b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Size

1.4MB
MD5

10f2aab2c91708d1152e73e8919735d4
SHA1

cc66429bece7b567c0c7b8491f35c8545e480fc2
SHA256

b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36
SHA512

3b1e62e3c03825abf1b3299a5b68cc138acfdec69551c02af233b571d68c066c0c204c31afc263074f8116d8c10f7d05fbb0d4a52146327de911934bb291277e
SSDEEP

24576:GsFaaQ4fDdHplFfC3bQYfVXP077NnmkUv+KzF+yH3:GsFaaQ4fZHxfC/9uSvN

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
644	alg.exe
3368	DiagnosticsHub.StandardCollector.Service.exe
1452	fxssvc.exe
3112	elevation_service.exe
1672	elevation_service.exe
2564	maintenanceservice.exe
1616	msdtc.exe
836	OSE.EXE
2216	PerceptionSimulationService.exe
2764	perfhost.exe
4000	locator.exe
1524	SensorDataService.exe
4512	snmptrap.exe
1752	spectrum.exe
2928	ssh-agent.exe
4852	TieringEngineService.exe
3896	AgentService.exe
2128	vds.exe
2472	vssvc.exe
3968	wbengine.exe
1460	WmiApSrv.exe
4992	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\locator.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e4bfd0b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\System32\vds.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\System32\alg.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63FECC1B-8F0C-4431-8BCF-116FCD47AD2C}\chrome_installer.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63FECC1B-8F0C-4431-8BCF-116FCD47AD2C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f9d89e0ebf9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028a3eedfebf9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054b6a7e1ebf9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c3fd0e1ebf9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f57d6ee1ebf9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000563e2ae0ebf9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000567bace1ebf9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009004b6e1ebf9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063618ee0ebf9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeAuditPrivilege	1452	fxssvc.exe
Token: SeRestorePrivilege	4852	TieringEngineService.exe
Token: SeManageVolumePrivilege	4852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3896	AgentService.exe
Token: SeBackupPrivilege	2472	vssvc.exe
Token: SeRestorePrivilege	2472	vssvc.exe
Token: SeAuditPrivilege	2472	vssvc.exe
Token: SeBackupPrivilege	3968	wbengine.exe
Token: SeRestorePrivilege	3968	wbengine.exe
Token: SeSecurityPrivilege	3968	wbengine.exe
Token: 33	4992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4992	SearchIndexer.exe
Token: SeDebugPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeDebugPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeDebugPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeDebugPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeDebugPrivilege	4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
Token: SeDebugPrivilege	644	alg.exe
Token: SeDebugPrivilege	644	alg.exe
Token: SeDebugPrivilege	644	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
4692	b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3012	4992	SearchIndexer.exe	111
PID 4992 wrote to memory of 3012	4992	SearchIndexer.exe	111
PID 4992 wrote to memory of 4840	4992	SearchIndexer.exe	112
PID 4992 wrote to memory of 4840	4992	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe
"C:\Users\Admin\AppData\Local\Temp\b987c637aaf1dcb5b87cefdd997e10006bbc75d1297b2ac58d23b81b03e6ce36.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:8

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:60

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e644178e0452aa42c731d90ef2e102d3

SHA1
ad9da533b98281f16ccfc44da9607b58909c0fa4

SHA256
c0cb6d2c162093eed741441939050d72650dc446b8559bad4ae2f9fd0ffd74ec

SHA512
d124e53346dc66558e8cb2a3a45f9e9e64a9a56f705e42fa4218d3b61182e192cd028af8fe26a8e449c2f1b4478e865dd67c25d6ff84fe51e0a5362626b580ce

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
cb117428a646583569446f5e7a78b613

SHA1
425d1abf8eb83c385d7f600274b8dda8e6f4a16d

SHA256
0bcd8af12dca3e063e1f7d3c39c7641b42dffcea0cdc663e352a74c78ce9a2a4

SHA512
8b4abc18e853c7e4e0efc62698e5418b5051af1ea3caf472e1dbad59bf8a02546639710c901f9be13ed8d2d2fa957f972258749cee2729e8a32a9d342f527dae

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e0ac82b60320fe4bccd46ed78f966cd8

SHA1
a17513740027e77370e2a16051851d27bd252395

SHA256
94e19dff44ca3a31636483bf1ddbaf84a52af84f7e24384001a739e4d64d56b0

SHA512
694a6ff495fe555affa860235d2d7addb95088f4deae015ca87aa1d975eb74be4652ff0a928fd208458f8ca69e5842df4ec3cafad7302621668637e49f9a187e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
50838c8d08c89f3eeed5d13c76514f10

SHA1
d5857864a7d347c322de6a6d19c06af3882044f8

SHA256
b97aecc5ad336f7e63998e7a29112ff22e3d0c54353491112437ea25a645d440

SHA512
0a037955b6f4b0c40ff1c472065724ec587372ac55cbdb35f34af309fe1820d68abe3c69e9154e49f00b44f6a03a46755424c099749b8758f633fef7bc2dad89

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f80d8a5fe7137a1450df003efacf8967

SHA1
a2f0e106ff5eb0aac96c3ee037e8db9ba8b71218

SHA256
5519d9f777d1adde2ba80c30ebab12b7f04e99381335f3c6f12eb22aba384024

SHA512
f83d3bb9f59c5ecead18f68d06aa131035ecbfec2baff2d06d439c8954a3a01479211f13a5092a2d982936712272502b034df8a0f3a9d5dbddf89101a1070a9b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
b005ca83ccfa2232cb3f4c07d99edd2f

SHA1
3b7e9f2a05e00e7df285a63aed0b36ddfbb83042

SHA256
3f537b3dad06b3eaed069052049861820eea80d23f5b042dd5d1f037b79bf354

SHA512
548c572b6b20f747f9fffe9f7c88b81615ff7b871c085545e9eb0b7db3b2dade2bae3d0382202bf844e63de943d04efa50959249f3457ec8a6e92cc6d3bb9854

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5d71f2916731edfdb0170a692e927926

SHA1
e502b45dcfd4d6949d9da7d60dcfe8f4ea5832df

SHA256
718850203bd260e8f63df81fce25534321fbecbbbdd151cec55d027384f2fb0c

SHA512
d738b93875c1b780f418ade7c715e727f895b0f76571683d5dde06dacf56aaa33eb15388133f729e0fc1dd10773ff6d4e14b87578f56bbbcf8100f8a5e1977ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cdc386c99dfd8cb67bb895e85269960d

SHA1
5f9cced1b9e2f2aef67df003129a9a4b4ae95b2d

SHA256
9c2fd8d64aaa4bfe32208c3939cd2b5277f4f677601537eb762e1398006df9de

SHA512
e6dad8d7b0408d2ed1eeae44af63a2a42dbf5310e3a7264d1c172e7c7a504a058ec56e3e638a145df1c762295f647edfe4e62fb443ab1a735a61592a2d13e226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
e220a3442cc7994cc44e9d42ecae9155

SHA1
0e000312890b90dec31efab6a1aeccf144648c14

SHA256
6bdb603e49a7e7ad04487115130d36aa8bf71496627a45471f49f0c980c91f88

SHA512
4f1a3e6ff9f21e5a1dd97f90973305fb2f5f5498ad876d44001f7c23bfc6aa39a3caf02dda85d265516106f6adf3b1a59b330301f0c616916c396efe003e8418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
926e4bc2356b419faf59063c4893236a

SHA1
2c192f12912d6ae88591b3a560c3f7693da13569

SHA256
7d876fac58ce3ae21fb2b63d0f856332e801dca5be7d152851ff2c34cdbf0867

SHA512
83ee704e79032222024058a6faeeff972aa8567401fbd6c39eb1cfeb128bc7f3a19a231c503c35e680172964b80f720ca9314228bcb791e6794304a79a99336c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f9d2bbdff7008a19aefaeb3a27641cf0

SHA1
fefc9f751b0c5c08f5b788c81c755ec9ed0cd6f8

SHA256
a9c848efb8e3828ce955ddbfafd78cb3fb7f1b89f1cce68cfedef40e7af31556

SHA512
e0f9236bc9283c573e998d5e0dec30b899887e51c8b82149c22b623d22d6f49abf3d4dc2e74c8e37136e480c888428a3674b6920f53e1f3933a3da01e346216d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
88910f811d154d83c51075354e4d53be

SHA1
9b7f3d5940025e5967569ac404cc77b821c80ea3

SHA256
b1ead5b0565e4ad5b3e3d3c181b91e947f14f92e73101df1ffc07b9a22875800

SHA512
85fd323139b36101f0fef5e77513b21e7302db587c21abfe9b1162b2f281d32c4da0896f9b94b71134f2e99d0c23df4346510045fdcb0fce4298607fe4fc62df

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
f7c0f7eb17fb9cbe67e6857b49a13215

SHA1
83a23369feb44161e7668dbcc346f9925a898814

SHA256
58c24a92ddab13528ebe7790bc13b20e0564afe19d1f535c6f304da94631baed

SHA512
4f7a0f657e306ac89102d72b73cb81ab059c009ef80989518a1df4f139e2ca7c320e9c6fcb45fb1007eab2f6cf6f86572e58b8ccc1f347c8a8021cf7875ae17d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
7ac1b8096f358600e58a4d2562ee3f43

SHA1
7b6bc35daf8e1fe1b03adeb073225fa79226107d

SHA256
7a7d2239e0dd4aec1754cfc410aa3f5c1e569df457e63f709ae1db5a9c2cee20

SHA512
4537ae64dace25a5e7ae0c47cf8820cde577135a632b156e3861cefbf65811bd5dcc836f66ab3c78652ba7ae2b9069f81d9ecda0055acc3e76310ec9cdf649f8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a8d3ecbc452cbcb2fbcd8ff80444f540

SHA1
7f2fc69e2cf5b58e005034c03b2419f67e6f4a27

SHA256
40db06d694fc47d032867049cc08cbdad6d3cd89e28e30192ba573dfa3002411

SHA512
0fe773d2854bc8c8efc85161ff6d8f3592d93dc8933414af8b77addc92e747aab6942fd69f3646c000a7845c5f6381fc0b570483daa56143bafc16fbb7a5f74b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
85924cd8f098fa8601e50dba7368b715

SHA1
6f54218f6c8b1d65f2fc5ddc3e3f6db821979637

SHA256
a36ee4accf3467a5b41595a438f9f5dd4c4c09434152edaf32df7e89b97bafa5

SHA512
8ec14fc8a7823785c16d30e93348e3f0a5bdf98da99240419e3d698ff4400f40857f706190c4665e28b31be3e3aa3af185b07d6825108cb8ece388969811c4e4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4f5816993366933f5799ea34b41303ac

SHA1
0b7e384649448158c5f61f01b48e1f2b3bf639c0

SHA256
50b6b30771a93138cb3905f211995b7b35cce73c0132845a60b127fa9a8c8efc

SHA512
74d743193d188bdc7640e9afc389d286b5e1ad6e38af9024ff96f30f6a71eed15a713c8f1684224337dee083325a0fd34763b23b6958cb764acb573f7fd113fa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
82631ec7484f9993a5bdec60caa5450f

SHA1
56571676baaca31396a46938a52edfe1bb772b8d

SHA256
7a800328660a1b2e6b6ac586bcdc80614f690fbe01da7dc37e0a0669922f635b

SHA512
19fde28344e8aa286ab74321f7b7f77296888d2ce10192d36bd590fb75245949750c727355a40b5149be9d532e9194969ca96802fa41963b8e32cc3e45004792

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
43ac0594b5caaf26861a9bc9805b2839

SHA1
2f0447525501bc3dbe3a244c0426f0139466c3c0

SHA256
5e70dbeb5a447e028ae2489bb9034fd30a76d6cd63cd299c2147398c6c0a79b1

SHA512
0d1817f724f1e1fde48de716c8ebfab7e1482a906fceeec929cea21537695d682ca71b64b316ddfe5724d95c8e0ffdcc2ddc27eb3dce5899724d76555fe23329

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
621786175cc38c78fa54cb9242941be6

SHA1
2b5b9bf365e47ce54591cc311b21c15cc6a03117

SHA256
5966eb0120a0af7c6400d767a86a2ff367d08c3735e57fba80975515f1bd26ef

SHA512
b2c903054b990c6af655dad7538e27e21a6df6c48c7a369f99d2a41b92b8c3f9e75b282a790e13839829f5513d5642c19772a79f1792589c122092ae0a50d1f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
8d26e5f03f71c9bbcd1a2fffdc1e40d6

SHA1
901c859758e8b6ef7cd0d38222a1b2b50977c4da

SHA256
76d1a6ee120e9df731673caa8a7d7441b84af420c0dfc2a9b8ab176479cd65ae

SHA512
0a423e141adbc0220c04236c1ea605e90fcc040717a5125f7eac698f0c18df22863d6765301d4cecadd6c71721d6962000e5edc946a10b8258c08bbd607f3043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
dd1f9607c2415f45d13c81b93aac2a23

SHA1
d0fa8e8c3a0bf953afcb2597d12e173b64a8900d

SHA256
c1392059b07ca8a7ea126072ca1f69e6c5ada9bd06affa3cfe6d47f5b04f6147

SHA512
947c48a2c6d47d5c19dcf9e5b3e87855c0ff9da276562776c51cbbf82036ef45f26294e5879723bfa6495f92f6eaaf450be4beb603e081ec928ceb1b6db8e54e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
373143524c462f631654843f73d5b5c0

SHA1
56cb75da97aec541c6ddfd4cb38cd0b4cffc52ef

SHA256
0cf5929bc1944ffd59b8b9dd89daa05fce62df46eb7e055f32e69b7f928f2a52

SHA512
580411fa825468c0040c2a811f32d6075699fc046101fdc9c7759460bb65e2e9d03b37db726dcc508f9f3cc7b4cc7e75532acb5cbd3f278489c1e8fa71d319e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ccc1f591d3a93ed65aaa8f2ec3b533b6

SHA1
b6b0841c34454b8f01c4d36a85d490928cdbba3a

SHA256
d4413acc16a8463ff743e844177f1af49d7b89aa6515c4e66d03c517aa315d5f

SHA512
69d45dae2a818875237da623b1b1da7938f39675a614225810cdaf9b39c0a729d52bb5f8ff0b022c7d445fc5bba8ad6e417b49fea947124211bacf4750523883

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
eb73a1bcb7ab6af1107e1645f989111c

SHA1
4ce9b5a2d161bbff1ad1bce0deadace16dd6f53c

SHA256
2fd7ac582c91509b419f1fd2280c7dd6b6668bc2322378741806dec16789d6cf

SHA512
d45de5c5e42f102487902203dcebd5d4ec54d9634f5800af1e00f7d71f8bf3b4a2e889243df9a8c6f5a52f24157e5a38eaa689b29e7d94a5c52a0373d7fa6ff7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
01b70b2db0c6d210401a2bc87a4200e3

SHA1
b071d2246670e0c841111ccceb22e2baaef0f61f

SHA256
6c9c2efd7b17b96bf837f08650e9c2ad9489ce8d959afdbd4402d567f6c92386

SHA512
b7315de9a9c746315f3b206cf9a7106845bac44418e7fd1868ab113bd2cc9e52147c0cc3eaaaf81930c125b6b08295e99d26aeb051f431fd50e9ac648fc9a51e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
9df59a510fdb4321c819f85f497a3a49

SHA1
5e898ec14936a266b2faf0fda13c5f074207e5a8

SHA256
8fe87ee6e0e8414aad3897544cc8f78e29b3d926bb1b76e4d56b59c8c09ad930

SHA512
66267cc6ee837607db7d92048b4669a07620ed1b45def3acbb1ec62e612552b9d5bba0662792ce906e3ea10e73904c0aca0593c835f238e2674c94edea71e08d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0dd4d8a38b0452580f35ba5ffa2c9726

SHA1
ec07a8326f4bbbb2e17c7607ca2850b8e4e45735

SHA256
16e567d68a4abc716d1431737d231858a6d6f7c30fe2d2b34fd39e2b8f05d60c

SHA512
39497b4392177597988cf4b5e05d83d841197abf10d21e1143682dbf3892eb6f21abeda7d5cf87b8a0333ab949d93cc9c00dd2734678b643470fb16fed69f7f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
99e53948ac77b22082aa5b0b57f33340

SHA1
c19afc3c4ea603bcfae31f98e658088b64e29f43

SHA256
a7968b25b0ff3e6cce56a8a82bd50a00f89fb52bc1d4d5dc5c28c368ca8e1fa4

SHA512
b26f3750037fd9ebab779d805be4d2d597034a6144342b593678dee8eb9777be9ae3fffff2af9919fbb6c4db08a172673a09ea26cf3b6c0d4a3a12b0e33fa05f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
fc6103b36e2f5de109de9db5cf61428c

SHA1
b75802b5e7b1717a06f13f0efaada066db3d4494

SHA256
a03c95bf7b1e27cc14e5aa6855a6a0c81491ecf1312e038f2a64dd7c3131ba28

SHA512
4f879f9e44dbfd6c95ea8c2bd5cac510c990d4fe41bb5240604724b75e5a38ee06476496dc3b777d1a3431b43c8625b5432be2d935b56284a5cd795131522933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
775e41007e71f791a0872bf6bb8f5197

SHA1
69fa45b150755a976fa36502c7c4169d939f5eae

SHA256
3fe9b9b4da80d0665e8952002801dc0b0c92dd4da48d7a832c5abd5a409e0c07

SHA512
ad5a01b91adffcab468f93db4e3b8f066d81e11362c68944272109697c136b3b40b2b81cfcae6ee0ef311e2a787cd24dc1af0a1d132b8c37dbc5c2b426147fb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
e86b3b22fc9dbabec590741f7acb764e

SHA1
e686354923114a5592392f62c02499842c1f01b7

SHA256
444d50be2750573e7b8b82fea41e7ed36eeb9a3a11b7916d3f02d7d3ddbf1da4

SHA512
f8a233d95e88d5332c28b0d3569f251df6b872741d918b431e713b048f8ae2577c462aa9b568f9cf0e4c3ee1ee875c0fec2b8412640ce3ab3d8a6d63af016b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
fdc610f4fdaa9ad07692ff0227f48cfc

SHA1
dc5184ae9a9e2a1b09615b0ba1d563a17a2e930d

SHA256
6fc66cb35235e7d566c803199739f4c2eeaa875df7e0991e2871e5d3435f4497

SHA512
8a94a12bb3c2781f3bf437ad392be599ba465810def5fccbad94f55f8d76b8e00734a9a95d4b700870efa52d44939000f0144fa5067cb0cd4c4ecb5b54e9679b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
934a45c764ee9848c11fa55ce2cc769a

SHA1
61b5b48cf52e0e9d33e35267a164acb8a4b14f96

SHA256
b6e8dd80c0b96eaeada90b1140f57889068172140b6e273e3112e00c594881f0

SHA512
5d3f3487d3449daec5ef6c6143bca6bee6de5a6cb19c8edc49a4c9027eb0d6e4badac64828d8fc19172dff950c02ee2b04393094a67064947b4a89a7d4c62e4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
05b8eff7ec108df4dda471a145e64cff

SHA1
4cdd8c423017de6bd3d3f2a589e975feabf9de50

SHA256
b1abfaa0f4d0c4fcdc7f2d133e936de9e9f7671eefe6fedc90a608fe8adb8f8a

SHA512
36ad08aeb7557135f63f9efb3422c6eede75424d5c4151aa49014e27df936251dff574b4a5e3ee3b390b78de75cbbe81e9e05e6c25e4c9a8c0d30c6abb6ac95d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
6b3d170072c935400909b6d8cd5e98b0

SHA1
0abce42af143a3eafa783400ec5d0c7b2f91d416

SHA256
f9840b0b35232300ae12d473af79dc3739774c58d2df25c9c3ff083dd8f61e59

SHA512
5ce49253c70a7f65eb3a47badaba2a71db4d1001d0281a07490d8f73106924d9695a176dd116d1fef32aa7368baeb5ece8a3b4ab7f241f11b95a1ede8d62166f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
afbfb105c1f83fbaa64b2bb1c4d83aab

SHA1
45a1f100580e61a95ffaed47172014e42975739c

SHA256
a0a6195ea642e203b16a07a35dab5f407e638570e91b8467e87df11989ac426d

SHA512
b1358eb4cc81ac648601f908cab776ce2ef8fd1675467cecda3d2bfdb89eac01591f065fa4e41a93558e21aa26297e098908f60646b9611864cca0e85d6febc3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
bd809e72e23d89494a98a4cec3cf4c1d

SHA1
fd001fda97b74afae50cabacfe2202cf8824bb9f

SHA256
6355cb7221889f868931da38e5680be202512cf86936bb4bc2f12e319fc768e4

SHA512
81d4d81619dc9f30ea04467f5511b0a2427ba4d5ba43fc4d5d04e75505d9bfba8cd369f43ef42f3763bfb8b06618e024933192f2391e61cb4a54757e9b23b08b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
3127398af6b94fe8db58ef0dccd83335

SHA1
f5f72c76ebac08a5cc92b39e46ec734f88cb7309

SHA256
354261d486c3571fa95ec827d15ebafb86f53b387f5c8be10354f98624c6cea7

SHA512
82c42e4f21a94ecaf561ef54871f9662d4f18f048a4ed8f93d27726de980a33a26b59afb472a42a467ead24356ea608eb14c1abfb152c95c999b74d043b51519

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3ac18fece7098b3b8f17907fc2816b55

SHA1
efce2ee5f2e3ef2e5ac21b154321b3dca43eb380

SHA256
e9bea5505370fac37dc349772f43cc1dbece6c6cabff914e587792fff60bcc07

SHA512
3011248939b814207492ed86069b11bc067534bca3e9569553d79fc67497eaad19c552f46f5420bce41497dc99ad1538fa2977f05c00f6ae7a23673baa432bfc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
b69cf345cacb3be3b4cc846ef218d861

SHA1
e435dc92310609a90ee1642943e3521be13acbf0

SHA256
1818e92fc36bb624666e17cb913ade5360cb3bb819ad54f4edfab0401e38b173

SHA512
1343efc9c98ba87fe44b235be839e448dcac585275185cdb4452106d5f02529c6212402ac14abf72bc44e1e245f51fde388d6bd1203e58e42884206e0c284911

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dc25589fc5b28eb31dd025fc70ecd988

SHA1
1d42637c56c834f9071f792ccc58514fe8c577b3

SHA256
f73590aacd8d7895f6406c5f6982d095a4e76969ce80093dad245191aa9a9711

SHA512
9781c0bd0b6bca098db1700b0b4b3b47a2f9a8e0785e80e7074937aa721e68498cab29813366d5222f80869b3c9de3c3cb27e27bae41d4619937e29a30ecdf22

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
b7f6fdcb6aff7cf6accc9c802f64aaa9

SHA1
61374cc456140d696bfe48997c06fc0738d5ee30

SHA256
8d26d2d4cd99a62eb83a63035989c19d3d8cd87d6cb7f61cc05a68cedae97574

SHA512
3fc59d3113710e73a26810a6f942170ba93045dd32402083157c43c5fe36a5032df668e8fcb7a47b17b2f1d613eae033bed3f51b8f361b2ca258c46514125bf7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
be0ed40fb73bc48ab12ecee5c5326640

SHA1
82fd94c6403b855913aa14330a224b290ea8e955

SHA256
f1a15cc004f09ca3c362339b7f0b83967aa17ff7775e0105c7709958f16624c5

SHA512
fb0832b7be12ef9f3247621dd2a3b3474d81bcbb7eab285c8d07ea3920c9345bdcd55524a28c63bcb336aa55f373c876a84fdb83d705150476bc099ce33296bc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
ba58ebd52d46c4d5d2eb08a58c0bb154

SHA1
2d0e48d51ee2e2c65dae5e4f959c93ef92ec4b55

SHA256
7888d1a17f17e286380147064428f79c3a707057d735004bdb13f47f836dfd11

SHA512
e24d0153ab542deafe34e129544589298abef005e1bb7b6a4c038bc690bfdbc25e6665f0b1ea4cdd37b1c84d185990b6f292e3eec073559c776fe77f466bb3b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3df212d0fdce65b0e91c088275e30174

SHA1
5a8ab7de3af78902ada9fb1913f1ec7e31e0c80c

SHA256
c1195cbc042105cb2737f6ca8ed3ab6e56931b1446ee6fbd8663d36f2e741c27

SHA512
993205d764244507c334d84e1a1c0eeab7a797a0fa37020d6215910bd0b36d7e6aeb9c99ed2b59672c7f6da3fd4e65e5defa5f99fbc6030e9e4cacb6564540ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
692cad18cba8f89eed7f74e32ae966a0

SHA1
da7c75ea9911085c2553146c6eb325adec978220

SHA256
099489b93092df557cbe60db771ce7f7ce8a34f45a9ef15003f4892e2aee75d1

SHA512
0b255df7159e09ac1fb3fcdfdfdb619e86afd9455c5151686f5efc071a1247e688df883b541d8bb9238c2369349ccea3d2ed42405a5ce327b7d805893055d0f8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
226efeefb6ec92be48f32dafc4c50ce8

SHA1
94da5840fcebaa6a82ba8f67d15f6e6d58cb6510

SHA256
6525f6295a62fe8211467ff502993bbab096edb642c4414770070c7a7f11b769

SHA512
5e7558207e1ac1a00b413dfea21baef5f721257ca1b345cf29b0069e3c5840007d6907451943485480fb0e43f739c169076260208568511d6079597d5004e334

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
45c67d436f1dae30c0c8b74d03d5f415

SHA1
193268f7f87dc26ee3f3ac9e0bc25852a8e987fb

SHA256
a3defc1d441e42b2be77a41f9ff152e35b6bf9631cba4b290c760e983359fa41

SHA512
d20d777847f589b057c15b5bdfb718ea5136cfa8c5c89c67a8ddd9ebf7b0051e937109b4807f4b0287a9f3e8c3838c21d0d2801054b6e96b9522baa691901210

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d21b23cda6b91f4582f8f9a2885aeea3

SHA1
03c369217d8089ca897170725de717c035a47e95

SHA256
7d818d3e245c0f54bb92f55888d1647b7d861503266120800c8ded8f165cf121

SHA512
6cdfbec154a67d268648d9bf8029dacd03e44f47053fdccf2f9dcdaed454dd5f8bcbf67d61223d7146dc1f48b899e9c8b4a14ab18dda3d2bfb7f0ac70d64d695

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
8471f4f342016e02096399909d3abbc0

SHA1
acfcba41d5b2d295609b10c2a45f3a1b9f349cb6

SHA256
6d29fa6a48dd7a48e59ae444ff78f2ec7e4dae97c518d9924cc1a72cb82cca2c

SHA512
3376c42c66dfd64901e978628f5fa3c388f617744400d4e1bff0faf307f04f0791a67ed6f3a50bfa6ebaf3b4ce85c30bd4b420851bbde03f1417297892f06c29

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
610f5f2841c0b678b0da2847c8042fe7

SHA1
2467b833775f2286bf72ce6e8b59b1663c6acd5b

SHA256
1c82c6d168f06b660de36c715f986512f8ce06cb54eacd2bf8e65ff74305d6ff

SHA512
f86bd727dc863f46b22568cd24ec561d4ee0f1962a1665ea8fef4dac203e9058f7eefe8c1d9eb1d5461047116dfe859a13e0686202cadddca89fc9b877ceea4d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
a7c90056d17a21f76f6867dc21d3af7c

SHA1
9a1f7a157ee716e9547ed78bcb92bc4bcdeee89d

SHA256
45058b4e9d255fca609a8e311a03c20b6f12b76e72a7df00b0102c7573cc1344

SHA512
be81a66d7a57e35f012fc43b2ebd84f615b1e4918ca427c41bac998c69954c1a29005af35b014023ce486ab854de88dae2c2282f94259b94549893a436c4601a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
131b5a1025fea65d93252c830aaa9078

SHA1
709413a2493ae5f7077a694cf89e9ff9a6a16856

SHA256
7441ed10b3a01d9ad2ddd060f01cc04009fa0cc045d12ccca9bf2044c217d9eb

SHA512
536a3fd1a6cff188f015a64a1d33a6d924382095358f0eed2e71dfc23fd40c21e75b757d20d56f5e7b4d5005693afbe994b01ab5dde79e5789be699a3706f341

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
b130ba283a6ad3a7405cb091321260f7

SHA1
bbff86b9235e990e44417b71dc27fbf59bfcef5e

SHA256
c3581143b310bfe86e6915bbc59f98656b4aec21eac28fd684dc33a048f114df

SHA512
be24df9c028c19d6f69ff3c6784511e7847f15ffdbebc652ec4f9ea2e9ac515861ecdf9f5312840da4fc3458bf04b3a12ad8e261bf9f91208ac63fbaaa6e6146

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3d20316a5e21efa62eb5da26c1816112

SHA1
5834ac3cbac0c5a95ba54c793feceef7065426a3

SHA256
386fab5ec6c7f39133d8ff09dd79e034751daa9e440b7ab08142c3c3059d1944

SHA512
c9f08c0c4ebc4e070b5b2f856e0a3a5127f46429d186f4582a7c69bc8aa571ff5512c659f8b959515526b755e0f030925424cebba5cb9f89013220de62b1e89a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
17e6ef04e46821df7cb3adbdebc925c7

SHA1
dfa6b4f23c38780f24a0aba8f22a2a8e0aa59e78

SHA256
b3a9fe62dc1a258173227569399c3520b0759c73c6753908d4bf40015e9b4b8e

SHA512
5f2834dde60cb9c7c86fa05a6b1ad8dd9c4986835a055810d3df0a50d11f74d5b91d534f7c420449db3b0d1d5dcebd62a4a6bf0e83212eb2b29ab99412069410

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
f1d3c0fbc498111cdb1afd46e843b94a

SHA1
5365e50bd595f816af08ed861e9c16eff98e92b7

SHA256
2314e8845ff56dfa1cc84f3091118a72f8055f4d46ba770e5567e479bfd1ae03

SHA512
29c94c58b37e94bfb89c664022b5a3ff834052d9b4900bc8417ca5e7a4a2b5ba6487d52964e40ea6d6272a4909233c39bca69c81776f088ce2446f011a6d0103

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
77c1147b4dc5cdb0012db36906a14be7

SHA1
2a23eb539b0e183edf75cfb730c76b9bdc2c8948

SHA256
a2d2aefe42afff3b5789e5b06fe9b7ff89e7ccc6d83bb871bbde0bcdc8da0d08

SHA512
866dfa9f49e991fc105e3ec0e5163a54342f2407da93b1fd180d84ca5b509e2e2b907177dde305d5589fe6378d209729c05f6b30b275a9d0b8bc39e27e6c68ba

Download Submit
memory/644-128-0x0000000140000000-0x0000000140283000-memory.dmp

Filesize
2.5MB

Download
memory/644-22-0x0000000140000000-0x0000000140283000-memory.dmp

Filesize
2.5MB

Download
memory/644-14-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/644-23-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/836-123-0x0000000140000000-0x00000001402A8000-memory.dmp

Filesize
2.7MB

Download
memory/1452-41-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1452-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-47-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1452-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-61-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1460-274-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/1460-524-0x0000000140000000-0x000000014029F000-memory.dmp

Filesize
2.6MB

Download
memory/1524-213-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1524-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1616-90-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1616-121-0x0000000140000000-0x0000000140292000-memory.dmp

Filesize
2.6MB

Download
memory/1672-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-466-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1752-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-277-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2216-470-0x0000000140000000-0x0000000140284000-memory.dmp

Filesize
2.5MB

Download
memory/2216-122-0x0000000140000000-0x0000000140284000-memory.dmp

Filesize
2.5MB

Download
memory/2472-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2472-523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2564-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2564-76-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2564-467-0x0000000140000000-0x00000001402A8000-memory.dmp

Filesize
2.7MB

Download
memory/2564-87-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2564-99-0x0000000140000000-0x00000001402A8000-memory.dmp

Filesize
2.7MB

Download
memory/2764-212-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2764-519-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2928-216-0x0000000140000000-0x00000001402DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-461-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3112-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3112-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3112-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3368-36-0x0000000140000000-0x0000000140282000-memory.dmp

Filesize
2.5MB

Download
memory/3368-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3368-38-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3896-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4000-276-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4512-214-0x0000000140000000-0x000000014026F000-memory.dmp

Filesize
2.4MB

Download
memory/4692-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4692-85-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4692-10-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4692-9-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4852-271-0x0000000140000000-0x00000001402BB000-memory.dmp

Filesize
2.7MB

Download
memory/4992-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4992-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download