d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
Size

1.8MB
MD5

436c1a4e7bf8c93603651378a6e762b4
SHA1

fe5a0142a6d7ce7e1a2a4417f97318fedf830a41
SHA256

d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa
SHA512

bbce46faac8f52245126ab93370e51320a73f0895d2c6ae194595317a4835df3f0abd8b9569fffba5f356bc3258c3c26d61dad089fc854f3976141d31dbb2207
SSDEEP

49152:UKJ0WR7AFPyyiSruXKpk3WFDL9zxnSuXwBopwhKXmIdwh:UKlBAFPydSS6W6X9ln76CwhKnds

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4484	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
436	fxssvc.exe
4352	elevation_service.exe
4532	elevation_service.exe
3924	maintenanceservice.exe
3776	msdtc.exe
5052	OSE.EXE
4928	PerceptionSimulationService.exe
4716	perfhost.exe
3904	locator.exe
2672	SensorDataService.exe
3936	snmptrap.exe
4664	spectrum.exe
4804	ssh-agent.exe
2440	TieringEngineService.exe
4312	AgentService.exe
3800	vds.exe
4800	vssvc.exe
392	wbengine.exe
1036	WmiApSrv.exe
5100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\locator.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e2afa8885ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\System32\vds.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exed1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31DD.tmp\goopdateres_sl.dll	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31DD.tmp\goopdateres_ru.dll	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31DD.tmp\goopdateres_hi.dll	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM31DD.tmp\goopdateres_ms.dll	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT31DE.tmp	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exefxssvc.exeSearchProtocolHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000654a91755599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090884e755599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083a52e765599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbdf48765599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099876d755599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082d213745599da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009482ca755599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8ae74755599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1580	d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
Token: SeAuditPrivilege	436	fxssvc.exe
Token: SeRestorePrivilege	2440	TieringEngineService.exe
Token: SeManageVolumePrivilege	2440	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4312	AgentService.exe
Token: SeBackupPrivilege	4800	vssvc.exe
Token: SeRestorePrivilege	4800	vssvc.exe
Token: SeAuditPrivilege	4800	vssvc.exe
Token: SeBackupPrivilege	392	wbengine.exe
Token: SeRestorePrivilege	392	wbengine.exe
Token: SeSecurityPrivilege	392	wbengine.exe
Token: 33	5100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5100	SearchIndexer.exe
Token: SeDebugPrivilege	4484	alg.exe
Token: SeDebugPrivilege	4484	alg.exe
Token: SeDebugPrivilege	4484	alg.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5100 wrote to memory of 2136	5100	SearchIndexer.exe	SearchProtocolHost.exe
PID 5100 wrote to memory of 2136	5100	SearchIndexer.exe	SearchProtocolHost.exe
PID 5100 wrote to memory of 3108	5100	SearchIndexer.exe	SearchFilterHost.exe
PID 5100 wrote to memory of 3108	5100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe
"C:\Users\Admin\AppData\Local\Temp\d1a1761e4a6c1fcd6ee03fc721707a6af9570877f232a4ec4383aa0d0f77c6fa.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3776

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2136

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0270e37d39ba5b86a96980d5b3918edb

SHA1
f51d2d3b133f8818773477bc8a2f18ebb0240c07

SHA256
699fa949ab6aa92d83380810cb1812c2c7438fd54f9e92f740d9cb382a235802

SHA512
5184442a526735290df18756bf6d3df7f9aafcc1113f424e95d2192a7c6bd5a5f4fc5e6f533afe7fefb704318ad57b0d93dc115fabb8542e9cc246baaa229332

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
5d07c76f1e13dbab9a4d20498ca3a293

SHA1
99741fa57575854ae1be55fc7c4cd81e12412ed9

SHA256
2a42c29d33e03675d2a1f04ebc872fb31e19e04e546ad16c59f47a7b0ed96e28

SHA512
d009d25efe27c0bd25df24126bde9fe27d11ca14cc4a4b0371e263b5f0d0454f7037e1526d055706ab396e12ca098da3d90bc39a8bec06e0e4d5299d4d0d289a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
2ac3a2e77e6524803d3408151cc19645

SHA1
753885022268fb8337488772aa42259fedcc01f4

SHA256
2906a0d735adbc2b36355ac6a48b9c561ac22bb156894a8f180bb4827f2bced2

SHA512
564030ece3022ca0378da52df795ef1e4b810a00637a8e659d6558b74fa5a3cd166cabf2ea25213e27c1a3f9085b42343172e6bf70060ebbd386c160beff9443

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
508c650dd0a5970c45430c9af1477194

SHA1
17292520c7c7a2972c8d22f9bde1a196d1a0a9e2

SHA256
1f5c3da3fd87e1e865aabcbe09c7bd52426ad188b2d85bfed03c9bf2fa4cc7d3

SHA512
a01eca3c151dc427d388067d0c5a3e0f60a1aa8bc4906ff5b8fb7cb54cfbd25ccfbdab48c85a99524cacfd3084fb750be877170904fbf9372a1e3b12f5bdff98

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a1ae6a1f1fa71aec58bb029877df6c78

SHA1
1ef21d40cfdde5a4c4917b8cdd8cabd6aa68468c

SHA256
f4097e60a903e6cfd86a50e6960f81de372eb8f89264d7df4e56e998caae6ecb

SHA512
c86da72da339357744c0800490a3e67958aee46c3d80e09b8e2d4163f07aedc58247cedfbd9dc984f12ff8427765b8f18d1a0a73b7f2f905cb9819a239304e34

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
061fb007ac7837a7c69180dc8ac32cfb

SHA1
6a101861a5fbcf76be9acb3c0406585c39c0ea67

SHA256
428f670b444070049283920b8204f2d9c27d7ce97e544e75ca7fb6c65054a928

SHA512
211b85ebc45b49fb611f73bc2aba867eaf532e5b615ecd57d047a0c688146c2596638ac7b8e1f6cc6db89783ff10e3f1b8e5f986e647f25b0488d26d6c78ab21

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
8299b13e5666a224886fe2d9dde92655

SHA1
21c48b760875604b743c92313a90aee8918ae2bd

SHA256
6ca4c0c6f8dad64ced807d16e3ed15347caa721df6b92a62fc9fb82489f7e5ab

SHA512
548339347ece83b2c5fc1df1639cc09a02be7369456ac0daef24f31716dd5772a84c2ea05e1de79950113b3e9851652e357aabd028eb43d26e69a5ce31185cc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
260f7fe4e4c5ae8181f633e73ce5c2c8

SHA1
4242718eec8a370305a7e89593f0313245b9b4b9

SHA256
7b18b4d548300db5172b26d0e3685462bf8e29ec35d1f5aede533fab759f3389

SHA512
8aef3cfde8d34eb78cf7c6564e22989a0f07bcf8862ecf748fa88c3a65f3425dc7beddde597a2db173cccb1ce3afbae8fdd5f1db1920f04d403b5cb27eff1fa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
060363337bff3f40d823728a7dd25519

SHA1
8afe9f56bd28605b71fe2d68d05f60d8a81578ce

SHA256
ab1ac6e7d74baea0642986588ca0339ccef7dd2adb8156e319662a9126417ef2

SHA512
077fbac90532171ab90e9b6760fde74b1bebff71166603bb8a6dc0e94b842fbe157e2bc255b35c3b319f4280b757dd85a3e8bb701fec129bcc14846b8bbefc72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
58d3572757a1e3ae19d65ec559c56295

SHA1
249529351f88d975b2702115264b59c60259924e

SHA256
7eeb279e3fe61432dbee3960280fc54a82875ab6c32501c9f16d6fdd5bb76d19

SHA512
4abe4127bf05bd2031c876cb8327b1fe55a6aa8b6980d51738181ff74e73b353155c6d1ae8abd94be78d0b07e3ed73a272466dd692e096b74d1d668306d9e0cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
156b78700caeba0185718b30fb7d2c53

SHA1
c2db370cfb121257cbfeb52e389b74f1dc1e6ed1

SHA256
55c93e86f4fda3d0356418b1ade1f29464550032cf5298e57fafe77a7481fa52

SHA512
6523b1f24b85ac825bb2d151a526bf4fc6e6466497dab38e727119d9852ac492f49d17df6a9a33bcc1aea2079e2f360fa707bb177de53390e2efc67b9aee1361

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7baf7da311ce505751a76bf9e5ae1a67

SHA1
786d8af47ccfd64ec60fd25f43ef5811533d825e

SHA256
5fc56387bd57b707753c90d763c6a3c05a84de24a6cfa6133e5a58e41d23eca5

SHA512
14dca2650f2cd8163e935a2704dc98a786c5376d7d95932fd9ac4014c84e150171513c0a5043098cfb9a56d3e766271d050931ef4c9d67027ae2df31fce9876d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
5125895fb9f4395e7b64e4701f19ca6a

SHA1
ad08a1114a4ce2dcd4b868988da6c8c6e64a27a5

SHA256
1e19d02c4fbfc8293c7516de92ac51cd4b8058b2e844cf2b69d74ebf59b1d6f9

SHA512
153c366092a65bfb5a9af7e3fe4bf17bd7adf9df5ed0aa367bbc5547f74a825fe5f6cdef3ee96b32fdd9972f01c100118baf3230de0d5819254922d14db7c3a0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
77cf6184d70ec253339780494fc615fb

SHA1
5e4c1a8395243709424e1464dec74389f15b483d

SHA256
3238edd0b34e7d5f2a87a1e250e081e04077ade38c3666bba706d6f6c8e4572b

SHA512
a1f5c6004f17f2a89d9f55842e8ed84645421659285b514de74a94144c5e77b52feb96e49627790400c0c7f06e82c16db187a8bbc95064e40196067157b90549

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
bb81fbbadcfc31470326becd339b122d

SHA1
4274d8fc2718cc18f766cd823b6cc7d687ed86ed

SHA256
57e79097440e4cdec6b5a7bc8c735af2f1cfe5b6b3baf04a2ead78381bb5bfc7

SHA512
7d33e8d2dd469a454b8185766edf88790df485fb3b8d59f102a84ca5693bafed7b90833a91c2003c88d16c0a26bab1203614e7a6da881b495bf6f6de2c670d2e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
5020ea082da3af74f62da0096bbe62ab

SHA1
8cde76f209ad8c2203da22087523889bc9313e45

SHA256
8ad82d60733cb664ad7993e9153191492bd6a38e070c150c9cd96070925bae6b

SHA512
f92d504630dafbf1d02d9e718dee616796ab347138d7fddc2243ef0fc4f53864c26f0649c49f0ec955ad7aa0d57fe1ae3c13f364da57cf82cddf499edff8ad7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d43305c96274c63a4945486f5ccd513b

SHA1
2df91ff7183b5fcb409b96ed44f9ecd91aaa7750

SHA256
155016180bcd558ecc06c3dbe08c85cb64ecf96591d62c232518e8485d0c3ab1

SHA512
f010337b1efcd75dff36f1408417e5068f0f29b772eccfb1a55b56b63ca0c91e161ab1421b405f9b1ccb71b87d24f20679677cee026799182a4d4df586ab9db9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
5b84200d1e337cf6a1b3a132a8dc6bd9

SHA1
185b3ef492fe0c290ff8e0c3eac957d549091e1a

SHA256
54a4385bf2055a521435287bd793c835867fc0b297ddf2593f6a1279870e7ca1

SHA512
c5796936552633e14f06a4ae0694a5c8723e6004b292b644fc3a1f95dc28a216ebe62d88cf96a6681016dc1cc3e8290a532bb07c91e4949d81546833ce395571

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
712b297ececc3c2228bb545b54be1e81

SHA1
05a39165ad8c289316edd3d3e32924212788e3ed

SHA256
95c09327d2a8193d0e150fbd0fc9d66d188fe33d825949c235f099829d377d57

SHA512
334ce8b0f76b9f9cf39405b233184e292263d4fde267159b5ff6a4c5f0e947610f58c0c9c6cf296ab577b8a1cb13f6b544b74887c11eb5a4b3a70a17cb7e7db2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
1a78d96a52409d528d8c2b8a2b1127c9

SHA1
49b7a39f217684b1f06dafd087541bbffa112fd5

SHA256
23e3551dbedc67096d5a2812d07de9d9df3e2b4526d1ffa26dcfc0c1684264af

SHA512
308c4ac178a15f5235cf37c28c98b036b12641e53527991a4fc1f7e19843d5f56a7e75a6a43c5686a794cb899e9cdc8711bd3159d5a0ffb447b3d955771e54e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
854e350ca48e5a12f9fb3be5bb95c25a

SHA1
770cb38c1ba0952034b59c03878a4437e8cb2cbc

SHA256
bed5c1d89d6f9f76bf01b5267e28a900928f1bb1d5be71c6c164399263485d40

SHA512
0971ff93e62edc65a02b09d2d76bc0ce0a7199512507cffad602def6afcd5b5844bf2428981ecb2fe385b3bf230cc23d1a9a6890533eb83d60f44606831b4bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
3e6ad83f8c90a3df1558fec5a516107a

SHA1
ecb46207635dbf3288c83a43d4922735c7579ca0

SHA256
bb752af2416130661efdad20bb8fa3dc31b4ae453d7f8401a639ed5c0f21d7d4

SHA512
f127a0d96411a1a26e3e72fe7e917baac8497fb7d777542f76ee56d32a133f55bb27902a884d68e02eb9711a20b3935fbc38c39c5691bb455540cd4005bb3efc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
215e03ca27da564e44a2256cd25b5227

SHA1
fe96ef2f5dcafc044ac5d230aabad098a2b35cc1

SHA256
e9298171fc5630e6142105e3dc801e4872f0ff274bb3d9c7b12ff37c82fdcb1c

SHA512
02b0e612c32ef6a2b01c4c0a691909ede44f619e0114ad3798fcf78ca2d48aa31b3f4cbbb44e8e3728351b4e2799813feb11c6ff9f7119cd8b6983929930acc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
2c3c721836d93a34f1ff05c20ff14853

SHA1
cb98be396a49c85f9e6203282b25a2fa0cce7ab9

SHA256
e43611b99b1075eac90744d39696ff0e3f037ff53eeefabe7e72906774c85bcb

SHA512
34d82b48d0268aeb73dee314cb4d10e0f7cc694fa7bd4e1ac60d085293bc26af5e725b7d14e157a9754c4fc3910a9214d349294579e2809a64893affc2460f06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
17a309f505d28459c16e0edf966a6b21

SHA1
35702b412ba72dd1d99f7343fd1d79cf964dea40

SHA256
4e342eaf305377245c68f161a5014b4cfdd81de8aa6b237e269590c08da4d4a4

SHA512
66726599234b10529f1fe26f11883965872c0d2dd0b149e2e48abd2b4b05c0549ed551f11db6562cc8f7c714e956e9e735033eaf6cc5c735007e7eb17119769d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
8d972d49a896b72b3989844f849274e2

SHA1
8a48fe5cad683aa1c4a17381f7f5b30016256ae1

SHA256
6168f67352eb06ec42c2d42442c04bffbec49cc958428fec4bc2d57be5349d61

SHA512
741b836668dfb7522f791b8c6bc5a52fa4b0cecf9f4700a12c715a808a8f682e2de16799ecc69238a1218690f8c952024041f9cbcd59311256dd8105d404e6b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
fc997444ce1d077505645a19a5744032

SHA1
3de0abd387bf15a0bd72c1136a1360efd52929da

SHA256
6f655e8c75c5c94fca59d338c76a5d1706b50c79705b7d5bfae3e9b7b97c0673

SHA512
bec46968df21ec08ec662f75e524cafa31a31a842b26669a67ddba88561c71da6fff5505fed23f547684f0ac49b825593d213e1984effb6fff997440ab3963a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
8e0d69a67b69f33f41fe6bb6e50841fd

SHA1
43b28512dec63afc17611110d3c73bf9809a7b69

SHA256
c35e98f0a0b2dfd59e21e5519c1ba277d32815bc38bf20b70dc6618d23df585c

SHA512
b49ba270abafbeca5a39156b140b39a5a07e9985291066cddc84f1b306a44bd163b131e547e430d6299f22ac834d8bdf1d85c1ffb611878c9d74900623d21858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
8f5bad265c0b02c6d00c28b14ddb7a13

SHA1
d1285ec5d72312eb07f552f25abbf13e0d486a45

SHA256
7ac85713d2bbc1876b5ac65ec18f2e37d140ac92595e5f666f339acc9ceab144

SHA512
97f0373b1e3b6b3723f758bcad3d90a40a0ba657c140ded256ab1207238ee4ce67bec2f8537045378782f12fe8c90917b9018215fdffcd4edcd7c26837ad514c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
c3b023e5e079d1a0b89f8c826d331521

SHA1
73455684ef73c5dc9687fc5424f591f7d067bf8c

SHA256
9c6cb8dbfa1b724dcbaf91b75dd2aacd61b951ee3e865ad7c0251b058f377bdb

SHA512
d3d386e0b56a4681c8771f3b099338a2bac39a0be538e897969097add374a8a5a1091ba7eb747230620ab58ea35f6274877f97c54dd52960f7130b6dd2d94769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
59f5682ee951c592dabfb74a5cec453e

SHA1
1ec9ee3937ef691ca673777126ce1e1905bacb7f

SHA256
1efc3411bd48f962877342b3a492783cb8898836a16b440eee089c6e0820393d

SHA512
f647f2dd8a8669b7ef777f4783b2f94a093527b1ff64880302b3d5e0f3eac9f3b8d3e890356a0c4eeca01fe14faea7fd7d30276c369dd71d6f8901367afab441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
1f56d96776c2f946ed67428bceffff29

SHA1
5e7ca148bb9595970c932b2223d4c73c9503a8c6

SHA256
b96e021a6bba5d41c83d278e65df9a82644e814ecbccd5d99424ca4a30b0e9d4

SHA512
9c5b6b893189e3fb5288cccc3ecfab6f264ce00087aaf8a064f04539129a72cf30766ea04f0a4715552d41a86f4afa37516276c6f8a0385e9d6cdb88c75bcd98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
863656cf51c28854b09204a14dc5bc4d

SHA1
9715da60c898689626994bd892c09fe012f746f1

SHA256
9325cbf6ed6797e855701bc1bb078cc92fc5be9e94af3e45be2790b49ddca362

SHA512
260558d010eaa2a1f53cab04c0a6243b27f216035deaf368b254b18aecf88b53045c1732650e98aea5fc408cbcb64bb094f5aa888634f96da2a76395135e0ee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
c3c3364e0213f391ab8d67107c795046

SHA1
789de70b967348bbf66ef0d9d18db791f9cc01b2

SHA256
e447cb7ab4d445e7bd304235a0dba58d53277e52380751cee6926d3eff76a730

SHA512
abfca19f5e2963419608d8e2912b266c6efc1dbcd2dc5ddbc0a69ae85f687973dfa9e7c9f01e326651a2ea77d08f38e7d4df1484f0b64bec18920bf83ba7f89d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
bfa16ae2cdd2dc0103c6c3376ac4682c

SHA1
d273bf2c4866875971c83854c049bb18b65143de

SHA256
fa8dd71422d4c0d48f091bb70440df8ce3771fa33d219ffbd8c90d8916820ebe

SHA512
cb1765acf55c8f469ecc65fc5406a96bbfdea7bfdf9e4ffe70f62de478adae917b4b568bfe108397e171a6ba431e593e218001e554afe8b616bddeff3763d73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
7e30e3ca53c6fe23e5560ddaf162cf4f

SHA1
9fa482ffd917e51d1842d7ad08f4baf9074449c2

SHA256
49f8ceb164bf7c9085f9d3486666b90bd4bb1281c284275296655caa7e459f3f

SHA512
ca468d1e73519bcfa9099ffd623c791c069ffa0b4a6fb543636f3f1e33d640f595868daee3cafc0df66893410ebc3ec84ed3f90de896f6f76787be3472ffb57f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
4063927b23f26363cc5598b6b35fe1fa

SHA1
5f96ed630dca6d5bfcd7c5114599a63ad6c19b7d

SHA256
4d2af661f16c797d5d49bd0028b5c9df37baa8b3340ce6b7ce7d075a69fc4b10

SHA512
b3d912860bfe8d441a8d5091ff6917194cc59190fff499b03f5287ff9c7999c02835c2362cac5add71c45a03939cf14bb3849e5d1cbf154e971358bb8bde9c1c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e427c33fd5ac373fcccbee38860b85cd

SHA1
d1f00b54c9b682bd8d1a7b608bcc05c7c7b0d1a5

SHA256
5eac6a7a5bc646b493329dd19675fba39022edb258511a5cab46647d37e86a6f

SHA512
b2543df389d34133648cf26e461c2bbec34644ccd685b27a142a3721bba00ea9823c1ca80f88ddd93573d69cea89324f2f46f39b895833cff1ca900b06291c5e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
faa545987047033fe48ecc0959e97270

SHA1
88a8fde7a50831125aa24786958034bb83ce6e00

SHA256
b426fd6ddc5d1817c9ff070afad80b8c42d8f1d6947bbd569eebf7718b3f6a8c

SHA512
7b8e98476838ccea73519f0506d0e31be44149d991e9bc3ebeb1c810edbffb23ab710831873eb2c98b21e45bcfafbb869542ef3161fa63e08bd1f570f495792d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
54b75ca1ffc0b18c2378face8e659c4e

SHA1
9a351e07d67fb9ef2fcb0f37f753ceb9b883657c

SHA256
58dd46422a61ce6e82f032e70e2ce70aadd845cdf38a23da0a5ae6a2996d7879

SHA512
8c6c2ec1c5a80401b6c5096a1d595b9d698ed49710c730e5cb961c77858f83c01658976cb7565f4b2cdeaf0c8df3bc22cb93233b4aa067f49513494bb299bb93

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e04977767a799f6cc165236a6b12eb30

SHA1
f1bd42fd19d2b1f73af2ddbb7d789982f15758f1

SHA256
441bd5d5c471d5e1d53c632a94966ed67db75ef422a5a7104ee8e69b873846f1

SHA512
e87c7937bfff728ae5505e1222cf3e88de9fb6a47a6c691813d3110e3cb05445de4a6e4055237208c08ff05e213cc22e5c65b72b60dbf430d3a78988b11858bb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
a36808de82307bff5efe940c48687f06

SHA1
abb11e08f739318c926c94574e56bbc3f8701f5a

SHA256
5756e07c0e6ad42e15a6ed77847e8ce5ccb0888afb8772d6cefd0c0c1d53a989

SHA512
0f119dfe669710ee46680dd6f0e125c134afefa9b7dbcb58a04506a5252ad9c2328d750f3792441faeedaf64542d7fff1c1ab56ae4cb1ae65ef1b23aa3ae736f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e2b230d9fc59679e2fa0ae16db3e89db

SHA1
df32adecc2519e14058bf79e9f8dd2a4a783e7b9

SHA256
318215837220382824b38be6ff29333466a8ed8659063a224306f3209b364904

SHA512
fb5823e8c2a49e9df3f25860ccb4d72400be36d4a382fbdf82eb7f84da1927276138a749e4d77a834acca5258dda4ff0389ea9f92c76c72b9ccf3a76a5b78777

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
595ff226cf28c267fcda1f3ae410cc4c

SHA1
7a748090855e7afde82638a68567e382036db636

SHA256
8f48d6b27b9bda818073ab7ffe1e92896cc8003737aa61c0d2ec7cece82c9956

SHA512
877e233a13a6fa59c45b2646b8cb6759f44c557dea584176c10990e695b6963e99cd5efc0c69a4a042b1ef1b44c5a3b18d4db71992825f89c4405ee12a938f7b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
383ca4b00c0125c3b40d51c84bc40da6

SHA1
b7d9a3dbd6731e82a758ecba56c5e7c0f2fa35b7

SHA256
cfcb17946d6d5d6220e42311995abc80e398072fa0f3518caee26b6dde81421d

SHA512
d9e74c74300222f5b35299ce7772bf4517b9da5bbb882b12a9fc689522009947d615bfa5a9090e5a565bd465eb1ac2b5ca441bde21baeadf5772700038a13278

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
2e659bc8d0ff82d6dd088a0e3537a8bd

SHA1
c6c28212ffbf5f2816d4dcf7d5973d077918234b

SHA256
17ab804bb2b2045200678bfa1e21c0025e7ba628f0058e020bc5ad2f44b66385

SHA512
cdec88455456dd9dc5c29d6fe3377dbde2a39e5e47b7c3fced159a28c1e811f606db8c40e89c39240fd714e2efa23a533d776275f7dac41f9f8db704f19533df

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
24d168e7364ecfa9ab3df5021b6cee85

SHA1
f53b98e79bc61a3637f7b4789ab24e1699cf218e

SHA256
dc8acfced0f9034ee8c7aafefe1aabec58252c325b0292b9015e61636e59994d

SHA512
ed97f0e96f94896a7d9a9f86cec4dabb1e13ce5c564176eeaf5786b60a09cab6da75eab0d561262a6b0c237dc8ae2e90f55b43deb129e7b9a5d7bfd7c849c673

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
82cfb2a2fe199d726f6ad2cb65e2b323

SHA1
1514f1a15211e617d80acd625327ef39d937af5c

SHA256
94bda634546a6d412f550e8f532078f8a8b89ae0d8b72e43e2e8399ebf18e6e5

SHA512
950b4564613e12d234aae414031cad509e8088fd5a63dde9cf3ff2bb21803fea788eb22809965f5537ed50ef4d783cb3947c9ee473aeec097f240edb2ab4753f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
65ad771bb9d7ca70119cacf6a222aff3

SHA1
9637f5ac706b9fd198b5557f5505bd4afe0ac87a

SHA256
30a5044d201932202f7f654643232afbbb99ce728309c9bd42660d39319dcce9

SHA512
9950e39379354d87ef1c55c91c38cce3471e9a1387a46646c65d1219c58deb8583e5ac0fbcb6b15073f73594f4c68adcae055ada1ce8c2e3952d9bc3c0ba85c8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
865508fa18661a6ee93075e81dbe3766

SHA1
397d570fca616825b39b9e6e5f49e3dae5f80e99

SHA256
ec72dec6ce1e3666d61d365fe41968bb7787b7fa848aa9e8f7e457f20f5f372e

SHA512
44708453b34e5ccc25e580800ae90f788ddc5439a3e850c82bcaaada827b353e07a19a8a85c2981d15d4e3fcbb9e5f882618d62401717072ed21dcb4edac98d9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
aec1693a306af26f394887102468969a

SHA1
6f3c9e3bb92dc313008fa8c3e46a5733df25fee5

SHA256
f1cb3d8f69a904b8a0474bf6b210b2da9881e3f542b84b1a42987136206d7ee6

SHA512
8c69f509b9c6c0d3543b7714366c774e6e78a64fffeaffdb6e538dbb864f92df7d94f5dc99d2264eea80653814a97f362644675239406eea6332a595ecedf38f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
e06748aba6445a07b1c4597f3064f1ea

SHA1
06a8fd5fbe93e3b945156127a1cd5ef4d961a059

SHA256
c575bd895aafba7f5e96c3790ab31410daa3a962151f89b9d5d20102f3af2918

SHA512
cb0172d5f5fe0262e25364fc046ebad86d6ca4768a65c41a7c74c95382fa0cd913d4308aae0ea2b187e0586a7a269d733daedb705be33514e0dd1412b1c114bf

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
c2a7d5b53d4bbf6ace87df1d35ae470a

SHA1
e20c6814caad2509af651ae32fe2edf1ad957df2

SHA256
ea689d0403f65c5f2833309893eb97cd3855f7c4d74c9c775034ad8bbd1b5907

SHA512
fac97f281384ed85a99d83089b40c78a8b6c24927bff34563a1f10a7070b59345210e00c4d5e8e7cbf3a2384b6e7a97c54c1240fd51d95017792dea040ed30ec

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
766d65be3b322a5c2605330b817e373c

SHA1
3e17a1d96447e4eb18f77efb371c314cafc1f4af

SHA256
d0c7bd19c5e0452563163b1eec2deca351f1f710bcf2526e9b038bf7ffebcdc7

SHA512
ee469bba423fa3c19dce46c64adc3905306d1386e672bb5d71cce12b0b0af81d1cc23ed8b9200ea66dab183090fd8b9be1c41b8bc79225666eb563d4da9b965d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f78e7034f6cbf848ab50850ce3b529b1

SHA1
863605e12b26f112c477d90d2198fc5a38c59bc6

SHA256
5119160841f6524646e82526d90c7f3652b86e070305e13f10971380c60adab3

SHA512
2439ca80015a44ced62c911b5d8d9f5bd24841dbc2b2da59522e62a240bb8451d6def14109fe8808a0ce62b42562d0455e993ba51a0c55d3111d6e5d48f9ee33

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
05e781177a6d885585192640c6094526

SHA1
ba8ca63be8dd66eccc5900e715fb4b3ca6d66585

SHA256
cdc2c40e2d4738763486f6d41978a2f37d83b696d7552c3051dd0f7e4ac70a01

SHA512
3d58a544050a61f3efa1f2b357ca2c1a2c45e7b504e4c4caa00ec1a6ee7bcc56f63a0f225f14eeed4a5f7fa540f5d93da83be9353688b8e4376944834ee78d7c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
574e11bd681d94e52a0f176befbcc37e

SHA1
84fa03f77180357ae743447e04caca708d94159f

SHA256
e59f71f1b6b6208b34c41b2899d208b4aa276386de379044f144a274952d06cd

SHA512
ebac936f3e862f8e6e29b10067d4321f53014776e0b4b6896097f5dbc38af86bcdeb9259d8fb71337c708f34aaa6dd708099d079275079fe08bf8c3a3a1acaf2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fe9defde85def2e2a963f8124ff04fc3

SHA1
8325797acb568ee77de847302a09fbd80ad7c3da

SHA256
942b6790128c0d1ec485e9d0cf918853372c9cb42b297ab6046e8267e8cd06f2

SHA512
d0a6f1e5acfd40e1edbe673ef0240c356f1786677d685dcf46b9bc561ca3b09294bd2bbff86c18f18a28036394b29c065428523aaeac68b1c71399709eae4cbb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
29ab73d6f3e8947e4939c4f25fa8216d

SHA1
15026b06234d3a843626e623eb494be7f47e16dc

SHA256
b170be9253afd00c31a3f75c8ae0e04df160363853eade00196bad14a4364f71

SHA512
bd955d89bfe63492efb7dca624d566a31a09f475bceb0f13106b801dc5bf255ed53948906f4a347b8afa170ced75ec7f21a7e6f8741375afe38f816a56dc6f47

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
20d93c4f1cea9ac562282941191c9a11

SHA1
b46bbb497f1eb350967da987cc85ebbd0d8fc184

SHA256
0cc059a2da9d5db1bdf33f3a29297378eb4561698f8d0f20ccf9b2c83d4500bb

SHA512
106c59c624e6d646201e506d6f7859b7fd9e5262d3940153518cd5ab25be2c21c5d6d1885ca0c7b1e5e2cacf8e2d2350545dd8c0400f5a48d9edb32e2ff6d3d0

Download Submit
memory/392-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/436-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-136-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/436-43-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/436-37-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/924-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/924-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/924-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/924-725-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/924-31-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1036-735-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1036-334-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1580-6-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/1580-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1580-586-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1580-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/2440-330-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2672-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2672-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3776-336-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3776-154-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3800-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-324-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3924-150-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3924-152-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3924-146-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3924-140-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3936-339-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4312-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4352-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4352-726-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4352-63-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4484-680-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4484-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4484-20-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4484-11-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4532-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-733-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4532-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4532-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4664-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4716-323-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4800-332-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-734-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4804-328-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4928-338-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5052-337-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5100-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-736-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download