47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
Size

1.8MB
MD5

024a5fde7251708f7932686d0a34de35
SHA1

5ba8ab10f6b80cf96e351f2f95fd93241c47e8c3
SHA256

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb
SHA512

5885d22f1280d07c950edbba67108c8c9b17affcc75f8b2c57f53b9eced64e13cd030d57224d47fbcd6874a4edc621595ee9333bf8cd6cead29e94502cbe3e98
SSDEEP

49152:Dx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAUYjyJVJyNfyPtYuTt3eIM:DvbjVkjjCAzJFYjQHiqPtXBeIM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3384	alg.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
5024	fxssvc.exe
528	elevation_service.exe
4720	elevation_service.exe
3040	maintenanceservice.exe
1156	msdtc.exe
4172	OSE.EXE
2552	PerceptionSimulationService.exe
1228	perfhost.exe
4256	locator.exe
1848	SensorDataService.exe
4516	snmptrap.exe
396	spectrum.exe
4876	ssh-agent.exe
4804	TieringEngineService.exe
3060	AgentService.exe
2492	vds.exe
4708	vssvc.exe
2252	wbengine.exe
3452	WmiApSrv.exe
4356	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\vds.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cef2b7eb85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_ca.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_ru.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_hi.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_ml.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_zh-CN.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_el.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_ja.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\GoogleUpdateOnDemand.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4537.tmp\goopdateres_es.dll	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c23c65de7e99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c696c7e07e99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051628bde7e99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000985078de7e99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9e67de7e99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037196ce17e99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
2188	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1168	47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
Token: SeAuditPrivilege	5024	fxssvc.exe
Token: SeRestorePrivilege	4804	TieringEngineService.exe
Token: SeManageVolumePrivilege	4804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3060	AgentService.exe
Token: SeBackupPrivilege	4708	vssvc.exe
Token: SeRestorePrivilege	4708	vssvc.exe
Token: SeAuditPrivilege	4708	vssvc.exe
Token: SeBackupPrivilege	2252	wbengine.exe
Token: SeRestorePrivilege	2252	wbengine.exe
Token: SeSecurityPrivilege	2252	wbengine.exe
Token: 33	4356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeDebugPrivilege	3384	alg.exe
Token: SeDebugPrivilege	3384	alg.exe
Token: SeDebugPrivilege	3384	alg.exe
Token: SeDebugPrivilege	2188	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4356 wrote to memory of 4500	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 4500	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 2796	4356	SearchIndexer.exe	SearchFilterHost.exe
PID 4356 wrote to memory of 2796	4356	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe
"C:\Users\Admin\AppData\Local\Temp\47c3e2cfc4ebfbd1e42a10ef26e7b9f7e798f36172511cc5b59be84ed2950dfb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1848

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4500

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
57bc9c9a95c70ddfb8a85bcb78b726a3

SHA1
724d0ab46eb9cd57fffda8f48db4d4e87e2ee77f

SHA256
80823ad9c3c9b0bb91220815dbac2158e41ac9b993645cfe52c2085088ca5123

SHA512
6f3c55caba1465f8d49440f94629e65842f6240b2f0d5c2903e50b2c0657c36089cc39dca438ef6953b943ce2cd9dd25814fe950a8566fc197383aec03add229

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
bdf6ba8690b079a27bd70b1188ce4816

SHA1
6e60e184eb43e525555a619e42afee81e8862282

SHA256
bce5d0e08f7745ebd091be7584f46541961a9ce9122de9a5e093094520db902b

SHA512
d1b27f5e97a86055cfe0f131b183106d41d109a0fd31ca96f6d28fbfae06e76809684b4710bb7470882bccd493e1b9d24bd11792d28172492c7e6e18bee46c2b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
5ba9e40df0d47e51d086cebe859db18a

SHA1
04e52721fafd06d42d0d7a393bccde878f1a33f1

SHA256
2f534a80c3cbeded3e41ed97260b98c0b8a5fbecbe7886d6cc32b4fb7974ae45

SHA512
43d3cc75eab4dae147f7a40f3572b62150a12f21fa8b8614d6e7e1e85d3edeb2247501f34c60a58950424e7ddbe9801a88edf44904dc60e6249f1536e20415ab

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f66831c0652a154b142c4d23bf3240c6

SHA1
b2716038363dc84139d32a625ec1b7993d78eeaf

SHA256
16a1571c12d9e7f22828101fbbce62d5fa9f08a8177d8c66c3021125c48464d5

SHA512
9b78afc76778cea6b6c6795a7ee85b115d69f08c660edbc4777370934141e27c726c122680295a1b919fa9f4f410f233b0559f167286dbc4b8de01f59401deb6

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e422bdfaa04e9b91e21009a7eb375118

SHA1
ed10fd5507098f95820908b4c720eaa490a01d81

SHA256
adef4c8b1f7940a21f497a5c8058c9ce982e18f82f55f8b91a0ae7535d53cd5e

SHA512
d060fe8f949afc5b1d6c2a0d7f20ddb9db91e854ab3a16b40ba19f7183bd0bbe92cc47126e4c9f9bfb05b5ba496c8cbc74c73c6cf3cd5aefeafb6dc6404feb89

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f3adf4b60870bf838c8bac5781d9b0a0

SHA1
622d92473675c95123f5c8830f54eb4f217e8d08

SHA256
6fa50424802f0974ce1d0f552a6251ff992fb15f98fd2ee2da0d0d3c12dc30a6

SHA512
f66579ea46e7ea141af32d6b59b2b4e8a727155ca1be9c00f6125f61e91fedc3db03ff52380d696c52a014f5eec6e84594281437de8e4fc111a9d97c52e3b486

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
6c559fe8bc8edee0f3d56510bf1a3b5b

SHA1
936b960143134a0a15196ac58196476bb3cf7428

SHA256
e3f04f6b265696337408a2e9ecefcf8e8f9cf2ba6b34d8d7696280b37900216c

SHA512
a5ce7790d945ce905d8d05d1b5cafd25a1cc1b4c61f5a3d71c2700357c57558ba8655bb6b5aa46fe36aee479c498863a74b5688506eec3caa3bd810e06903267

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8d1e2ee06f31339ff8ac1890b9426ab3

SHA1
ae50a12bf4ed5995722afb85204ed8cd13b4c11b

SHA256
ce2d44ed683c8996726503b8cd6d9a09b121ae1d848aeb485520f92fe409416a

SHA512
307c9d8c5c0718db0b671b1b0cabbdc2e612065d8692be573848945108f4ff6bef47909edb17289f17ce657689a417d82f10ec5497c4da34890252815664e5b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
066329be4d70a001a69c8e43e0addeba

SHA1
45e3f9c920cc72cee2f8cd390b28954c49c6b988

SHA256
6f08ecec4285987d664c5e5a24697a23ec5431afecda52f347633397f1080c10

SHA512
0a462c35b30288c395d5e41fffea626d6ee1ce888d41a7d08637e93782d77510b9548d2f6ea13e17da81cec33770900514e5421b5c3c3381bde0789374e959f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f4fb0068d3f8485fa34497b857aa85bf

SHA1
ba5550371cf3b41e4f605f246de4a662b1cebe6d

SHA256
13f8e1bfdbe16868ca7790cb75a709e63cf66cb76069340bf215cf72cec33a56

SHA512
ff9efe4e643fcef8353752a4aba826a00c1d5c20a92dd8f1f8cfd8eea7aab3bb3560bea956f2740e66d39be2b4e7fce257a101fee8293c0c42186a20b98b92af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
4e25b31230dd5a511ace7ddc21f9cb42

SHA1
c2c50a50c1c0e1fb826cd6c3d0e3b2c747be65e9

SHA256
216de3bc8c9d6d80bcb3dfe10a97a2c774747ee6cd3bb9e448523814ec1dfa82

SHA512
f991b26e1f3a3822dde902ea567f1cad5accf63811ca733a240d1dc09c8a9fd0bf0b81c9b582bb6a864aae8c1b4182a5264504f1cff712bbd1f8486529931297

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
8c7ab29011b9d405a5b0086f6263d24e

SHA1
c9fb3d26329054341d893cb7f0ae1fde2a6cc040

SHA256
9f539fcb07e79f0316defc150dff182f091f9801aa3c94810465e7f0267e7965

SHA512
8beca5d1eb8fba6ec1e148a156c15da3380e22184f14a5c82ec66d04b54b8b44e357560cbfac3c0282a7b0a02ee5c1583b3026ed18331529dea20b85c4242785

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9749c977652ec776ae9cf96a3d8d5057

SHA1
7abb67f28cc14663528375a7eb679e44b5962fae

SHA256
44b40d5f0cf4885fbad3349aaabe6ed1608c88580be7d3b53d61e121c43813cc

SHA512
738b120c364cece55fc1bcc2563954da3e2e3e738b917ed91afaa0b3cc5bd41e63e3f06314fe8ef5f8572b868764cf02bed924362f54cb93c180f0e37c39d6a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b3c01664bf3b9ffb818c843d577b1f3f

SHA1
e529ef1b0a0a2cb553fe8b552de79163732f3980

SHA256
6021a4fde57037b17371964e6e77a7f170ac43ea7a8da77ddff5c944cc43febb

SHA512
32d2e793bcb5ddc6d14b28e4785c4ff89997f4e149b7c8a6d027d5552dfe893db50d9270db1b5eda2845551dd15f3340f48e3d89270b1ee357a8da64602f1c03

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
e10fa108db5dd14aa84cabffe9b7ffc4

SHA1
c19aad88679b5281adff7c9af4b097b6057e7e05

SHA256
814bb97d050bf394a5c5ce6505f8f3fa9f28c9fce2a665d58449daba3973f7ff

SHA512
4d9ca1bf01989da88b1650d11d00da2e7bee165cced3e597206451a97a8ba7e0d693aa2b0bb34b0a205552a02fb6486277ef68e014e556a685f1326f49eb40e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
f9997efaed88463ace2a65b135ebf624

SHA1
262cdf5a36f89fe8feda725f681dabd1a494e8a6

SHA256
e09eb44179f1f01d372c79d7444a93ba57e80375788a289b8a69cf385ceae73f

SHA512
5da1705f0622197f639dd66c753f5e631719b159dc9dd42c9d6cad7559a7168ee0d9508035ebd0d543e21c87402f0cf6a8a051108145dd5eb4207f24d9719002

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
1e26cf4f407dcd129364f9c9f5ff5dbe

SHA1
2f6bc061c9bcce45ce921ae0c536be0be6641521

SHA256
587bf9734a2038f98ef64c34403ae8aef0da462fe4cb94dabe07e696e8cff491

SHA512
24b9960963a8b8d9791ba12ba104d8e6feeb58793b62acd8d5e9c7eb9b821e3e9ac7da114539d1f6fe21b3face69fdb131328f876ba0a2faca8f231a9293dfff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
f0cc9efc5403aff89e8ad4dea15ad994

SHA1
110ba4f1b602d7982eedef3d414563d126575630

SHA256
086b40db668f4de95831862a0a15a67106d1c0594683e1025a0e8b951f3ab229

SHA512
594f902d22cd4809b1df834339b43e2e9fc20ccbf6913fc8694d501970d220d131f139cdaa44c733bac08a9f7177969363439195ecab60871ff85eb077f5c269

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
378db41be4003ff3a2289d781442cf84

SHA1
7d9913e81a9e7dc25e8a23bfb5c35e7a8a20f250

SHA256
83825f258ebe0b32c084ce416fe1d97c6c191dd1229bd631d3a018d357e68ef0

SHA512
74162843b64ab04d8906d7e899d96fb91ef7cfeec8b1190d85f5d68e6879d8143e4c6239d0d49307e4cc571d7385ee4697cb6641a6fa504ce13e235c05c14f98

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
be1ede62bc61f52ee91e6978a1abdf62

SHA1
cd7fd2e7a85455d9b64aaf2120e6aa0fe5f46ad9

SHA256
83922b62d6962a6f082f427c56447ab245cf16d712d2b7665538d1cbc9f0d0e8

SHA512
b7faf49b883ec45c65e8f9cac4edcf1ea90c94c3cd285fd387950b2ddba243215c2dec2126c3a5c84807ed0bea5f55a0a68d26e17075ee05a89e89d7eb96ce2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
4bbc346987a31ae39c1fafdd9478f38e

SHA1
617f45aa9cc20368595b2df75e8ba7b636895540

SHA256
bc6a9e6750a06e3bd01202918c6d33372565a37afd9ffab64be01ac3a71a8583

SHA512
d4ba7055d8db7ccc308ce5e96ab5a8ae204390afe660ad4fcbc9e7424dd88e785866d9347617802bff24483d5fac133ce34f16dfce3a69f86aca78637c753fa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
7febf510963f75b2d08a4bf32023d566

SHA1
f6e6eddc5de446c247eb8b165190376f06f81ac3

SHA256
1c0c2be2159a905cdc2947341c74b9ce77966d6920e33b9ccd557aa31833ab4e

SHA512
79a8ef41b43487ddd691452f16aad312c04912693043171cfb426aea3d318d2dddc8d5b81079ab5023f0b147e1d162fb52e3cad1363d4210498a477b4bb2d65f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e71f3182b70a806e5e535c1b23f6cb0a

SHA1
329dc0771fc8cff167f9c4ca0979952b289c5513

SHA256
e71337c6d38f7dfaa748ed2fcf10296a5f3d45f81f6a7cc10096728de4ae634e

SHA512
e271a15ce6296b2c1e5e571ecc672d354e7b25303d5fa4a60beed80a7b4b13927f02a39fc41674c72f89fe43492af47f64aacb45c08172b864801be326980ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
8e14e2cbf9ae56c86d51769651c20f93

SHA1
79d128243f087b7e7c3e3f74979c9ba70e007566

SHA256
bfd192a8c099be386f6237bfb5828f1598eb5d4009650c5cdba86f720a94428f

SHA512
7bd3e7c05fffd719609ef84b68cc02a1735c17f78bc9425f4180d2a98b3dfd4b180bbb71d6e566df82aa8e245e5d1f0cd24c8ae399b7e0d0b7db84fa9902a2b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c1267ee96cb6b5a6d20356170e699409

SHA1
e4611df32082953faf9fa4b519b1343dcef34286

SHA256
0c780485144ee2cb5e4a231fe6f470b20d31e2fddcea7b1b311033cc1fcb5f46

SHA512
8144f7b29e7f2ee6d479439417f59997fa51c7c6c64ef2c26c802363f943728758aae632b676f77fafeeefedc428dff11c307affa07974cfc3152c6db05b3a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
15a7b3ac2c14dd1d8ea889ea38a63866

SHA1
d3e271feaf1414f9ce836cc58015255312196205

SHA256
45835bc7594c72de997d5376641089f65ed496e1f2dbce36c206a91fb625a7b6

SHA512
c8dc7dd7b50110dd8ef79e5ce840ba4dfa527b56c33b82341b641b326874bc6dd436a3178ab8cc78dc2d43540c9fa50177af142233a072ece3aac68591c9e717

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c2f26ad25cc0142a20bc28a2c2c0b321

SHA1
13dbb5b5950a5800876b391bae15ed5bf9e1b701

SHA256
0f332300bb7a6f25e913d907a3f68521b2aef30f4c7f34f52a9bb83c427d380f

SHA512
75dd3b0e90d79fddf0dffebb859f14a723ab566b8c98cb12923aabc3db89ab8c61d419632863ab1a7f32081545018d626ab8285045135979b78dd6e5d7480c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
e1d4116986f140ee8657d009554b1035

SHA1
2320d732609e6faae4415b3476d8ec58d61b4826

SHA256
946df35dda580a7c95ebb4aa4928d26333e62cc3854bcc166006edaa1615d4d7

SHA512
ef9b459afb533428e1bd7055b36454045206a7c5875764e60ed848b479627271a7a07e883ab7ccc71cf91034228ecbb50bbe7979c31650bb9f61ec9fcb24028e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
4abc755c64da8249cfed663fbbdaf6d3

SHA1
cf25874696c36173b2349d8972969b172383875e

SHA256
c7cd465ff47291abf3e35b4dbeda82b8d76ab1daee6fd1009e0723b6a46cd170

SHA512
77a01d90a99ae0a9b22cc2d90eeebf6a452c98a48ffa88e777b4406c4b7466001cf602dccbbaed53efe742bc2225ee640a66c89ba8599645dbbc28ceb345afff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
f67c22e5c3e914f7fa87f3b1ea0e60ba

SHA1
4656ad6117cdfb9e8f6cf20902bbb270f38271e1

SHA256
dfc536d3be349845bd8bd72939823cf2ed58ab1d0889b1f84518c94b45d7d6e7

SHA512
c994c2af84daef605e28a92efc6431af66802ab82a6c36d2d6e2bcd77171d435293426e7b6e1f90d07568dce97cf80a4f5c87dce1f8db0cbb8a691ab4d5f1dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
2822ea44baae3ada0f5e9b46f4f80be2

SHA1
4c24edf04a31b1da0d66e85c341383feccd201b1

SHA256
c012aeee9679859ac35d8a771c74dc572b7fa6b8dce3ab979765a1fdabdf8d40

SHA512
03d7b4a9474aab6aaef0433952a5ed522efdf0680bfa5d461d60fb1eef95c1a9f8d4046b75c5993ccd5b383ad6410465d7fc6d386cfe4e2052718822f1c9622f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
0aef79470e57f9bb240112f8554f0737

SHA1
f21089c3c93d450b5ab432e454c24caa8d9f2eda

SHA256
4d6124cc4e0ab3cafe6d56a818275a89f626b0db02edd5885c5c85408fb9fcf0

SHA512
3dc1871a56fa00525f5d4aadacdbd4d4a23815278471bc8ed3a425006f87b1023a66d5a4b85e472faf4ea866716e42462937b4025a8f6229d8d99d9632f7ecd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b945f5d6abca2d7aeb9e44eb14daec9f

SHA1
c83950d852e5d1ca72452be12b84728820a47013

SHA256
03d176f5846fe9eec13d539bbdf40f41ee06b7af2103fe88958949f68ca5ce5d

SHA512
dbc46f151d228af6054cdd708a96bbec240ef8e6c7153dee052eb85d2c534c3d696c89062960d6755d7bd502898f6c91797964e45fa3c59f37d009a1e047b93b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
bdc48c1243cadf522abc0212d9d12e28

SHA1
cb983ada4aec8ad9997a05d677e7ab0064bd3ade

SHA256
9e0a5fb0738218c9901cae540602cef93b46fc469ec805edbe8abd495b7f74eb

SHA512
32f322c1038bc7df5ec34d41d6f82c0898770477446dbd723f0f7754ef89d5f785d97c738bd31dc45d44f30b7b0806c400e2b9952622179fef6647eda27eed67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
6c5f413b58bf92b332812267732081ae

SHA1
8c5d13e63b70435344bd6a15f27a345a646da582

SHA256
3f1f0aaf3cbe5c8eb21593c0898f8159d184aa7b8dd7dfb1b784d18ca996caac

SHA512
4b2ededac60e994655930eb7da4712e153b9545b636b28acbcf8d84b3b837dbabded554c34ff5101f1dcdcdb0357d2308d678999e6995eda41463e9ce5c73496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
81a05815903124ab347562136b049630

SHA1
83ace0d47d009e6aed083d09ad97e54d82bc714e

SHA256
789ba892304cd936d4b0f4caffcbac595f24ce86f1f629d5cdb9708bc26f2856

SHA512
6ec7bc6ab1e486413a737269f4b6348ef2528bc89834b834ce445c3806ca092bbfb8bdd42331f072b1ca0ca9a9a07f6c7de0fb3572ace8f953a3b0237e62ea19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
2ce2771cf41cc2d6cdc4772380d16e41

SHA1
2e938cc3a51fe8bab39257ac9947993cdd38a2e1

SHA256
65e54c545926532abe6badc156572e1a81cef9ddfcc81221a28b46aaf3cae448

SHA512
39c6aa558be6bf66bcb3f452393ea20075db7a45eb788b5bec3838f5c4f11b748f98a76e81d81b1582f03fe0420fc47377199ac37726193b5a0abbecaf8e6fc7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
4e5fffc63302210d38de3a12b4953110

SHA1
a783c5a0dc7d375ebc18d1afff17695babb2554c

SHA256
7f5ce8eef7ec2a8c843cd828e23f9bad939bb0099f1f8b9af6a54d5f540c855a

SHA512
ef04e6fef2087cbaa5ab853a6fd710c3eec36023b41a8c63171c35280f0cabbc609ef990cc4a0ddf2af3f18be95d4247721afb3e865a881ed88726ebdc117b58

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a6fbbf1a80ac4e3dba4243d30242d318

SHA1
2289bff3bbae23fdee8dea70280734c004f7437c

SHA256
b5a8acefdeb34dda3a57cfc4db9210589ce86a5a150435997d00ff08ddc6c301

SHA512
8ccdaee1e6bc06a95ebf2d2f61a848fcea2988b69437912cdb2148b71f4825d9c540ad7bed09658f57eee874327efa01491bc33a933b16ed964f2ac13d82c0b6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
2b364201aba57307b88925a4d96bb314

SHA1
91fb3ff70439525ef0402753a2e8cc302fe4b9a3

SHA256
4147f5c424622439f94137bf2d4d1cdfd9ffcf8510e3957b7fb5f941d3cf1688

SHA512
d8a448f2376206393d67382ef391d67971a790df8ccc18f78cb6d1f643b8c6414c9d733bb25ca24413c93dfd907a12aa278a2b81ade9f69d34be2ec0d9c5ef73

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
55c9fe03b4f3dd1d11a1c1100c2a806f

SHA1
d666e28a200f32b02a99471fcd19f5d6216ffab6

SHA256
e18d876c6a6bc3cd6fc4ec77336f5b74d57e4a612e9220d82e2179222e0fc77c

SHA512
80b25e69e5e18b83ef10a82dfdd54c9db0768e0e514fd5e74492a8ba8cc24de16fc4816fc886c109bedad2840c17deb124c9fcbab1b250b414b057ccdcb8a978

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4211a3e6aaa4915ae5467b1f447607db

SHA1
34dca8ca64da05def8d4850fdcddab9e8144f47c

SHA256
3b2db050be11ba5b790f2fbbaa2f7518a30bb976db76afd75c78cdb56503542a

SHA512
1078df584c86537bf495cc0d62079dce17299fff027d3a4b3ce2af66472e715243a006370c49d438ceaaf0606e29242ddf8a90e9455f67446055b7f4a9a71976

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a4631948cd1006edfe2d1c60fc03cc15

SHA1
d909bb22454a8cb356d09d538e247d2a382b9072

SHA256
6aeb219b371d0f4188b2fad604482b6259e4afd35526341baa0769400efee38d

SHA512
a34fd3c2e0bdae59cc67387871918b862744ef3ddd9d77b6ddf3afc0db424a4fd7b4ba3c2214d24e11f070a990a3d067e9435319f13ab58d6216dff144e52f9a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
5814e83ab835423cddbe88d87db42db7

SHA1
09049c4e9ad5f752eb4cd136bd0a983331c79c65

SHA256
9ac23e4223268ecf87c536f4043ff2a32c59df9a604db31069e0f05ff52328c8

SHA512
c878ddba3bbc15603f2f10d824ceb0c68e6cdbe875057ce55332f65fc7519afe7e2e7f76fa11f90a8a83f713fec60be6b3d6e4eb524b330fa771fa3213748509

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f44385018095bdc89fa825099f378f6e

SHA1
6ab6779a7ea817c8017ee79b8710c06c3eabdc3a

SHA256
cfed632dfa46ecc50b7619ad59600fffc8adc301c310a1a646f1d4708f64d93f

SHA512
1c496ec52f5f83371460366c7d871666029897765f003d72ab735acd50863f7960190355ec47f0f3c00d14c6a24e7124703cff420db89bf0dbb960b0673bec93

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d191a6228107f913d1406ced38329974

SHA1
404ec9f216c8fc2fb5db788dbbd0abb255e74d3d

SHA256
fc5f2accb45c46fa71622709a817eb70273a1aa74f7302aeec10dded558ae3ed

SHA512
18013dd3699acee602da3ffcbfbf077019dc5eefa04bcc6440d1b464b44dfa55bdb0c52af46e7e8c322ba8ea924ca0010616e3687f865d779fb4caf04ab8a1f4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c5a8b801c3fe2af0bcefcbc20cafb490

SHA1
2a05f2d11e0614a9d0839cd8f59d1daaad661055

SHA256
030d4a2fea38538300a7a48b70aaf72a74ea543493fe6fa18720cab92ff062cf

SHA512
ea37d7d1b45fed9efd673b42ba6b0821e5943ef39720ac5cb2ee0129a01a0cdb8e51481d2552045fa4df23324ce44ba31310d9441427f4b0a24abdc8421d4e19

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e74ac8a8d82e23389a8bf99d26f776a0

SHA1
775eb348b05a99f1191a1c1276db04c55e67b909

SHA256
eabd989eb80fdf6139f448580d9bb12608cf96c3ff80fbfdd5cffd67a6d8fa8f

SHA512
b3d4e58d2bfd54d69e870f5033ba88c3007cfc6fd1dde0d7994e843d016d42a54a0774a5818ea9d8a4286bff389873d1fcdf30041494d0e6c9186751936cdc81

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1f247b60ef234f521311a64278d370b6

SHA1
71819d2779d9f542337a9186025e36c679c2df0d

SHA256
4166e73fa9c16efdeed9b559e650d1aaa7a5b5ce298ed7b91e2ba97338b3ec3c

SHA512
82881951f687de63982a66ef56b43e1dbd99d9761eba7ba374d96c26f51031504ba566b94deb2d51b4f72f669ea89ae999b5a6f2eb8bc54a8ec44d9fcfef5520

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
9de3bce08b06c505cab4b32f891b685d

SHA1
d81ffd90f229a18e001a199757aa67cbf6db72ce

SHA256
d86a0f82ce37559e760bffee4dfce7399951ca00e093a7bd07c5a2a008f85ea0

SHA512
695147c303c91d5a63c2148f5d38d9bf8d97f43516bd316faaf2d1e70fe69373b58313534d4b5891a42d2581c460f8be50530c6b245ffbcc8b37e7798744c6e8

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
58ce49246a09ac435c18d9f003367d23

SHA1
6dbcbb2ac3a14aaea0ce9e0a0f18800788c40920

SHA256
84ad6cc7325e072bdc0a91a3ddca7371c4fdbfe96cecfb7878d9c13193314bed

SHA512
6f3ab785d547b5da8de0a1c25e47aa030bd34b9291bbdfda63cf58eaba36ea0d82b010a3f61802a7498ca4bddf3acc5c691c81209db2ad1a92e9e80325b4281a

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
dafc73f0e1a2cc1b55ddaabadafc21e6

SHA1
053a42f6c854236c4e8310b7f84186b5cf7bd9ad

SHA256
11abd7eed86b3ae431c6d915427fe9311d347d919cdb5f0cecf82c8998f7faf9

SHA512
07a39a9aa3beddb2841627a1c8a36b59d3f764bf564370992fb9ba3d63b849a80e4db7d020d311a752f057cd5feb91832920e7c6b17b6c33d655c4f77fbb08b8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
76920b4a83975096603b56ab137f8695

SHA1
74272be64596324780d51464a324a586ccbe3f17

SHA256
60bb2e37dceda2696cc37e056b0dbb6f5c3086a249ea6d888544e401a1ed0f48

SHA512
245a035b9fa86202b974ba6acab2058fff5bf53bbe8c5dc020b28126ecd99c3fa1708aa5fc4759d3c209f271420315f9df7b60f3e1f41f538d41191ce6b6738f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
06fc99af40336267bbded11a4bb6337c

SHA1
97d5ceaa5743277c18575d7ab09e9074e88bdc31

SHA256
6b68dced412e42600c0714d8501c6a03ce8f1828d1a5e1ec0a774a3f18cc0a02

SHA512
1b56674e1a3cf27c42113fee32cbea793ad9e4e874acb032dd14908e2258f190cbaadd39f7d41f89410a5f2c2a27c825c6326ee331e1a6b3ba6804ad0503f56e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
90b3d468a59e2ad2d7fa02ce8e88e67b

SHA1
4fff0eda9f8588c13d9306fc840b371804aebcac

SHA256
bd4354c77a1a49a7874cf8b16c91b25836374262450f39745585dfcbbfbcc3fc

SHA512
2171f6db225c041d457237c88ecee429a993b8f5e387c4f339346f668a59141d6689a5da1309b85937f649cf97380f3ffd0cd701220cc968238645063334ada3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
50139832d32bded593c3eb40655c5823

SHA1
c70cc5cd85a1137f0cd6edb9565cfd17666febcf

SHA256
fc5eb3ea644bdddab01d1c08f0debee11be2d1fd64e729239d0e5f033150a899

SHA512
0893eaa9bcc6ee956b33907c36fe5f0695c546b62e867c34c1d313f8f9c08d0a7311d6c61b865f6a3addf2accb14b7ada7d32a3844aa34953cd29840c6ef1052

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9f0df0eaff88113e93eeb6c9619f4305

SHA1
e4b95ad6a74d26423835eca74df5a9ffad210f64

SHA256
5d13258dad0ebc977777a7b42a7ee220f357daf34b179c4019d2cde53588f96b

SHA512
2f84edbb1954e3b72bd7d147bcce1593986b00bb1b19c5ab3effda3d9131a05cd486b22fd52df422fe028c25cae4fb2dc6d09eb2c0ac89be306b881386352299

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2cd3182c65f5b81370e8ee0b8b765b62

SHA1
9233e6c028bf55fb8ad5d40001e8d5f963c7891d

SHA256
29767640fc0de3f906a8f423914078b3929c4785f5bb94ef555f846d477abb51

SHA512
7faa5ae4f780742956208b67f7a048b122fd974299d24363cb58a5750e5b772a37df070bd04e86e4d4be855d59b8ae28fcbe31eb0900eac14c1220729c23b218

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
095c3bfceae1f014c48dc009e72b53c3

SHA1
09f3deb876f7cad4d78c51212f6198804dac1b61

SHA256
941d15dbc8f11848c6994946d49e1abfe6d275f6c42b23bd9aa2572b40c67c84

SHA512
10f4fb4c7f63d33f3437fdb7a780b2a8278ac1642100aff6d8a211bf3029307067a86581905daf35d39172100d84907ec1a01f3223967fa29935e920d7a5873d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
1747c5780b93374ebe4e316d8160ad62

SHA1
425feafb4cd4824bb2a23a440298173894aaf6d8

SHA256
71bfc47c3ae126015a3ee49973651b513b341d420336f5b23462919a1d357471

SHA512
6ebfd1369d4a80d206fd93980ea0ca01a28707937cb94247323bec333ebd1ee72132840f9556fdba4a014a45a51fd6f159e1e8267af17d4e034b07e27ca5875c

Download Submit
memory/396-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/396-731-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/528-124-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/528-118-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/528-126-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/528-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1156-155-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1156-165-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1168-6-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/1168-189-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1168-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1168-1-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/1168-580-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1228-305-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1228-194-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1848-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1848-730-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1848-208-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2188-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2188-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2188-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2252-740-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2252-314-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2492-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2492-735-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2552-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2552-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3040-151-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3040-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3040-140-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3040-146-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3040-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3060-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3384-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3384-196-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3384-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3384-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3452-741-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3452-318-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4172-281-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4172-176-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4256-317-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4256-201-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4356-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4356-742-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-572-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4516-220-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4708-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4708-738-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4720-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4720-135-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4804-734-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4804-256-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4876-732-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4876-253-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5024-36-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5024-42-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5024-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5024-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5024-113-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download