fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Size

859KB
MD5

4c31c3c4af2fd026ac814885f80c7f48
SHA1

2de99fcd9efd3fd14ff33d38585a52d22d9c368a
SHA256

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f
SHA512

022826b6132a9ac83d0cea4ccb0e181e3406fe1fbc9e9380b448258ea5e322e2dad88f32cef4bdaec0ad9fb8ca99b8290ff5e0ca6b8bd3cb887891a202602276
SSDEEP

12288:WJOCWgO22Pek3sQ3/m4mmqmFrfBCgiw4bivhqGoj85sVPL5qw+Do:pCWh22PeGscqMrfUgYbkhqfj8uqw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4480	alg.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
3712	fxssvc.exe
4048	elevation_service.exe
1132	elevation_service.exe
452	maintenanceservice.exe
2236	msdtc.exe
1116	OSE.EXE
2028	PerceptionSimulationService.exe
228	perfhost.exe
952	locator.exe
5056	SensorDataService.exe
4552	snmptrap.exe
3756	spectrum.exe
1456	ssh-agent.exe
1512	TieringEngineService.exe
4256	AgentService.exe
3264	vds.exe
2244	vssvc.exe
780	wbengine.exe
2128	WmiApSrv.exe
4948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b93c01454ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\System32\vds.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\locator.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

Drops file in Program Files directory 64 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\Blind Access\On = "1"	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001282654473cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053322d4b73cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c39fa4373cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006be80a4473cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b73adb4373cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003712f34373cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be74f54373cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d93b64473cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000600a264b73cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

pid	process
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeAuditPrivilege	3712	fxssvc.exe
Token: SeRestorePrivilege	1512	TieringEngineService.exe
Token: SeManageVolumePrivilege	1512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4256	AgentService.exe
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeBackupPrivilege	780	wbengine.exe
Token: SeRestorePrivilege	780	wbengine.exe
Token: SeSecurityPrivilege	780	wbengine.exe
Token: 33	4948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeDebugPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeDebugPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeDebugPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeDebugPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeDebugPrivilege	2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

pid	process
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
2220	fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4948 wrote to memory of 2256	4948	SearchIndexer.exe	SearchProtocolHost.exe
PID 4948 wrote to memory of 2256	4948	SearchIndexer.exe	SearchProtocolHost.exe
PID 4948 wrote to memory of 316	4948	SearchIndexer.exe	SearchFilterHost.exe
PID 4948 wrote to memory of 316	4948	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe
"C:\Users\Admin\AppData\Local\Temp\fd36255962881eab2290cd3d289b396ba7ef76d6c59c11487b2f0938fdb6555f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5056

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3756

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
1a1359e07ad95d89786c3fc4be538b78

SHA1
58a0ac572d466ae0ee7c2dfc85c841c82029c7a2

SHA256
f5049784ab6e852e2e3feb43339e16bc000dbef0034d1a85268611815d46311c

SHA512
d07d8d2c2e075bdce598ee88b8234ba34b463d36f7410f63b5f1b7ccf8635651fde359e2c4e2de5ae10eda78c524924b3d7100af80b964d3661f0176ed3d0e2e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
7f6e3caf373858451fe4ca30a09f12aa

SHA1
605435c5d969995d83681fcbc13f17d377a6c19a

SHA256
e9cef4dc14ba8f132d3cdda5f06311fb0d492a19735b62bface7494889c0d6f9

SHA512
a5a61bb2696dea30574fc317f62b893a7dd22bca5b2f5549cfe815645a7ad249269b02f20cfe174bb2e38d01759c473521eb1e57296b8ffff17024f020cf1f2e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
dfcf3d4c5ac0668c3139388c15fa2d57

SHA1
6081c18705772af90c8e33ba5e84ca74a0e9f149

SHA256
fc3c629978cc930caf73def7c96868983e442157137bae842265d125be578bd5

SHA512
7efa584617b04754ab8dbed85b0124473a988c96b73d9e51f88c484318e977059f57dfa9e05ab72684842151bd8b0d063763cfd032f766599ae920b45445fb10

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0fac5f40ac8a279fad41c841998b3008

SHA1
d9071f32c71569f18f68cdba8f523b4ae7e62946

SHA256
30d08886c40bf6c5fa11fa37afb986e189c1423f1b86b342aa7d29e8408c9788

SHA512
e96d59e38fb55183f2b2cdd0fc5060bedef82e402faf611ac5ff65c4f889085a136f4d2a749b8a4e63ed927e668ec5f7d2e2cec2d7c79866fbccb4408a53a86d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a01faba3d892a5e61c26869697b5950c

SHA1
e65180ed4df111bc3902db7f3b43d6a42729c6a9

SHA256
2fd77482c27672289f7adfaeb616a917b3439d96727d6ecfcbda65a8f517e25a

SHA512
524ebdde2e8b0d7c41ba32316c7bd669d9dd1f106cb21ee1393bc5dd57d2eed4d1ad2f4b5704abcf6c9413829991c742d35413948b233594bf1540089e795719

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
31ef490caefcc2e68349e3e08fcb1d46

SHA1
bd0f40f35395f0d4d670ac0ec8b00005097b66fb

SHA256
7d5a16f38a81f2078cfe66272a1ddd125b24617c1bffc088c03f7d99c4497096

SHA512
d66ca36f62dd340ed4a9c980a8df54aae2e8a53be33435736a4eba5bec51ae28158d716c8e22b525684ee87ef286e8839ce5c9daa63681fcab0de7cf1f6438b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8579a3a58ae8f9bc8b4e08cc65f08c43

SHA1
3d78d395380bae6cffdb719dfc9e1708579e9232

SHA256
4dee3fa43093e2d35aaf2491b41498d43fe75c9e84494645272f56eae2d3a76b

SHA512
f93a66d5150b56905fd35fc25ccdefaa58e40ed6c798c368f51b6113714053a65b72f95b9bc359404f9a23e0af7ceff38d8af42d314f14404d3aa81d9c04a13a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
583b04bded38b89abc7d95ad4ba7df13

SHA1
81679c79d0f38071677f8fce324df9604b94856f

SHA256
70a79500c591f63514dc1f452042f874703a953b4ebb9c98e8f6fe4f8f5ff4ed

SHA512
9c4b1cab89b0d5cc2953c9758bb03c5a8b7c2922f5ea82ba4fbbfe46ce4d7fbe7ad6ef892411b52e8af2ec9fb67bca6bae578abb5fb9642b31d7b423402a690d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
23c0e09806265a57bc48d982a8781b5c

SHA1
fe63f8716bec04785701d11a1ced2ba9b2f393a2

SHA256
b413f9f9072e696ea850f9134c15894836ef454d0a814b77689a75632d8f7ef5

SHA512
c40f52c8bc331086f89f0b1745fe5221e7823756e154ec2ae02d6a73df12573f1a48b9774c220f18d76df377ab65c93580338df2e6fe0c60ffca80074d2366a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
25004ac17663bc1a1cd5a7205d7eb7c0

SHA1
597f7e72dbba8468ebaf85acadaf1b1996acffb2

SHA256
cd37de609ee31468819dfb4db442ca28bed2c15180b3c5ecd8199fc9109998b1

SHA512
5216b2d2fa026b3a65b99831a8238fe49efa07cc2ba351425d2b8d7fdba9846ef4afb5261461c80bff6c9bf7a39c6a453393661562cc0e2dacb8834a491cef5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e84739ab322e31e9ef88d7f25f478d4d

SHA1
7748a4cf1764b1d540fe5567d3108e86a3401314

SHA256
46d004c530f9a522e6712a6b49c7204f4c988044ee9cd68b1e9d228a7fa3edfd

SHA512
e7e03af7b3f771f9e8ebbd0143206c426278f4f75a379cddb8871eb2dcbfabddf4ccd4f6693a21ed15c21bd89d943c345f19af8305657a545bc28772e768f895

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f9073cbbe7daedc9fdc6827093a185d7

SHA1
ad57e79ec266c59eca9dbd3f97df4f2ba0921c52

SHA256
1c94c9dfd72b0b6e784c4a8b45b592c8817b86f962cf21f61e40b9b53b240906

SHA512
92bb3e4cdae40f2ac95ba912b9c1cc5af34c902e765bd7266ec5cccf9cf254b5377b06db70112ad9943c7dee8db39a3736c6834ac2b9b122920426b13d4d9483

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
d7cbc8b836d5053081fd2a271c28defa

SHA1
813cf22a6973fb957960b440a1f6ff1e5c7b1d8b

SHA256
3040c1b00662b7d4fbc2521219dfc994ed7d74128a163e81404d63f1f94b3ade

SHA512
9749dd2e8ba22b1cb6483dbd76006fda5a959f3cd6182de62d5aa0c6da07657c6df40a1c6d51c9e1eaea3c10ea43a3a4e34f7990037f2be73d1d60fd28209572

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
7176e1aa77a8e56244d63b8f828b36a5

SHA1
47e835b1a23fab520851f4144dfedc8121aa97e3

SHA256
d6362002420a54ec41c169389473b8d64f9b70d2c350e43faffb4621d4dab487

SHA512
740488872f934acde27fed02434a3b25906d240432314c186b3f62796b202b7b84126b2a1f90a1f1573e163f26423530cee37ae57b204d19102fca7f377dcf67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
75b9a38442f5c5a8d9fae964e8213d15

SHA1
82ae171e7f728759d9abdeadb4be6d3ef39dc447

SHA256
cada6e380b74822593f8e782ae525f470ae2e13eb55a5675c9b74ea883f96282

SHA512
29eac7aaab611df5c325f2e3edabd14c6fd4c68753310c8916d43e585075142e1a1ca6f536afd724bd20409c5cf8b5364ffbb7c99fbea183e30d8a5f6d7cb0aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
7756671c8e22be950d7efbfd106c59ef

SHA1
a2113cea8d32fd119e4b43e68129a5898d13873d

SHA256
b540e2acc6e2e368496aeae40e63eadbb68f255ca44e06654efe3e4e6a0e27b4

SHA512
45bf2605493ca1e27878b3ed2bb5c7890a6813360c87fb377796b0913057e19088a81317724a168fd39b84a56f3c383a60f9e8fc2062fdc7b35106c8e127045a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
b568f895e5c02c035050663eb465a052

SHA1
4700a21d70281d95de64c819bd744a80a3179d10

SHA256
1cef0c4af1ad7db2f911e3dd852414f5154b6cd89d293d6f63f5738123125c36

SHA512
8402e5c314458ab746e8f21eecb773c9ebb5fa2a46681e47fd5e4a035a87470e673569ae3071f6d07b077367b6de680ea91bfd1b5c2a4c425bcc416c1866aa2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5860fafd368fb3dd404016e1b328b4a2

SHA1
12c4cf2827ed8b36e1f8ce362042f6f31a1d80e1

SHA256
d9c444840862da8e81fdafdc1383fe9146a271fb5f649a387442878911d5b86e

SHA512
ddeedc52524906c2c22262f30ae49069fe3da9f43559eb86b01d75378629f1fac92915bb8c96b95fd2bc1eb41a153be2abf37e49ba39fbcd8e62b7b844c1341f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
0ab8143cb9a0b0180cfbdd427652988e

SHA1
a0ef3e07c28c8345316764d0244e3a025e99818e

SHA256
8b39714202f6c8f6427adecba4635d861605ab33616ba334a5240d9d11c9b1df

SHA512
5eab6b62e41712797e24405cf0da3865c4eda484a641603f8a9ed3d3faa3fbb450f22b6cb40074a8e7f1eb35b3a9fface24b3645e4e95da1c40025197be5bfd5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
fb362d7ced96b917c20302cc83e1f468

SHA1
86033bef31bb38b683a415d3e70df9e2355e3089

SHA256
c485f4fb820a54e0cc53a4079392f9db4bc1275be7ddaca1aa6fd5f6a444abd1

SHA512
2772ff66a45ea5631413fee656bba0c5a9e4ce635d6b5afcb9834dd16e57bbde879448790e426d538781438360ba861c728988010e6a8594a29592070e49cd4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
7fad089901852c3f50eaa4178ac61c7f

SHA1
3b938f589c705a37abcbd68dffb547b76f28f65f

SHA256
3c2abc5ab3805d65fdf79ffd29ebe9a5033ff54715c9855526f5079c49dcbf89

SHA512
8b49744aac4e9695c53bf87c4135afaa4325be67c7f22ba2c9cb545020c32b085f90064e11dfbe751ebff508afb74e7b4f7eb8dcd558d41d3c92af27e7c3b074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
1f0c780c5616a164e837fe5e83f915f9

SHA1
5064e27d7097f07406770f9b946d0da5311451d9

SHA256
f15d634a0d652bb80fe9d819a4b6fc10d7aeae2564ecf3c5ef0cbe157e2bdaa2

SHA512
95fc8e8eb70571deefbf32797db3c19e42ddb54813517aa66d4fb3c9dfe1ad97047dc246149137cc9765c68072171e2b67ea9d780542ffd8c3f93a06e28f6018

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
0cf46c9509927a6d7bb4ebd419e7405b

SHA1
c599e23d12906092559f196bf2138fd78ce379ec

SHA256
2acc2f6ab1536dab89b56740dd95bea06a945a40bc5cc14b5579fc9e39584089

SHA512
69e00b6f753c9a61b06d1eb1c9dde0cfa629a20bc98f4057acf72d14f575eefe3d52e00da4e957c60c39751c6e4b5a77af99f766c76c058d034a91e04d846dc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d63380637d988f82b156340987256f1d

SHA1
c5c997ba6755aa6e26325343ffec8d40f8bbc7df

SHA256
dbd280053e325c361be84b4990b83f172b97a97117b32feb12ed26ba79988aae

SHA512
214cc2e992b87105fc6514bc4fe39a1a30bd9870c79330d60a813662609c5add55ce838839950b243402f28fc63ebd0f95f3e94da241683ce92e5b8be4bbef57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
87652b7b26c6ab53da13c0f374228bf7

SHA1
fa803fd7a714680755d033e94e6a14ba6c83b3d1

SHA256
5a9369d129bc8ecef25920544f029f5d8d007670d11a05b2089376bb3740763e

SHA512
aab04fa7bc7195438e8615455d0441da85cc77da99dc9da27c4c7a144aaee33393648d7c4673c8777509cefe4158002bef46c9f8ebd3740a4560a4ea509ef802

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
3ad6cbce1225c97f834f57295fe88de7

SHA1
ffccf0d465a0672b13362af1840685e39050764d

SHA256
247dd3d456703a3bec5df15cb817fcdea5c2a29b9967d4c925705f1382b60ed5

SHA512
8b1282b2834843c57785fbf04b353090e21dd2e77212df0c4270c065bb5075e5a1e1f235f18e7aaa28c4a1c28fcac531e8a50bfee60844266b01b75a6af37527

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
588796d6f42a99453083dfe6af678244

SHA1
78ce386f7a64b72bd80a8d25b2291845ac5c3460

SHA256
bfdf2cd2ae8325e7f6cfef5eaaa653b6a4aeb092d10989ef0d82619e34ae745c

SHA512
246b33a3687c89ef2e377a94b9894f9b6628e36bf8925be10ec5fe1316d35b2a358848d7a33ffc5e207b3a59b98da43c01ddfe3bd588f147b7099fe288343944

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
6ed84b8caa16b092debd62b88673f6b9

SHA1
f4b702258a9a76a455460b2ac0c0a3ec7c51c2b6

SHA256
ea79957150bcf2778e67483b803f2e3ca1747e1a7c1e000cb53228f993a9e3a7

SHA512
a242f1962da0104d2ca3f25f3ae6c7113cb42461663f805dcaebf82dd188eeafd11d9e1b1d78efe1f22972d51482281110890b629302ddf1ef8368ff72a91ae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
964ce5ed461f583ea1f11f3279d9347f

SHA1
bac761f0095fc5a0cecc49203f8da66b5fe50021

SHA256
f3a617a25babf341e96738d15127cc2833a2ede2b434c2c79020db09336fc885

SHA512
d6e8001860a3d881bfd5cbadc3b037b119874a6064e11c9f0427b640e3c51630ca3ebc33e6b32612fb75862d11e2e2accaf24c1d737cb94b209598294407decb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
c9f80b32ac47a539b357f91cf4de920e

SHA1
b1045e68f5911ec91f3555e49bfebf6696c3fd18

SHA256
cca88873f55651e0d4cd0a5707e2d85bac65b7e207d14a1ae1a3e0a67f1d5fd9

SHA512
71f9df1782e79ad7566dfe761c0119c761307f3cc895f6c0a82f8b3bf078e2aab2d56b289cf98cd930bb891dd1ea910c390181e1d4d18ae2cb843664c1f4397c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
da475ec1a485fb5e8aba1b7455316626

SHA1
a218edd58b5f0b17ae83b626251d084cf2166147

SHA256
73889b087cb8fa0b3214c4ad0a0538f0c49c8b6a4da7c5f0237a6ccb3e97e72e

SHA512
8bea892cd19bb5fca2c12e578d8537cb55bd613e0e2326aab750b76b74b7a05144c09de01d94808eb1c98d69770aa68abe44a2996a2ea7237073e7fe73fe1114

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b3023401a70cf37c868f47f155b259f5

SHA1
179ad9ddc1961e3721f7653154cc51748e36b1c7

SHA256
b050833bd9f7cdae09743a741107f947cea95aa89b147daf58184f89b827bc70

SHA512
edd005440b5d44d0b837ecad5a6b65048e611a493cc940996fc9ec1be12e985a1aa63776250d2d893bf2e7f46af26ebc6513cf6a021a7705aa64844bd7d1693d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
ff1fcc29b3e2bb9adb3ac2c3fa704248

SHA1
938d551358964beda257ac47fb708cd8033372ce

SHA256
b752476029f206c3861e3a3ce970e26cbffb1ef1616ea9832d2078665d065206

SHA512
8594439946d3f0409e48dc2f943f7133895ddb8ac5d1b658383202c13ecc265ee1e40a0082b8880f1fa434a63e147a4ba4f0c8c39cbc4e3720e49d22d59c0f7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
b453bed3dfe877a87254e31745cd5779

SHA1
083a1fb9f0d529a54d6e212ab44eb6f701dae707

SHA256
258d395be7c72641301ffc6f2fac456b38445ad88c0c81b6e050813dab46a545

SHA512
6fdbbe7f17493b416a6f282831e2fa5ea86f3b3177f0f3793efb6acc94ca9f3a308303c3b0afd7f1202aaf5e7a1d2866560b7d804554f4223fc78e80b7440aba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
0dfa20eb907e310eccc4779eaac33e59

SHA1
c1d03df43011179246daedbb1a28635b5427453c

SHA256
ab4bbcf3be91ec2ef7b05715c00e4dfd66c641715f929561fd668b761c0194d3

SHA512
740f4ca0fd11618a96bf8eec7157765ba81e9b497e039d47a1cc9936d0751314d50b1d4fbc366adb8adc310d247ad3d09aea7ee004abe5ba64cc0529164654c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
58688ef2ba72a4c5dd5115d952c5965d

SHA1
71b1a7dd6868e8f7032a45395bda177532bac5ae

SHA256
eec6111768bf2f2a734f265b1e2e2b3019c4f5571c6348d60a7417bf37a33741

SHA512
32a81bc811be08c0db156e7ff7b1a420c17cc8b732da2432007e02c0d374e64e038e1908dad0f217e4a4f0cd07c43ecac4ea3f084955121c06845e8fbe148dec

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
75f25d8e76f9816c24f835b908107cb6

SHA1
1d0499f0f9f5e0e78fd9fe580df67ca4b1d293ad

SHA256
18c7286fd43b1d604efcf4d21a3e73b094b8e87cb85bb83dbc1dc4de8748a15f

SHA512
d80b10304f077e06995f99239bb94498589020e94386811590ede705181d4eff380b745c36a0de572b88a3e983ce34c25d7eee9d5c5afa0ebfe379b12a1c458e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
976836e0e387a4a051055edc3f862e0b

SHA1
9e9e285d681914c8d28d367f6a29a78b9665f82d

SHA256
853b98a0da4f8a5c498362eaf8598ce5ddc49056df083740854570e9e02f2c19

SHA512
6cb26e176b4e9bf73db302148408091f5622c782e448063c90f9e81c9e96d28646ea2ee861fc9d4436d37b1a61b517e1f32376d2a9260989222d4554c07ba280

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
3e7f10241bfa5ec45f976146bdff9bb6

SHA1
36c6966bc018e4f2ffa7a764b897e3fa3c23aa85

SHA256
56f1873b8321030af5e7f99741ca3d7e668e6ed54aa8c731f18723df353caa38

SHA512
74b1a89e97c9f5c044b14724ca92b82f40e978a2cf5e89e034c2c00e6c25dafc1d01874e8e016c22cafe15e21f2b36cbec7561978a30b73bb30a48ef999e8daa

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
004c30435be7133815d4e535b56b270f

SHA1
ff00657f86b6532bb67bfb23b909780a89f759b2

SHA256
531c00e243dcd4ea36e1833bc34d3e18a90f82f5fe4550f2665c0e40d965ffb5

SHA512
04848eddbfae553048637f058172a37a23287880e8d99064722fc06a94bd9c47dd04b6853f369d3fc2893cff8813bc926a168915ab3109b615f6bbe930a61e25

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5d53ff8f11f90ab04d4aabf239c22dbf

SHA1
acf748658909bd123fdb649049a4ae0f8ad4d5df

SHA256
4211888aa035a9067591c6fd648efcbc08ba75555aca61b98a41ca42bf8c591f

SHA512
54c3f17c3811cf524f39ef765fd960f1acdfe953c17246272f1cf00f75a239b90e8ce9920f293438f4beb45f55815fba0a32586323a51887f1568e25d928b89f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2af2041609bcfed25dc90f2c0ab00c35

SHA1
4ce4f9c8ed1609c9ab8f8455356f3c043512874c

SHA256
d852914c47ed3cec71dce552d37d70f6ad2633c6750e17cbef951cb8a483cc0c

SHA512
d607260cc2988c5d6dc38bae46d5e365f8b5b54b1bb846e07aa35d7938b7504625f32f21a3135a7a51bf1d5abd6b12aec8270a61f392c8a92cad1608470e9942

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
3c19cbf03e3d0a291731140f4798d3cb

SHA1
92710d8b8d6fa4bd55f44f58f4c86539e3b9e972

SHA256
7d208651cf580ab6a0fd2bfda6a7105e7d788584f819025e96b468769ce16a00

SHA512
4a226b4f6bfe23f9d7d2190290829aa60716a4f30dd1c327cd31d4f7867d15b97d209ae91d7b967fb329dc14af939331fba84af0e39eea6997c1c4b1dc6966f4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b7c5a63afdf9bbb7113765a716489940

SHA1
e131e72cc9bc714674bb8811c343ce0104379a6d

SHA256
6be01f301462a64d6341d648a2386c40312ffdb7604ee5f904ca2b2d03e205d1

SHA512
282e9fa33c9816661b311d30db4c4cdf73a1fb3ffc92f677ab8fd1eefa1f4b0680e175302879e9927f4a21b6b631e96dfaa8534feba6da6ee7e26824d1bdea4d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
96cae42c78063184e3e39c4776812d46

SHA1
8d88dc0fb825aa08086adb42e85aca63dce3d636

SHA256
e9d1876e0f68293b8e487940986c8f5a9f260960ce8b57729f664067bdd2151a

SHA512
d9103e5dda3038665c40c630ec5c25efd2f4b7213348147b34f335d9ed33b8e699c78ab83f91a12be30e3cae71b465e9f1f504401c38f666ad972cc10ca2e14c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c4ee8fd74aeefd886898f9e11a7a5eae

SHA1
eea3110510528c617e1b8fd1c2686d81ffb22921

SHA256
0f11944df9f6b232d00e8d53530c4debc285e7b0cf83f2c754d1d4886fbc8409

SHA512
623fd01cf76efd8498766d94030ca8dfee841f5ddc5582ff63ccb09eaacb7d0a4af577ad98205dc57b240d18b57f883a5276e9a852b2a3aaf4e9ca9924ced20f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2129453e959f32a93ee2dee9ff72e6b4

SHA1
b7438638a00014c6847ea29779c87c08f4c25134

SHA256
29a36cf1108c1b0218a59a924254e58c6b26e329139f2f618ebe7ae316490767

SHA512
5dfef818d19f92d49e72522bfadc1f166bf4a1c0f72dd49e29644040402c502d470c4fefdf2ad72e5dda4506868d7f4bc4852666a155e478b65914b748d88818

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5c9afd2d0d3bc7cd9c8aba1551559257

SHA1
c1f351dc8a2fe5aa17970465247ea0a4e64aef4b

SHA256
7b682ba94903579d94958ba5f1f51bf2139dbc1baa47f2f9fcf48fad95db6b0b

SHA512
3863f5d8aae616f573e6acbfd6fb39fda29731215350ca6cf730aa9f20e015a111da0fbc68d89a0a5bebecec94351875f42a7d48a97d9a1464a858ee84385770

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
c5d19b44310a49adacf1b30b3792d568

SHA1
4679983438afce770e69cd772ba0c2522cd23e3c

SHA256
4cf5d6b5c88b059e40c8ce8d6c16a048acc367b3a0acf167bbc4de21b8d601ec

SHA512
1ee991f1228fc53bad4d6d84355381f07b9fc5e894d16336fc94a4ee6e61abe0ef09fa62e242ffcd78dc560f15bd94d0d68c1ab633dff22a8ba6a5ebe49cdf39

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9eb9b3b103779c7bd65a9e286ba87b1a

SHA1
75c05dd3c078b18850354514f503e7239ee1fda9

SHA256
dcfa148a8c03954df6c1e5f7e41d51688f20a02fb004ab8c77df3b7acb3e52d2

SHA512
8deb8978339c2178e79fe44a840300dcc93841047ea70e1e8aa67e4014448da65a1503189d01cd29c5ae3cdf4790a828ea58cbb8fe5d6f7eabe5de278b650737

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c435e0ec1ec61e9d380334bae2ae7068

SHA1
a6142e8c9ca9c4bdfef732ea1f72302323f23519

SHA256
32290dff9636002f2fbe4c596e89a4afa4c2e9912c0263be4d4b1492fa9c53d7

SHA512
89454796ed3b8f97e105b02e084d4dbd4f3c211f9cb85dc4bcee1d2e29dbe96a1e2d005528de9c664b54a90094532c6f349915c0e5aa2c8054607c82be100f9b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
6b7c47c88f6af23ef777f805a088c9e2

SHA1
a988331f7ab0c8f9a99ccd4c9b9fa723c6a2af6b

SHA256
344a75bd2b612d8fb7e27cf66d60b0785869f8b732c37e8476184548f25dff98

SHA512
3ae7fb24dcaff76ae8aa7f7951796def0625475e594c17e046662de8d69f21cb0f14ed3469c45fcc6fe0799b02b5fca87db9df8257ea3a54e9800e165d519605

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
b0d96db1b6e69eb17cda4b28cf11b16f

SHA1
0c6d980c58743ed90f104ed4c66d9679fc71a1bf

SHA256
10ef5a492bd93c60295ea0e225ef249f9eb1ac5364d69931e69d28898fb733a4

SHA512
65b68e47a55e070f5e04ecf3c284b9484cdb0147ee4bf072ae447084c1739e455fa87c19d70f6c4fe0ad975bccdd746c269b8d34c01ece4c15563132759dde4a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ab2c40e767d22595d6e08ab05ee8d5ac

SHA1
064fdf882780889eff6e2b12d7f3bfd6a6f2f13f

SHA256
d458874bb84eeec40c0f83b27bb4d24425fc294b8c8fcab9d613cdc52bb0e235

SHA512
d318459b3f9a09505193b4a2bab2ca7bc7e2547e2c3aa619dc92a3a3b74a4baecb21077e3d1bc2c1a8e4b7b46cda5b54e6dc0f315e9dbe75a02c8b0f27b86745

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9a9b7acff3637037e63fb19a406cdd44

SHA1
3b72dd3c1d9bd8dfe88c5ebc43e2434234764571

SHA256
fb296be8bcbb3b49e5e534b41265c80fe040247d763a34b82a060ae6fd853552

SHA512
fdc8815e62c0fd2cb114a851272150291e5c63c2510863ee2f94e4c08ab82ac0175663ea8f709c4944d118b53cae30a66c7aeb28a9fe023f284224d0971ee3ba

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e15a6dad8fdc8afb379f9d3b65bc5b12

SHA1
5f5fb379df3a236ad61e727d5ebce69ce31a4052

SHA256
aeacf9a70dc7e0cca9678114ac93f203a964ea8f79ca993246a4d7d1e3f9df8f

SHA512
20c9318108274ee02dec007515926f6f512e2ea8dee719e0d7e8ce1e217b33860ec13bfa0038b0027346a823be60f7133984b0c1d3b2e719e847e4a3c693f6fe

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
511572c5c036e600589e4566da90e686

SHA1
43b68d517c85338b48eec60f0fdb4254106b448d

SHA256
e3b31635c59765728d3bd65abe95a44995b385fc4b34c7d07eb33f015d1a0ccd

SHA512
f6682ded9bae441628721bc0a869e49f200ce519a843851e218612c0f13ea6a1bb88d551b209a1a141e1c4f9cf484e1da6708e2b4b78390c699903ea0d2a1726

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
9352e9e48bac99b2b9629e0204201a34

SHA1
da27505d17ecad56b460bc8e4ddb2a5b54c75e41

SHA256
af8cec058d8472fedbdb3109e5c84d8f7348946c8a250a01619764ca75827919

SHA512
8c3a1f1bbe7aafb6becbd6174019c81ec20b5224fa039c18af03189fdae2e5c64076f24ac4b238dd426b3d37e0059d8f8e6025659b36419f4234ec12128916fb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
f03ce8590f470b91eb7ea2bf2d65bfc0

SHA1
9fe8d7a5b72e6fd21798eafe1361a3f1f1a4f1bb

SHA256
ea8a4d2ac6f24bd19fcbf4a954ae7b5c7284947f624549e3853cf2f229f8e3ff

SHA512
6dcfb23ef0b216bb12fd71a2f24b09f6d01d97c6ef83726605582e827eb584bd010637d2661e67bd56aa34ceabbdf6e30f8aa6041dfd95196c51935a2d7e681f

Download Submit
memory/228-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/452-73-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/452-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/452-79-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/452-85-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/452-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/780-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/952-267-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1116-264-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1132-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1132-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-556-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1456-271-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1512-273-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2028-265-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2128-558-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2128-277-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2220-7-0x0000000001F40000-0x0000000001FA0000-memory.dmp

Filesize
384KB

Download
memory/2220-2-0x0000000001F40000-0x0000000001FA0000-memory.dmp

Filesize
384KB

Download
memory/2220-262-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/2220-0-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/2236-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-263-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2244-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2244-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3264-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3712-45-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3712-69-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3712-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3712-82-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3712-40-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3756-270-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-529-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4048-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4048-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4048-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4172-469-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4172-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4172-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4172-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4256-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4480-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4480-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4480-468-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4552-269-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4948-559-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4948-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5056-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5056-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download