2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Size

1.3MB
MD5

f86cd4e98762f4c78117c5c51f680929
SHA1

3384b913e53b565860046e3755408483015bff45
SHA256

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8
SHA512

9b76f173828d5ee50a3f5b36a12157e27dc3b2230439943dc705b4bd76bc92be63c084c2a4c3cca0f8e5072093ab60a84e972aa3bc0f28d2de5a4dc82f03f0b0
SSDEEP

12288:VJFGzdZcEAMubvjkcH34D1wYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:VfGxypdW0sRjhm0Ijr/eax8JXO02q3A

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3216	alg.exe
3224	DiagnosticsHub.StandardCollector.Service.exe
4772	fxssvc.exe
3716	elevation_service.exe
4284	elevation_service.exe
772	maintenanceservice.exe
1600	msdtc.exe
2516	OSE.EXE
4184	PerceptionSimulationService.exe
4684	perfhost.exe
3336	locator.exe
3920	SensorDataService.exe
5008	snmptrap.exe
4900	spectrum.exe
1236	ssh-agent.exe
4516	TieringEngineService.exe
3488	AgentService.exe
5012	vds.exe
2672	vssvc.exe
1864	wbengine.exe
2412	WmiApSrv.exe
4432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\System32\vds.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\67440766e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\locator.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af21214783acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075c0944383acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf83b84383acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000255bd04383acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d5dde4683acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb24e34683acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd7b724483acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005511d04683acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002c9804483acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe

pid	process
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeAuditPrivilege	4772	fxssvc.exe
Token: SeRestorePrivilege	4516	TieringEngineService.exe
Token: SeManageVolumePrivilege	4516	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3488	AgentService.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeBackupPrivilege	1864	wbengine.exe
Token: SeRestorePrivilege	1864	wbengine.exe
Token: SeSecurityPrivilege	1864	wbengine.exe
Token: 33	4432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeDebugPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeDebugPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeDebugPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeDebugPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeDebugPrivilege	2732	2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
Token: SeDebugPrivilege	3216	alg.exe
Token: SeDebugPrivilege	3216	alg.exe
Token: SeDebugPrivilege	3216	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4432 wrote to memory of 2696	4432	SearchIndexer.exe	SearchProtocolHost.exe
PID 4432 wrote to memory of 2696	4432	SearchIndexer.exe	SearchProtocolHost.exe
PID 4432 wrote to memory of 940	4432	SearchIndexer.exe	SearchFilterHost.exe
PID 4432 wrote to memory of 940	4432	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe
"C:\Users\Admin\AppData\Local\Temp\2cecc3784f0ad991a23eb29291775fa10d9ac1f4330cb584e9d21f5defa695a8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1600

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2696

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f0b127e87f8c08c2d0845a96f72fde0f

SHA1
a8c0b6f8e0b1dcd9953d9d97f2409e8893e32da5

SHA256
d59d063582baba3be8284f933a785399376026714a96d425aa47b3abcb0a2cec

SHA512
40cec29ff80fcd4ebbe8bd93752db489e4aa54d75d9c987c40545bbec0189df467d1431a7b1e48e3113a8fd8bbf276d4a99003f50e3f3d2207e85bc576f3eb97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cbff658b2f8c8aae8f839172995c127e

SHA1
732f7d67fdf3e024ce82404760f35d5eca06b93c

SHA256
d7e10a7208ea2d69cc0de80264effd87e04e98655b4e76f033e11ded1db1fb07

SHA512
536f64c671678d1d5fc8894e1da3eb2385b44ab50dbc12a5de1913f559c487032b08f5010f784ff072bee15417f7b7ede58f71fda4058a6c57825f7005b9bcda

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6123f9e47e81be1e4a2379f4628ac640

SHA1
5da0ab300fa697706487c8bf8ff20caebe87e2b2

SHA256
19e71ed9da144822a7f3762c3767a8b1046fce3204f9685bd5d4eea6821fe16c

SHA512
e94d14bb102958848e62e3d4ed48aa3b718b7c123b752f57bef02f84801ba83e86703b2a333f62af2f92d1fca530107f12fc8d75692b89a350786e5f0d197b63

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
48b3db981d5f2d18c7a54776e3ca72b0

SHA1
40b148daafc9ad797d3f1ea385be1377b148e48f

SHA256
254cec59700c7ffe646d0797e47e125add8f355aae6819cdcc135cbe6d0218d2

SHA512
4c6f78d66134d1ef8c7b204eca027b20285de1e4bc3e241e178f8d26e49b54806079d5f7793e1b48ca81140fe5718fc6092231bac347ffd2429231d460383288

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0961e70726f521616cc5aa7550aef4cd

SHA1
b5fd78c3dc41507260684896d9175e9a24aaf836

SHA256
8db69a47031f907a3c9d219f69966af0d7f490c5833ca1dc7d138fdf0f9bc567

SHA512
1c21dca106363eb8eb0941c1e7c17fb4e2cc6a3ab3a1ba72954ca4550f1019a91c4d348b1c135379a6d4e7e32747b4bc435aa6b71ba5db3cb8b9c3adb437291f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
04d4da6715f4388c71c19112b6396e26

SHA1
2db66f150ea2746ff4abaa47f09818321249d4e5

SHA256
4d24cfe2f55d304293a7ff1e638272ce7efdd745e647d183492912b0465c0d73

SHA512
cb3025c548b92f62fb9746cfb1692b9559f488ccfb30eefc545ab49b718f8bf47119fe0779f9ff76f19ad57f0137c269e5445b3d8fc58c3d780986642f6a578a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
659e0ffffccdf6ad3cb8bc350bdb5dd2

SHA1
b1cf8018a9d096b7f1c7c93b4ab3936f54c06537

SHA256
0d40ad087db98e1d02effb4c72aa1593893baa164600ba00e89beaff1089b827

SHA512
a6d308246e9a7966ca9f880e54d46fb1b5d1666c8086d51890765a6d6b3fa0293398e0e8ae4df8b1bfd6c00e2262beaf5e521ff12e4b381eba1d12750effa5b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
458ae833f6aa2150aa2c53b79d88c088

SHA1
1bec61a82561b88bc0b982dfa375f38de053854a

SHA256
88e980d1f55fa2efb41a81855a7e514c18505328de83a6214711a97f88a5afd4

SHA512
405c67379d65980e00b0fad639a57d42c8418ab91ed873d095ecb4f5b968d15f7799d14965b46b27080159ba57c88455138663f35f048865a926e2e6dc6ea488

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6624c54502cae4836554b56e52c70b37

SHA1
d30d9d54e0e2fbfe8b81b9405a413740a41bcb67

SHA256
84ecba3f6a2ed4c0fb795107e6b4815f05c1800739fa664b6142821823233937

SHA512
1816c9fa2dbf441ff06ae105701f4e77723723b1eb5f1e166ba52fb836bc2bdf74f9bcce28b78957b89f3dec2632bdfb21567e3d1d3ebf55093b95f162537386

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea622524441d597c9b1541ad4da47204

SHA1
9e72af64bd89b5d859db07c5264f074d4e0774c4

SHA256
ce240297fc59f319ea9e3142d83a8e3a12e41e3f97714aec8cf06b785b732858

SHA512
17af1e3db936564934d5e853dc77b62dade6bf1d2f1c11e2ba955402fbb5223711e65a78c174f909db53b05cd7c6b68b5cbe62d7f45e39425e362375359fef61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a73464317b12c20bd314a8a6db445913

SHA1
2facd1fad4903255ca2a121ce4dec528d02da1a7

SHA256
2c846934278a2d5476101981e30141f4c706eaa4de4ab344a0f587d737102042

SHA512
e21d402a68637ff1fdfd6f0c4222dc26f9921d35ccaf8bf7e48e9b88a9ab962c179350191be1bd1e7db7d627855a405a13b70e5793811e96472ae04f25693a60

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a64304f772fc78372c4c132333f930f9

SHA1
7fdd602e3bf5baf367f374100de3087679174374

SHA256
2ef5bee630c1b614ebbf8f9a836a505c6c95f80a9288368c41d92c141367a501

SHA512
1117db5dc8f8e132a8842166b02cee312dba89e2d106218ab98fc68d3cd82436ba5fcd49e6b493e28282a05738d8aee084e02905c16235741dee9795a32742c6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5a7e811fcb57910d9541ffa8e8a4c6eb

SHA1
10444a2dcbb4b1fc80f5f38183497d27b2e485ae

SHA256
336dc79f53c65f417e2fc4748219eb470264ede7647064db076984ef8eb466c4

SHA512
489b66fe006f605c8c96b6f5f8f331e230dc7d8186fd8ffbde678149723af2279a569b1b04f1785595399016d3271de213727de5a57da55485dffbab1e39a6a1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cfe43672d3560d4a97602ed152df0514

SHA1
897bcac5212e12200cb802642d532a9d933e56e1

SHA256
e8a89dbf72f3cdf2b655651c09e0371190b2966ab6e5e429b91e6aae0942d2d0

SHA512
59092819be8845370c65b2503da873219b85ebaa1d229063522bead93e396f7de7ccdd346fc82bef4c6925805defc8c4b4a4e6292eedf3fb96a3a747a9e3476a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cd80757951222715598a0eb60c6be06f

SHA1
d09a815dd24e3680e04846045727c6c3c80addbd

SHA256
fe7dd0e71a552d7ceba17d95fc81a24385470bfca3f7c6df8856ebe6242fc506

SHA512
fe54d9e7a6cbca478cf9342ec5a8e3fa245ab8ffdab5a71fb8bf6781397f6fc2133f7970895c13445bf8c5ba320b2c68a8c658c85a1a4d71620fa423208b96aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
54836f1060bd63a9b3e275e5ef29606c

SHA1
f48633bbc385557d0f9b836645da4dbb19d1dd29

SHA256
07e647e43d62b98de1526db96bbb2cb121a4d987f06b1bc32e0ca33268fcab2b

SHA512
abfba60383336599fc94a2127f054c49882560444e1382fa25b87e73ac0fffb2f26df4ea4aa8386a78adacc7babe3ba1e378cb6023680fe579b5a3f03a3048ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5f4daf3501054b6221097c77f3520582

SHA1
003c97b37a79ed55b812a6647111db609ccda7cf

SHA256
34c4fcdb3468cadb5f3d09c8a37577238a84337e807a8c634bebda3be40ff9c9

SHA512
fb65062908bfbc0f5de6b78517dc24751a9c0e693da4446342a4931cb229cd2c038de3da903d2f594b9dd85c1ba3905c31ebdba8498e6b634c1c4bfee6dcdd9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c441ebcebdfdf759478b036b7ee5bd91

SHA1
c1557152db852d3446e41a1771d128b88b3d417b

SHA256
121b4b56388507fc9fd49c686ad9d799d438f926b6354a3606c0d99082a8bd6e

SHA512
de1a2b2564b5e8a72639266a9f156bd9d831056ac6e84919509b175b2ea114f96fe747154bcff73ce9eaa24df306459cfd8b7ffc5f83edb18ad8fad80fd5d104

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
07ac1d18ba8f08f7b8d4bd1acfbc8b20

SHA1
32808768ffc2171be8ddce44ba655e3b524566b3

SHA256
ac3b8441f45b09697276d80b0ab3767692c5924d00673626ad3fb8248f12c06e

SHA512
323cf31f658a76f67d1bb00d30cece3686b138e741084e3f1316c7dc89bd92cdb73323e017595825a6d850ac9590097c68f3ccde08ff03d0c469672a53af7339

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8fe3ddd41bfc8b1d902afe31ac8677a1

SHA1
e414f0df25f1a3287ef66f8e19483dc822df6e3c

SHA256
fad510d6f7414157fc971c695c8466da73c20c84ef2dd7d0ad171fd951ae872a

SHA512
c1a70b389d8d5d2e78f1842fd2bf47a2cb3bc2e0fe8e8c8ece8704a6ee820ab7b5290940f8338cb8c0241f95f21f743ed761267db70a56831800f66eefb9b595

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5642e3082eef2951369eb0c7430b58c2

SHA1
336c3e1a57042c8958c158186789e71caf2479a8

SHA256
0c2bf269386858f665a400ee55a8307547abe76ecf6dbd94e544b6cad826d83a

SHA512
6e15f17933a60b3340f9fd221020b96b1d82f715a5e1681bfc863c1f196239c396a5953f266afe22b46a7d127af6bbfdc92311d2a945074016e0282de800d76c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
87ffd29ed334132d94e75f07b12bf971

SHA1
8cac3e7b998fdd31710615c2f2f1095fbb62b129

SHA256
ab1bfc3208b06e26e39339eec07ad9809cd20b72ed9f80a7ffb7a78d5d2f35d4

SHA512
2d6626e041188a3176c50368194975121cf9c45c150a53d8731758f5cb6d7382a23c9e0bb9ee4caa3a377cc4c04f32cd832d04e28eba6ccf582e017d5d46f1ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b28afac57b597a3cc428bf80be2a2c4d

SHA1
ada59ff77878b4ec7a75073c31877ce483bc188f

SHA256
4236b9bce698d84e17f02c732b5a3d65f9913f98116889d8ca4d38c3900b5e8f

SHA512
c7527292fed0006300717027c2f7650c3711c962b16e66af3a558f0f23e10c715eeafb5ef018b73ac62a90b0afd878317e2868a7999b83431d99eb5b6a613e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e38a68173dd4368c6750e751ef4aa007

SHA1
6f003cabe2b29a9de0ac89d22e5fdb59c2053b84

SHA256
7620b4a4bbda192566e9b5b34794e2e5dee5ba4dcb1d7d3fa28c734475dc00a7

SHA512
a6e35735c3a51b5c11af76d5a8e82365635073db0b295f0658540c5175fda0df872c206da715f1514ba3b0e6095ef3c48951cc6b1c7d94ead9147ab1d5f68693

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d0cb8514552c021f36ad2dc0a47cc79a

SHA1
4131a1c48c855ba768186314a2ea415782ad9675

SHA256
6bb4633612a26cc2f6d1883ba9107a98d21a6de1cfcd3f3f3c7a146d5b698cc4

SHA512
33223e0107234b5890aec3045eb385d4383fc39ffefdbf1f68d81e10f0f48f2064410ab65a820df7f6012b679ff7181a3a705e6cdf358ddc836ae016f5f2058b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
812b93ffcc99ae47040438028a9722f3

SHA1
1b58db3402be5a97cc0f3cad38af7440fc6fa2c2

SHA256
5e74790a2f44c6ca828921554cc2a5180a190dfa012ba875a18f5ad558d0f7c8

SHA512
525dfc836725ca0e8619c018cf10086ddbc5d702af39cb20595bcc2bd8c5504118303512db9fca45b57814f7c1b7cb525cc235408623c48309318d91a9c6447d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bcf3f47b935dcc401b00119fae87ac69

SHA1
4a4ae9e00b87edde969347304780c73fe8b26bf2

SHA256
27686605f8ca94c17676ce4079d73e8bcb28ac9d93adf3c5dcc2b60d20e9f3c3

SHA512
d1d3de2620262e0fc957f1cad2f39cc21ffb4b40adb9b940300c70d760f43635e8796be71b12be7886d31a6534d3cb3aaf5c4d60e8b37f2cd27bafc340a3e84f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6af3502c7d3dd1a34f8bf83fe245d5ca

SHA1
d91ebc3a8f5f48d1ef43b7c4cf29fbc2e01e9e30

SHA256
c9da91e748d81981510641e5f93c0fe53c5408b171a4769650a6663464bcdf35

SHA512
f345fdca4be87f741755cb9fbc61925662703ccfbad145a1fe77ca5a6fc91a7ce3797f1de6044cd1deafde16a4402224080f2dd041e8f2ba5e7f3045b3b24a0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4a99ca12b80e0d298e5ca08f73eb1b67

SHA1
63c6405e1522c01c60f7d0b5730dd339af9853bd

SHA256
9b764f21db0e6184c739a9ceac852b4b84b6c3541bcc399c4cdb1877be63bbeb

SHA512
b9025a8af98459558682afd0dcb18ebb77bd7fbc677d0f3002384aac5f85a3c1af89ac244e177b35e1914832f970642dad8411d2388b0cf116142cf92d871181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
54de237897b16aad954c9f3a7260c095

SHA1
6a5dc4d9331345c352bd04bb7dc94e364d2744d0

SHA256
50fbaedb4bbba692ca55e8a4a915c321f8c6359dd3cc3853c75bd0756a3550cb

SHA512
4745fec458f3d6b88e3ecff298872a4ff722694a88ae5b73125044435e1434bd0796365beed2ed595bb4f49f8c557e6458b29e56443efc7f909a7b8efc266c5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5b2dd02f33a2d4410e34e6d24bc5b03a

SHA1
afe39bb73f7ec8798c548c757b9fab0936a5060e

SHA256
d86a5518590d42f4e65914d66a6a065bacca5567e287bac4f4fe52d9e5167def

SHA512
cf32a03beda34a40cb7144bc3e9c3219ff67d107d6c1fdb783b2879259c7dc1e795ce3b85073a7c574cc0722aac4bf48f4c121d7139f1721f6ebb3369facfe42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fdf5c10208437657b598f5fac86bc6a9

SHA1
502af0bb98d40b9d05414732f70745e169e7d57a

SHA256
442442147818c1f2b8bdea9ae48a02d8bf622ab7687b39c2a21bae12a0987b66

SHA512
f692c843afadb48ce7cba1e409cc7432d0f59b3f0a3b209e69f7c82421780fbaad34734146311ce7594fb9934ca4137d289601a1b6f232226746b11b26e5d8dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
16777b9038cd7f5d35836a816852d50b

SHA1
8801dee1170793e83fadfad389fb534de939fc6c

SHA256
01190ee68eb8db64bfce075e12fccbf598571804b4fe32e08c152688014100a2

SHA512
bf11daac9aa1aa64437b9351be9d726d535be6b77d9b540590fd4eef0c88be1fa595f47b71c11440de046ad8bace603ba1f130577d11a40ad75db90fdc3ccfd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
290376c3f659df1dd71792ff48dba947

SHA1
7c5f3fbbb5645bf6e4b4eecf1e3edbfe976e894a

SHA256
ec89a144f6bcfa32d9865878cc5897ddf4d4e6a782c0faf9c4f4307b2aae693d

SHA512
2f21eb8fc2abda5a0310130bdaf864c749b941d6876cc982354e3ed0c37f046e4e7c64a9f7d6c1bede8ee92b3246ec0e6e600e6de5f3607f97f62de5bbc7f26c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
86a147bd895adc913eb33d0fd9299b79

SHA1
b35d3ca0fbd6406c63b0b2487f99e552511bee38

SHA256
30a3ddeb71d5919c5e648f0b6de66e47328c35890206eaf1008a9d42a9160b1a

SHA512
9acd16f8956b9061b872fc267aaacb6826d5e1416c59f81f9c22b2863a61f4a9cbc0d5e9f035cfda63bfa885233a08d599b18e449ae11ae2c1fb7ed972a40376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
908876989e64640f8688d12da36ba12c

SHA1
f6460fadf2311790155267708c3c0392e1e8626d

SHA256
eaf679c97ce813097d177900acbac76e4811f09354c56ba5d1e17f171f6c2ad2

SHA512
f144d9a2b81557215ad988f152ffaa0f21703ed6e3184ff2038ff11048a4afc5bf4a92e2b0f44526484c46fe12a0cd0990616839104ed8c27a580112e92e21e8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
16d5b5570c75b06a2bf376afdd855d71

SHA1
04c8440450b29b4377a2dd4a94628a5cd1430dab

SHA256
82280f72c21f9fc8f4bd3b771ea2982f069ecb614be68066251f3e06fd9811e2

SHA512
a561870347b37342e22dfd3df7022cc042233f5de1d40276f72a9c338d9b3a087afeb4d913504310523116baea2dad1453c65e54e8e19b9da32a8f02712dbcb8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b65f01fa1d32fcc43dc7386bdb507262

SHA1
2bc6baf9522dbeed14c7f3a2e29d095ee0153d26

SHA256
9320fe9390d1da2ef6e9e6320a99a0b36f7d92389459d876d57f7e466e4b9c44

SHA512
876e1c01e984ae58833ba2558ffdb49c977f8c212e9f975866dae76812362e4f982c1532b1189ea0399732e293da1f28270d1a8ef7835d61797dbc15b0a30ce9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8ef7be6902b7948aa2bab2d070850302

SHA1
01896437fddacbb91afe24840ea74250869ebee7

SHA256
e93c3c28bd77677ecddd25c9ed8a23f2a9dd2a4eff6f8621d7492d12aac626f1

SHA512
9a54dec969617c3bd3d87ef36eae0102075731cdf900378f02c2ebd9697522a7d23dc61d32ce85a1b0a200885063724811551db9b27f690e06ca425095006647

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
97de95ce677326c92a63199285939ed6

SHA1
0439076446c1d32613154d1dc3b04378b3b313cc

SHA256
eed0378b8511b70067782e9172307e2b5201d3220442429599f4675ea1e5a95b

SHA512
bfd79ecd70740ba461403711e68b67a1530615695949ca2b233ba200061bb3a27da81b3acbeb4ee10921f8cea708005ca86c061bdf0ad22debff45f507b3a1b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
42347a505d327954b073759142e004d1

SHA1
eb2c599a6d600039f31a0b6698f16d6b9516785d

SHA256
249861bbb5e2f854028c3ea613c4ce7bd9ed6441bf87f53b7ce83e8b0bc56fdd

SHA512
6fea13f05906dd9f2a43560b410ec119c49dbc25cce3077370476c0a07c5b4ca266a972f81efb0141e2e8933e436144561ef50fa7a37b432c7e14bb885f725d7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7132042e5e70242dd6b3c67051056a6b

SHA1
997152898df343dd58459d12bcd114f3029dbc6a

SHA256
45977211bc65b13b66ed1b878479d798cd33b86353e87f1460e2940287c0eaa1

SHA512
32dfa370d083227c9c291a9ec82516e3b898adcb36635777aef8d2e4dcf4a0f69382a75d37f47678725ee5bd8b3e5db493b160a192044008e8889117f030a06b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ef22f7479562d662fb8d9b41ce8206ce

SHA1
5b75d0c954d3c68b550cc34a2834fb5f53462a2b

SHA256
2d5da0c246c45e03e05a37a450a20496c8e7ad3d6ca621a1b0d5a58c056340db

SHA512
cffb6844c60ebfc58c556e9ec090f0b87f54b9cbd1f88642c621ace8884dff71bc02cb1b3e7b15c9f0ebfacfb62f49981e9191949f915693e07e09f8ea6723d0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
7c7b5f3f29989a33916c5a23cb333026

SHA1
f7cc50793af847cecf0c79fc998596116cd3085d

SHA256
38fedc8089f9ab7244c17b3aef5317d467de0e1f406d8ba3779042adc6468f86

SHA512
81764e78987a571d4a9c1898b9f8b8f3103e042daf8220c2a1dce1aad5e007ce195c64ef44244ccb6ada9a8a0507da585197c7a61423db96e26b872d53f36903

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
59794bde147ee96ba050fe3e5cb8ea11

SHA1
ecb5b6ff12b4a220928b202c405c44d35e04d824

SHA256
82f1f281799b1b5ebd63e2e686eb533a5420dd651498b98fdb9b2bc71ccb5576

SHA512
6d18a96b606733542b85e2adc0e8dbaf9aa00012fb0cebf26b67e1aaf871c3bf6542a564eb6cf8fe062afac41510a9ea9095b1b8dbd06bf23eb1f1b48896e647

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
79abe63f7f82c79e3837f07585dafb1e

SHA1
d7b288352d2b42c26a62ea562d84cfae0a7ebd80

SHA256
6685bdf65349b297126abb10c7af35f83d7632445a1a6f80b87767974be4bbf9

SHA512
8408d3013fba0873e8a63c49dcbbc21c72958fe6a0fa03570559747c19e8e806e54223996526a597f0d5deff8382dd7ff5baf705db80624cf1d640a8198545ff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a5683e1b5ab637947c5575032d7b78bf

SHA1
53db7f33d3977d933d057123792ebb4a53147a9e

SHA256
a0c24d3d450d1d3fd5181cc2d79865191c3efc66a2a5b38fccbf1a8527b86839

SHA512
c1d830a1d43ed38e1a77fb7ba45e233c7c7edb315ce1a6f3309ade5943920cccb6548c5ff81e5360afb5345ec45e741c42509db6baef663b2b26458b7ed72bd1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d9ea4e934449824e2a5725765d11f798

SHA1
505d9e612d7e231ef457871a900e4ccfb69f9937

SHA256
1747cd509910d062bac6381184176d4de31e9bd2688c1c94dccad90f0de70290

SHA512
5d0e255ef9e240b66cade9c9bb284324615a57ba43ef45b7eba17866f967f16ad19ae2f6a30f66c29eaf610d469784499b99d116345950f34c736dbc1d3b5fd7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
57b302b701ffa40529c2966bc3d31fbb

SHA1
fe1076f3f981c37704a093a7158bdbcb7ee40f22

SHA256
c2c814ae3faecdc996843fda1663f2541c7bd4b7c5cc8817abcdf88a5d4060ed

SHA512
9b448bc7e66518400e08e3fbf32774bc078b8e576dc3c82c819d2a0736cebe16b55e714e11f6eebe99172432a36eab730c3068309873017e3b1791354180b4b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aec303f2c89b830c93d9f83072aaaa71

SHA1
a984182ee8f591ede25cfa58c08cdea670db76b5

SHA256
87121968e8bb09829beda7d6181185e049f428032473f4a98cecedb9b5ac1d28

SHA512
33f26165af48f64c27152ffe3edef58eb92899c68c9273cd067edd1f1c92f6797f8d66561d323e8b64dd7a1bdfc65dceed68b7002f2e8819f4f89ac660470500

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
54b5d41c9b2824487cbcf974480e043c

SHA1
71f0500c64a4b4e1e80604ba3121fda2fd4ea0d2

SHA256
7e19c9022c9d866e07f2c1a91f55cc29918b064fe7395eb479abdba2defaec92

SHA512
1d82a7e1eeefc67b56b36409e9859c4bf0a85b9402f4db39102cfe44760fea0b0011f95be06d67ba162c2b18d4bafaa0ed5eef4a679f1c86ebd6c1da0a16b450

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bbaba772b24c3c2c5dbae7c59938b06e

SHA1
bcc0920aa8dc076325a44fa100c6406e84d989f2

SHA256
b14f212fe0e80ec003878b2e23cf8aa1b18bb8310faa1b5882ebb04c1dabd7c9

SHA512
bf5205a43ea5cb412ebd3c4028a395e1c1baf1b6d9e67232394b0c513d1764f4b144037e825934baaae7b7380a63bab78449199774ac1274118e34f4e4d6a098

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
626b4c9fb12e327d0e458580f2935447

SHA1
137dae62a049d973870ad0ea45e86c22d2a56548

SHA256
3cc545fe70d8023140f3c09456ef911a69df318c106978a387eb4125f0b78cb2

SHA512
1ce4f264bd6228ec01b4eee6c546e29662604e47d1ff598130b733efb0fe58ae3bbcb77718b15105becbb5f5406cbbb35ab0a48432b352605f0183129f873455

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c3c7d6f44a9944f27610693e32cdb98

SHA1
b5e92f0d9fab7157cb241fba26e3e9d8a79366f2

SHA256
7eb668f2b4658b3d83beaa31138b8660662a30c99264563f7da17d6a494d8650

SHA512
5d789ae8658cac5ec05877d86776eeaaf61f614fbbdfdafc456d64d9f12ba28502482978a081568c187ab3e1abee601270802446f950588710bb2d43d31b42c6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
98ef4b8c0121f59a63a13ce19af82956

SHA1
d4e230ff55a6ee4d0f184d023f3015ef7f7925ff

SHA256
86bdb9740ddc258c502a47c7324bf38cd869eef983d2f148ef486712493d88e6

SHA512
2159867ee91a1d0839f62e71131f78e3fb6db2dae322cb7fedf35699e3dd4e8e9011998f41cd99db503efa28e5ec0cee8530dd354d308864ccf50339a53f44b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
19b800aac8c656b7f4fd43aafb9ece72

SHA1
b308bfe58772487d1c5d36e71c0175cc4cf4c5aa

SHA256
fbab19cbfc640854daa075c92822b089f2eb9a3f8b50f04a8bcfabba97d04b8a

SHA512
2550c8432a7bb460a2e188cf9beb81a53f45078974d767fb028af126bfc845ff019ae56b99598dd2a21c97c0eeb6f0ba0f7c74791d80e8d019bbb44468a1c146

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bd52eb36f13c1f095238cc763cae7e93

SHA1
667aa9cd3571a269a56e18744a00c56666626356

SHA256
6667955ced8cd715bad35902dbd211a7870dbc3bc3dfdaf52b1da05ff38e7b83

SHA512
5b59c3a8fc0a1c5b84abdaab47e12b35825c967978728ce9f4c0ebf2bdfe57e48e95d0d15ef3df99f2993db3b13148c5f556222c7f2078502d8685f195019725

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
99b308346e61fd636ca0a446eb915d5d

SHA1
0bbfd7104e71dbccb2ccc5d8e98c21614fb88152

SHA256
270be93df5d71d8739acef19d3538b5427075270f44ea322d3f67730f7a364f3

SHA512
b658da744fe1311202f07315c575650860e276dfccd8d4a3543f22e2b11c66f2e74b4e83855d6a2e67c447f01caac1381951ef5675e47502ed1ebd44e790ac78

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0657f44c90748b1089f2233bf257827d

SHA1
d6507a50999398b5399c3126c2c0ead1cb74ef24

SHA256
d7dc03aa570a199033c74a9da4ac25e7932eb7232b994680421296ded6295c87

SHA512
9ba21a929074163625b8a987e0c5c7d5600fa57d3c5a87b131fb7d4e34c33531bb30fab3d385fcba664741dbfa86433d1f09219ab49db26df3d8afd38121238d

Download Submit
memory/772-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/772-87-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/772-82-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/772-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/772-76-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1236-470-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1236-189-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1600-100-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1600-92-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1864-529-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1864-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2412-533-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2412-261-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2516-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2516-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2672-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2672-528-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2732-0-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2732-91-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2732-8-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2732-1-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/3216-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3216-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3216-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3216-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3224-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3224-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3224-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3336-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3488-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3488-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3716-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3716-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3716-60-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3716-54-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3920-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3920-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3920-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4184-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4184-119-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4284-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4284-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4432-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4432-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-192-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4516-523-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4684-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4684-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4772-51-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4772-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4772-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4772-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4772-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4900-443-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-395-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5008-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5012-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5012-527-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download