d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Size

622KB
MD5

8a423b0b243d49e96392376d8e8e0014
SHA1

78fc0ecebd67137303039e921b1d9686eca492e1
SHA256

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b
SHA512

7ed8ac1fd6efa67ecfafe8df93cc3d2e0bbb349ebdeaec43ae2484ce52e8bd23ddbec46acaf5e0685561b56a14a5ef1922512607426d8380d97faea7abce286a
SSDEEP

12288:vuiqx0MsTe7IArn6xI51Ahl/9EG5/0Ty2LEGQ8WCorG44JmLJFK9yy:vubP+wIk6xI5ul/9EgnQQ/CtJIJFeyy

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4908	alg.exe
3336	DiagnosticsHub.StandardCollector.Service.exe
1600	fxssvc.exe
4048	elevation_service.exe
4780	elevation_service.exe
2784	maintenanceservice.exe
2196	msdtc.exe
4840	OSE.EXE
4856	PerceptionSimulationService.exe
652	perfhost.exe
1400	locator.exe
4448	SensorDataService.exe
2696	snmptrap.exe
3692	spectrum.exe
2516	ssh-agent.exe
4824	TieringEngineService.exe
2160	AgentService.exe
1728	vds.exe
2788	vssvc.exe
2112	wbengine.exe
1208	WmiApSrv.exe
5052	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

Processes:

alg.exed866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\System32\alg.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\632b54d2cad6a2b9.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe

Drops file in Program Files directory 64 IoCs

Processes:

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe

Drops file in Windows directory 3 IoCs

Processes:

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exeperfhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab1d673ef53bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003de26b3ef53bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecf8403ef53bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d30a543ef53bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037b8a23ef53bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000774d5a3ff53bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003219e33ef53bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bef1bc3ef53bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c82cb83ef53bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe

pid	process
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

640
640

pid	process
640
640

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeAuditPrivilege	1600	fxssvc.exe
Token: SeRestorePrivilege	4824	TieringEngineService.exe
Token: SeManageVolumePrivilege	4824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2160	AgentService.exe
Token: SeBackupPrivilege	2788	vssvc.exe
Token: SeRestorePrivilege	2788	vssvc.exe
Token: SeAuditPrivilege	2788	vssvc.exe
Token: SeBackupPrivilege	2112	wbengine.exe
Token: SeRestorePrivilege	2112	wbengine.exe
Token: SeSecurityPrivilege	2112	wbengine.exe
Token: 33	5052	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeDebugPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeDebugPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeDebugPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeDebugPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeDebugPrivilege	4508	d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
Token: SeDebugPrivilege	4908	alg.exe
Token: SeDebugPrivilege	4908	alg.exe
Token: SeDebugPrivilege	4908	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5052 wrote to memory of 2896	5052	SearchIndexer.exe	SearchProtocolHost.exe
PID 5052 wrote to memory of 2896	5052	SearchIndexer.exe	SearchProtocolHost.exe
PID 5052 wrote to memory of 1864	5052	SearchIndexer.exe	SearchFilterHost.exe
PID 5052 wrote to memory of 1864	5052	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe
"C:\Users\Admin\AppData\Local\Temp\d866876c0ad9e4716eea3b38ad35342457450bc95194538f0af6d4217ae8ff8b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3692

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2356

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
18c073eddd05be69eb5f22634e0f288f

SHA1
05af1651e45e68eb5623e1fff23ccdb5160d9c3f

SHA256
e9a154b7034efbe024edd21e6caa1af08f95f2eb9b93f10e66e415a9464a5f53

SHA512
2eda78f465627e5656d5b9e821f462726006c477b8a476bb3d9eb9895dbc0c1254783e166552dfba31beb562130b48cae47be2d22a388a3766e11c7d3e1430ed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
fbd8b777efc858735931215f8d8a1d96

SHA1
ee973eabb9b53bfa136cd349a401b47435a65f32

SHA256
8ea5c6411f1be942f52dab7c8cc8fde63a50c1e9da91e98dc6adea270cfc9a54

SHA512
315689ca555d8eb2a7ee546ffcb9cf1a682375a1a9c715253c80b6c3a5fcd36bdda1786571316cd34b81cf05d8100f0bae3bbd9fb97618968ca7753914d187f3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4bec7483c02879a46536efd90247e706

SHA1
69eb9515bac62cceee4407c9a8e6645f4262a8cd

SHA256
ff1cffa3e0ec5bcb1143b49c0063f3976a551d42c02610134a8b28f7338f0df1

SHA512
99bac89e62472f1df397306ac3d18485aab790d8c29595d50bbf8a32764b6d15260f332826a25f0c16578734d475b6b9d4af93e07c26b613de0eddca99fe64c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1220789acbdae66a0534dc37041c26ec

SHA1
7d3eaa1dae041fbc2eb6b1fdfbad0fa33dbf12df

SHA256
29177986752ca3d7f6821fc854ef5cb94448a7f5e1acd64b67f1e0dfaa9312b1

SHA512
185f0f6957bba10d9040a3c9c07ddd0622883a121ad74ca6e7db860d281ea20d85e35731f2718dd8da78bb4bcb736d4ca8962db0dd9f1d1093f293f750b93d84

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ed5b6a7a44f18db6d5a63b3ac0386640

SHA1
66ab82e3480b47ea8cf7e94a25caeee8824c4768

SHA256
9a2e57e751d82a039a7fe5f41347704cd3087d88fbf5ca06634f6f667ab40ace

SHA512
fe65ced47105a175064272edad8372f12f9a47442c61d14c7937d2d38c0827fd078f7eefce17ef50eed50c5fb218e904a7f10da7c012807f49373758841a1bdd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9e11e04681f4db82723875a50961d515

SHA1
6cf41e20ef3d157850e7065e6018bfca195054ad

SHA256
0c07690792643687c30ab585ca8dd8b40715d99adceb6a205640ebb3d00da75e

SHA512
211a5847c436ed71f18c9ba17733ca8f413eb27e8fde3c399c43eb2d7d547aab26e6711912022feed5f4948050a3de706d35b9b497cb67037cfe51667f329611

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bf60cfdb508f5cd2d7a63951ba36078e

SHA1
44a7a997e42ab2a04f246ca00ac493327b29e15c

SHA256
a13026df7b3dfe9d4b516fb5823f8d5331a8a932bb1af672f8928c9db3de891b

SHA512
64eaa9cde037c6078d6ea960e3ec91eb8e5f84163583dbeb01c667180b07b797c9c48e3bfcd1a4032a6ed9e0e777ff06fbc5295e51f907d0fdf8e3d4b517e4de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e912dead75d33b9824f7f1205f1112af

SHA1
1145931d11ac1d978e955a9e32dba4434e98a136

SHA256
19520c6cd96c075d4aacf0a4d3568d90e710d6e5b548c5b82f35ef46e92ba176

SHA512
599d4992c1aeef9789f06f638ae3544c3e249466c7f8cbde50ff29881b4806e25382040329e93002c287a1cd668ad9f55eddd9bc18560e09df4dc883611e1a87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fd279cc65070bfa31d73ecffa28a9462

SHA1
9a1024b302c2ac2b65b0abd0b43a46ca0e70a06d

SHA256
0c8335b5fd8280031c4593da76474ed5f65d0f6deea802ceedd7b6f185405f37

SHA512
06172202513de0c92ae4d2d7a121e51e251c0c6162ec44ec46a608c96170597c5c9b7c129cac1ed1764a14d51905811ab7fc59798a80a7ddf240fc01b2331530

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a8eabe7891839c1d2518f07a2e73a516

SHA1
26ee98e725564185bb249d371a07e1a681fd4dcd

SHA256
81dc7ef4ceeb311a045c31c4f92e82b8e656750f7c3034277da8d30047216eca

SHA512
5a9cccd23b43227762faa7d90ffab6b47012790b2cee8adda16bd6ede97087018d9c6f868ab0b22b4ea930c8ddb105944b31f2a1d8b4555059e40bdafbd6922a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a020c8a5d4c140c4dfd3949f5efe647

SHA1
38766ebf950095938a3b0182152e3077103eb0e0

SHA256
c4ac4becd7decc54baf24269edc49df9e97268ca203d883776c86ffcc60beeab

SHA512
6bd9030ea654a7dc079e350e4803a102055e6e42b7e2a8d12ee8f446f03f4474b03ced8d9156f7d1632645e6471cba7095cb84df9c3abeed33e759ec61802774

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3c3f012aecb570fbbab02c2ac9790add

SHA1
db733d412506196c36c79c8519b6d05aa16402d4

SHA256
9a803d50d137234bb35b9d5c1e554c5c831bfb50c0c9965a56c22a056f960256

SHA512
aee673b3c331753cf377a3335249d33bbae0a07ede9873c358a7f14ceb154465475f209b8f07ebc9d692787f1a3f3183cd5b4fd6554bd32c7e33f150ef5980db

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4db56bacb46e668b894b7e2efa55d3c3

SHA1
814cb9bf53e4c42a6987932e889ff031ed5433d1

SHA256
bb285a03b47bcf4dc9d01e3d6695bc8355a32010ab226e0170ad0ee1f4569737

SHA512
1f2b6d3c57a16cd843125aa905be8dc18f0b870839f49f6787885867c809ef8eb90f49729dc7772b8dce13d28597abbdb186a82b7fc5285ad4fd388db57c6431

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7686221c4321226a446fc31507dce2b2

SHA1
1181d54b02ba0374c2acef758380459a573a98fc

SHA256
1b10c800a7114b20dabf327ff31b11945d17b8ad2bbd7ee822b7dc145384412e

SHA512
cd413d8521bd028cf379799a22234446445cbeabc45bd38c93ec8947dcc6088bda193ce27b7e652e31474f88cfaa33dca5d47cbbb4f8ac674f1375192afb9cb9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b4bfd0e120098da1c6ec02f5b9487a19

SHA1
da9c9d28927a9f79f5738e2306a134d2bd16bbad

SHA256
25c71387b4860c2c4e94552679d5ae9ec026f3c9c226069f03f09c261e7b31be

SHA512
efd0e1438dc8544b531da3c369aa6fe4463506c55647421f67f3172cf532286ae286b2024257af948894fbbe5789d6a5e53be9f300c839c1945c0145bee8fe3e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9d4c8eb7323eee9268044fd52ecd9098

SHA1
4db079de8505de3167676ab3ca5854e24c56130d

SHA256
b08f72cad09304790f09a2f3c7d1364cf4da55ef0b2a9e7ca3daaae44c90d2ce

SHA512
8f5560ce2f1004c026ce81746bee96820d924d7b1883264b95fa473324adf9f6fc8efd11735a2d2249bce60d2d8a308d42f0809f649cf3c60a6b9847b4f17b13

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7c5d39b43b9c2c45b696a79475fba8e1

SHA1
e6a00c1707b6b7c1c3f2432a8155aef4510c3b83

SHA256
90abae6421f560c54ccda65bb39a652eb54bfd22a09e2fc83b2d4b8285f78156

SHA512
1032f472c142a2dbf928efd0fb38ef86d779d3e8f5cbeba6a275915bae19da9a04ca525b83b279fa9ac94d0ea92d060dc496e419520876c1299f469b3ea7fb47

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
6ca9fc4a0b25288b78e7b00146944425

SHA1
209669ac806f4518ef7d9dfdfde49711500f00ab

SHA256
a6fd74d4623181bae3ff8424f608415403d38d5422b93e8c68c74e65767ab14b

SHA512
d901f1d6007473b5d66b4099765b22d25bae061051b13ef243199da1565d72d7c0cb06c3f69542b850a9c969bad91cadbe43c69457ede4acc129d64e94d04a76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
cb93ab31f434f7e8db5d2840e660189e

SHA1
668e53290508ed36ec8bbceea2e5cc8e36b1d01b

SHA256
82c13ae9b2bbd5a2e9bcfb8c76a976a74684c7bce3aeef3fa7d864850cd62a8a

SHA512
b71e96f6d9ab45c40cf431b56b96f17a283b62b148ba7aedf58e8920779e2f879d092508c453decb4daa95ba51e2cb9da44feb10b2b9626f2b614165e3834924

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
38ef0f06ffbd82bca3441eb2774b4a9c

SHA1
34a0bd77db82ce2d1455b3647da6e210ba2aecb3

SHA256
3303d58a73dc39bc748f83ead3d4fa18b719583b13c95f72f737aa647a86538d

SHA512
41e2803afea9f5fde7dfa7ca144c4a694bd0da3265e3f731ac7410119198e1f5c2a568911be0caa7e77b21866bb84cf5a01a2489db2523e032099baf1d9e5dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7b4a9ef03f72122f1a713dab9bf4e4ab

SHA1
5b1d4f33532c6aa479fd634e3dda74761ac51549

SHA256
bd8757fd9c5b51b1b300d155d3ec2c185072662cc004b9f5889e8fed30c489c0

SHA512
5359c6dbf9781b8c06710e87f193006ae0f7e6288e360b71c179d00a91e7f485da2c34e7994ca6589c93a963c3f4c499f6144773a59059371ecc6c159c2f8eac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8430f6a61b5ff02662698ca6fabf5511

SHA1
027093dece182e83d727f7f8c454073f47f01544

SHA256
14a91b0ff12fd779eb509f20ad1ee65eae534e4d16ec664b168f5b948ac7c02d

SHA512
4befdcf02a5d197a0bcdf37f680da852eaa83ed161cf1f9cdd18a9879c9e435a247d926282609bc57bd66401cdde969df0503b749545ffe7baf9c24dc93f20c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
79e64e8ee8c05454eb89bdca808dcf38

SHA1
492532c835aca15581cbf064b7abb650f1a13f37

SHA256
84aac46a827e5f5206e6d8805fed86e0449060c3ebb0acd8f1f82540a72595a2

SHA512
1b77e5b71a73508912d6a2a5b580a26e25912ce08e5bff816b5dd192b9653861e05fdd1d0b5df3f5d4d9921116aa1e2782f4538585ca0be4707afa57e616f130

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b27200c70a5ebfbed95f170bf059c85a

SHA1
a2765d73cca7f3b600908892a495354ea88d2b94

SHA256
1d7185587d1b34c396b9923b9e9ec6a6c8f50a0f22a20520c2302c0935b9b771

SHA512
4dfc3fcab07cba54a77d4991c8062b922562221deced681af9097d9840c1f3239700574311d1dc176a09ce8f159c27084f368ab7af88ca3dcc4796be21f33a54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5a3b44ff8820e661aeaa6d3c683159c0

SHA1
65dfd235ec14185fe6a0c17aae93a2ae3e556550

SHA256
0db5b2a7edfaac4220b2a969f8d6ae5344ba7121506e5503289837d02a07cf5c

SHA512
52596689a113f24a236cc992b107a5576fe37cffee30828089912fc0e29264163bb7f1e2fb297c604035956f53f8537f511348e8d2bc100c312793ec74d03770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
39ad9b091437c369578e9db749ffde10

SHA1
2439e67dde450be4f5f138ea054f0a547e27c406

SHA256
9faf1ee3fa6fe35de8234b100ea04290a5aed92e3bcd6227f61c104c1c1012d0

SHA512
fb50bdbea7c9f2596e88cfbbe7cc312f9219fc354c1f5980248a107e8be09bb5ec18c103a596ad6091326b84366ac084d772a8a57b208f812405348cee60042a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e4f8a7db5dd14d4ed2dfbc928f827ec9

SHA1
06cee139ee1c3c0ffe2a1eb1a020a7d14c36b5f9

SHA256
c76ae88d003dc532d65d6c47acd19b6df964d5503f51275e7d0845c9265f76aa

SHA512
1308f945003698748795ec69b9e12aeaf24ae0090ae6ee1a6f4e10fcafb4b383ffe31e50d12770e55a08cd9ee6344b3dc5b3d1417055b8f71fe82ca068b11e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
fd0061e8d417455bb6f8d3bde978d378

SHA1
40ce3cb60f72467025f39ec98ebcf3e394c8ed8a

SHA256
bcd829c1fd1bc044852ea4dc4864f01e083e50ddb065a58b01502b2d74f28950

SHA512
b2439804eae10ec073544abefac086e749452e1b9c8abbcd8679337022ffa60f67ad103e7ddd236b85f323043528c8622cc32c4910c33c6ac5a3b11044acb645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
67abee32641ed623e1ccd04b54185098

SHA1
2fa89ac0659c388352cc55158a9d23de06552198

SHA256
1bca7abef9ff792c65db358c74cc9dc54385dca5ce83ad86600e219eaf57aaa7

SHA512
1579df1590efe5657831ec9a51e51bf05e8d58b592e6fc29c297f78bc53f1f7b491b99bd92a62bac6e6cf1bff3e1000981456534ef2a4fcc269f7e28e3049d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6217a7ca97dcefdd4199d3551a6ee991

SHA1
65895f738eb69e58a7925e73f8da53a6c9d416bc

SHA256
7332cf9bb752d0306c83440a65aef63eab7a31d2356acae55ace2e4b3f1357b4

SHA512
89542afe43107e30eb8b3458f489d248bea57d92ccf15aa2ef43d020f15aa3e5ae6a4b807a6fa1d354216db132038bca0675cd49f619dee88c1ab34b80ea2510

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
87c397f72e75b90cec622458183cae17

SHA1
f6167998471794aa1e3ba4b5d089a539a12bf935

SHA256
54199d12ad4312d8436315f1385f530e923adb03058763751024c65d25e84388

SHA512
d373263ce6c575e54324429739b0d3d287a8b512918a09ab3950a3924df6c955bd49ea52b47e64c38ea6bba8beeb30a1fa87896da4b6106b6cd768adf0a6d762

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2f80fac9b80256820bbfcb3034dd445b

SHA1
8927eb61c78758093c728280b01e713128d1d55c

SHA256
cb37ab869d82119eb942f989d9218bf38668c157da524b311a45b7c776872586

SHA512
076ad2942255e852c603f3eaa657176add7dd84dd50442cf5ff3d98225de26aa5393f3a46a07aa2cc20c89e85896e7630115a759b80b3518d22ad6741d8863ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
535797a969a1971570e4d54a4002080b

SHA1
6cd6b40ddb0e33f802621d5deb2817b12a0b35d6

SHA256
10188523edb620e86a2abd3c4f8961f277b23fe50d77818105cc895e375f401d

SHA512
2d291ba8009d54bfa1651b60a690f403d8d955377e168ccc501a1c62fc580a7a5d4999e232212630b2690257fcf13c96a7c8126aa4423546b1163d2de66c5fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2815a805a040b2776ee524c6cf4c96ca

SHA1
a40ccae013c1e06bd5130b9c58223d3902d820f2

SHA256
a3c81efa85a5570f38fbbb4e1d0e8e32fe82aad8d15f2a8a40d4edbc93de3df5

SHA512
88bc2a5b4e36be61f973e0511b1ec6a70298e5fe392828219e662e064fb356789a50c17346fa01b96973fa4d522009a707fdb95b818d3d239e9ff665ffe1824e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ae7384da7d9cc4f028617d04d36876e5

SHA1
328fada31ad5e3aa594e9c15e2982f0ba2449c67

SHA256
821f67b5f8b5f98fa6c8f6c7e0cf5ce85468aa2850d4fef54a3dd8e187dad4b1

SHA512
53e0f5623ff8aad629222e06946da9477b6e2bd04bbdc4d6a85acd680cb6340e4d81a25c4dc36f45254f72e5b0736bbf974c41d70494742b3ff8998fd969fcbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d80b2380d47508fa649b6f117076b96d

SHA1
424d5e3fdae3a2b37da94d0b2bbb1f50279bd9bc

SHA256
f29dff9318b8c3b8cbb22a395ff67e4456bdb84aeb2fed843fbec2978b878342

SHA512
6eae2e404916226c222ffa90d15a9b02c6210da9ac46dc72fa794a812ab5bc4ee75f1a1ecd8d83b69a822bc0c9cb2324185e054db521dd501164ff0f0d5c2ef4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
906a40317dcad2bfbc2de9ec15d35f6b

SHA1
9118ad157bcfb32dfce925ee42b1cd4e2cd3fa37

SHA256
f4e5145e817f1db884a472670239ac47d1bc09c4ad23a8054b6e0ec7fb3445ac

SHA512
53181577fc37198c29bf8598ab3ebe8e420c75be422ac0ccccb304dfddb50ec07660e7b5a8c251fbec2611380abe1ec35731a238ad509bef211b4711b1fb2431

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
15459055d6c674ce6b6372a4871f2146

SHA1
a55c40fe3103baf4ba4b3833d666a8a4fe9a8206

SHA256
1cd7e9abcee03d38a3a60867cf99b5db800de41264a4e11a41e0fa87d27047a5

SHA512
f2e55d08e67460931579e2996fc6af31ce36d520ad0227ebe5238ed0fcdf9c9c694b418137009bea95de482d6ea51aa803daa98ff6826696d5cb97842b5ac944

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b264bc83e8c5315a55adc32d25ff5ecf

SHA1
260e80500d2b0c430febb367afb5a5482a206e85

SHA256
799f827d914d0f8787c94ebf2e4fe94e9af8fec14f5dc4b99a5f72439cb096fe

SHA512
326ff6d7d8c70c995213727a7f218c447c6889976ef798643e24f0f4773841ce6b1808d6a6b349a193c2527335696a074a8894335e74ddfbb7eb3b71b279f31e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0fe6cc831e0516b676c265a3ba6b833a

SHA1
ad0661595c2d189530ccf07a33f3f10031b3ae3d

SHA256
af57a39700461ea351b0be840ca551e2768e3731d3d5c5942a43d584428527a7

SHA512
e950a3361c18e37b2dd1a82cd13ff57ef4c646dc6d53d591180d9d3ea2d83b3308df4204b175670e170e7e2404818ff7a659779e214dd8a530caf7581f9ef7db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1d6c2f8dfe174c351eb42712fe1b59e0

SHA1
e778ee0a4a43a522c06d179b488b2f74cea5fe61

SHA256
2819919cbedb95d9cffabbe725625300badd8fea2a943505e757b0e8e4c92dfb

SHA512
d856bb4da7f0727ad549bebd6b11489c40531817ca6fd15fc5c4967e8377db320b7395d9c8510b913c70efea84505f6e1b50e09a777a04bd800bc88cdcfcf1f9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9ad8455f5a5c66900d4f33c2cc2d61af

SHA1
734023616c3775ddce20b80084deb0bd0c90c465

SHA256
761e0e04f007c1eff053bce7a39f988ea00d7c3c256a5bff4a2e08eed7932b2c

SHA512
10bb8af01fd72b6ea2c7f469daf3e4b45e4e809aedb4906fb0dc121da628d6778b8032206eca51e562711ab73187f1023e1c722416e127fd2824b2f35c8fd1fe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
408f3521da021066c12648de6c908d4b

SHA1
121b420f1bd005151c6e22bcce4792c60a9637dd

SHA256
4c090646ab6a180cd79077d63de2208bfa60bd83cbc461b068a43ed11ee99f9f

SHA512
2143ab65792057d8c37a513b2dbd52db2524ae4509d98e1e0fbd045ab6e7c7a3fcf0619285c0d00764ea8f99310bdedf9f8fa8ac922556b9b6487e6ee6b195d5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1aa8a2b15aac24d3720450c58fc57a78

SHA1
ad9bba0e5a720d13bb16c26c1093db190e79225b

SHA256
68b2263b1452b4ef4dc84f95cac92db0eba1f60b93c34fa2238e66dec4bd8331

SHA512
d87ee3787f2c5e9a6cb56d287853f9bd411f7c677685df427556991c6498255cf94f145f7c4a8abbb96adb89f02100a1cf0537d568e5f767373a675165197d38

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
710aea213a05664acbf9338b293eb83e

SHA1
8c9c93c8a99d95343fe8c65b969293f0e1083396

SHA256
386717e7026b2480bf737e6d2241398e01b0c7280590c00a98b61439b035af46

SHA512
531f3f3f56ed51a8baa386b9814ec94a85ace96f6f750f91fb74c61119a44e1c74063b5fc3a9c951dac077c12a67bc9ca009712eca480b09151d6cb8348b3a74

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5c72a185f87016ee96ea1d05788fa1e7

SHA1
ebc1d192809f191b5e3491e100b84a53e33360ca

SHA256
ce1703c51bedcdfcd96cff9a972d94cb0db65179bfe3f75bed0e2b66ac9740df

SHA512
490e4a4d16a3ded5bb2f6eb9e71d83a332ad6919c0b2648f20816f58718014792bd02c617317e0a1d0e71d8fc6486982911b836f918be180ed760d474946beac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
30a5f9fb5f3cc84ef0c4ce1161c209f1

SHA1
3496b5bfa06bd2186c00725a897fc8c3d6e0a296

SHA256
b1c7246c25e7f1b3741ef11becbe4966191ff39f389013aebd436086017b889c

SHA512
bb97624caf7d23de98bca29c0b81aeff301441620361ed5d25525b59f0356b65f78888997746954db91fe3dbc69a3f4aecec1bc29ffe1fa7b3891e1cd0415c8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
273752530b64e89473a576be3a85f913

SHA1
9d027cdbe7a030df50894e4a84850ad54eb83e32

SHA256
0b85758192cc67a102c9db247f5dd354dbf5c724c84327e8650f4500ac1e1884

SHA512
fd9874d456e158ef4a98f662783e796d8f528f9a890a1b91127fd9f5e9d2d63d8b28ee73ddb9bd36e076ebe43968d57abbec30e36c038ae2a5ebc4e71d72ec68

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3b4d28810268f8a02ded20291e1212b0

SHA1
20204d79009d599e6c0978a28bb8e53203f53183

SHA256
24e1f67865e5086994b619390d28efd5c10b643b88cb3aeabf045ecd71952792

SHA512
7759c486e5d2e421a02e75a8626444b5b08623a54a0d43c083b961eaf8ea006645f41eb21d45e494ef607628a14ec06052cff976d25edefc6178c4b2e8a0b796

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe14c4f2e3162b38990d9fa6211e71ec

SHA1
95624ad92500c504733edf56d1ce61e2022a3261

SHA256
f0ecfc144329e1d5872bb58c734de13a79da77f6be03927d9239c8af6711b45c

SHA512
32b14df08575c792182274ed715027af2055152c4b1a8644580b3dd1b4675c37b2e902f856806bafa23e2587f5ac21f6b90af3e0cae769f904e4ee6a4b0bc7d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
af411c72a5ef13c55f4a0bf025fee0fb

SHA1
93dfc7850a4cc6a68b9d849e335d36b10ba53162

SHA256
a1fdc25c1edec8c6201733dd0cd5a49372aa815de0f043d523d09b876de9a7bf

SHA512
8662cad85f49f11cd562e97b2ee1d17e6cdd5afd458bf58a854a0345f46f8f64b68cb210bbdf4c4257f9ff177bbfc3f7c1e9ae845c0e921e8df9911448f62e4e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6db4e20b4f6c3a508a52d4daff8ee5a0

SHA1
83f987e30a98e02386099d50f57858a05b85c72f

SHA256
7b5c20aa72e54c82f2679590ed37239a3b64ebee4761d7b56048e9ac317ef758

SHA512
385f37fe1c4da939f2589f528233817088538fb6d0048e57c641f0e5d6ec67d010019df023012f6679b2efa626461c86a514945aaa99ec735134935ef9977ccf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
96b521c4e797793c1fb3f699368597e7

SHA1
b49545d90f4823dfb0fa7fdb12379beee971d552

SHA256
8964975821c6df0be9a65d6b99b93351213a87c19bde5b8422c1a30efd35d3b3

SHA512
3be15dc193276ca800cd303fb58d8f52725070cbdcadb9d0cb174ce0a571121f79b4dccb5fe40d6504f7cae53a2d0a31bc02abeff858613b15a3aacd2e5e7728

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
540a8b4a44742fe867c4847a96511034

SHA1
4fd6ce622bff00eeab8d7d3be59cdd4032d0267b

SHA256
64fdd5b9c624dfaffdb3af99ef09ede700bcd37e583ef361538764b3936e0c11

SHA512
f1a2267bef9bb1fee2dccd650944453ac5f65ac3d41487c418042b7f53856931c80cffa7a2da66effcc59b9cba4b5c31cbc0c10bde9c1e18cccc609927ce8381

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
281c46cf52bbc35014171264ca071f79

SHA1
b5596464e46797793c56240b12fcff238274bc07

SHA256
2138512843eb412b9da0a83443594a4c205477b1c3722447d94d3ab483c0c9fd

SHA512
fc7bc43622b9650ef9287b972f8996fa460bc6d750cb022f499a308eec96a292a3aed7fa704b315a42144211410f7fe0f92c7b774e83be8db2d6bef1f6393fdd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
95b6eb58172d9d57716098a4406eb29f

SHA1
1d06cfeefb367601511b34474dfb55a6b5c36211

SHA256
c0098cc9e3ec16a1beba9f26326c8ce59a445fb473b930c6ee96f057dc799e54

SHA512
2497cdab5382cbb4b64eee17f5f0b5d935f37109ac7bc60ef88827c389cb594c7bb972a17203a84e2c080601355959d0cc8875c308af2bb0a68c0d794f3d248c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
09062c2bf119762c0ab033e3d26630a4

SHA1
52b52234ebb23582bae4cf014bf8c4dfb44572c2

SHA256
d3ee8753413c691cb5026c419745954d071f6f9d3b8304a5a1537cd4cf6f34e9

SHA512
b0e0232d8f0092fa75417d4711f4e246313075e1c0247b637792b36836f82a584eafde2af1cf6834abf73de7ce140721b58758d05fcb46c0dc1c464de910fd2d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
33acf3459c8dd810cd893516aa67017e

SHA1
b32f5b45119613ec70f35f451aeac99b7d592d56

SHA256
dd457a5535232768bad6882a462651a1a2036920cc4d37bbd4afc0ee8e4777f5

SHA512
5283044315068390074fa57decac3a7b3ffddcb67dd0c2b90755f6c5593bfce8ed41d824a4e6ea0e7f4575674630a9178f28ce173fcf2a6b0523e54181357d13

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e6e9a5c7e0455f325039da918d6e3a8c

SHA1
e5f93e6826907d97be4ea45bb8b26be8aea83e1d

SHA256
b145959041f3a004e797501e88f2f64a4f5d04020022b190a93be2d2e5c6e0a8

SHA512
7270a3fd11758c4c60cf867cd7a8683c891868c752b1ad84fc9ed8499c39b4661e708ae8e85abe802cb4e8698ac67643b65d4ae63a1011700fb973f854d46e55

Download Submit
memory/652-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/652-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1208-615-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1208-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1400-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1400-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1600-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1600-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-40-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1600-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-49-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1728-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1728-545-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2112-611-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2112-253-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2160-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2160-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2196-92-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2196-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2196-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2516-475-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2516-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2696-395-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2696-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2784-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2784-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2784-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2784-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2784-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2788-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2788-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3336-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3336-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3336-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3692-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3692-450-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4048-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4048-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4048-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4448-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4448-614-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4448-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-75-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4508-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4508-8-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/4508-1-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/4780-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4824-477-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4824-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4840-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4856-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4856-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4908-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4908-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4908-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4908-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5052-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5052-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download