ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Size

603KB
MD5

c6e0cee49f07af9c887b75a45d5702e0
SHA1

fceb153076f9e56603e248420f3768e730f38239
SHA256

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f
SHA512

f36e5972c3955503ddea9b32fb2070112b35dae4cfb5841255da7c0852a0a23cfbc3673374018f2ea8bf4781e35bb0d091c4c4f14f05da1eb1a2687feac13e7a
SSDEEP

12288:wAvFGJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:wAvFqdCN/j2GLl3iFSE33b9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1124	alg.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
1376	fxssvc.exe
2064	elevation_service.exe
4984	elevation_service.exe
2168	maintenanceservice.exe
2260	msdtc.exe
4428	OSE.EXE
3740	PerceptionSimulationService.exe
3044	perfhost.exe
3224	locator.exe
1420	SensorDataService.exe
1860	snmptrap.exe
2524	spectrum.exe
4404	ssh-agent.exe
1796	TieringEngineService.exe
1088	AgentService.exe
1856	vds.exe
4380	vssvc.exe
4872	wbengine.exe
1376	WmiApSrv.exe
1532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\alg.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\vds.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fce41a62c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe

Drops file in Program Files directory 64 IoCs

Processes:

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe

Drops file in Windows directory 3 IoCs

Processes:

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3b3c1f567cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063ffeef567cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000668293f667cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ac93cf767cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fa054f767cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c3747f667cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa1786f567cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a8cbaf567cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe
2592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exefxssvc.exeTieringEngineService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeAuditPrivilege	1376	fxssvc.exe
Token: SeRestorePrivilege	1796	TieringEngineService.exe
Token: SeManageVolumePrivilege	1796	TieringEngineService.exe
Token: SeBackupPrivilege	4380	vssvc.exe
Token: SeRestorePrivilege	4380	vssvc.exe
Token: SeAuditPrivilege	4380	vssvc.exe
Token: SeBackupPrivilege	4872	wbengine.exe
Token: SeRestorePrivilege	4872	wbengine.exe
Token: SeSecurityPrivilege	4872	wbengine.exe
Token: 33	1532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1532	SearchIndexer.exe
Token: SeDebugPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeDebugPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeDebugPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeDebugPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeDebugPrivilege	3700	ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
Token: SeDebugPrivilege	2592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1532 wrote to memory of 4868	1532	SearchIndexer.exe	SearchProtocolHost.exe
PID 1532 wrote to memory of 4868	1532	SearchIndexer.exe	SearchProtocolHost.exe
PID 1532 wrote to memory of 4568	1532	SearchIndexer.exe	SearchFilterHost.exe
PID 1532 wrote to memory of 4568	1532	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe
"C:\Users\Admin\AppData\Local\Temp\ddff09550d8ba0ae38e6a7a291f6decd9fae585d39705b72d27994ffca95349f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2312

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4904

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4868

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
1⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
504b295fb6ae8a8524969421501ac46a

SHA1
0e49608add128948747f4a3c7111233ac292af40

SHA256
117fb98d62366093ca2ae3bf518467be6269d47b51833d19b16be08b5e2cf666

SHA512
51b92053963cc7d3abf9b8cb8e9f4518fbd31ace4c9eb3f0002f6a2e7a1035bb06039a22f71a0ae63f697e0b789eb2209aa5c387aaf0709e2135058d1ba6adc9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
155fade01aa92b957bf68c8bcb273784

SHA1
7b00d4823330e25f3c2cb7788f36661335de09fa

SHA256
73cf71188826afdb8f55c8b00c8be3676d8ddf6c77c07ae860141c888a18499f

SHA512
058887070eb6a8735e4bbc110134c0c040865d5a4fc9fd5e5682700e1b226ef19729fdda86debdfd0ba7d3c0b9c25613ec8c85fdabb56310421f7f89f4f2a065

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
6d31c04c8debd9917ad83c6a90acd323

SHA1
cee01c6cd8349877112b56e9881151bec8bfc9c2

SHA256
502248f71e7692f6d26b7a500ab608500d73f2ed2b170c3ae0c649905abf3280

SHA512
d49eeff1ecca8412f335be1f36d0c7c770a4ef468c4d282c3b2bb6b4fc357843bd5ab5a0e054193757bfb08cc4feee3a7497f6e46454d3c5c0501b1492219fd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ca100cf1c7a9067dbd08dc4150641dcb

SHA1
63d04b95504c9178a36882a47f453c87c44b8eb7

SHA256
ea32375022487c0e2de9619a10ae1defc177cb53de5614c286f44e520aa55c11

SHA512
96b02eaf03be70ac2e9c47b5e44e0d4957d2664167ca6ba7a31240e55372d97bfdbd980215fc82cde236c780a396f0ec91439b6c2d748d2e882c6e58b01ea4d1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4f25f5f14174aa9a459c8beed69091e5

SHA1
5148b3fb17fcf32d399b31aa5792f7967863468d

SHA256
16cc530d30190849a566e4add100980b379fb73355e16680a9e7b8df2e0bce7b

SHA512
51564da861ab104280c1b730047d3730aa1f7469bfec6479eb8fc21c3b8246e86b5e74392abd779cf253e9eadd97e26428d8168595590829b17f0dbab54fd57d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
171be67b4b0ee81369b4a47628c91017

SHA1
ecf5ca7e92a065393935cd32f561bbf397c953ad

SHA256
0828d79c72bc2cb72df3356faacde9e0f735e665523196ea22d5d3a940858640

SHA512
c19abe4be7892d869e942483803e985bd67484366ec441febf6354732c8d6225ae1a481222c57b3d42dc5d7ec121ec668f10613044b76507612ebc72eb82b601

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
1d3c6d1e51b43b58ebb4d77edf8f344d

SHA1
86a0a15cc7ebb70bf1f9bf6e73df0e6cb487e4c2

SHA256
2d9556f5d8455d82abbc756f4057cb5a06a46904e777e5a1016e48425b1ca430

SHA512
3b2515eeb789016a2f47ee78269c849c45a521740b149a0afb2851a94c65b3326d4c4140abf3d59c4f1dab005472f5c970b82e0080c85b37bda6050c4f690ac4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
bcf16b4e525e5ea411bb8d7e26480393

SHA1
ff8b505e1e9aa42855e410c47b2a2666d6646b50

SHA256
91170411b16793002c1a6274d50bfbb210637a97280eab428e5667c6810df39b

SHA512
19d071f36a55fb3286ddb082c7f6230b113e390f3110e27579b82de92ce6e62d17e535707013429611d06e6e66882a9f363c5ce5f9b3dbe860ab2aee1ba7334b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
a4f413230b947c401905c893ae597092

SHA1
c89728f1d343e640b3bdfcf083cea5a404ff3916

SHA256
455129fba9fcd77d7cfb1ee0f39ac515114e1aa85e716732c3bb3e4567ada46b

SHA512
67a7bcafe2b2f5a3dc0e2d0b2c508b2baefb6a0012afac55dc06854b01750de0364b7cd036c1734bc13f7a7b6ab54c307523ec54d5931438c864dbd5423e02e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7c5042022a75a3be7c0d410a50848d06

SHA1
12c68901219aa3ea096fd9e4f42698d87c40d941

SHA256
e93d0135ac3ceb5a0318f3973273475f705bde2c4e4b9af93b66681e63cf2d64

SHA512
8bffab18f57b1486c41ce3ecd1c62dd9eadcc15df0b86ee46a824752c2140909ce80e1092b36e12f849b7c72aebc43dcf5e5182a41993a7d91f34fbead96bebc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
58ab63d111b730ad6fd9c5750807031e

SHA1
2e33083831c22f913d52aa6ae4168101bb40216a

SHA256
cf672504d3b95200829da6d0cdd2bc0cddd2ec4def376cb0befbad68aa361a12

SHA512
45e3fe568ddc039ae2d66f22cb4af909c485541647f0052d11adb5bdc465fb24f068806cbcfe476ff9a45eb017fc24373c0384047d4c63197107d241fd78baa5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4d8fcc25aefc83553671a844b0ea4208

SHA1
c405ac0339ee07189b56e7c51663407f52c617ef

SHA256
88d50252a7e5bc7ae62568687b6b8ddc9387e0f35a32e1b487a16f3c1a6e9d88

SHA512
5acaf7e474e40a3ca5315e1b455ad77ff789b66768113e03f57b7afa560fb0a665873605fab0b71a165ef291f9be174ccd509589b15961a093f8f7db591ad351

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
93f54c31ca05fb6f95575fc962453d7b

SHA1
0eda72e0fc76665f2b20452afa8ec211eaee8b11

SHA256
b005dba230e11f308309bbcdad9b0bf817b405b7564ecff3cb2b09f1eb2bc7c8

SHA512
8d27e08d194f5de2fe8bb2e578826d22e9f21d7c6d1ba73a90703b06d16600ce0ebc825f59259ed2c40548a9da7cd61e28b3c2c26bfabdfb7c97a39f3a988a8c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
44daf8d08792a605bed4d86b56f91572

SHA1
b4ca4d36a487ca8fef222254861614520375bbad

SHA256
aeea4d3d3786032301a0afbe03b7f2088bb88af0fa2f63a56bcfe824ed357450

SHA512
aa582117ed45982e959a9bc189452068b0b944bd08c902a29d068ee044187185da68d1c7cb241a67eb03ddf407d292a3da2100077c4b65812870371e04fc1741

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
7d7e9f7b37673cbcbed6dd54105965c0

SHA1
38e249bac9ac3d0d73364077f0a50c640ca2fe7f

SHA256
34a6942c6a2c5d6c65094f79a64c92a44a5b0dd81703a3a8ab90b8a9bea6a168

SHA512
ecbb65396d80eeab321179698c507e74a2899d3987fccfbd6d3a3ce68041176a610b29c14099976b39cd8b5f435f23e4da4226ac3ec4eee44cfd4a6c01232033

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
04dcf22236d523f7a1fa5f3da14f3cbd

SHA1
942db192d3a8a424142ff0b47dee0b6be878fc0d

SHA256
113d999701c098f14529e2eadefc8a6aaedb83103567e4260dcd44a5b4d58a81

SHA512
6dddd5d357fac3a85dfbf6b208228c6ff48fdf36db8943db3b6c48afda68a55e17dcb4f10342a443e67675e3516a3e5303660cc16dc582c7f0d5471b25ce653d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ff7c2ab7bf43b69a570b3745d61a2f3e

SHA1
bfadd00b09b245f46de793eae85fb784bce9c370

SHA256
70c50b949f78d43ffb190aa4ab774bea866b69782de348a6767ae257fb67b8de

SHA512
facb605a0af63dbef59b51884a904848feabef7c63bb779b143ed51040ce9e5a999b02507e98720455aca9ff0b28e1fabf37242543ce5dcedb4c772dd2af3845

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d0bc9d969cbffa08b2c4e224f200db3e

SHA1
08d4cb107147ceb2e56b89e4d70f7de2be7b74f1

SHA256
ba757920608006162c46d502b7407a9f77583d6730e53ced15239e51219c4d40

SHA512
fd5a71203b7afec8ca069a7cbe3188db789762cf07b06ea91aef17856a4e739775f5a9fdf88e00d20d193ec0dcc1436e480c3c29c4ac7291a3e7d01e9fc71f76

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
58eca0a5b74a4cc89e04a23f0c02efea

SHA1
3f2bba23f5cb9e300d8b95c373859fd5d7b7971a

SHA256
10b55c2f2fc8f109db78098e5aaf6ee48952e3f0da0f061eeee2acc5a07510d8

SHA512
3417e575675ca5c1465f2e12886fc447e3882685e4e00717c2db7bab4cf944585eef24e111f1b319237115cd41957950d2bc8b335e5624c3436dc237a2ff8542

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1d1699b6f0953b0c285b8d5e918cf31d

SHA1
b252137bd9bf0e20d88f6cc7318899902324cce8

SHA256
92401df5410b0c3b0d159ccadde7cbe59a0a43ff045bc2e791898425e579d8f3

SHA512
e377ad2babe5c4dddf6144c0b08fa683993488154f64ba72eac5dd5b86e93ae3dfab8bf1ee199549b818a255f1631c7e1ed03d831f2e7d94d849ad43ab302962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
db4dfd15e3e34b942d9b1a5d20357ef0

SHA1
3914392b22c36bd09c6e4e9e4b4aaa829f66a0c0

SHA256
f5cf7b8ee6880f570a43d16815f5d28edfd85f2a830350c21d064431febf99f1

SHA512
64e4dcb73e49056ee3e5545422f2ebe57ed4e7effb66e3599d11baee06117b6e4c7bdde3ad67b6fa04fd7dab2cbd18d551d889f9c8d6c514149cd8a81692b4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
fccc64b8ed12c91128e082429a11669d

SHA1
547fb82fbb044fcdb1bec9fcdd35fd9250983a6d

SHA256
bd400d820727257bdb3e4e8500fd69e900252854d0803dea0e9619d6f22b4e31

SHA512
ff908b21ee0f1d2b1ac53ccb75925f3623a7136028ef23e4d4229fe15119efc7e672c5733d3660a83817289b88fc82711b9213ebe815bdc0f83adf15362872a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
d07b8fda59ed8007115765f7ebe06021

SHA1
99512a2fde8743ddc2c6efc49bf2e3f175184ad1

SHA256
952d5096e3f4d80ea851a6d75445bc3ae2fc81e22f5931430c45e285bd1a6d87

SHA512
db487cca4dfedf3982a35e1cdf2bd79d45c3d18175ac580d1dd62d3a010d4610c0dceb8b55dadead1ec33b17d1060af2f764425c0ac83753b2730c2e53a45cb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
99fd9688a759909d8922110189c4c211

SHA1
4c430251280b0896c9062d101c3d8222ca482cbb

SHA256
7ca96ed41d7c0aaccf22ada562a81fb4fe3e605fd9cfd150691ec319d6eed4ab

SHA512
28360f7d82c7b062c7ed2d39a55c194c072278c163a1c668bdc10832de329e1618ea55afd6983ca22df620d7bb8a047fa224d436f1323f451980dd1d530870b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
0c5bad5c7e61832c50b7fabf340ef486

SHA1
a2243ad0db703010471f2a301081728c205445a9

SHA256
6f0589487e52f1ebec0796c96ed28b6c14d39732286917884fbbee4e44d86111

SHA512
30705460fed8afd6cad20f042cd1d0a9bad7f208f22abcc91302748162680c20ad5076fd78fa139e0a0af86555717732791a778e4b44c86a749501a3ca9e2d51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
10897a71d8d23136fe2e66b680ba8ea1

SHA1
caeb5b4e0005c532ba29388e6e66d0fa0ae8910b

SHA256
cdcaf05b1fe0d5b458cb8e4e2b262616e4bcc14361b8b4a4e51c3cd45c777f3c

SHA512
2278a1b23006d28f473951b53bfdc893a966f5b6e8ebb7bf890e5a46ae445eaf8fd00c1b1596b927b9f44dd6f47cde34e4e12600fcaccf88d9ac0809b922a0ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
f1064e3f5c6913ed9863f1d441643a3a

SHA1
030aa75a2b35299dbf0be69b16067a4d64a86df4

SHA256
22e40d987476f59dea816c83732246fd3bad37d853803a2a43e0390843d3ca3d

SHA512
b286f0ba357c577a7f60bb211de8097e9249d8df134f7589d2cad12438afa0929ec2c1b0c5c57466e9009ff9dba57ef72506f4c692baba441e8a4c58d88c2782

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
28e5e54207b139f358db6504578a5af4

SHA1
334df9a09770d755d4c63de7d6cd5bd0fb2cb7b8

SHA256
370fd012f9d8f60cb578173c724d2ccb5ba2f2434c733b89ef96da8d5bd19d98

SHA512
fb7f6dd1cb753f6315bb6e8624a7c2f7e32eaa6017b70e3ddbe554faaa8998a947f218840b6f66bcfca3a4fd532d9e058b0f0560e34f3ab646d9f22671263f3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f54991a38c3aafe0c48fc0296ba6ce83

SHA1
112cf1f77dc2248bea8a41b34b58f7f0b1bb510d

SHA256
ef72283143d2cf92fb5c7de8fd559e04785019a2ff0bb6b26965ec4e2a3dc5b1

SHA512
adb4ada64cc1643f4fbfe91f095980d15741f1d7fede278f1f7d31f9f4ce26ba2abdb0233e6757852c2ea6e3e562469b4fc2e01d5533d0b252544e89d9edb410

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
bfa37af7509fc9f94571f94b93e9b981

SHA1
931470a8d71e71eef88d1c2a5b216af4103beadc

SHA256
fef5f8eb66b2cff6cd1b44ff78cbcd8080b7cd389bdf017fe579818606e1f509

SHA512
7102849ab5f1f7d2ef17b5458ff50e5c73b00851330bba8eb63c0b32801a6787dcd20975f7158ccc21f0d107cb77b1ee8328f0b90c8a3cd7f9e5c58368f69317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
e55e7622da292def8a5b1dde6ee142d8

SHA1
3eebf849b9c83db85f39f39876cadb24ae87acf0

SHA256
d328ebca55cbbd2570e3d6dbe4ed1b2092daa83550c77dd5be815a31bbe5e4bb

SHA512
b6e0bf57dde99639ebb6c432048924bd1ee5adbccf485e761f84e4d8089fa20fe7bf9e6bc33e691c1a395b9a1d5c3aa582e2ca8e12a65db65fe9a3184fc75f2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b9af684a8c885bdc0e1471e6370fc39d

SHA1
8d24d7336a66c69bde67a8daa87978548bf7a05c

SHA256
dd2ceb33eeba6a882567c0cf45bcdf543388267d359cf35cfa6338c6f8c1e51a

SHA512
783dbb3f3303833c09329dbe472cab4b2414c367805368f376e55ca5f7d6d55b980c923ef32b26425e8856f9a60eb0cd6068bd68365f82d47abbe36254b051d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
35a8a944c57c636182f40d4065241c9b

SHA1
09daf1ac5dbf0126fb463e0f2a1cfc81c56e09c8

SHA256
371d9fb69a6942ab92cf9e530732b21008f2fa2b0f84e4d2001f4e606541b832

SHA512
67a5af7fe239221b8cff0b9f18ab14a139b82d0080bacd2f747259c3cb6302e5e1c28fd54875d49893b7c5467ef63453d31ead3875519eb45f6273e945b6ec4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
4e03801d31f6a4b20e504c9dfc7c672e

SHA1
5d70b092f8688bbb3bf699e392b9665c7d6a0d35

SHA256
49d9a4030bc16b562c64a7b572cb664d249809d1248a1376edc69dd820846487

SHA512
952d2fa7b1682644b34eed3f83f523a18a7b0c36850bd615bf525bbd2d46e6e1ff456dc75258b9e1bc043a0d901e2513c5b8a2691fe0dbc94f261bb7b3c38307

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
0d0d6c12ce95bf050e5fdee404bafbdf

SHA1
650c4280309320f056dc1f8f92483afb83d36264

SHA256
2f9b86624ceff367134f35d793109e80047dc297a88da1941827f00466df943d

SHA512
ce9c324b0d75075a99cd3dae66409eeec0dbe61acb6fac762fae05f0f7c566bc9cdbcfcb8431d472d5e1701ea47fd637ebef63815d2d46ca3f6a1dccc5e4687c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
1f7177bad1ebb0fd97704cad9a005b36

SHA1
c211b2444ffa4a1967ff6d66e23560eb3125bdfe

SHA256
fd92d7a70a969ab37973c0d5298cf4659586fac3583001b57ccd6ff2de8d1d14

SHA512
34b79678899a8ce75cea3bc16a9ae96ea3a51f459abe67cfbae1ad4988706268d31730e6e18f8d3b61c6a2e3573d9fdacbefcdefef7dc68fc215d19bd6b2b186

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
4c9cc336a4a65933605577a80b4afb30

SHA1
d4ac4ab46d236a86d2675ff82ddf926300098788

SHA256
b306f23cff385d4cf3045f747575f1e4fd413b5856d56b76bade99aa98ded453

SHA512
3d4140ecfea6f6e51a5db63764bff790c3e6e9f0dcf9a2dc7d4e0d7930e505cf819178adf764a4a95378345a76ebae208553e1b532fa65ad12a1c6fa708e0d88

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
e35274573356cd6bd1ce816724cb4f6f

SHA1
859e30fcab33e658c93bf4d3b5cae052ae114b1f

SHA256
0bcf1d2a3b3f3c6f0f92be86aef904626082a5d0a897be3885584a2a133bece3

SHA512
1cc5eb41790bf90e537100f949acdb40fe8a87c1d15b5aa26c473e46e4862e7b869bb892c03270750fac87cc03838d071e6bc72f9c11e006d55dec9e165f1319

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
695819b40505c66e4040c1cf5a1f02f2

SHA1
5240c40eaf43e44413e747325633b2dc2aaec01d

SHA256
a325580b127e09d5d67102f6f82602b7a2b6952657e9cb53031239be4694f941

SHA512
c519b7ee6d24183fffaefa07cec73f3078e5c24430a1a971c7b85428e000a0f24b156e1564f3b249e66e3b8ca36ab7b2ee297b43b649fdac9cd8f4e7f5587487

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9357400411bc3c94afd9f18231298d3b

SHA1
33be2c00a2fc29542ca8ee2c80ff7cbc3a95d8ab

SHA256
2d673a5576a45f8725a9d89791a30f31ead0e179d672773b06d69fe9f142c0c3

SHA512
57df68a7a67d173ba11157f8ddd34f844b61b471ac13ba79245ab33bca2bc2749873b7b2ac496e385788470d234b72499fedb58bf1dc2274601503f9f6513e54

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
672d9966cec34e52a616444b85b09509

SHA1
c04be0c5ffae92c4095592c1c8215606a5b0c897

SHA256
eecfafcc29d88da0e1fb0677ee493a1673d9ee702560fd75159f818aa23572fd

SHA512
be2b4940589cf78ecd5816092affe22ff7f3347f123288673fd66e0d9395d3837b5ef58751b03b4772d4add5136fe0eb2f069b7474db897b759e698ee8063f9f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
52eb3a67dbc6aa513e70eec1d22a0165

SHA1
95c25c2b515d943dada455b553517aabbf1334ec

SHA256
d4e2ffb86cca37bb06ee6d99a18026f8d2b52731667360b2bb27bb95157a2cdc

SHA512
972d28ab3c39114ef31c66dfea08c5f6a42d98f5f18f6bee1168c3770782561a2d26394b83224390e58179ebf58d40acf1be25c74f64696e87f7d834d58569c2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
22cfd2ce76341ae6798a4ef81ccda148

SHA1
7dd38cc43d322758032dfef6eb304803fa0ea40a

SHA256
1c193538715b3eb9479fa11b85938b76ed4fe98a5cd5b311c28c50dd4b488d93

SHA512
daeb5fb55bce734411ff86d8a8173f84fb2020ba465c3ee7d5106ef556d0d68048777113936fd977bcbf99aa321721e68f8e175483ddb29cc37b08ba31206fc9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
82230c0182b9b11562b8dea85f8ec15d

SHA1
103e28b41c46976f4971d4308fea73f0751d1102

SHA256
871d729a8fa0c234a616d3bbb5ba1d8006931b108f708f2002d5a6c4bbaaa1f8

SHA512
5e05016cfba862d3985ebbd858851b13695efd85a0e3a8deefaac37522850115e413098ed53ea99e7d25e81f1ca1135c758619516fcf532bad2f46e1f4136032

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
84b9513862705c1cc9d7b2b3f0f0e5d2

SHA1
1ffe692b6626fe2b2bb9bafe5d77f263937cce31

SHA256
ae2a09a35f0c8b347c741d1f01a69699aa54e6829ecfe48e7702077e8b7d2fb4

SHA512
15a333045690d29836e5ce8d96525d196f25b7242f4f54b3f5ad0c25a30449122c46a5a9e1c30f61937c0128cd59f1503ab6d3957d692867997541a77826b7a7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e99630c9eb526978429b2d9449b32e70

SHA1
b9da99a9d5217666153b78e061614cc8dce9b0d4

SHA256
bcdd468250a32b0c69935b76b95be807aaecdbdf943e69f5d6a3c20fa4076133

SHA512
b4257eef6caff9e727913415067ee28ad866b7478bc69221c9dfcdbbaa4e8331bd5657d426ce81cbb07021ba0645ec00b2079f2f776c8f60fcdfa15a26f95fbd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
758de9b7d3a69ef2c081850d924c8e0f

SHA1
911b686907994009b9c406145c8c34d51ad1ad1b

SHA256
a931d2e700115b2bf72e55a10a7e2926ccb47e1eeb8652ade74cd146362385e0

SHA512
fb918e7c8b98f13451c0004196c65786b32857e526e194d3ef764544ee1e39e31088409fb6cc81ffc5127cd9b2a79c35faa9471bc4ee44d3ac79bce626dcc37c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7ccf022d4fe6cb905443f931ddf7e13c

SHA1
0225aff215b038a00bc549450b3618fbf3b55221

SHA256
2701938e9794fe5bb5a51b3d55bb0f83ef2807b8396fdeccc7cdad9d6ff17c8c

SHA512
a522e555cd7086f8265fd2989f6af9e117dd99b71af64de8530206bfd7f8f57cc60700db43854cbc76e79ace81697e86a271e815211ea99927858f9a613af3f2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
cecf58161f92d4ea3e19f7ecf22a805c

SHA1
c739ac5a3b21a99bbf3d7f09c4d000e5d619b45c

SHA256
3adf5bc312a7b954c3f4971a982adc640149ac6a915da79eb76931f6f977085d

SHA512
5771e8196ec465bb2713b72b521ba9da0dd7e48b3ac4a4a2f64f5ef6ae9a5526a23d6a8bd5e4ece54c3676ed3cc59d654a22919835e277fae6703085e29eccc6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
7347ce4dc368011694ec46bbc140711a

SHA1
c14340e28c2d4243f26bc0c17ba88f144c0f13a1

SHA256
7cabb9d037c2cdb8b59c1f5c0b4624137067f1412fc01ccca72141005d95ab6c

SHA512
5a39272ecae373af5ed8fc7b78893f9b203df743b2a51556a51ecfe154b11ffb6999a6ca8989d64c527e3f244e0736437118c7199ef9ccaa1ad6b10a2d8739ed

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
3347cf01f9b6a2b8b4cbf82c28ca301a

SHA1
ae2a3b8c0a045f8330dba1a307f0c3abcf0726ab

SHA256
29e8e708a844aed20bdc6126d1332ff530420a9e861a3b0d46316fcfdb84130e

SHA512
4e4d90e6fbfbce2679b51542971ed7a2d9d5e17dfb34e679745d2ff382dbb719baa97cf7bd7ae40a689cfd6fc5e5ec60d7d02e965158061ab4ed8e0dc0273c80

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
6fdb4d9f1ca4e669b3176f0d9d69ac9d

SHA1
6d9b722feeb0cca2ca3883b9ca089a85f18d9bba

SHA256
a17835125433404568ccc3e44bd36c94409b8028b58120f92c79c96da6c42b9a

SHA512
415d61503b6b7abd025c63754721aa2b0bd12f20e42c53983fd38fea5842f480d83be2eb62e8f36f8d5f1a11538a4bd308841443a9c60d9d92f62d21cecda454

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
dbb7c0890b053e8517601bad65a5b44a

SHA1
b98805036c8f16e7a1604e1d3c4da0dd7ac9a453

SHA256
edbd5c65e3460f1bf829c97fa8c351e8509cd4697f34d6b874e358af7d43ddac

SHA512
00adc822f8f48e9c57e460a42d8061040c61255d60ee3476c49d4ecb6091e08da6298e53cb21613ec385650352207951ee871e1301f3624f46e442d26a169eb0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
83c2346397872f19c4d068b38818e2f8

SHA1
413576f42d4ae17bf5b55271d16c92a888e11381

SHA256
af9da3d3f269a063b4da042cacb6ef0a80d0b5ab74dd34bfa030d9a3f59fcc38

SHA512
1e0d069771874326e24c2a46d79cb28757fdc4abdc3f367f74579f6b5732d619ffe6c5adc1ae9ff4db9e7b63be0b2b879a37a2a30fe998ab5c7c5ef6e5c3e92d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
8b24442052b9b62f3739e8351ba6b633

SHA1
9eb42f719934e9e1c1b0b2ff478b6015dadfbf7e

SHA256
40417089a9c09468bc1281166ed0c0b2b927635a2ba09bd6854da18eafc0842a

SHA512
59145db2f56a1d4b52944a1eb239e2ab2c70fbc2e4d52ebdb138bd4addfadc74d784196f5dce0622647b589495d0f95fd939d67c7dff3f84b843534ff845e00a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2c955bf609d8375d6ec3e6c86e8953e1

SHA1
2b65934a06974b4c52e65715b70d5367e49e0965

SHA256
fc8533187860d9b44fe9040d3d72b85d78e2cf3ccf545385fda5c7d72286dd43

SHA512
9199ba19b48a6ad367d0d93e90566280f51ddd011ee02448807c65dc9f37a071a4b9dc20e335b201d261a7b3210282778088229d91c985a1f146047cafd84ca8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
34abf45b81c52f525c4c747e50041ce9

SHA1
f3997a8009715a54b5cc3a32d5736128a962748a

SHA256
9a0e8306477ae0e89b96ea095f4ca7d61ce2edbe8e79016bd0018bc204c4b9c6

SHA512
8e6c5d96773048284e53baaf1cee0bf35bc438933ecc2c45f14423b2cfb696fc49731ff9bded7f209bc46727723dc598d1d37675c9c69bef9e76c8238337a752

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
ac65488b994edfeec6a881e6b6474df4

SHA1
ad8868a7ed0d700cdc3422a6ba8945c46aa54797

SHA256
46f438e3e487f562aa6a8c658302bf00ab124b68330a754360078c31a40b3dd6

SHA512
47cdedafc65d82712faaf8c583b8861abf7e6229e830f94e0f4e08d63e5d7ff17011e119178ec056bcf1b75c89f89a304c9666cb5875521de14b8f87dc8e7ef4

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
4d0cc3ad423262126dc456b9d46a46c7

SHA1
f1de50e91e6c90dd6c52b29c193ea7ad6dac4e2d

SHA256
060ceca5d18a76dff7bb2fa3599c0ad29b7cfa5966cbf729b32280c9ea262d97

SHA512
365dcd5d4deb089f57ef147a4d727b6bfb4351c188f00e382b34e96aaa9c565ed142c02d7b1d3b4ed845864515d16a37a7686c797b03042b1317678473e31d94

Download Submit
memory/1088-137-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1124-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1124-150-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1376-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1376-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1376-201-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1376-399-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1420-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1420-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1532-400-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1532-202-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1796-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1856-146-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1856-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-143-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2064-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2064-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2064-391-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2064-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2168-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2168-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2168-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2168-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2168-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2260-394-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2260-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2524-144-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2592-167-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2592-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2592-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2592-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3044-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3044-100-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3044-95-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3224-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3700-6-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/3700-0-0x0000000030000000-0x000000003009B000-memory.dmp

Filesize
620KB

Download
memory/3700-1-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/3700-119-0x0000000030000000-0x000000003009B000-memory.dmp

Filesize
620KB

Download
memory/3740-84-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3740-90-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3740-147-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4380-151-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4380-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-148-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4428-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4428-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4872-200-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-48-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4984-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4984-42-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4984-393-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download