7319346c2f89f41a0f2889fc933b82c255414d6ec8a43fa51dc63830802abd413735bda4b24fb4d7efe7d3a1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40478af1fab774397e73d3538214da0f

SHA1
87d834ec4d89f42e6dacc0fed2274d5cd7a3d491

SHA256
2507f126d7d1b9d45c2eaefa48c4c48b0c9bad5668e7daeafbaee26c421256fc

SHA512
c5ebd424ca7c507c96baac93ed245931474692177f5d39f75085acbf07a43c3ec1ee3b5bce4e5ca5521772175c9590e643eaaa3701f5323cce1727be8054b802

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e2a5d08ee75ffb35825145ba123175de

SHA1
8844b19b91dd5fc0d7dbe9d1b8b6f78fb6235df5

SHA256
ee19dce92ead36b23b9f822ad0d11524b483a8b190fefcce1deb47d0b2466c33

SHA512
fdedd8a68d6640131df3970d51a47d41d6389f8affd75f1c74676e0639def9e2ec682c3076ba05800fed5b7bb63bcb666dc74aa081abf83bcdba030f852dd1a6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
46fe5560af874589ce42a37eb3095b32

SHA1
a6334dee8fc166f6e71a3dd5928f22066c65b3d3

SHA256
fa8a6e6486dc91d203dbf75f1743da3fc23fd8e58155d50189038080d8bd0977

SHA512
5f3d2cfa3e342a6ae49ed9d2847f5ab7c8d5a69f358c2e6f801de9e3a487e11f8be8bb60ca36394d1b59d34f5f8280907daf7be0a2dfc1e983b569e8b4202ef3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c65c35cf73fb6ca26305898ec0c50729

SHA1
50652ec98ab8938c40bbae7bf18552c569d66092

SHA256
52e4f68fca8fe12279c43330584324cece502b454a9e9e3d67a68619939cf4fc

SHA512
bcbb08f62b209e15ad0bb564c6f00803d8aa36a33dc8f1d9bad3f1b56ec304998a4496f7c26952e7d2cb2ef988a2d028061da5e09daa27022e4797b9d6026faf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
eacc8a10b9f39a097e0d36c18cba04c2

SHA1
731640455437f6550aeded034106f2e0e87d662c

SHA256
7f51a7df0eeb2b4b8ceb35092ce1575a1ccbe9a505de0e805f9099cd07421f72

SHA512
17c54681bbaeb40475bc787396117a41c1370e921b6fc112f77cf90bf5ee8ab3526b312d197fa324e9dddfb4a97db83e3a111321569e50b81d9492d83215653c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a78c40fd653bd43e45a2f63467118b48

SHA1
0eb08831c8028f91e79601623c458e54f51324c4

SHA256
7d6461b058f599ad491b761b928283b895e8f762a3808948365430a3fdb80481

SHA512
b040432d69d99f40425b6dfebfae4ed20145dcb32e3a5de3047a22d99ea8c1dd9fef9fb3cd4e949d2132a1695b73ff20c04e2ab486fa19bd45da141d10d7aaf5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a99b894c66b9da2f7bc26161cb90d8f2

SHA1
90c3802e1fb9834e8dbec865415132750197186c

SHA256
74b93eb089f6a3479f2fc022fe5872546ecc6f7446a17c57666d6520c02b5e50

SHA512
ea69bfa5c5e9264c432bbadfb5d3d5e66e1d48cef512425f060a623a1f1f032760215806dc7834e0e71e677d8d2c36023f3262ce70253a4d21dba456d4234c3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
261c479a9881d5722634488e1cef8efa

SHA1
5b2f158343a3118c33a780dfcafa052a1464080c

SHA256
d35970e13a7ef412b8354093bcb642a1113342ff421ffab890990ef82ad093c1

SHA512
4b2b73c802b2f4b84ad5a68f56bcb47812cbf800e3ef1cfc997fbbd270357b200ec9b3d2842f41ade2e35545fbb92290b77b19ef8ed6eb7b8312fa5757a01526

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d38c61dc177b4719398f8601b8f197b2

SHA1
6db0c373a4f7a18624260a6385fa8a4a1330df68

SHA256
1b0204f5b6066968e7bf82c9a6674e5d89cad14b1fdd940c2c0d564065bf1648

SHA512
9e3fee7d6572c40a882e31643d1bc9ac30e3044143c6f2ba70586f4d9acf22c1dc1aca81906a65d45ab1521fbc73b0946f7d1b7ca13dc40e1eadbcd427e51911

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
14f23a7c440ae02d62cba6c9c98ec6bd

SHA1
dbc64c23bc80a85cea617a287cf40c229a751852

SHA256
cb557163ec6b01706c129f7ea17d618e78c4bfa1c7b7f44901484e7660ae79e2

SHA512
825960c2807c585c24642ff4366e4e653b5f349cf954cc8d4b0099d235bcbea6d004815078c6dafe759fd66c2a7b2259d8860abed3057387fdbbc2b25cb7ee43

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d6ed592e250ca6bdd211a987fd9e6a8c

SHA1
0e80d65b0f0ce1b9e5b88fb2ec805b0e3b0d20c6

SHA256
0f088dcffec8faaa1e0927bccc23db5c06db02eb58d892d6b2fc9fcd173c5b19

SHA512
1f39eb16927fdef66a1716de403b717ccf9bfa9109a8036372ab3b6cc3f98c8f4806deae8faa2431473adc19e8917bc2893a3de6344fdab330fb01c621349973

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d19acd66ce7f61255555c0891d4c75a0

SHA1
dc84693fbf5a82733e434912d416cd98e733b8a5

SHA256
210c9ff52b626a5deefd2c414784b96829502dbefc6825f30347a36b2fa2828f

SHA512
f9fa3655fcdc942cc0e77948fe03b621b427123e1c6e8328f67c70ddea113651165c28f217a47b96b9190eaa62566f6fa5198c96ccbeaf90236981823ae5f562

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a34afa233c03739646f784def44730c4

SHA1
660be756354e08edaefc0a2e15f029e461ec4f8f

SHA256
6419ad53e033e385ec5894db18b8fc3972779ab0d088fdc7c8b8619ca235c8c5

SHA512
93b3b95a42104cceaa99539d663bf8db7123db261215c54383b77b91f911b52966058c59314076ef5755813dfbda0ad65ab260028573ee1c0ce345ec8822b1f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3c2b95f757bf3ff8cc8954f4e8bcc99f

SHA1
2b03104cde9077ea69888c7bd7bf22d24e06f67b

SHA256
b05bf4b7dae8535f52fcee2dd0f46e9db52141c3b838cc452fc808d3da9294a8

SHA512
0c345cba1d83088cab10b2bcc3c3c1cc628805dd695524c018d3722407d6470d51853c53c844008c5c8c30ce81105e2d4b30fc6518181e81896179e4c8be27e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d8434a5adb2509019d279e26f67ef95d

SHA1
30870f229bb4fa61e97cc9fc9d50ada43054ee07

SHA256
b80d0293f58709f0cb0307b48ce0d54940dd956ebb2292b4a2db23cc05523cbe

SHA512
cb00fb01a15fa2e2912c1258178865b895c2e9a59fddcb2dfdcdf582bd1121e2e7cad6ba3fd4fcc90ea7e8a148bd4725d3161c005fa30fb7c5fca0109ae7d317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ec67d90e4c245dc4a5488058cdbabef7

SHA1
e03ffcbed6c2d1849d701e266ec373f8883b4eeb

SHA256
fb3db5d60314a7ccc6d41dfc4ce2ebcb4f6672a726540e8bc62885ecd7606e33

SHA512
4f0bb151465489f09039145c4be20640ff59d11ccec6c853c883e39afa9f201c64328d3e7ef61e7f025f454d18c764dc25d6e49a756227788e6a44ba633d8c94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8db04eeeccbd660a674713e8e39a5e78

SHA1
99a803c8b6a278cc54271581edb9c64b2bf4b6c1

SHA256
7a1eeb7c86e5cc443f17912ce8e2a8d27bc768f483974e20678768b6bd8972df

SHA512
38f82c4451fd3d59488a1069ef662469d04ef72d36abfed07088863527b2c16dfc3d2b2e0cb994c37b4827029cebca6cd23107c884427a57626e152746e0e6e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d3937c1458bfd3d743b28956a7554847

SHA1
afb08bc31e35a50439db8174f9d59668a87a2645

SHA256
6d5cae7bd70d376c4acabbf5cc7ce018470972073f8f5bf63142c537e86afe14

SHA512
31f9044abc73ee6e559448ec7c9b4ba957692c74b7d950a767f95a3fac52c900964fe7ef2937af84a26001d566945072c213c9a4c7962d2283183c246747d4d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
82e1e7ea784f81e769e8f446027d73cc

SHA1
16ddb2051d7df8eecea452fa4f94ddcaed6cf147

SHA256
7dc86e128ecf6cce9caeab37f2c1cfe292568b43b44ae52f6c2fe760db43ce1d

SHA512
b010fd0d5e149f79396ece0fdf05c2811a35bece4e4db90ad0888c655ed47e410adab446fde378d1c0a916fa0e97e764efc81ba0ee02c362b2835693fe5e814a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
14d9b4cf420e0f975982081c3ecd1867

SHA1
fbc674560bef9fa4f34d2b162bbdf486afb116fe

SHA256
74eb1cf5819781768bb2d306bdab624d694f77215542fd2539122d6afe740ba2

SHA512
da9487aefab2e3f9cad0a5d146d2bf1753bf40c8af7617d1d55ccf4e588e899ab004d38cacd8a1ec1965e20334512bb08fb3ba51899c7986fd0f82774a2ca81c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d75e139e922325fc2d3a304068b2a5bb

SHA1
bccd024459df562d4c1f58587eda906f8c75a697

SHA256
dacebb928554440794921de80e487413f86d8b2e203d044f756eac9f6b828092

SHA512
43ea1c6562a869976a5ba754c5e927ec55379f040bbdbfe0c018833d6a029fc8c95759cdb76e0ad81e5d554819a294d95c85dd827c0a6292108d5edde3aea9fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
755c4922d7ad6fb2da2a3738064d95db

SHA1
fc6eb38a502a0ecbd341162ccd45276af45c6483

SHA256
bd5bb4bbab2308e31cf1112bf44a82e66d94f19afded295986838251a1366370

SHA512
92ef7dc148e0d6a404ae8a03dda28566487e2e9583e9f2f6dcc520b5d9b185da2bb1a274bdbd5d0995e53afbb082b88e3dc0151c1508f07a982da7a7120bfd30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c06008f327bec002e1be89602fe6f858

SHA1
bc306f11b590408ea9fad01086aa760e91f3dccb

SHA256
73b7eb22711aa232167b29b2db20d62aba0af43505e1044e953b1f2d7ce97925

SHA512
bc3ab9486d111764a177a0d3a01187547afbf15e3edd2f030c5f387ef174adda82152bb0d1f49fc670ee80529159c9919982113b7f49b77df9bfbdf233c59a52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6827139dd570cf6b068ac1b58b652f25

SHA1
0a98686e751279b43bad704ffe85fb077d50fa0c

SHA256
3a595ec9e9b573781aef14a3f732bc641122a49a512ff841142592f06f7907df

SHA512
1df5479a1ea770afb8632b9cddc39d8a451dda1028a9c685f0c55bba03b502d2a583c396c34abcf51e80a939b5233aee78371e2df29d4c9a9ed43a23b9018508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d37669ef1f00cec8bbc445d2ab7658aa

SHA1
736f60c1cb72ebf02c719f48bc1bab5edbc1306f

SHA256
9e67183314a0934da893246eb260e56768b0b4115d547b13a5d295f9958590f7

SHA512
96b38279b6963af1dd62c41d183e522553f0810e7917e83d50a07ef09b62babd62698725dbfb6146d99fd7ddbcad4b16b109e480e81d435a3f596b3d7c19e02c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c1966b4b8e2194a65313288ce3c63a82

SHA1
121906fa3f3589ccd7e5e07115fb3d39256565b5

SHA256
948741851054dbea7717cdbc9c38c5d61ce4c5d0a7880067b70acbb580e93a97

SHA512
50e4ef2da9575af40722219617e356b4799a89968b2021b6f28456c958464ef472067a1a80c727afcd8645149412e2b2b4c4ad62fb5121fd8063796ae613ae74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
188aa50b09330c7932d45fcd1eeec8f7

SHA1
ecdb9a5ce590d3d84925f325a48be22bf1183b7b

SHA256
ab6322ff818cf6ef54acfdb921036d70783e8988d62699d94ceb489a59d6b276

SHA512
147ab093b632599fce471f86cbc00a952a3f9abb6ec0cc387bb213aa30192bc675cd19d980c2ca6cc0f542e1a64eb9da17533962934d0a4a4746d5a27b4ece89

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5a1cc501ca536bfa3c4b89e9eefe96ab

SHA1
b9ff8d5298635e9879d8e710c0aeca93ae8548d6

SHA256
24761c92842ae1359af6685b440de9916c607235171deb9f13583790a7da5112

SHA512
191f0f7456ad2e9d6ac662e5d938d4faca3bba997ceebf1ae0f948b3561e9228a0aa28af3fd815834c11bbcd612277fb90f0f4b8d35fa13d84f0886cd09389a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ef60b18658a3cd9787e942b455360007

SHA1
ccab863342a1dd48a206b11dc921fa6dfd53df34

SHA256
b7fda636ef886daf72287cc552ba6fa86a343eb227336fd4776dc5c64226ccb9

SHA512
280cde586b7286be2f8c44655d180f46cf3ae284fdda54bc81997036c78782cca07cdefa12ab48a280eaacc8cc9c7bc1d8e0cf5e5b8c1782b43214bfdd73757f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
24dab4d2a85b2857e3ccdc8be4159fbb

SHA1
6dd220da621a0a487fdf9a5e2e96c461af9c5df4

SHA256
69a92d61e2caf6944302e0ff25a1bba075e5782bdcca879ab2c515993fd7623e

SHA512
9a58c0a8884c9e7ee5ddc997d120f1f08f4685db06ccf0302948b5d2c84ebb8c9f8e300ef9ec8505acde23f13e6563246178c6be95cff789b5a1c0ec8194203e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
012cc6bb0dd3faf947062053987df0e9

SHA1
cd05da6fb964c5a25ea92a35a10818312efcb544

SHA256
f7bdc5923c52fb7c2f06694815b07f76d87f5f87038f3fe31e9926b7cc6f6899

SHA512
6a63d48e61c7dac36f6e1347770b361ef0f5fff9a3d11c4c63866aa31246f4aea2befe25ff0651986aafa5da40d27e0ad60e24061e066484f087c5aa2dd4bc4d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a696c4ec45eda3dcb2780191881bf55f

SHA1
ac88cd44636052f753fd76c8ebfc1f2c81d208a8

SHA256
60d5a0e7216bb2ac0a917adad9f65aaeefe424dc21754d4d6bedffc8b063e323

SHA512
5549c4a3d4927f0309d9d9a01b1a4afe76a3c292c36055b6c2731138d11087b388108a775f4757aadb5b836e413097c8b36bbeb2fe26cd640ef7fb740bbe2565

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
af8deaff4b8e3e426eff0205e7001371

SHA1
ed4cef820c27ef31d58428894ea72a95e3913b0e

SHA256
b3f7e5fe0462590c1ff83589fdebc24766438bea25779b896e3c39a513c34f48

SHA512
5920d5766ff36cc1a61d6d185a28ee59b305b7d544b288ce2160ff1b394c9b960ea3cd7fea085ab0fb87223f74d9bf4cf459275b6ab396bc621a44f994a77cbf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ddb82fe04d7d813938ff5bef36c977e7

SHA1
a8109a23a29cb41cd3ac857151abaed49c284ec3

SHA256
ee3577d0ec488f2202afd8246173fab76c8c249527ef53ff640f81d1dfe1f9fe

SHA512
4d16850dbf36217e9fd6cda8ef4dd3e26b67f40d10e3c5b2a0e1915f9f7e5dc2a2a5b82f4200566a683ce65e70f7c794df508919709ab99af9a240ae651ee79f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db071a3b0652dec1179aaad813e59e19

SHA1
af1c3e489331ef19266397a56520232afde7ed01

SHA256
5d3d0eed007a5a10094ecdbd462772997ce213f4b41a9e28bece9f901d88506d

SHA512
a4515227095124401f6660ea18ad9a03570631293afb3027dc56a669f47bcb3d4e2c47dd4512df297532ab3cdd29d6d1373980a65c9fba65e03c98e23aa22240

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
313b3ca42659c51edc0283a8733cb36b

SHA1
745bc643f133e8885f08ab629bf8609e66f6a736

SHA256
111d7f0e33eb608d7cc1973beb330d97f18afbc7f31caebfc04976c015a93367

SHA512
2c46a8bf5836ce439dc1d78827e97595582b91566cb67c50bcdb838f9f05a59377d113dcadc3edf500e2e68d4641ddec9fc91a728903584870df4b56c9da43dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
35dc7b80d4ca850ec184d9a99a3cb6ff

SHA1
acd9fe777bab405d04a5fb839a94424593fc7530

SHA256
e3ba021bc84a2148ad64c5ced6705ed7e407880b39d72488f0bc1e13ee5f2917

SHA512
eb45b067dcf57d47a027232b70910f90112dcc4914cc347dedabaa95f811ec7492f46263c9653c90788797465918b2564fae45e29dd1fc41bce8884e62a54dee

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3506552ca5c0b84acd46a417b204a89c

SHA1
2d70eb062a1d98630ffc9ef12a36eea4266ea7a6

SHA256
51ad2b1ee271df1cea259e8d253e89d79774f8824f290ce7dae9dfb8a8a0889f

SHA512
2b252716ace97080fc47d3b3755cad3ca1231411c3830a8e55ae2ff251426c592db85579a8a0e0a4b1d8650b3e6c55f72b3ba3f477f503d83d1385dc593ca049

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
da9f3b427e6ef839ff6ef40acc73c2d3

SHA1
fcddf697b2b92d2ab569cfacddb2f35521fdb7d1

SHA256
775be5a4f81b34821a0f3813219e922f65f638e4f878b4c71388a3bbaf5dbbfd

SHA512
29418ece27e8fe696d590de5279585105211eb0c9fbc50b80ebe23917bd9a6b1909dfeb04a7b88239faf877629478a757645e85537a1b90e8af7dc3b585e1929

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
643cab20867c950a33668feed06eefa5

SHA1
10adce3d17a979cf6a53f50d1f8b64608fa5baf8

SHA256
be19fcbc4a7a8c0c3b78d1c3b8df75c4ac5ad7cf6270418c949ecb49d6c15b62

SHA512
4db1b903c1ee127b88a2ea43237a3399f0841d26cdc0c5e373859638ca7773384663f98f87222e0cff488861a1021b598a4dd5dcfa06b9906b07599b6f0ae4b9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
334f54292dc45c6aed0b948293115d0f

SHA1
e280226784ee642e2c5e4acf95d92fef7bbcc5db

SHA256
a5c76b84a332b07e2a02f196dd86ce6c3a3ae3547187b6d89cc8b85da5934149

SHA512
782963ee096c1e58aa57e4e0f9efa66a5798c402221cba6c84e77079eaa5da0e6f0ad03c4b5efd472e659355f088eea9bc62e288ef5e2b529fa317946509b95d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a179ab81b23df2300a669e01f5f66c26

SHA1
1639b9fed34da942dc9d50469d84176a1de137a9

SHA256
5d9fdaa2c3e8dad06fdec290b935e84a103020490c2eac646d9369538904068e

SHA512
bfcd21230fffbe0842369c8454a21f905475ab7b463975085d9eb41cc74a83983edd4a92cc096c8ab0e35fb72c75c3a7adec3866b215a7ca8e593e8eca234104

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
00064317dabb3617afaa47eb49ac8cbf

SHA1
a0a56f363a0778461081260b02048f5c2945474c

SHA256
7372dc0aa2e27e112831f93a68ac3e5451b41a4b10e0feb1fb32d9227e7315f1

SHA512
8e2bbd3b012d12f1cad838572bc2090f8be2b5eb520e184679240e5b0cbac06b230e44bd66b618afc91bee30705a70c602fc64a14eaba7ce310adbb0582b5c30

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9c42287f52802a6554c54303fe762a5e

SHA1
e372c46fbc7ce4700a0ffaeded1140a06a3c44b3

SHA256
f905c59740d3b533ad7dc1f266e5f52d9f7870d438641e258e73465422ac2c18

SHA512
561e1da0f753c0bb945c7503e382a973b424d589e209786d0be6751756986e67bba1603b5d1c2904b0aae17895d49c255fa57caea6fccdf3d4cb52498cf0e34e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4b8ea1dc85caa378676351ad73c7956c

SHA1
948547befe71f8f346b065b6be0f6e2c7dd8d5a7

SHA256
df37cae977bfffcf12e9271cbad758d5fd1588a77d3a2d1e229ac9f1b166eb1a

SHA512
74b8be1c0e92f5a82bce6613bff1fd9a53cfc679740708ab70096a725cded67c0ebc35148b0ea4a26902b9954558a3b9e2825b8f28ffbadba4aba07c00f7e963

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
27517b330f4c6f1780eaec1a1c452a07

SHA1
e789a839edb5695477f001d302b5e516f0b7e9c9

SHA256
c88340470932655a98fe1115df899296ca03b6490fb5123f7c7f0d422be96c56

SHA512
b326c190687d185598ce6e372ded701d71b02ed1a2173b4e7f5cc32eaef14359e7b36895ebaf21c2abefc0979979eea167e64864119dda556237ce502385d43c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18f054211bcf250c12ff1f99e5a5d18c

SHA1
80fb3e7e1dcf55dd89f3c3fd575eb1273cb32aa2

SHA256
4cf8d1143e787027b9f457474ef307f966325509dc81ea125430a0a5d0e4c7a9

SHA512
bccfe94221b50934bd4476c8d72de8b64700e0951a4607edbe3064a6da852c3df2717da40e9725e6bc3aed27d737b960ad9cf9240005dd4c3b7b22ff0fd80504

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9bfb080a3e99a5affd99474888a0d6d3

SHA1
59a48f87cbee968d33ff6fdb036b11d322998ef6

SHA256
5c2d45e7c01717e658c5fc55c8345e75c7d9ba52f99fa590e937033b5c0bfb0c

SHA512
98b33d357c46c99428a98188a7e78956399c205598596ab46224d78765ab0822ddd2b0b1da34ef9a392ca327213f3f87b8d59bbcc8dcd3f6b388cf598daa23c0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9ecd7b231022edf67a5ddfa70be9323b

SHA1
12c5ed4e4c808de94e06598a84c5e44f4f1ec95a

SHA256
e701f7f83a24b8e981c690597f8f809d2b148f75db8b92049055f5bf590a79cc

SHA512
f24d2cdb3d224f678f4929813cadd6ea77e198029cb56014219d12a257069be62166a62e29f52d928a1e5d02418d9068fb6f212acc0e08da350deb3be96d0057

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1f7fa9c962965dddaef3a84df0ec73c7

SHA1
75ba411fde483c83009153f067d25acacddedc2e

SHA256
f1d60bdf1285ca7527c3bf6fd50b0a3a77ec2ab060f8bf172265be5df3b471cf

SHA512
947f3d42f39d995d6068de72f828ae5a57a2c2c32af1298a26a2c5d85ce22726b03ea4959e75f6b5cf354a8e7ec906d0037afe8edf01f76abbb11056284dc3bf

Download Submit
memory/116-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/116-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/972-218-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/972-52-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/972-58-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/972-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1116-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1116-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1116-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1116-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1412-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-659-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1628-617-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1628-182-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1876-177-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1876-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1876-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1876-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1964-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1964-655-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2360-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2360-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2360-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2360-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2624-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2624-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2624-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2816-653-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2816-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2868-9-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/2868-1-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/2868-0-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/2868-155-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/3488-652-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3488-193-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3528-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3528-514-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-654-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3996-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3996-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3996-49-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3996-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3996-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3996-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-254-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4048-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4348-658-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4348-255-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4520-138-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4672-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4768-446-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4768-166-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5080-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5080-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download