b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1

Analysis

max time kernel
99s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 03:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Size

1.2MB
MD5

b93f13d7d838b4020ea28f03a7efec4f
SHA1

3083a655c3dbb654005cca69a9035fbb38a386ba
SHA256

b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1
SHA512

41dd0ca1dc241aa2903d757aae7b76efbc7003e55e1bd232e7b07c17650704a2688153f7e7150a12004ca90c76f1da2de9aaeb77baf51526996ffa84b7aeca67
SSDEEP

12288:luexqTSgZG5GnWMBUKZGYaJ08vTZLfX+PdgdnW:luexVirnlBUKZ408vTZrX+lgdW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4620	alg.exe
2476	DiagnosticsHub.StandardCollector.Service.exe
3912	fxssvc.exe
3372	elevation_service.exe
768	elevation_service.exe
4476	maintenanceservice.exe
1904	msdtc.exe
2380	OSE.EXE
4932	PerceptionSimulationService.exe
4748	perfhost.exe
4960	locator.exe
3124	SensorDataService.exe
4612	snmptrap.exe
4472	spectrum.exe
2008	ssh-agent.exe
2704	TieringEngineService.exe
5064	AgentService.exe
2920	vds.exe
1908	vssvc.exe
1616	wbengine.exe
5084	WmiApSrv.exe
2572	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db608502c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\alg.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\locator.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\System32\vds.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaw.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000546d880fe8d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fafbf11e8d0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000888a350ee8d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b408f0fe8d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040e8940ee8d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd4c590ee8d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f807a4f8e7d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a85920ee8d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Token: SeAuditPrivilege	3912	fxssvc.exe
Token: SeRestorePrivilege	2704	TieringEngineService.exe
Token: SeManageVolumePrivilege	2704	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5064	AgentService.exe
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe
Token: SeBackupPrivilege	1616	wbengine.exe
Token: SeRestorePrivilege	1616	wbengine.exe
Token: SeSecurityPrivilege	1616	wbengine.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeDebugPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Token: SeDebugPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Token: SeDebugPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Token: SeDebugPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
Token: SeDebugPrivilege	1132	b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1532	2572	SearchIndexer.exe	110
PID 2572 wrote to memory of 1532	2572	SearchIndexer.exe	110
PID 2572 wrote to memory of 440	2572	SearchIndexer.exe	111
PID 2572 wrote to memory of 440	2572	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe
"C:\Users\Admin\AppData\Local\Temp\b28281d4babd9db7733e5f6906fef9c89c72ea2f70f5c2ccb329d94dfa206bd1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3124

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aeca74193379c4f61a5d532f22a892a1

SHA1
ccb19ad85a6689f46b2a632e73cc6e722f731074

SHA256
439673127e498733d09a65bfe089aef6c07163e07007e0b4ccd8323d87d4b60d

SHA512
0060ac2039938fd1e99f164bf991a5c292d3d24e121efc52ad30c5a6983bb2934aa6d796889ddb6ca0d38fe1d18dcf010679151486de13ce669c62205d1fd9d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
42410211f79da41e8578786e90844c27

SHA1
2f228ceb32b63d658e523dfb87aca2daa6e48421

SHA256
1818684f5e35309d55422ce615ca063d44c720c75e1a62679fd1dc7394f6e303

SHA512
50a45664f33d59dddc0ce4250b8097fca3de486cf82a58a890f4f5aca535b72fb1e5b2ff119c6998afe4a7542deeeee4d5c4c0e912876fbfd756a8f8cffb6a9e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
87ef36d49315ee3c14f1bddeda52f120

SHA1
7b414526244f8fa68dba247957cdd9e800fde6f0

SHA256
c1a5ec84d3e2437c12f35787c1a67a5eb62e10f5c8db64dca8ab67fcb3da2101

SHA512
75062211deb07efeea2eb4b6471cb2153719e1a32e68f4578ee467d02e0f98030937cf7de1f3a6f49bae952bd8ddc8faa2711be096bb4f74a267bf229a86a411

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d29f3d0dfab6e88869993992c1825762

SHA1
af2f8928a118ad0cfef3e663a51abe0458764202

SHA256
eeb7302b862c0ef78f8920cd158c8aea8511b958b0dd9a5188bcdca74f4584dc

SHA512
66afd7f1e2a134efc6b1e2b5f8909067b443d0d16c8164631e81e05fb0290d81dac14ed8fbc19e1da18ab49b5393ca7e9614c6621787dff37fff8e1243aca781

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ecb0c78e475b75249ddb421f4d9d1e5a

SHA1
37b8071911f0b2d26833b0f98dbe095eaca6d77b

SHA256
efc1975306dbcd6493fd74016a43b36beb5e24e2da7a34144072560140e221c6

SHA512
e98a89a81841b9ee131f95b0197c5406b2d362024fda5b628a55a93f24a5fddcc8bb4b3da1a1187e32d1c24442da95eef4534da4283212cd9aa6eff7e36661e7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ebf0efae77cc4b98b2b6b21232ab9b2d

SHA1
d651ad6cbdece84d8502372844eae5e577d4d790

SHA256
3118e2cb35932fb09f02d53e241f42cdfc2d6369e66508fc5c2029e59722f247

SHA512
4780fa1d8a66c701a690a9af1344dcd7078207df9f227ac3d564071edc5bcf33ce575a34ca4e740912458434fc7a4444b6975bff030f52b174589b9b6f4b9f16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
027a82b1d0fb14811ebe1c13198e0df6

SHA1
afc6980625735280b23157bcaaa60132bc403a65

SHA256
8637553878b07dedc95b527c14a7b9b8b5cd3da6616c892637187efc0ef558c9

SHA512
d0b81d0cd93fa2de26f442c528d25de083e9c3c0513ac17f775c6db73a205faea4210a30e009017c83752660a213336458f10cb9cb5764c007218a86ee2d2d86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ebba292aa7ac3d052db709b7bec03f1d

SHA1
e13042c91e244dca3d35a3e41f700e4bcf3f24c7

SHA256
7be05b1d818ff7e20e3a478d0b42df65bfd38c946522308ce4598090a8ab65c4

SHA512
34a481d387f0ee4c7111df70a79b3095906e94985f3cf3cf92c6625e23e8adb25ca38569bb3b7448bb72023a17357bf812c6dc16b38f67e417a520ba5a209e0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5f5e7396160b704e2d3bd5439dbdff6d

SHA1
f4e54b62fa1c66f996eb94d146a963883c7dde1c

SHA256
2b678e5d6d1f3d4712310c088ecc872bfca9327a815724327ee436de723cb350

SHA512
5eb71859e8fe0ccb0502dcb902d176e8f47768d7647cf75e034f1fdd5ab61961ffae353b2c9a00447abb477d3c70f8b44a22824263fc293788545b18649ddb67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0f642520ca5b72561273b0f448f2b96b

SHA1
30979781bf1fdcb7ec2f2fe4859f51cc043977b0

SHA256
1ec7fcc1bc7a0d09bbf3e0dcd461b2cefbdf4be1910c1d769abbfad7d3023bb7

SHA512
5a5a931cebac8a4762b0a41b1ebb5885e1bb23b9098fce407d62e9a591d737a166d7d9f02181d272ebeed10cbf92662354e057fa456885fdc4630cd42aa719f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4cc0367dac2b3281fcae9a10e756bea6

SHA1
4fe2e6c3baff9215bd26da5b2d0fef9a69b08566

SHA256
cd6d4f81d0e6ff361fdb4d4c30fa043692eff471172507dde38b6c3493921a09

SHA512
3caab47bdbfaecdd9b96864ccd15d1a6caadcc7542fab18161dbf9cc24550466b0769a50dccd66f727b6afe26a3d98bd5a846c499df41e2b75e637ccc5a15efa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f248b7ea007d886220b80a3809a6bc4b

SHA1
cc22e40fa321bbf5cc437f4880358e94a550e2b5

SHA256
339d4b17fbf51d7ce7711208094f6b34734b8d8832928f8e21f5f85f5f839ce2

SHA512
71eaf02f95eba3c1f36cef9f174c5cc63ac2566dacb4b98976268184ff59b2d9a9f9f9e196a1932f2899d5d789f7f3081855c64f004b5209ff853eafbb2f72df

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ab91cbe3ead196815e10f20ee7bd77cd

SHA1
03c256a8a725085a6e64fdef85e303a5ff2ff89c

SHA256
a3272aee391d224a02416b37788df9bbfa7d0143364c7e7c522f68ebc115f412

SHA512
175497a9fa70d00bda90c8e239ae2acdb623f235028ec0655bfe3106a73404d7c3d31cef3240530ce7ea9611a930a43f11d75aab666ebc4958508a7f1d16282b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f6d2e6eaa3aacb49bb8f7b0ffd90f12e

SHA1
7db2ceff545815db82dfe08fe7fc93b63dd7a789

SHA256
fb869ccba362694aaf189bf89f88603a0ad093c082c6040aa6d4d9920302eee2

SHA512
51094af3370535ce0b02fcc6739c1711087d0b47805cf43aa407f538d524c21fef60133801a28167fb744e43114152dba42add45ebf3e7328ee980042bd9ea57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8358f6a9bd4908a6096184f7b2ddfafa

SHA1
b3bd934a1a3cbee26ddcdaf5055d65c16ec4f307

SHA256
6ce94ebb8409a582148b887ece262d8d40092a78295749dc644d7393c046db0f

SHA512
3456ee432e4bdcb0fe79b9fe565729e42b6c6498aecd26e94879018785e496a6e128bb6a4eb29318acb5e794f0eca8fb8defaf0b01f5cfead0d49058f96a58f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a4786b8717b8c260308fdfef3a699aab

SHA1
4fa78fa118c1f3bdc2bb5dd79d3f6672afdd68a2

SHA256
dcee0464d34c1f57df9235dd91e0936ec065e56f092ad55240b4e9e1eb7f94ec

SHA512
eaf10a7a079c2844f9bed4a9f602a372406c96589e1813f9522524a9664aee7dec15308574757e1fa1eb1f64f4a7e9ddc14086c92276033cac7fe6a57238f7be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7540ce0a2f8c2d547d206975f115f1fa

SHA1
1672e39e4df0c4397c1e9c8239374a119cca5b00

SHA256
a7353db538c933693acd57ae72e49b3e630006e73e1df47ad3b0b4f906d212de

SHA512
dac76ca50958fdc04c51220443bac64ffd086e22f12907e87b300949f51ca39a988c5eb614753ca894246d346e49f8e9be2f3399eb323d152c2335b39e6fb03b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
450ff25178e1119df761381ea6482f9f

SHA1
f8774f17a94d1f5440b0111f57b159166f84b9d1

SHA256
a09a0f033bd05ffb7081759298ab7c1ba4e4b09b461b213f42c4a0e6dbdbc2a8

SHA512
ac1ec7ff59f231e3e48ced3b66828295d323c921e85c2f39a65de2ef55d97d0b3167208c296ddc00fc849622d22cdd147e51699064e6e271676da91e014f8625

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3571f06ae7dcfd99f3bac23edf399915

SHA1
378702bba2209920dc92979f00eb935f189513c0

SHA256
45f7df10f8eda007758358629832b29c5b916c03a9fe06d4aaf9c9e171332efd

SHA512
3ee43be4dc03fdc70e99ca87567c542f1f00a8f6b2caee9cb08f3a7f68b2a350989e70b8f095ab8aa72b8f2eec629aba72c256d99d0a00cfcbc3adc06009930d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
92ce1990067d42e3fadd1a3f0b0c5398

SHA1
eebef8a46f000578f4b9f8585d7b5f1c04be4152

SHA256
2fbc5a755c9a6a333fbd7edd42c58bbc50d1e19465858ed781a45c92b66b428b

SHA512
a713cc3aab49c7fc9d1f556624e32c425053550a8823be924a0c4d62dd92c5d683d8cd718656afb25cf882cfe863e00162b8b76d4e5354cfd73fbdedac0f0a48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
cf58d2af795d58d86fadaf8160df5382

SHA1
fea4e250d9e1d240b9074da50746cefdfcef1b8f

SHA256
01a00480146a0ea15881d7d047603d0064fe86cfae7f6be738a815dc74bf05bf

SHA512
1b39bc530779bee56d6a7c0a0108c27a0d303fc24e862eb967c44580632d20f66154e51e6622a9a5274cff866d7c102f7d37971033da54495207409372027055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
87a09850e2a01d57ff552b2b374befc9

SHA1
4a67604e417eb1d6cfe4703dbeeaa5b218b82059

SHA256
5d195992acdc241b6757cc1c543ea89544876f597864c8b917dee398116c7326

SHA512
519899a87ba850db91a81ee24cbf7470935b4226fb38220bfdb4afdd47da1222d507d2571345c262d924223b12e9e663cdcc3025b5b91502b68730e68abc7c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
272b24dc9bf5d2939d1ad2581cd325a3

SHA1
043cd0084830860bd7fffd543b9241f1154dc8d6

SHA256
f3a2b4942a02335774a5d827e19ccd0394c2bd1fcff3c228689c6934a083ec81

SHA512
dda1ec73a28d3dae1a84a68d4e81cceaa7e3c327ee965aa8db1eee9a6d390ef88cd7e7d5109e4c2f6636c5483ff1b6aefd9b4f27d59200e9c6490b2572c92651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e6c0c811b13a8048842c94dadcfe6c65

SHA1
8453e3993a87c433b981e728ff88c0096d903aa1

SHA256
6f0b41cd6b1713e5b8c3298d512131b502812f7dab15bb9b5310320ecb2971f6

SHA512
5b11c6fd2dcf293e99332654c9ee056466d63a5d92ed2126e642c6e2516c77457eadfb660f4b39a9135e6a9215f0f84b0eae0ce20cdb9183590426a79f6751d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
950ed2d0d577a34c04727beea2221868

SHA1
910112880736af73e204a1ce5a7fab58812088cc

SHA256
4a7f81fec58ef2601d8c3926ff399aaf6db9d2feae2c6f0168fee57b77255c8e

SHA512
0f04be3fe45d221bb1096abbabdcb2f96311cecd74fa4e3a16846b5a6734480042d1019303c9aad4dbe07ecbc735f0c7724f3b8eba837a64900c9de9408ed977

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d4a0d7fd95591ed642ca12a2f580a6de

SHA1
14ed2261413c756407f0c90274b68a15521d1675

SHA256
bd78c284a27395920eaacc25dfb192ff558e1a7948988c63fbd1f8c0c6c267e8

SHA512
7157b4af42e9c42ebf4fd02cbdebfdc3e545981aa2df72f03dddee4cb2806bded15966c3df7a5fe8366753de0e43cd2e3f51b22282f025a4c1c085e6e0c41e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b24bf7b20be608018c528d329181ef41

SHA1
c165551c7024c16cd53dfc0c021f6c968f4f10ac

SHA256
164b1fe0953dd046ec297e865bea03cd85df612bec977581b0afc5be2c55cf0d

SHA512
f1eb407e5b8ead26432eade842bd17313fdf4d568443fa2c73d0befeeae7221dcd4629425947c3881b03f0fdf9daed46517859724b96be2f8e5e392d4150ba4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e273cd62e690cb61d5e5665dde31df91

SHA1
8366397777e6e35e0b9860b1298fed7e9b173cc7

SHA256
a907926f6e46ea6dec0b5ac70d6ffaa57c284c6f944ac6afa5f6d12d3565d7f6

SHA512
9a4007c7af782ade3af0f24daa87117df63b582c95efe2b1cfedaa0ed93a9cda89f3309f20b7ed7d8c6296043f1b2fe971e3adbc6f98e74e3f69d99eabcf98a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9e3655d607762f11dbbed908f00e97e8

SHA1
a9f91f7e6641f17efe31e31a760a2fc51d2183b2

SHA256
b6d04144342631e80075f73a286092556be0a2ba9dab6aa03642eb73497babec

SHA512
8a38b884bc585465254ce5fffa68cfa255ac5b53b20a54c2a741eb739797a099a92354c2ea9eb1210b38d5fc502beb038ed068357e81a9123da26591a8a34c65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
625076a2c1ca110fa9250685540240cf

SHA1
127395edb8e2e7b46f671971d0ea77e98919f4b8

SHA256
77d71c9fd9c19b05d82dadd556267c59a2611212780690f9b08061ba0d6bf5e0

SHA512
5c5d7b7134f40f981f488e9b0591ac991dfdb25bad06b086cc16c11c4b9d9b81e8a11718e71e1f34f7b29701efd53468825361dab2780b70c1e6792cb2eabb11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
941787b8156f1b081b493b302205cca0

SHA1
7a39e4df962207ad540fd6e9b37c211b8025adff

SHA256
bc4aef6af927ca3303b03e58f3ee27f07bef4b9108d02b9869f40f101407a505

SHA512
19642436c6ac998b67e8da71e330136ff2bfb240768ae8bcbf3c29652b103a9ca69479f1ae7f2247a1816927741c4a9f391b7566a41925937d62ccd6fae3e3a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8e59f3e43eafb1c0381444d5ecb70254

SHA1
1647a99c2b37852f33589d0bfbc4e44d209b4987

SHA256
4ae4d3ee0c8acc31a9013d87e060e1a50228c56511274ed2ac874a45d85279f2

SHA512
01e321090288aa1fc970171894eb4c98ffeb586c62faa9a20cd0b070cfabfb110086d1e9362dd6c7f0c2da75e0039bfaea5050accd88b57c48d394fc26afbafe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f2ddb85076bc2e7eda8d77dae7534010

SHA1
b3a8f236b8a4e3f0fcff67af255d10efe33474c4

SHA256
f8619f153aeb8eff8617dc9ae207cfbc08b5dce716e2e5d7214f30fff1703494

SHA512
80a3a685ff52002ae510fd0b02df11a899f39f6cde5ed95566975f6d0270b5919a68dd897801e373643ee2e9337e48f9e7e65c91c5dc323a87e1b041d8787bd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
759ef4407c8e385a7e6261cced043821

SHA1
5b16bc59009293900d5d75676e39f789715756cc

SHA256
7a946f266d8a63a85edb5cf7f0a28f961b9d91091af451234ba244404d7d1d11

SHA512
2b75081b9981b5c3082f0a530d2cf18e8aebad39815eae749aa956ee993c2b91cb60585192de42acf057aaf1ec3cef2609bb94c9b7a066b53c6e37ef9b7249d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
af47996b184e006b39993256bd3f9f0a

SHA1
251880bb0961eca5daca6d3185dff0093765dfc6

SHA256
5b42611757e00d609a352c5b8fc75c3576fa836a053d75eb24f97ff4aea44e38

SHA512
19095d720b10dd8e3f49a1e295ea52fa195f67d56424d1df21b39f605cd0e944789fe1ffb23518833d130373b7559ede3a5a9923e1d7033d980eb659ae5b884b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d73c68294c3330da326f4bad8d7b062b

SHA1
738a7c026430084ee3dbfd220415c02b44a40e9c

SHA256
473a8634bf9d95290cb491708e7ffed9230b91f8b7bbaf6c0de9d5685676c70e

SHA512
e79e38d845eafa969e492f8800bc480df74898537bf65616b230e40ef617221f52517b0d0785bcc6e882dcf9878fc8903fb313069c3968cadc4a888ceaa3f5bd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b36906a837cb3800acea75a148e3bef3

SHA1
b46a9f51d84bacb2edc2215b16479a19c3fcd560

SHA256
8e371bfc462f302436731b7db1c96d0db3146dbb281efbbebbfc19c1455aaefb

SHA512
809a87be753c558bcf82ae226856dddf158461e6628be5e7b09f3cbf8cfb8ad6d52f47e68f2b3df200fab3bd6491cca4ac285b9306dddbe2e5b276db3d9e5e07

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9128d0ce486cffc5760178f2b2687dd7

SHA1
190eb82f7b13cc5c08d9d4c3eb2d8b57e4e1cdb6

SHA256
1d3a4421bf9d3d765c99fb555444330b7067bd4fe1085f0e42dc9c0e9f529715

SHA512
adecb2beee42a17e8b0712058dcef2e9be509867e7394b63118cb9f05c1031cfec7451391ad13b2a5622fad5139f6eae2bd5c1aa21a3e7dd74265580b6143755

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ba9842c412a65e9c9c5dd942b1274c27

SHA1
2621ffa9776b46ce36076607d42f277c157cb7f4

SHA256
a4a1b71ff785f6f1e1a5bbc681f58ab6fc68943b5ca6762bda888fbbfcb41e1c

SHA512
c9cacc2d3fac6df87825c956e8ffb8c9dc577ae01c7b792781e2df3658e7f2c12ffffc9cd1d24aaad2672b34340a4d03c897ede083e3209471e9b3d262b21e02

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4746bfe95c0e1ba9f53367216fd8d04f

SHA1
aa4b33c907309b3b436a4291544bd9e271736bed

SHA256
5e443a8ab1b5557c747273b506e9e94e557dec6dddb61aee96282db4799cdca3

SHA512
5a412384bc09633d467ac85539585ded7befedc65b34a40bd8b3975aa893e533845e64da96696865c0f9b9b640337aa6f651b891a24d99df5485b77c0362e603

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a30f7c83d41d73bd5bbab441f0fc6944

SHA1
3b980e1f51e52c34b35dfccf1e232528f36621ee

SHA256
2c0c634d3cfd5c3bac887b193658742d6c1b7afb4b744f0d55589e3cbfe89a7c

SHA512
a4f333785546baacefcba334701262d6b0c1923351243645955dc0931854897ee4f79ce6fa698a29f0bd4cf9e0554ed52344ff38c5648e252f4a0810a28202a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7ccebabb2c4ecbcc1e6e8760dc32d5a7

SHA1
7f261c4be0f3445d4b9e98bdd02e1ba885807ab8

SHA256
9147c698afd052f282949e79d3def4a7125cfc683035e974fd3d44bb4ca98a2b

SHA512
9e8276a2875bcaf8623e0fe98269979abd0dc4067d1019425805f7cbbe3ad4b5504984c40ba2a33abe9c36f6c9db8e1b03996089de1cfa21fb2a2fbfc27f3901

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
840f669d28359aa8983793cf09e7407f

SHA1
3c66267079b4ee807ed5556f79cc889cb4e74d6d

SHA256
d8734734aaeacacd83ed6660461f754cf571d14fda86709c42616cecc3896343

SHA512
9b9c61daf7b08f6238342d666cf8b02f02fc9627507918ab369cf0918e13d8ed8d936611dc81dd5839666441fea59e9ad2e9a435ea1933c3705bd463d6dba458

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
725fbbacf7d59dd374584e36ec0c918f

SHA1
42a13c1c994d24b9aebd149d3a8b5b85dc1334bc

SHA256
2b83b47b79144c9433d8f34b51bebb86c4d1f53a6cec2da3bc4b22263f9b21fc

SHA512
7f86040d177b3a0e0113caa1050ec54d69e07f0a0a583646eb37a85e56c8faeec7af7db8156b5031c31a44f2ae6a37ebbe9e3068ce137bbb0c03261de0cec3bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fc5f368711e063264c3d97d801d52e6b

SHA1
eca50ad7de879d9bbbe6b9234721d310a116cc96

SHA256
6bc98d585365af2c98836b80eac6969806cde3325b82411aed748fba0a0fd328

SHA512
9cd8b98a5a5cfa45cb80f669e8c0ebdb4cfdf25dc477a3c6a7cbe667003dfdc642f9f38c57631a0556813e4bdeed8c070d76eabd97b4e7e7bf50ef2fa97665ec

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
558204b9bf7da85d2c1160cbd3e506ad

SHA1
d51d134461bd8b9749cfa7246dfc61dd1516baf5

SHA256
864b79a17543cd42530317941d2e8755c4c0c9f909ef005d36fc63640465ccff

SHA512
32b5ed7e0e8c6836ef3b832955f006914d8346fdb5cf2c553a7f1de24287dcff4ea38604306b1200123bba310222512c8d81ae634b0a17c17140a7ce3543b216

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cad8dc1d03186d56e6f76346bd683a9e

SHA1
374fb506dba1fa84372e631eca9e798b0641f584

SHA256
e6ac9e483a9a520a067ce9e896840d763041d5118bf3947d13f8ad89f40ee62b

SHA512
ddc3985ff3f5aad926a13104b5eb0654fa37f87199ccccd3aec3e2ba38a20bb88a06363cbe0727f82a5df70d1ca01471a25ec605d505989d526c1ee5f9131050

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1292f7bf64138f66a4226ca702edfad2

SHA1
45388043ce5742fd74b9d349601c9c9957318f81

SHA256
8b6d7f938e51497c0f90804e4046f366dd36d6510e711d474be06928eaa68a49

SHA512
7fe720874a095bb7c1f19dbd2ed7c08a1ad98b767fd5f35c7234897c5d7376748790a76a7bd2c5d6145efcf13759c79e264eed99cf52a986072d05c057318d2a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5032f57b8967f643717986d34c8b1fbf

SHA1
28b842e779f61d2a1fceba6e17a6b746691ff2d8

SHA256
b9b877564dfd0e94e5ac3472481580ec77068bcd93b9f00355e6681e63cd76fd

SHA512
470a81bb6bf595281740d58c31fe4bc3589c9fe7b80b2c40ce50b2626e8097b2f739b3bc08c92df6265573d5b39cbaa9e5d041b74c641d733848c19f913543f4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8c4ca2da62a6b74de99da43c6fb57634

SHA1
85226b43bed0bd002119a6bc2289294fdb1c62ea

SHA256
19eba8d353d1b02e60db4dd3d6a24ffeb5ef287fd0be84780bcd8380e9fdae10

SHA512
3bb3fc0d868389f91a4f8f42ef77cf5539ffe833b60efc69c3f07e4f681f5423b90c29b5d8154b1c4f59726c51f9e9151585ecb29f82c429a6638df12185d401

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
88ff1522883556081a031e67dd7a9859

SHA1
2282ef0beaea3c442fd5be42dfd82ecfddd9cd88

SHA256
a5f5430f37944be71c58fbde5c91f26815acbe7c1830e631bf4b14d5a08b5c20

SHA512
6cb60221ec7d52f4cb2e2abebf5c3b7e07d0ebb31a0ef1259b7c94b3ebfac1deff1272bb448cb62efadea425666685a068f3c2fb01605f099d6e7efcb45cfc3d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ae0e35e2ba10f62c9f60fb684b95d58e

SHA1
3e3bdc7aea101d3b5f2afde38a6eba13d03c4dad

SHA256
993d122d9828e7a911243cae6dab14a27f51e1a263237f2549cebbcdaecfcbe7

SHA512
dbed11b8ad0f922b97a34cb0488a78d9604d2b2cfad2570465fdb18a289205851d5a72906720e29bfd9bf4896eff69b00c490712787566e74e5617b25143c320

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f276122804fdcb5c43aba6f2c1381246

SHA1
f67e7be99a59ea39c5d048254af4c229f261ee1e

SHA256
4b69d252c527ed88aa5dac8eea68ed40e0f039b9bb025de86182b96f2600d0db

SHA512
3befd54c8bc684a357d076268ddca3a5c47669e150e9a680e41160bf8915aedf3c2343a8fdccfa4342de59af06ded3f9531e8cc598e76da1b27b882d1ba0291b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6afc4af40d291bc298d8735dfeebc1dc

SHA1
8e35209242bc266c6dd985c1511a91d4167b7c76

SHA256
bf18a5b75e2b6578cafd22897cc0ac3ac5378d60252af88b7918355b983371ee

SHA512
38000730b6bf7d3ad3b6e32439912c794c16c82f6cb5ce6e552dc3275a467c5d306675351222b036549d2bb6da1ecef7e6fb61b6c7f8a7999e62af1680e2184c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1678b36dcc7e1d26aa7e042ace77b1ee

SHA1
15144c74c7c731ce8bdad19d75ff73f8eedcff0e

SHA256
f3927866548632658154e59817b8e52983717f1f18145c2679950144b562f863

SHA512
5aeb9b976f3325f88a3f95015fe1b90ced869941fbc8e124e198c8d139d57fc1914d2c2d2379cf624790d38fe26bb10d3560e4e0ccf1322ac181bcbc7f5ecb52

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68c54f938c6444671c7bf46186b51f68

SHA1
ab28c67743690d9af8e5e200c4abcf56b45dccf3

SHA256
a027ba02f1de34d6583c7c23694d0bf0fce0f923f6fd1fdb54f7bb19f26b4ee5

SHA512
407f73b6b222855729efbba101c079e1ebf520cb1a7ee52328937cad512f77a129792d4043b4e0bd93355ca3fb00d518f53839eeaa4a163c7b478174245e8fee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
527c8e480982296287f7d2e775dba8c9

SHA1
d5610d11331a4272ba738d6857338f2acb0a0f1c

SHA256
2084e89be85fdf2d6c7d70919b763939c6b21f3fe384c026cf49365ebc9be1c5

SHA512
ae7671f104e02659705c68a529d7b9f3dfc102905279624d0b33d0c1fca77b3fd31efbcffed1c3138c6e64a4cc929c843e1af0cf1df0af21a4caebf33bcf0439

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7aeadd96c6be242051bc38518f3f0adb

SHA1
c1f7e01b628358ec391b097915cb418a18350639

SHA256
940f514c9ff3acc1a7ba34dfc7b016c68afe10259b1c5763921cb222357cf113

SHA512
597da82fa2ec323d38fe40fd0d0e89f6fef09a2d223eef05400e66d906005faec3ed341edea2b11be14ead70f8f3cb23777ee58c2f984ddf1c348283f8af51d2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5ef4ea4f321e30a0b968ca00e1c35cb6

SHA1
851227032101208522f21f30e006b7e934240caa

SHA256
01f04439e785622aca7d86538595fe16a22c9f13fef3fb468c10d8202ebcb7dc

SHA512
61145490782f1032f946d928188ee168411759b97dfaf309690bdb79304fc3d7bd907fa175838c64010167d19eada4befed9f27074902f164ef49a8ca87ea66c

Download Submit
memory/768-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/768-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/768-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/768-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-7-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1132-1-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1132-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1132-82-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1132-6-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/1616-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1616-491-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1904-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1904-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1908-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-488-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2008-443-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2008-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2380-216-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2380-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2476-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2476-117-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2476-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2476-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2572-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-495-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2704-454-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2704-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2920-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2920-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3124-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3372-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3372-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3912-38-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3912-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3912-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3912-46-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3912-49-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4472-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4472-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4476-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4476-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4476-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4476-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4476-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4612-346-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4612-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4620-113-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4620-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4620-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4620-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4748-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4748-240-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4932-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4932-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4960-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4960-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5064-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5064-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5084-492-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5084-261-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download