be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
Size

1.8MB
MD5

f5fa0983f6edbdf1cdb969ca2aa2bac4
SHA1

591de5a9f2deff5f3ceb208547680305050352b1
SHA256

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b
SHA512

1d2b1864c99b6f4461ccaac2c7a0245c2e9418e7d1293fbf7db46899ad0472df6ee5fb08a89c2f11edb40d5ca0deca48179be378e6edee2fbfa47009ce0ee652
SSDEEP

49152:mKJ0WR7AFPyyiSruXKpk3WFDL9zxnSG8HNUPCAaq8Wdo0:mKlBAFPydSS6W6X9ln98t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4244	alg.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
2808	fxssvc.exe
2776	elevation_service.exe
2936	elevation_service.exe
60	maintenanceservice.exe
208	msdtc.exe
4648	OSE.EXE
2176	PerceptionSimulationService.exe
3004	perfhost.exe
4960	locator.exe
1700	SensorDataService.exe
2828	snmptrap.exe
2440	spectrum.exe
3524	ssh-agent.exe
676	TieringEngineService.exe
4836	AgentService.exe
3864	vds.exe
2788	vssvc.exe
4696	wbengine.exe
1788	WmiApSrv.exe
1856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\locator.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\69938c1daa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe

Drops file in Program Files directory 64 IoCs

Processes:

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdateres_lt.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdateres_el.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdateres_ta.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdate.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdateres_zh-TW.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3930.tmp\goopdateres_fil.dll	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe

Drops file in Windows directory 4 IoCs

Processes:

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ebdaa7c7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003447b47c7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012e4b17c7699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d45d37c7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bda8a7d7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faef5f7d7699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe
4020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4592	be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
Token: SeAuditPrivilege	2808	fxssvc.exe
Token: SeRestorePrivilege	676	TieringEngineService.exe
Token: SeManageVolumePrivilege	676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4836	AgentService.exe
Token: SeBackupPrivilege	2788	vssvc.exe
Token: SeRestorePrivilege	2788	vssvc.exe
Token: SeAuditPrivilege	2788	vssvc.exe
Token: SeBackupPrivilege	4696	wbengine.exe
Token: SeRestorePrivilege	4696	wbengine.exe
Token: SeSecurityPrivilege	4696	wbengine.exe
Token: 33	1856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1856	SearchIndexer.exe
Token: SeDebugPrivilege	4244	alg.exe
Token: SeDebugPrivilege	4244	alg.exe
Token: SeDebugPrivilege	4244	alg.exe
Token: SeDebugPrivilege	4020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1856 wrote to memory of 3216	1856	SearchIndexer.exe	SearchProtocolHost.exe
PID 1856 wrote to memory of 3216	1856	SearchIndexer.exe	SearchProtocolHost.exe
PID 1856 wrote to memory of 4208	1856	SearchIndexer.exe	SearchFilterHost.exe
PID 1856 wrote to memory of 4208	1856	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe
"C:\Users\Admin\AppData\Local\Temp\be42e92b08af6e80b9634c3a4c9353ef4cb1bea7b2354c058b79bd8a249c6b7b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:60

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4128

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3216

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
e7c2bf12c87efa7e32870305952e8783

SHA1
526296520d212ed6bbc995e2c0dd3c378aa1219b

SHA256
09c1fcda521503dbe3c7863618b3bee59d5f6b60a22a1a8af80de30f3490b6b0

SHA512
3be9f9efb818fa93ecfa6b3aaae8f115f6c3e8cc160e1dda8e59d4ed3c08d092b0c2fcbed358ea2f71ee97f2f8ab00292645e3912e0d121e561fe7d270851e69

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
0bbb65c7fc9b911e95022a5099d167d7

SHA1
15fe19587245605d908a3a6dd809d12cdbcb65c3

SHA256
fd88b1e67de2eb9a0213b3ea6474ad9f6214874ab760ffc5ca6c38b86b3073d1

SHA512
7457919d1f3be1d39ac09a0caa5cf8fdc12a4abd7fb8eccfe4b52cbd1b2bb2d6759d3b60636c8a35d53d8d8db6ed5089fbde0f363522279cddc28c2046132451

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
496ab911e067e19dff5e5f9fbd9d1c1a

SHA1
743671021ae357c89ee9097d122ca0fec2bc76b8

SHA256
c26fd90a116207d8966a8ea28328d4441f2f64e312af5dbdb19699ec461fbb08

SHA512
40b2b8eadfb0c386f62564c9798fb815064e732f7635b5daa9ec0318d348c745b5b0a60544a7462793ca3cdb0d46cc0a3a9f010092337fb189da34e5bb711ba1

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6088d1845d1cf05fab61b69951ea2766

SHA1
a791099344a5068f3b107055e1c95f4ed9b1a007

SHA256
8cfe43392039100b66ae25011512980cab5532e0d42dc88a3adddf3f48eef984

SHA512
61620fdfa7c863d9b266894e6435b418bd3a832672d1a008a07552c8d2e834c4bf26c539239ec1d9b170c0071d3e95f095669c904009df0206e4ad2f8c19cfb1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1c1e98be0aa7ccfc06ae2b66949945f0

SHA1
4117f9be74c737d64f155d5e5c21fdcebb114a7a

SHA256
cbd6e57a76710b5fe7cdf5a2bd22e261348680ec1ef2304259fbdaa645829da0

SHA512
88715d94cec1bfbce0d9aac8b0d0caf98b2706883c01c5c0029bb7771e879720a3ac0d8b2db68f9581c8edd38c9487c49734b1818651f1c7e41f0c1bc9daf017

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
25c4ca482289de2d52ed60d44b24ebdb

SHA1
570e6a0de44f1814f7d0aff4c38d73e836ddf9f4

SHA256
1ea13bb4d63f14050f50f3ec0858bd8cb43ae76ab76ac9e421056501cd52e531

SHA512
a2bf7afd21ced17e8d993c80b340e3238bdc9ac89c4e6ed16226ff129c1ceec992b9dcf34e2435151ef5ea08af18860de260af51ae2e46ce59636ccfe577c98f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
977b51ca1ca26bcae7c528385c26d555

SHA1
5b75b9add4b21eff8ee5410cbad4e35f568176a1

SHA256
2e07c8f4a804b2b932bc4dbf090239010ee5a9c0f96518446adf9ab1990ddee7

SHA512
3ac2f0d5c8131acc852c57b25672d3c24f426d7ba0feba6ed90d48e12f105f8d98587d42c1ca4b46a5f6f6bd330db48ca45f213df1baeb796acd5246b984043e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
bf5db4b02e6697ef7ec0c3316d6c6c85

SHA1
6000342942d5a0df6344fd3fe4281ea8588b0d2f

SHA256
0a949cea291e943dcc9cb7d90fe7e1ce00bf4d4c098a9d9f9e14c23c0aad4fc6

SHA512
331e097fadad912224a08b0e7ca1de6eacd139707f8124dd1c408978067b7f3492117aad8e893c279d750811537d117b01cb78294e5af30a1db86d2a98071348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
88010c28aaae3f39e437ddc2cb89b764

SHA1
a2d60b65eee273ec51d4b74eb81818110b16d5f3

SHA256
01e642c2ce397bddec462265e2f65ad224656995acb1cad3e3649ab250cc7b78

SHA512
169e16dfb71b81906a4655a7892d537fa92b27e9ba2d257f5d1df2f4e3bd5fd67d0a420baa7659c7ce1ba8201403cd0f3827f5e053988879e405d512ab8b97c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a3df5e0acb7f439f4f04f0ae2e44352c

SHA1
5ae98a8835196f573e8c780d5b114e68cbc235bf

SHA256
7ffc1f803ba011dad3e82f79716a089d039d60d56514c6d3799eaf164121747a

SHA512
fe5fb4bd4a6ce2f4eae1f02e6af58872582d79e996beaf4cb790d4192055fbc7755bf7d4689bf1d410fc518f845eefe9c3cca2902f18ef2c5ee1c77979837854

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
cbe0010c5d41e9d87305bc1892e60610

SHA1
f7bd08725864501e82f6538747c9345f768d08b6

SHA256
e6da94eccbf6bd1adafc0156007705b2869d86d01c70d1452ed14a8fe905a914

SHA512
6165c7ab112930d5b3f71e8fb8001e5ac44abfd6b0bea46b75ea362dbee5efeea138eb885340cff67c7e2c8444018f330f7b935d682353d96dce1a8eae19043f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
bfc13c6dbc8b307710739cc7b3f06132

SHA1
fabe1d6c9e86007bbd8564fbdd7aaad36e266f41

SHA256
d055d3db03d5a6aba8ac8401d5b8bf88ec4b6fe6345a8dc8b5ae81618c019921

SHA512
2f4bc99b0c74a09c95611cfef61f6435ffefd825a891ee68935c2c56dca43182fdccd106ca373c0ac951cf85f0c940828d7330368d987508f0b3b3848590fc2a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
922f86c4c8a2257d416fba4df64d61f7

SHA1
de2f723ef76b6453b1407aef03a66f26c167d8ec

SHA256
9bdf042a330d3b5fd18deca8f8be38c054745d39d3242942dd7add5b21023f2d

SHA512
c5ef97fa2a2e84d0f9e5b23e5dec1dd839700d32ee6b2f24696870261624bdbbc3626b5776612d57836fe33426387d9d208987969036f616e72a5be60e7185f8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
8b4f722c9e58e4f0d15c5a83ac390237

SHA1
1182c602b324b99728a3e5fd618ee9b03e501ae1

SHA256
537e6d2552c89d74e4d0d3158aa4d636305565e5e19c6519714680b409536ca8

SHA512
2ca8efe254dfa46aceada977fe74b2b81768cf3b512a941dc111c42c6760c231f48d6b3f0337a9c086bc5d3855b582818f496e4dc6b1a0b32688c624106c904c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
89ac3d3b35d9b295b1d548ae0e146075

SHA1
e2970b2a9716d3a6e18e3dbb0e855bdd2ad33b85

SHA256
7845a9f520b8c1bbaf7c2357bfdd4cebf9478903dbf00ca9f731b6dbb6b39260

SHA512
7ba850bcd6d4f36fb9cfb4f38c93c937954560c3585fca363685c5cec94340aa78fa9600c9b92c9cc3a5f9560cde9c9470c770de483a915ca39bb1d6ab6f36ae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
1339e30a683d054788604d9bad6a2330

SHA1
e8f6e10e41ff7aa9c69298ee4c92d63f854ccd35

SHA256
fcf2f24761892e63107c0ff7ec9ecbf4c8f0aa579e9ebeb210457e488a2db277

SHA512
9569a7ff22f86327ee179d974458c2bdbec31a1eed5fb69a79d1cf834353e150828b8d6957e7177a6fae57c0542f7938b9fde36a02c1573e255f2a0c505bd98c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
ce1c696d7a5b3f5b6e747a0ee9d72987

SHA1
c86fabf4e277492ae786405c46d2c63c9f29486f

SHA256
91cae1112b320e8d55419a2d489adbddbd79d1b983f4890402dcefad3799dea7

SHA512
11530df783dd7abff8b8a15f32c23c6fb30cf42cc9c188f3bf451ec0d138169f80a16433466aed860ba50905bc21c382729d38e0dcc2247a0b5523b579c85756

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
02fe3210500063abf3181a491a728dc6

SHA1
52b520708dc299c2c78f82f9b46dc394de49eb2f

SHA256
496d786f067b1a2afea7802aaa9a55ef9a0801e8264b02fefc4c6f2c663e5843

SHA512
0c68cf03686ae866bfc81595fa3f00a1ae0ca62b0c8f3f463cda9a5e1aab89f474fb325ceced94f15b0c415c238c99963fdbe94689e0cf52d91d0bdf9992090f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
6c45cb25d4806d4fc0c299d17ac36aa6

SHA1
3b01d3af9fecc051885badbe3366fd3a1769e8dc

SHA256
8826be63a8b088abedd198f1d54b6507f6612ae3948b3069dd4b85b1860a62af

SHA512
e41f1efe0bea61320ee7caee9e8d40ccef71af14fdbbe6c041238722ddd7d9838ae71ead206dc9f71992b24726e4666d8fe830010fc75ee90bd886e18144628f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
0249a5fe38c09686cdea59449b2316dc

SHA1
b5695ecbc2046726ccaf66ef040032da585ef1da

SHA256
4715ed533bd961aba6d91870d29412d1c42b81e0c0f2fdf081a89423fb9f1e68

SHA512
d7f61e0ec6640e8119a637b3f9daf09a2666975209131913917f9addbb1119571ffa7b91835205e8412b678cf05b7800c7414519af299c5c346986e5913e7dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
b849c6679a679e456393ca3e2e7d1a23

SHA1
b167b0e1c4c9d833d15c0465fb88b5f9402ff2aa

SHA256
df6f838002f5a79cfb593e531dde5062f11fbb5d32934e2256a630543cbe0c33

SHA512
e08c270864e7e17a7e4ce4fa5f03a369524da4a445b27c5e22e1d854b4c3337894a08fe5e9a37b42dadfa901bf490a00af7ec3ee56760b93cbd3d50376135061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
3caffb3872660bc70b19e9049ba5e9ca

SHA1
2bc0b1a9008833033bcb5ff8814b12c24847da4b

SHA256
e7c9cdc55b0734f49df58bae99d8f404870ffeee87917845110f7505e6a24b71

SHA512
da98ede1da7fd33c9eb0d529769563077f62e8672fe0a474ff3d8773e9ebe2123f09859addf02cd9716a144ad5f049eb91822ca9fb3fa3f30e3a641afe49eadf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
2c5b5310837d85282303cad666808527

SHA1
0c32763a5585dc9f1e4ee97db240fe92bce304a8

SHA256
7a87c9d0bf611c70bb2bf6f359d084c2d2caebf5968b7e0d7de0545814cc7a23

SHA512
7ae5be1c6aa97c85076d3ce1ecb817355d710423b5e5baa2af9ffdad71bed0a1f3c3075db10870d25128d0f1c54f8e6b2d824629d4e06999f02d7b3b9cf779ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
7c5e50d1f2abf7be21e38703ba8e7e6e

SHA1
2b9b77292accbafb21fa0c5685dc8bdf93aa1709

SHA256
1a5f38ea9393a9c19b4baaba81292b73d7ea211b462042df8e9ea23b346eb609

SHA512
96ced66cbf77049f500ce460bfa22cc82743b8c5881d5a6a44d5e2e787f9a11e86843fb8c07dd356b798058d1e74d64e7ff11bd80b8500cbd4acc73d7f031f32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8854eded3a2c7d4f92c696a4bdc355a9

SHA1
42bfe2d65de20c5dca455d1648c655c03946afbb

SHA256
3bff110d46a9f98a5a6ca16621f5bca44af8b20555bb15c31c098ae259d070b4

SHA512
7d1562d1c8e8fd16a5defba4713061b1ba6458ba405eae5ae8c50465faecbe042340d162228547275e0d78f1c085f57b6e37165686a5662da3dbdbaa7fbdcb66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
f8c166488cdfdf44dc6d098b26d467d6

SHA1
450653088dd7ccca0414289c034b0895372d0185

SHA256
afb27bb47e5c2c4e6181266c007b93dc926fb0fd613237e7f471249548dbb69e

SHA512
20734ea8aafaff7f73ed7bcee1c1508c38e6f7f454f6ba4bb183a6393f63d98feaec000d052e99466348cc989830fe487c123b43123a46fa680839a032bf3fb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
29732fcf39599b7504f47fdd5b32e06f

SHA1
7ec850c0fcee6e0587737dbd6316f78c812d07b9

SHA256
bafd2d49409f7157c5f268e59695f060b5014d65d37a49ee2fd252020a3ac4c0

SHA512
1b54e357c1b1b7e9ecbb7def689617f69643cb9e09422dd30eb528bfa2a5731f7f718546b934ee068257df20b688fdafb58801441a5f6bf0c5f6fb54bd21d41f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
bda4e4ba534a916c6be152ad28eec1d6

SHA1
673a15ba370901f092fe9d8860a864688ba9d3fc

SHA256
aa59a43de7e24c08b7031a5ffa576bd03738d32147c91a3c8654b5742915f699

SHA512
0431bdbf7835a9f94f3f2f40570cd78ec2e769a7160033d2d2dc7534ec00adb9c02eff08d995983cf12e17fdea8c878c9b7b0c3ee5e7e1dffadff68b76891fc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f1ced0c428e17c5c059467985aa2a73d

SHA1
3406715a5ed9757fa8ab940a157e500d9b1ec7d3

SHA256
e0e2c6ed6ee8b0bcae0932253b2b6491e56327bf1fe7cb7f361de7562c5eb635

SHA512
b58a1e1f8e3677c520dbbecbbf2f5e169d4aec21eea9408247f3c56ca833d551ea66c04c7431ddde14f689e8371d32b653b4140edf60cc08c5306a78837d8c31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
45825429c91fa7213949375e981fa759

SHA1
3f83f6756d852ef31a44be66f4e9a432c926ac6b

SHA256
8c7e7ff4b5d697e76a04112a169633b99d3d9e85679edeab5899afcee3190be5

SHA512
cbabee3aec6e61a9a19efed819d800ac2ff6516aa90308c3c56032c5c43f911737a6507ba2c6b074dec7cc2526583210b81e6e005406f9c2363018ec88eec4d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
517c92279af8464e2128fba8286a348a

SHA1
92fa14173f90e2d187c8f79d5923cd1366207f96

SHA256
467c1706dd249434621055645c3789ea936d976407026fb5f9118cf2ce30a4e8

SHA512
5a17fd81776128755ba6a1192a6b607f2ac10ea54520a5f0c341391f0e4dabe6d6a2758990ca8fdf3437ac79d2a9f94e4ffbaf26ac33174e61ae1eb9bdde2630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
4c3720207d5c4a16ec1bf04ef097a060

SHA1
91e39ac20459e2e86f7e80ac24808e88621e42fe

SHA256
51fa7e1a9c9c4c0b150d2e3f6d0eed01665d3b6f891c3097efa7af37f8a681bd

SHA512
de25488df5b1cf60eecde25f35b424cd8a81e6f347db37ffaf22dd727758fd3252cb65747813bb3ec4c90725621c2e33e161ccbd3163622d9257c97dd0b84054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
447fa8e4139ab327af524f7be6e457b9

SHA1
a91dac6048c86b77dfff56654c1aee5899f80df1

SHA256
554b1c43498217f646a02b88b70a90fcf902eb01a46856a3c4baf95694a889dd

SHA512
b1cbbe884115574794958f96446f007e16893efdab2c13c5e09ff109cf1c691112123797096f9b71167140f325522419c7f0321cfa0a5c1ec394fdd3a5395247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
802ff763da766fd573b46195370477f9

SHA1
ebb302ca2b187ac8e4244aa77a7889a15e2cec43

SHA256
116c6976b2cdb4babbbbea81ff5a273dab17f3d127a1718f5c226a48b6942157

SHA512
81cef2e405a2a184388e3d0c5c7398b6fa2a2c65c24593dae53f16a3b195327f23329f2bc43a588b984390ce14253fe8fca4593c8d9a17b0f0262dff60bd2550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ed8e28a308368d4a6924c040b672a556

SHA1
7d9656e1f52ef08d1eb7909f161d872451b2decf

SHA256
c4d0faa2ee3dfd82aac20598302c6cad438aaa10c82d52ec1af0ee79dcd6f5d4

SHA512
c15164186fa7c5989e7c3d03aa695d73e4d675311e8c88b4bba38fc86b76cfe23f5b3fc6cb590f8ab0b8cc26aa99a204b72bff34ac8dd0674004db217fc56ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
c9019e514b3a9bd53b318ff36dc052a5

SHA1
978348b768b5e911d3559d08546c34b7557bedfb

SHA256
64ded6ecd8d25896edd1061adfad44bbd66ae7807b5e5d7d63cd66e94753d5c8

SHA512
7eab1303b5d7505c0bd63e3d5a381382728d31378118bb2b9ea010963095d97c91cdbf62115276553c9a76a22c795d297d4f628ecd9f2ee192333ceb44048229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
a0550df32ce7946b57e385d0f1b9a522

SHA1
c438e95e5ce706e54492014f00f586a1b4f91ad4

SHA256
89f85ab4da202fa616d17366743d96300777de6fe1a90d5f215e999fa221810f

SHA512
97f77ad851132745dcfab8197db0ed2fa37a99bb6a29470024c92277c3dd3c1dde4ff281f443b8dd07f6fb1ffe19e0550bd1c3c8186886a1223b4df5b5a697d6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
bce06ba9ebf98785f41b467c70b8e452

SHA1
c507d5e5da0ba032f6e348b806b63f779ee6a2cd

SHA256
2e35cd0dec51e72f6eec3ed91d060fd470508d1e1dcaf26cfdc8d2d909c41b84

SHA512
c17f06134e8ddd8cdfd0fdef131a3817ac72451b8520fa452e6b2309e0b717f8dd77ac53ca660e350dac397ce76bdc6bad03959dbd3312c80abfd62315d080f4

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
615bae8144cc3a4d42774cef90203b90

SHA1
92779b7cf06b136c285f3feca873b0b893dc27aa

SHA256
4302e170440f515c04c1459697067840845379d0158df90dd9c7c3e55ae1f23c

SHA512
82cdfb1bee9a39092fdaf98d8992fadc00f7c19b6de892c9d536fb756b453b4c2eda6d84a99fb2f32350ec2148377f75fca99b85d80c6ee8398b612b2b53993b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
3a6fbd4f2594006375a34da2b820a578

SHA1
68088d65ccc5f818861c8f602a9e55488251e5ed

SHA256
006378024cfd0cb4d349b800f9e9ef550c7da962d4b02b6cdb66ff77132a4b3f

SHA512
df455aed76a56eec791dc3a9831572ca9b240b217d4f533678145ec6c2d097bc2949e47eed790fc8c13947e188c31a5d0baeccdca8e0987d39e2181df73da171

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1812567a397b1795a10bdb3d90edcecf

SHA1
335268a91ede12bb85b1e6c3d2dc26873d628f3d

SHA256
824d0cd0ab3fcc56efde1c82b0e67b0eb55c77664f4470717d34dba38b7f1044

SHA512
2d0c796cc8cab640611318c36d72edeea5ddebc7ccdcc06c0c08f3570294aa861ae273635f8c52dd3be9525f88a122f4bdcb9b91732eee57cce9d20e59b50800

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e3d18a4be03de43b59815fda2a7d0ea3

SHA1
afa75a747b85fc09bc2bcbe0c2be8c27f5fa80da

SHA256
1e8dbf01bcd4083749a93549eb79e7cd916beab9b11748f7f0a8ce8de28ad0cc

SHA512
c6bf85e6a1b0e67b78ccf422b2c60090de65a48bee24ed26978b67f3a6bf6cabbb468050654497e814d7434f52f73e633dcdf18170b6a16bb85513b50ea7fff5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f1985258116c43d6fdeffcedfe8ce7ff

SHA1
4d805c8029498b59ba480150c4dd73454093d162

SHA256
ec4acb10d32dbfdebeb0f51e08761a39498227944a15303fc5b459dd30ac6d49

SHA512
09df0e5813feebc1ecd51d25fb36b4479aedf19400dc9cd739adbcc1e2f1c78b42a8295fb4d48da5b6c3ba389b996501ac13cb133794bca3e7c4778fe54e41fc

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
6a12fc53121e16e0f7f8a7cf3bb239e0

SHA1
5d73f2c68d61f4ca201860346b07f2d1c963b199

SHA256
d7727beb97dcbb0800e8805ac9da2f73f9e8064d0ff06c908485e77a6ca345f6

SHA512
d272d7eb0c30b3d8bf26d3fbf7ec9aae1a2a0b4bf212b6c971cf0a06ba090eef92ef3ede8e7fe478c8806852609d1bcdd8ce66e0a7758beb97a47890cbb00ddd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
05a1472f0f604791d9b3c212ca134434

SHA1
df123e9ac2b2c18f026c853538516bc52c397913

SHA256
845936be670545812abd22b8f5aa941f7e5d26894ccc2b0adcd1c684c78e45d1

SHA512
6ddf78775683bc69dd7c0f2fc2cd174f632e69b5471bd8a92af72a10dfe000a9748390f0c7407993d5837f5f1327ce886729670de660af8521c81958b73a6848

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
d8b0e7c8fa42e174b74216c4a05967f4

SHA1
98af1a40f4616f47861d04dd1afd11c67a00cfc4

SHA256
f587db54affecfcafb70e7c1973a5d8951ec29dd0d4b6fefa325f303bfb53b7f

SHA512
a32b07654af48bf897d97e9b810329de10e9a0c560434d1bb36a2354af469f99a1819419fce80918b2bb70b8d03e322da9000e9557f264892bcb41e317de8e1f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a1b1d605863b1dda7abf8b5e8a431c00

SHA1
884a264b74b40f17a87f36940ee0f3603a7cb036

SHA256
99d9a015d440763c6f649bf86385a4ea7fb3206a8fbfda9841927d51adc868fe

SHA512
62701574ed3fb7bd929100ddc3fc2465818ecbe09f771ca0592bad78f1e65fcc1d7ad369d6229fc319f6a4558e1daffdc1d11d58bcf6e4edc4d06a8e820ddeef

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1fef6128ceafce3e1584533e84e48525

SHA1
932ca152e31073a7ef40f9a3ef0c98739b94e3b7

SHA256
1972391d5954ed80677324f73ddea4614bcb140c36a5728e3c27ded0be554a78

SHA512
36a50e26d2fcdc94f0a0aeb294f9809c3ba599baba3ef66dab790fafeec5dad8b02f73def445df85daf19b2e004e1472ee5e3ba07bdc9a516cb167df98f064e3

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7478937deb6c1f5b59038cd2a18d44bb

SHA1
d0cb476d8dde25b0e8a412183e97ede79a42f04b

SHA256
3e595bbc638ca794a2b9f89777aad4d9f1fd3555b78bc26d05b0fca7a92cb4c1

SHA512
e9d93dc0c74b8e88f581bea26327faeaf563c8e7357926053e7d25d560aa9e7680d1f1071b53fbc4bb09984c0890eec3e5f9259a9094980f482482fbb73bb4ec

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
da9d1a43cf1b1e185a6affe2e7f510c0

SHA1
bfe369e6c184f9e20a81d8809fd366c7a2c03895

SHA256
d8d9ed06f7a7cf8127785d9532390aca74ef5c27f3a6f0922fac9aaac87122d7

SHA512
3faef00bbcc10360a5560fad3f19b012a22abf38f360019e56b7e7d4bbf75508fa795c051e5a10b087cc35ecee5b8a88e3ade5d40e978586a3e772bb66f8d63f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b08dbc29e7a7c29407e6c540db2a7b30

SHA1
689ce586946b2e8115170d51a752b6dc01a4625d

SHA256
12ee1c50c8c4b8808db1094611d7df3e4fbed18f3de53b353cb662f4bb42cd3a

SHA512
5e55adf944b39ef3087b06353c96e4b38edfd8071acf73bbd31d89ca8ebad765f72a7eada03d97d5cd2294a8d514aeb4c8246e838c02079e29fd3aa0dc20ed65

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
e8e6919b0889809c9dca4becf2d925e8

SHA1
2f24e57f2f73e1ef0b6127c9872cc7175fd46248

SHA256
bace23e2e47b41fb5ff118bdc0dae452dae21ffb4920458d1381b5bfa6323b23

SHA512
874c8ea3ba73e37345f4dbd4db27d33a0cad718e6a8ab925b8d9e83c7572071a632c8cf7fabc4bdf26c5056c4911a5e2cf0193adec19578ce4cdc48a777364d9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
0a84b51e430ebf2fce8f468c18100912

SHA1
059e7fd09cbf2daf47a1ae57b8504173984e5d65

SHA256
9c8966cdcf99500a1f32b41d762c98d726cbcde0b144ddc1991d7d8a0dcec201

SHA512
e262e1af84ac0b920ffc2aa23b0a3a902f9bd113274ce0129594c83f6ae5b7f26cf32dbf511631f755d6190cb20832cc30c4f9260cdbd56e503bc4523f7eff48

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
1e8f589e980b307e6f34a47b2b47bcc8

SHA1
a978a048951e58ba54d1ba07ae1cb5f581e26b9d

SHA256
4349c345616b8e50b0f97ce2fe3f83da867334e508d4546a398aa59f27618e77

SHA512
a81b2eccfcdea15c85068c928fb31f7bb1df0b19eba77a82d446a2986db5457015db1891cbb485167aaed523ee9ffc381ef63ca605065d1f9a901018d20755e6

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5abe4d52d08a1154d4d75f0a24f8a00f

SHA1
d630b8d5e25ad16aade2c28ac62177ae2d74a0ef

SHA256
c7204d66fbb6935bbe72368cd3422dd212586420bd13f49f51b57ad33b6cbe3a

SHA512
a174ec53f4a77c915208589dacdb4f5c0b49b5664dc40e22d13f8254faeec7aea1e710f09d0f6b0acd90596d9b779b10708024a598985b28ead34972c31972f7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9922d8fb42e7834fa53b3592e2843163

SHA1
352b07297fcfde55975fb686977a410b2e194cbc

SHA256
8bb6a3de931989fed1b0de09fb044bba1af213c9a2e08d7ebba91b264d272868

SHA512
9acf09e8fa4960da7e25172de56f2b91ac09922b2658deaa20188e397bb724b9f6b0fd7a7bc33c9f181355d511f32a8926d0c73a90a3e0fbf0949e527c4d1bbb

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2627154cb4385a21f5e9863db2cbc44b

SHA1
d3afa260824a54bc8b8535c95e73681a6fbc5afd

SHA256
8b34b0c40ff3b3ee78bc616cdd912db4d1bdc6bc90aedfa21bd071abd72f87ee

SHA512
44d5d030a9c855320b024242d1c8a29fa5e5834d27613fe2aa3911d62556e933486d1e845cc652e92dfe1dedbfad92a999d1c6c8ffcc44ae880e8cdadcba0593

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
59aa1a76ab03d6702a9eb3b8ed42d85f

SHA1
fd0f6ad935dcfd696c9ca83e10194d1331a17b56

SHA256
f9519ee7227d5911a6f3d08eeccf168464746c6d2be65ab07db28cb39406dedc

SHA512
ef7620d84b51ef7446d32716435e838fefea7d4c07ce9ca73fa3c07c9797cd1f047783764145f01d918cee1e5ac4a01001f5973cf6c5fd11a4a6088c052d6422

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
18d0f312eafd97de517105f0032fb484

SHA1
f3b3661e9c7e5af722059624cbab25a60f5ce482

SHA256
2f113f3b3f916ac36f40301ba9823eb7cbb093e17fc73fdc8e789b3c2f5be1d7

SHA512
29e554966ffee5adcaf639cac754a34a438c952f06055a386e10b7d2f2d566a1a016aa5b7b3ca71caed04e6cd08c90bfb8a80e612b0f5677d201afc6f21f0cec

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
a2405d8fa118be762829519816e442e0

SHA1
a3a121c39ab1b7311abcfcfc256d5869201cc34e

SHA256
1b58c521e4f5c239aaa5addf7720e4391137058e5dc39efd3a537cc6b9cab0d3

SHA512
b071830f295034262a8257910e40698613225b4ca72b67da06496c485eb24c3e2c749513f60d998fe72e2aa2b6bb62e2418a2fac7733b76023e2f7f09df852a9

Download Submit
memory/60-148-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/60-142-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/60-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/60-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/60-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/208-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/208-158-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/676-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/676-771-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1700-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1700-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1700-768-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1788-324-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1788-777-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1856-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1856-778-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2176-212-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2440-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2440-769-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2776-122-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2776-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2776-128-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2776-275-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2788-773-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2788-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2808-105-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2808-114-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2808-119-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2808-120-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2808-110-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2828-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2828-508-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2936-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-276-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2936-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2936-151-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3004-213-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3524-770-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3524-253-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3864-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3864-772-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4020-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4020-100-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4020-94-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4244-229-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4244-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4244-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4244-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4592-8-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4592-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4592-592-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4592-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4592-210-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4648-211-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4696-776-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4696-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4836-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4836-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download