3bb0986fbd9dd0628f7b3ad3a0db3138f09470920d268ca2e46389746cf9382f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Size

2.2MB
MD5

3669a5f05e725bbf652fdd99e63d466b
SHA1

d6dada8716d006dc8e92463c851fbb5cdaa4c91e
SHA256

3bb0986fbd9dd0628f7b3ad3a0db3138f09470920d268ca2e46389746cf9382f
SHA512

00c1b950afbc59bd9405f43ff9018e2675667c784a881312b73f43ab66d6c502df9e6e5c03d2e81f07db131666ff714248bd2a0d359774591261bc7461cbf88d
SSDEEP

24576:YtLrcRh28ORSKVLgCLBVh1Tg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:v0VRSgEYBVfTgLNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3360	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
3156	fxssvc.exe
464	elevation_service.exe
3260	elevation_service.exe
3264	maintenanceservice.exe
4252	msdtc.exe
2244	OSE.EXE
592	PerceptionSimulationService.exe
1756	perfhost.exe
1996	locator.exe
2164	SensorDataService.exe
1136	snmptrap.exe
4516	spectrum.exe
888	ssh-agent.exe
2700	TieringEngineService.exe
1520	AgentService.exe
4712	vds.exe
4484	vssvc.exe
5008	wbengine.exe
4416	WmiApSrv.exe
4608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

Processes:

2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exemsdtc.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f28d9d092be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe

Drops file in Windows directory 4 IoCs

Processes:

elevation_service.exe2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fa4c5ec8099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd231ec8099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001140e2ec8099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028dc58eb8099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005af0f2ec8099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052a022ed8099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec852fec8099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2c629ed8099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f842c3ec8099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003b5f7ec8099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e54828ec8099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080f595ec8099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c1538ed8099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
464	elevation_service.exe
464	elevation_service.exe
464	elevation_service.exe
464	elevation_service.exe
464	elevation_service.exe
464	elevation_service.exe
464	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeAuditPrivilege	3156	fxssvc.exe
Token: SeRestorePrivilege	2700	TieringEngineService.exe
Token: SeManageVolumePrivilege	2700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1520	AgentService.exe
Token: SeBackupPrivilege	4484	vssvc.exe
Token: SeRestorePrivilege	4484	vssvc.exe
Token: SeAuditPrivilege	4484	vssvc.exe
Token: SeBackupPrivilege	5008	wbengine.exe
Token: SeRestorePrivilege	5008	wbengine.exe
Token: SeSecurityPrivilege	5008	wbengine.exe
Token: 33	4608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4608	SearchIndexer.exe
Token: SeDebugPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeDebugPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeDebugPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeDebugPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeDebugPrivilege	1212	2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	464	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4608 wrote to memory of 4292	4608	SearchIndexer.exe	SearchProtocolHost.exe
PID 4608 wrote to memory of 4292	4608	SearchIndexer.exe	SearchProtocolHost.exe
PID 4608 wrote to memory of 2788	4608	SearchIndexer.exe	SearchFilterHost.exe
PID 4608 wrote to memory of 2788	4608	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_3669a5f05e725bbf652fdd99e63d466b_avoslocker.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4292

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
2⤵
- Modifies data under HKEY_USERS
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ef796117cc840e2baaa9d2346484f87a

SHA1
d8d6d58894e4d1d799d7e9fd8487a133be931124

SHA256
53a6589ecf056b478458041673ad8193224d48345cc0d210a102832ccf3c45ab

SHA512
1b821fcfb9f375ecfab73ea0707484e5e1d4f05c0f2692af3ccda5d37ce47036966e50dd36fb180621201d03417a71c66bfe22f1ca8aecbdc02aba19cafbc652

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
5ceebcfa350ee8007df9efa039f311dd

SHA1
f971137e0844585f5caa6ef64b2e51b275cf3544

SHA256
1b0d0b191aa8774898bc03b3b2e8ef568c84d6118e3f5c0408ef3d0c1c93c7b3

SHA512
1fad32d99669eb5393c3d0c997aa6b439824ed233ff76606ab11d6b8e80168b320390cbb77853aafe7308fca14b95edffeec9871bfead536130b38980b53cb70

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
a16fcdb85d6bd8e823086f601c435b32

SHA1
4c3545bb1ce63f15a8ce0e1a772ea1a7b278d9fb

SHA256
55e42eec22a139c8982cfbe31468ea458c18c5fa69578172dd43b05dbc254425

SHA512
e276e25ad3f0803d4d12d490c89bc7676927236a198283862b792ad8cc3576b212ef3de4a05f855237e4e28e48e54d7de20a935ffa7f6a8e723769cd6eff0f21

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ac87b821d954326f5c6430b45e627f73

SHA1
3a5be4395da391df91212ea33c8e31a1dc5b7158

SHA256
329af946b311500b709d4a60e84e7d8fc8a25f28a908ad83af74997e9f5fc43a

SHA512
26c7edacbc9bf76805071e78bb1097fba2461f9c0077b4d980cac2e1fb24cbcfef19582018d66b8027e4507b8dee022e60436073a53c2a8d3733940a53f82a28

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1a77da367492fb001aa9853de9cb0239

SHA1
f6fff7b4ba431906f3e02e842435b75066d90822

SHA256
df288bdbfb345982dbc5ab6e477f066caee3a6def5758e7a028a8f87f314f341

SHA512
eba46764e588171a4aa96be8412a049e0880c3f77a061d56cdbc0ed9175138689ebddd0c81d999224180dbbafbc4fefe670d5a8d92b10de93b09b3c0fbbd4e1e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
a71446d5abbbe67b37d84b1e34f259e1

SHA1
aa1179a1b225e90120d8d4d1f5e8541c25fd6abe

SHA256
45b9fe54bd0df4b152c390f79a68fe341a12e69024281382b2ffee6071284849

SHA512
d729f6fe69ca18b77f0ff5bafb9012da4127b2bdad43f5c56489195512e2431d5a2b168a67e40fc03bee63044fecf5fdcd7c8cbcb98f4040927a1c7daa514375

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
69b5b06ebaea6d3678e859acede282d7

SHA1
1be9634eb0bca7fcb8134bb4a6b8bd5fafa9f4c7

SHA256
57e74360c60c12f790c540636bc07e9c0baca8292af65b308376f2291ff05eee

SHA512
9082edc17c87f3e5f20cc96e77ad7ce58e836ce851caf117a726a32953f0cb726bc78b411701767bd5dbcefa2a766d84321a88608cf905561e4336d8f7d1477c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
99d94218fb1b31dbd256329ed84c341e

SHA1
10742c50f6fbe7f0defd3d1c27a4ef6b91c4e71f

SHA256
d23f353d74f283af76acc1b3ff41a2bd53163bb0de78b87db197c73825f393bd

SHA512
6b6923c00b1d36015201f444eecb21d7b27f674b67fc04a2f47ea57771f9cae4eeb4da5ec8e6705a32760b0d2978ff28efec0c51b23a2b0683002692541533bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
14891af317b9c573d6291d94b5029170

SHA1
f35f5370c6f911898ad3ee6e110a24c3b618727b

SHA256
990f3f1e7059ae4984c375c4ba4cc4816d38e8adb6e9c9ae70d7a528df84f5e4

SHA512
2b2a0e4eadcb68ba4b8f5506050b401715d3359c2915c84324eb69ed29ff39db5981c84b6952325e23ec460febd607d124fcd0d5813b815420a129f8411335e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a8308b9682c063912baf2a675d2f9b41

SHA1
e33e5c0f047802ab0bc9718e9a6296516a271ee5

SHA256
b3698fe24560b48538a6520003fe854b4600b34316bbe634917ff558481f67d5

SHA512
1481ed8fa163c3ec21d1675332b55d94529b9cf5385ff384cea5d7de22339ac00d6ac54b638f69e5df83843ff0796f81b5e96a54005686d0ae316e056b8c965a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2b177b20af25935ccbcd90be5f5a2f16

SHA1
1f091aaa5a8aa4d4b0d0c776c88be4adf38bb561

SHA256
2bd28309681afea2c906c84bbc95af8a1d180d178ac2c5acf6582510bc81daf6

SHA512
2f2fd5f176f7aeba1c6b4c9930867ea7ce935abe497333e5222e8b04c57e268f7b8b7f695cff29f80f195d3727e132822319f9f008ff382c39c39584cf20156e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
41093bfa120b606c5dfb7955e142fec5

SHA1
6b35dda77c43c37bff5abb36514a9c1d61db9def

SHA256
c3685e221f97988e566fb4ad880a30f020d41fd679e70d674c650f4665b6c32b

SHA512
27c37f8467deb0f3f249cf77c57649fb46bd69b1cc89ee607a329623890e710288f607a4c40fbbc20078e9af5ff5c1fa2d09a5ea7757bf783593be403ad0837c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
860a3d2a0155f7db534aceaa9aa95725

SHA1
cf17f70c5e4842b554ddf9d937e2364cddda441b

SHA256
22b52bf4290e42da3f296cabd0aee8b9a2ebda40673916d74c0f0fc355d0d7c6

SHA512
914a133c21f3a9e3243c0185639f43ca806935dac343779ba37404c5b2bd64cbb5d12030bd0ec6ca672887787ea6365d3c77cc2691b1907c485a1efcfb97136f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.4MB

MD5
d5d82f839691544fe3b44ee96336db2c

SHA1
0f870797873743171ca043b7fbb8d019ad0187b3

SHA256
f9210f77db44f6908c5d0170dc577983e788559cb9d82477a2fac691b5877b82

SHA512
ff8c59d38b9daedecae598cc7442cf8db73abedf731a17021579c303db653334727f43212eabb370734494a2dbe08e78c54b75971d100ef0a67dca6316ca195d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c241cdf96e1b3670eea1c937cc634850

SHA1
875559118af11e4a2f7b338d66b6657103802ce6

SHA256
f3fc0d5403f8ab563e817dbcc416ec3bc3fa663ea2efa1fe4505d10c3ff4f9ac

SHA512
be9b7ec271f3362f5ff73a55373c8fb28d02b30e94c982932d28c3459114bf68905331f9abc5964a29d54a2e9e92015c812e27a334d36d9a30dc0dc547afb3e8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
fd683b0b6ecacef98f515d19a6b16ed8

SHA1
d6853ee45f28ebef8f04e144bfe10639e0c7d073

SHA256
99a2c96d712f675d969059ddee1ca968409f6687fa25901b312b6a00ec6dca2e

SHA512
f0082028c13a25f7ce543aa8bb1e8f7c2052d10c1f79634766d37a16778ad2b7e04b31e2c8edcc5b240e292cc36fc0824be17dbc732d5e85abdc21e0a48a0192

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
7e83f0cb3692f4602d711c3d487c82c9

SHA1
f191c866e1e12336580d7ced37e1b8f5287b53bf

SHA256
69ea32e4b03e65d0750ac26e74590e7086b7027e88292c1bf838c8656a26e8d9

SHA512
6134c36bb6a29b7fb1c39fdcdf1b1eb19ccb8d4a3218b66b595341b1fc2377859b5d994adc385a35ff0f60a8787522678d3b212f7a6b8bb58ce9514f740c8426

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9cd79f3e8412668c1d1ae468cf2dda4b

SHA1
6e3784186ea999d00cb2b6d3c920af7335bdaf71

SHA256
fe16a08e98e64bf6006532ed156c5239742563964bab3d0a4466fdae8a8c812c

SHA512
13986dc9afb3b2ee9f34aeb52ae6d92a6b4450ae519435206d69dca42e643fb453b13112b94f25d8f510fc3644f714837de565355826a4a7cdd652276d33de9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
c3662ac18e3a79d2f4e065c7511ef039

SHA1
d208d929fa9b074df8633c56b3eb728ab6bb3930

SHA256
cb83d57268ca3bfc943a8a5256a961970a0d6fdc7d491883a6650a7802b069ad

SHA512
84f16b1d7620710292ac329da149ed359e8b755e897950342b37852c5a364e20d4e94dec5e7cb95b745c6d26a80eaf66cd98f1a311e01fbd96ecfb36e243a3df

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
2ebfa8c4c78433e9cbcacf44a3cf6487

SHA1
a579f256f4b02ac460a78afaa1015333bf2ff1cb

SHA256
f37b10ebbb85624b071e795e093268bc381e3399b3a822c98013ef7f8f6417d6

SHA512
4fd26900cb0e689951998c68758063b82d5cdfd875d09f86383196dc5cd41591b9f6ee32cc5b53aa614fa0e9832a5623682a0d22037996dd4f3d0d97bbf6460d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
27d3446bfc9665e9159bcab28dead045

SHA1
b1743d626bd80e30cf6ee80d12f23ca9455dfa14

SHA256
a4ad61ccea33a31b5298c2db4cd7fb6f2e4fc4d8dfec757d89e8f83c6472f215

SHA512
ebce1cc43ad2b2f1d23df2cffb1b6c3de62544236a4b0d1d43ac9b795383957c30b0c03abfbcd6c2b2d12e15dbe211e01e07267ef2859a00d8ae49db5c2c4793

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
6dd0a526545508f05f21f133344a730b

SHA1
7cab6f3f78fa27f0e997405b235a4ca4420f9ede

SHA256
4d454178670386664c751ff714e2c16ade427eeaf86a42e2b8721fb449cb5674

SHA512
0ddebf47b9f963025f75f381571927ce8a039e661017f6c4f404b35f236c8914f19ca691a1807c61785705b05771b23a099b0f0c095df0bfcbdc2b25ead5f34f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
66b4ecf96554c7a42b3ab000be3012fe

SHA1
5d453e3ae1c72149992f47f63083dae7783ab1f9

SHA256
ade1e09b1898bc278cf136ae46ad8d6afdf0bad220c49ecec77e816572f2c5cc

SHA512
37bd001baca0452b3683a23fbe3bf5d84bd868d535c0822ee5dc2642b0b45a1a36d662e5b532e7cb690f10151cd9b864314e613e5a07ec488b7e86364d3b5027

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
f926fb102e90e2fbe5b15a2f3ef05217

SHA1
1505447e2bf1076e1be8ac9947cc48ffbb1ae7bd

SHA256
d1a2d3a22d0b69700b1ff54b9767c5b5f5c7bfb1a763bb353b315a5b2c5b84f8

SHA512
c7e05721e69a90e63a90c99b1c65707df9575fa016f3859a8b426ab99c34f54a6d7c00e01f794a21238fef4fcd17b4248a9a623b34d9ad29d76fa5bda3f9e264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
d8895eb7072ff2a221a2031b83f1d1da

SHA1
3c4d583d44d9cf3306430862abe969c10ddb9787

SHA256
83eedc4eeefbed3e4fc0886c962ef73fcbfb37370a6b3ca3f855e78911bf8079

SHA512
ada8437f514cc3139046d1e908e9e087d9aa18dfe1a8726f451687bdad3a81121b835ca64fa51eef8ffacfe0d984abe5f9e42f3ff9ed088cc2c3789e3aa651ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
d9a66392b56913f5c0838a662a49db58

SHA1
ded2beb656b1333b0a71da59c62fcfe85cb54468

SHA256
a2479c890bd090ede4f64a9cb4635572a06e6c6dd7643c96977ab098714d112d

SHA512
8e031868e7d6f2e93fd739bd418cb2d587478fb7bad6bf4f5f1a9453cfd69a47716f2c68d76609dd9deb142cea6695190db75e3646dd2686fd285ca1692fddd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
0cf858138b55cea830bd56cbd2e5f097

SHA1
0dbd9b688c94cd3a9732cd612a44600ff6b770c6

SHA256
e33e96bdeb814dc824c281f92250e3f74e1347fe9cf11fcd5030ddf8c47534e6

SHA512
807a4eba833773935f0309805183d38aadf32002beeb4ff117ebc0c6c88d480a694d1be975999ea563f8609d52bfe7ce586045b8e4ac3259e9c8db5cf4a95c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
bc26f675843244eb218e7460ec31a928

SHA1
78257a27037ff8c0ff7ee521852b17d88c71cd6c

SHA256
83e0202d227d1aade59b51246bc3914d20cfb2bd409bfdfc3e63d0256becb26d

SHA512
8deb7afda15146c71803eb6cea3ce6f65792f52094ffd0e271acff3509da5e005011241d7d7496d1caba0135f0f9f37a334155738a01f876fba5b224fdb2c7f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
1ab290a6e587626be992a325ac291398

SHA1
b34d56af886f85ada9526585daf7724a5a9f3100

SHA256
abbb727cbe962740454ce0cf044ac8afb838dd78929ee4ab3a0a47f11aec8f60

SHA512
901372e40f507c3fb2306c860e6a4ed16e4567953a0d634b6105f54c04f6b29ce932ffd900f6eeeb5bc5a27c25fb214c0c7f797478e90c73ab7e109f1dc920be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
f5596c0ee01172654fe455412e0291e0

SHA1
b348303be1f9ee10a354d7d45c03ef691b0ac9dd

SHA256
bacfe3568ecbad09a6b57dee46918063be78cdcef08df2d0a9b928a054889274

SHA512
de3053bf07fed1a8f2afd22827e9143ad749c60de3ca5da3564b6991ed8cbe717285407fcdbed304253d3404ee159c5d6dd50334aaf279588d82e9a985acb0dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
9cff0406ca63ab7d0395b869a25ae215

SHA1
e6805f643bae5035702dc56bf99b9fc1475d5135

SHA256
629ea5e0548f0b9304bea433d67b72a45bc3df894d5b57bc1e5c1276a5548de9

SHA512
c4562220e4ab65b14723adc01a286b7e96ccca1229198b78911f7edc64eaa093a252089bdeacf9d92e8eb5c8409a8f348ee8a2d51b15c9d61a9a69b5b5135f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
a0623388c8b044c2f4735443f14ab116

SHA1
4d960e1980b14aff7f155219da79956a7198919f

SHA256
fc6d0c1ad7296787f74a549b5b0c45d7a78299b10b7e5d27bd5f9bf5a1c0da0d

SHA512
e2e303a2f367069933f702621a99b6a0e19fb59f1990ec4097b2c5d2d42fa3242035ae0e0b1ccf0cf1b8acb0876bf8a096e68bae2b7d4e40536a31cb5c6626e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
f77d0d77b60e5f22dac8b2dce90d5ba5

SHA1
07bd646687d3a66f49b026502e088c1b2840e76b

SHA256
bc6cba9ba58de646ab5dfb681c27174afe0f9656cdfe6387bc336dc5d263212e

SHA512
b195e9b3df068c97856005fd809a58f5f63b84d663ec7e8a5ebc480ccf090a1a2a6d528f3fd9db3d780c3efcca45e84c0ff59a88d539f66ea83a81f11baf2beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
c5879b0478004fc0b58f827d03ae3748

SHA1
469e3cb1930fdccd3e43c3f2559da9e89f63246a

SHA256
f786c07c07a313ea426faa54c4b5c19988d0e56878398a5e9027e37880a2862a

SHA512
979380e8a3efbc5c93850700c907bad698c1f55db5abde7c835882d30e5da90805e8599524822f6ee90d29852a718880b8158ed0097c6cb9ce61b8629a4b7b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
fc37c3ead4a33318c9be570072a4266d

SHA1
2576b4dbc4db1e281da0aabc05f7fde44051bbfc

SHA256
92b8f51077a5dcafcb3555276f6003055ae5b25242f4980f44ff04b1f36c3377

SHA512
cb00b5d17bfcaf58d4aadbb86bb7e74814ddf4d552508ad32da4079dc405cf8003f43618cc5b606a54b6aba2839a24f8adffba3152aca6fe774469527606fa25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
1bf49eaf317ece5dbf4cc2793e91f661

SHA1
015a3a9dde16d20efbb900e7a032e32fbcdd3a44

SHA256
3e9662077a69fb2b271ed2f7b821a39d960e09a7f6ac556be8d9ff0836929594

SHA512
14bdfd21502615b55c6bd42c8140f6d17262ae16123301fe68620f97fb553d938452bf430064e123eb79515d45bc6e01efc01cd309a1b82d8b7e637259b0ebcb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ebc5049fe08f1ec383b1e77fbfba94b4

SHA1
9a93ec608df216af72689349e1c3f54e7a7616c0

SHA256
74a40802a96f2ec1bf6be1289a951aa3d49e1fb42fe9d03ad16ecec744e5b44b

SHA512
34034a7a90b9e30e067bfe1b6fef4600c3de0b4e5c5a1b430782188db1dcd0167a05961f2600a32995a4a980fc65c1eb6e6c733f28a8458f1aafec3026d6b6d5

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
2162b70bd8ede837aeb27a076ba973cd

SHA1
5233259d08f615752a6bf8ec0318f2fe014a195f

SHA256
d93aec87952efbac855e87c1184823f1a67932d275dc3beb1f70709eefc83b50

SHA512
971a9d704f6288424eb3f175e024bafd5d68f10327d7eedb5b1b4d68333c1555adce522cd008ab9255070ee4a0ca0b28ec5c5e50cac9ab7ca8f5467d1e1453d2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
1b2765b86a675d05db57474e2f151b85

SHA1
a92176104275cf4dcef64b12b2015da38482342e

SHA256
afebfa56e67f74c81c5c1956cb39d53fbe5a79d7e2cffe31a3c643b0a5a157fb

SHA512
bdffc230d7f5caae2c4b1d637265ea1a85235da3718eb0840511e5e978ea004f17642750bfa8265e523eb880628f7052474ad1e7b6ea9844d90463cccfa75df3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
05a23863455fc3e207c2cd17a120cb83

SHA1
0fd7afe9e09bb985acba3db3d267f5d8ba7d09cf

SHA256
a9de893be9f9ab8eed121847cb143dbe792af4c6dfc720462f1649570d0a3b7b

SHA512
dcc026055d92009131fee63d947c64dd569878abcb7332d929e39c9363117f84a8f203ec755f083c7dce6a68d9be326b9bb3efbdf2dd915a75ee6af8abe48908

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
7fc67da41193fd000e96bc562b7c84f4

SHA1
3bb324cde54f472a81bbd202b1ae0f317a85cc60

SHA256
1913f08b8d866267a664fef491554d888b3ad7138cab4616352796069045dda0

SHA512
d816f7b1853bf532ada0ef4fbb7e5ca30e897c9d0cca122ecb392d6d3494085296cd19b3a7cfe35d1d3501d29a0b87a88b79d05951123a21dadab6ab1fce52d0

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
33cea40b15088590b450220d5bf4e5b8

SHA1
521a61d8253d3ea08265f0cb5a1229bdcbae94f6

SHA256
d1e1b7b6088e103cdcb4b70413855da09abb87a48838432d450a6ce715e269e3

SHA512
15436175e61332d3e462395a2f7bab8fa3eb5b81230faeb60194e6fe8f2d939392b85a35b6b12b36e160ff5a008321db9cbdd47ed93057ea4ad3f2aae8a44d33

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
db6fe079539267c7b7ecfbe595428001

SHA1
a30956f65cf8583a9d948697cfd3c9f430802fe9

SHA256
14c2b168345a48efe281e2e5fc082403e5d73fc9223d77a9bcd818058888e0da

SHA512
7bd985b8e76340a87405cfd68c5b11f28575de72c81be841fea787e57c1a07708a10410469d76d15b7d2b8571643f14c55667b45f0e99035e639f59ef899d8ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
dd89290b9893a3925b43fefeec6653d2

SHA1
796fb62325d8f6862ecb494864ebc553d8c46885

SHA256
0a204d3c8bc04b58268dbba521101918004500739293345979fd0106e64900cd

SHA512
70405ec13b33d238486dd66d2c3a3c3bb74e75af6853509419c023a45a164b009cedd0cce58449805467c1e93034d63161874aab0d5c1ebae98050e1368f3bb2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
6528ffde6476cb522b8f513a0e5fb42a

SHA1
6a7ba617a90e030c49fe128330ad63a8033b159e

SHA256
367f008b73c53df08f246a8d23b40b69512da6a958799b31eac10b795810aaf1

SHA512
71562f9384694e82ec9bf116d264105d3ebb796d085b6647a35b97539980719780cbfc7629e3dfbb9984ba99ac951dcde1ccc5f37a243dd9753833aecf56eb77

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
73a941249497262655878c2bdd6795d2

SHA1
602ae13bf0fcc14726693ca3deb80d6ef3a1cb3d

SHA256
b592edc88ad3c2be4e5c03a8d5503c2e58bd6217b69603ccec9711189c12c738

SHA512
fde9326f50871748e30d0b8d09a9e6d1f610cd2803f1fc803fb162b62345dfb0f1fac410212a14c7737949c2e011b19c3b8d61933bdd05f7d5d4469838f531fd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2f43933e17e5798a5bf3c4b5a3bc9756

SHA1
432148bdcf069870a133d7fb68cec90b2bec6b8d

SHA256
cf5a6edd8ed8a3ba148d32f63d6ce71441576ceb4a15ec78f7ea9c37e8334d75

SHA512
1cbb2aefad222b7b69f6896ddace7a780997197ca8f6a0ec804efea5f2fca93baf0d1a131769b991b8da0adc830c2dc70798f8b10a1d491c764e1f9599503a87

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0dd7ade754024ed19be0c44a3c364b8d

SHA1
efd0db57b6ea44dbfc4dc7c949bead6be77fcd48

SHA256
764ec405128067fe26f59ef10cb54271d9e6f76775d42fe7df179137b326c62c

SHA512
c63ea0b45068e7e26ec70939d31b583e5c90bc1fe80bcce37f7141221cbd4014a5324f892a97d84ebadcfead2f4e3e71871c3e8c8564bdf68c5418e7fafb55ff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
9ed86686e1a53f0620db2ea0d588362e

SHA1
51e277aa1828e5664e0509b785c12a99df0209ba

SHA256
058f0fd633c61b61de6ca3977908d3af1f3dbdac815f1395490c5f2d436bc3c0

SHA512
31201d4744a1f713125dfaaf120d3354b2044080a135718ceedb8ea0d140168c57ac98a51aeaabd7cfe03fce5cce949ecb42e831e734f1741c2289d761d192b5

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
33892ee5fa04fb4d3f538a867fbfa5e6

SHA1
fa383ccb872e2347c2fb4195237f014c90008dc7

SHA256
98c972fe6ae28f8ad393ebcd3dedd40dc33de2df426403a9ddd3317eb5f9216f

SHA512
25b9ed03c6316618b083235b1cd413574d3037152536ae537ac9b12c74bf626f82c9625f5d53d0cd0fac5e790ded440ade755052e7f5ca227f0c401cdd1c5040

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
b11c70c78332eaa50a246190a324522e

SHA1
cc148d284dae9d2f533d4e855954c2568c2fbccc

SHA256
e1531b3dfe525eb012c40bc8e574ae3a1f98e0a92a730a5a0741ca992a0b4c08

SHA512
2868abcfa240d4597da544a18a612e565a75024cd3ee5a923b9642622681c869dece2a98140d695719e2a08219be4b90b04000b2572dd2e790862bde3b8e6796

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
56b8fa855f4bb13cb1c2dc6df2f83067

SHA1
41506d8c3fa32ffcab5782e59b4b41e4e2f0d00f

SHA256
3f3959f72438e884d0ad097c37d75f4fea602b8d8a979d2632d2cdbd98fe8a40

SHA512
6bf777835315b59ba48e7667e97d0278e3580e635a9c1e287b8147c3e1ce984d27dbf5fa007e5d497865e7aa229734403a7360551cec2ce167e6963cff9242ec

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
d4ebf65ad31adb7483e26f392973de7a

SHA1
43a0b6e92d2105a20765292359689fc27cb3232a

SHA256
66f97121fad666298a2e5c871d30f507d8601611bff0bf72027b19552d9c537a

SHA512
e1a3e8eac02bc4e02939ee543e1df7892852d581b676d79191df5897223128e9e62783cbc1d81e44a04d7e74fa8b9f18123c2c7bafcc42d9cd8afb38a14502ad

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ea21b1044d07aeccbe75bf35e2301d12

SHA1
ad3bb92a36b501a2da14c0c6ade8485096a7e5ce

SHA256
ae1038e49816ff6fdd38c091f465a1e62175631d48989656b39ea0099aceef01

SHA512
3bf180e7942e7160aad7ce13a6c95e89dd30579aebb49a636749729c7e7f3400fed32d9705539ecac8ca03c7cbc5b6abace9781fb9e1e92708fbb5baa2da675f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
37204a935d1d8fa96318666480b12185

SHA1
fc99898afe9d639d8853a6233e92275f5aaf639d

SHA256
b4ebf4718aaec6a0a5fc26341d5160c8bc6144a2de2bd9bcb14162cc2a9fb2c6

SHA512
c904319ed31cb9fb9a943fb9533a2f43789914925661c7b8e9ddd0de898ebf524eff462456765f4ee4a3bdf68d46785b34696d258406c66f330174aee5f1dea7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
24ef6e85ed1733d7bb648786c4bc289f

SHA1
05d3a50ae2650a6890e1790fae42db06fc946350

SHA256
be39181d5342a653a8c23db3aae9dbe73d8ebed405fa46405f808963aab50547

SHA512
a5a51319b6d67028374fc039f13f6584aad05f19aaa7e5115aab5c86bf9f49c30b4340e5fb8bccd926365369e0a83b139eb21b389766c1dab69b10f6a355231f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3e6014af1d4bfeb651c66794609c3cc0

SHA1
49f69e765e5c6abf54dcdead99999aba7fe78851

SHA256
bf555a6b3261b510a3a6fe811bdd571e08642af0d71d68b883e92475a60361cd

SHA512
99c3268b1b24d7ef7dc474f13c6d1c4d1005c6dd7c7aeba8c6fb4015b3eda5612e8788c8607c800779f6e97cfbc0d1dc951bae34f42431d7acdd538894f8b452

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.6MB

MD5
80d3e3d043c77c5f12af5a4d787746c0

SHA1
186b764b401dfc2550d59cf5d828cd29989fd72e

SHA256
46998e7e7c6a295999f84485490d0a58f743c375d416fba875cc80ee2d8e7192

SHA512
fd9235833c15ff2ad222f5f7d98c1fa85446e776afefc0bea7c6ae504a59e07822ad1d55b353f344bdaab7922915eaf029abb23a209fdd6442d2a4658d675aaf

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
046c755f987f16f4a6ea9993b93dcfd4

SHA1
0f90429f373e120f3375dedfdb667ac43c6121fa

SHA256
8804749fb1544f44ff91ddec0bf39857492a7b70df85f55644cd734bd6ada607

SHA512
366ef0618ade63bf25d9495d71b131e1c35b4c6df7db50b7a5c9ac9180a7437eeead41c0a422437cca09722a04a853b6aaf073a8b9a21512b0be1370d6dc5391

Download Submit
memory/464-390-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/464-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/464-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/464-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/592-93-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/592-87-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/592-96-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/888-163-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/924-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/924-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/924-25-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/1136-142-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1212-1-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/1212-0-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1212-408-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1212-6-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/1212-81-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1520-144-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1756-98-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/1756-103-0x0000000000800000-0x0000000000866000-memory.dmp

Filesize
408KB

Download
memory/1756-138-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1996-139-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2164-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2164-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2244-78-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2244-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2244-82-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/2244-397-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/2700-164-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/3156-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3260-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3260-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3260-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3260-394-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3264-71-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3264-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3264-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3264-62-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3264-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3360-137-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3360-11-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4252-66-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/4416-173-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4416-443-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4484-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4484-442-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4516-143-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4608-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4608-444-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4712-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5008-172-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download