aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
Size

1.6MB
MD5

21513f050930df925ecee8e874bc6826
SHA1

976a61fab1a06ddcbe7b1d1dab4f3413322eae5c
SHA256

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd
SHA512

d9d1255149dd6b44d43c4e9481ea2b950e8ff22b19db61910d3988d2b046f6e6653b3a78852de38b7aca9d57368d64842d5c03b70358f481b0e91d78f16aebfc
SSDEEP

24576:EDMS76huDyqLsRjhm0Ijr/eax8JXO02q3A:EDMi6tSEjhMjSax84

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5496	alg.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
5660	fxssvc.exe
4556	elevation_service.exe
4436	elevation_service.exe
1980	maintenanceservice.exe
3620	msdtc.exe
2820	OSE.EXE
2852	PerceptionSimulationService.exe
2340	perfhost.exe
4592	locator.exe
4548	SensorDataService.exe
4352	snmptrap.exe
2236	spectrum.exe
5540	ssh-agent.exe
816	TieringEngineService.exe
4936	AgentService.exe
3964	vds.exe
4872	vssvc.exe
5016	wbengine.exe
2984	WmiApSrv.exe
496	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\locator.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\spectrum.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d180e0b8293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe

Drops file in Program Files directory 64 IoCs

Processes:

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe

Drops file in Windows directory 4 IoCs

Processes:

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7601f45b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5ea0945b2acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c59ba45b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edc5e344b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5864545b2acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051e1e245b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dfe1c45b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008308ea45b2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

javaws.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3928	javaws.exe
3928	javaws.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe
3976	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5780	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
Token: SeAuditPrivilege	5660	fxssvc.exe
Token: SeRestorePrivilege	816	TieringEngineService.exe
Token: SeManageVolumePrivilege	816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4936	AgentService.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeBackupPrivilege	5016	wbengine.exe
Token: SeRestorePrivilege	5016	wbengine.exe
Token: SeSecurityPrivilege	5016	wbengine.exe
Token: 33	496	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	496	SearchIndexer.exe
Token: SeDebugPrivilege	5496	alg.exe
Token: SeDebugPrivilege	5496	alg.exe
Token: SeDebugPrivilege	5496	alg.exe
Token: SeDebugPrivilege	3976	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exeSearchIndexer.exe

description	pid	process	target process
PID 5780 wrote to memory of 3928	5780	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe	javaws.exe
PID 5780 wrote to memory of 3928	5780	aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe	javaws.exe
PID 496 wrote to memory of 5424	496	SearchIndexer.exe	SearchProtocolHost.exe
PID 496 wrote to memory of 5424	496	SearchIndexer.exe	SearchProtocolHost.exe
PID 496 wrote to memory of 5296	496	SearchIndexer.exe	SearchFilterHost.exe
PID 496 wrote to memory of 5296	496	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
"C:\Users\Admin\AppData\Local\Temp\aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5780

C:\Program Files\Java\jre-1.8\bin\javaws.exe
C:\Users\Admin\AppData\Local\Temp\aaa75f3cee5e9cd191f82bc8b1de0d87e1ca115fef319c347c71a66b72a290cd.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3620

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2236

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5424

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
32e1c763dcd4ea77a20ac00a57a19dec

SHA1
b7d3935bfa627a0ee38f469173a11184587d558b

SHA256
cf310965eefb4b0669cc2f18e911e43d61697a18bce733258dfcc68a58eeeb60

SHA512
19a2d3fb8eff553bf5ceaaed208c6fac0b706c1a5e2b5f4d62e5d3b4b52ab5a587ed47c850077b2d81b78a34203980c08c823b4c4f4f1421bf9ce4c2c168e6ac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
07013a527126e5a2c511e16188634843

SHA1
f60948fa091799fc1d892c1e9009046abbd99ccd

SHA256
b7d5aabf1c389daba3616fe9f5d31686ca4bd22022e2e82301931a0071f4bc5e

SHA512
78623dbe786d8b046bebe40775bbb055499f67c16aa48b40cff620df89eb993ddb2b4ca43d3b0461ba6fe1cb6dc0d5ba538fae5cbe32a74bbb2fe81c44c37d5d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
98796bea817170934270d2586c10bc9d

SHA1
1032521b2712556cb42e65663de1e8a15132e061

SHA256
e6a07d0a00ae7cfa1408cb11ff05decfe3230928f5e2fda1e467f0e7acc489a1

SHA512
3e0087d7af869762d38a72a65d45d01751120c852eaf7b29d19b0ccb9eae0b558b4d59e4e42476e5c5e5c28fd9320fa0fb290fc0b84a5cc214accd2850afb289

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d9ab5c21b4b6ed4d19a63ec298c3ea2c

SHA1
b7a72c29a344672985af65faac9425d0a6f13906

SHA256
a194848eae76d397080d25afd1448c5501b6a1a6d7014e7bd667c3ea2f1a3558

SHA512
ba6ffe7ff35e9a9affa33169860939a4bdb7ff2e9b2f87aea49592e9dd3c46f591f9eacc860dcb9d80995ccc001e8172000c4a7fc01dfa0ac0e757af47797ea7

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6a3a56967b9a18d208483e07fec8ea05

SHA1
310c6ff407d98e718124afc607226053782f1da4

SHA256
7d6c27aba891c4adc798d519c21064b52122f5f9abca50fcd23f3389258bd66f

SHA512
436f7bb62cf9bafe85a3460fb4459bbc2a9f48f914008650c6e744690e118bcd5e4fdc2be1db84590b8e3bf5f6b237625e6a1218e05899da95550aeba0bb035e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
01aa984b6683e8c5b183e86a9e58191d

SHA1
9f7c23a58dfa101bca46ec09e140271697573747

SHA256
36ca3c3fcdabb3bb108fbff8befa7b401cc42d4d7c14d0ef41a910bae71bd6b8

SHA512
2bfb83b9db457a7ef9986a8fbac0ec6766fa1c34b9f719b1db05a05a3ef64fee8b5b5c6bfe891bf83bc2c41dd4e1744265647e9b49410f36d9c811177bff7613

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
7d1356844b70357b6fef36ca743109af

SHA1
ee39d425641655aee2bb412fd1cb505a24523955

SHA256
2cbb8bff1308422b6e061d9cb2124edd1eae503813272ca85fa66684d6495c0d

SHA512
a2b07255cc52e7fced4efbaf12d4b6cab72343bc2f210e9d6e8b68a7267177d9cd0478d52ad71b92ec1c1bd3b1e20d3a427f433f7fc38f4a6a4f7ac86515a1b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6940a50583c61cb33170e6322f3ab190

SHA1
c0fafc489f2c3f5dd0be05c271e83498ddb21af7

SHA256
55fe826ff7556273aad37894538ec42c805affdef63c73afb2f6835a3983f7b8

SHA512
ec1b03beac4d5a392ff258a6a6613eebee9d4d794cf804d38f4db31097d10d14fb23c6a05755218ac6fe855916681e534e9e98244da3914e9a976de389430008

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
1a68d60d87b7fd869166b01185e13f16

SHA1
3e0d786e4f940f47f389a9cacff9b8e1af82aa43

SHA256
3cf3b8c5f6af13dffdfd7736e76c75dddbf29949a17b5248856882c19ec4fd3d

SHA512
23e723e4db8a2003bcdff9d5770549046137e1a58782f76939c6e2e5539ef47dcb90213c86328e046559453887fd9053ec66b937135a574f14a308fcc0b5a386

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
cc2c735e402e7d9a6be128b9a0cbdc04

SHA1
dac7f29fa39d02776ca63d5464c634d0508107eb

SHA256
4e48c8d6f0149001ffed1309ee7b31c9090704f44839bfbf6c36424a95f107d1

SHA512
d9f691f5f66d48e77570d2ca68cd0d72f07f249b61c660149f1edcab1ab052284b2575510a908f1de0483bc36c8aa2629961578c5783445630a8f9b3298dc87d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9e497d4fb53b7c5f9a11486c010f6bae

SHA1
ff08f5d6efe19703dd8afd70b93485e2c48d3cb1

SHA256
82b85d2c9abb1967cf4d107fdb4d3c054cfb3ebd9614db9cbe9ed2bec3224770

SHA512
b32a20e06f58310c8a8d4cf14286ce57508a8d89dba2d7fec1e6cf39ebf6affed85731e847b66b84abfeaaba1e4e5f9a529eac266b5890adbcc4069863d061e1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a46f61825c280f330d166edac6d35470

SHA1
927ee6ffc72f515e97fde64795d02fa974fd3f2f

SHA256
4cfa51fe1ce3c131bf6239ff769a12c474ea2625f64709ef99dd4a863c3dfefc

SHA512
b24eaf1df1276f58ea9c551736bac6296f27eae536e8c56fb960586ed394a79c4f78c0d5da762e81a3e8d5c3616fea4a91ab613de40d0886fb697c9885b19d2d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
bb124d52e66b1fe3ade5957972e75aef

SHA1
bf6cf48adebfcb8a0d9fc807b084d61c9c2f6cdd

SHA256
ce4ed7ca227075a9fb4afedfd303e1ec25f9dca4208658c8e8f62970e8daa9c0

SHA512
7b0d939caaa3a01331d535b2304f9fd52a385b5c9b3ebde064d2a66cd4fe2dacd9964d1b616f5293d0d2c49f07f3446e68ce5e15ff644364c5dca76d7df7991e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
237d3caece3d8a0884ef9f411e3a50fd

SHA1
a1e6a6236bd69d58a89777a226fa2b0dc4fe3a42

SHA256
092acc5dd2f7bfed71f2fe368819ab9c66c7ed2edd2b8f4f8d50995ff9df2ab5

SHA512
84d068ecdb336c63e771b7529d2689da7218501b0bc5ec8ff93a68dd1ae66b0cc57790d7bd6c29fccf8bfec87d13fe402f8bad70976f27406b96a6aff8720990

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a866dde144898e6c9fcb4c7b85bde5be

SHA1
b56cbd6e19e4b9b46bdf9a6799284a6d537afd66

SHA256
290033f7590bed0373a39068ecb464c083c9a0df8909df8ca9c9dec6cf23c6db

SHA512
4a576e67de278b0687038f287415379d01a974ab6c3295c4fc0ce6efc2a23c4ada1a0f5c3f193ee1872b47f54602ca9236098085fb4289b87c180d562453e070

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
3f9500a73d4977048af72ce1b05a6dfe

SHA1
97c080e7860119383d5e0e7095422719c1a542e3

SHA256
34307077c4f78cb3a1cf270752de410baa844ecd54a9d9a01fad4161b32bda8d

SHA512
529712bc28a6553f0529dd7275037f2652f0ddc6787e1c59a4193c749fbf6203c1799a1d715ebd2b60ebf42bcc9a9e4480b10fea6f07b5c7232b5f88cc39ee54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
5d00d723910c42ad7b43f4c69f8defc5

SHA1
1a4d9b5d89d1c0a24e87afcb4ef8e56bf787160b

SHA256
a978def8633a7f3108515c1cc7f9cc7487aa4f9b27eacad6a8511a12fe6ca23a

SHA512
8d3f58362384112b1336c9b60cd342c3ab02fbcc7fd9bda6f8bf1e8fe86dc71c635e2062805e1811a524fe07e50bda9f63d9b4eac46a65ae47b4c5f403c1d54e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
e9c75c293d48b2e5883212d498e36409

SHA1
5d8e1e48ac879436cd9bfa31c81cf2cf167940de

SHA256
9e826438c962c0c22e72bd965594327407f41bc184e1c11664fa2d692072c40b

SHA512
51c2d2dd52a9f37a55bbad9e729adb4d635d334d7f7ff496433c6fbb7b8a0a7f8894e78c22dfa6345105c14f28d0b2406f3ffe9abd025a95264e27e7047d3088

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
23f954dab74cafd19ba59bda3675b53a

SHA1
01a218474cb30ec5af2457382bc3c0d3a1201828

SHA256
7d035f2ab08917570f252e0765e9faf27856b3a8f49d3f9d2e4ed84d2bd4c3c0

SHA512
18b5362e20e8dd48476065e4aa69679833128e8b6e8bf66f3ba9f4c66ab577f3ac58bac6a404cbd44369cb0be3527de80c5344323d0f69ccf447f3486a4d63ed

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f4d369ec66fed495f4f6aafb92fef329

SHA1
2a3291b2443f0abd998649043ba79365934a2365

SHA256
9652ee5e9fda0e73918599afe800d00d4c25d017ba6bf071ad3fac06e9294101

SHA512
cbacbbeb38584f1375a9ac1383b83fde233aa50bf84c1b7f6cfe0426a91633023c1651bff1afd310b37aa5e104b589a5f51027e0e06554bbc4f66c7ac09c408e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
50d1dde3cfced190f3b7868816d64b07

SHA1
d15232b8cb6631f00996f962fd40554ab45c5f2b

SHA256
93f7bf2c20994dd0ace38118338555fdad56fc384141e9cbadb332ba3636aa01

SHA512
ddb0a763b3c4c663e1aaa31abf44897aee8e82d84c44f1e38e62521e4d4cd77732e4b0ab1155d9d65f0ff3775c233d99294f69c7a9e43d41162e0f36532ba46c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
844c118f08ac7a74448607c01e09fc9c

SHA1
e66ae187b4a93d798370a8c9789165deb4545462

SHA256
e133c8652daf70d732800eb1630b975c5564ed5ae5f6176f594fc96d9b22bdac

SHA512
c631d8fa33949721a676db75e21d35b9a6ac4212f7742d30ea7caabd8cff85cac514e28ed7ed282b341a038e0072ce623b656b5a50eca0285e6fd5b77f7df89a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
0ef55ebddcd4f8c6afbc2b97dff32a53

SHA1
6f7ba6f43af0438e801d5f6768fd0fc99eb322a3

SHA256
a18c6dbc572a9500e96296881ce7f42e3c0354d01abd3f9ee2e2dbde834ae02c

SHA512
09682f12700ecb441c4297f338d537aba501fbb72628058fb381e46f7aeafb874babcaa15a5b8ad36a900052a48646e71a3060c0e21b598a4a46def18d9ccdf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
ff1b464e7cffa7e095a09d82f685432b

SHA1
008bf463c532aa5bb74fbb3138b9b0b55722f33b

SHA256
7b911c8ea8f4b47be23ef0eecb5e8dce3cdb1a04d11fd28a1a8b79f0ed353a25

SHA512
6d25c185e180549ec873be603421816f61e5b95bf2a2a1ac86378daa26afe538a4c812c75f3b8f87abf83d7ef3dc8174e1c39f7005281ee5a42bc127f46e9b1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
cadae9e220f2715b5cecdf336778f6f2

SHA1
0f7ad7953970f58b918ebedd5c9507aa61f3452d

SHA256
176214b611d8b8ff1e3fb0acc7402a8bcafff940ba6382507bdee0ad4bfd5034

SHA512
8d324cb8398e593aea781bcfc204f35744b690e6b88fccb52f6f4d8c58f54eba71f5f2a041537e91deea98b7bc7c7675d8b44f4bd716f7429ed44658386765db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
b98ad9a555d877b7f81c569bfd921771

SHA1
c9f9619d92c8e3232065e1e89e87b46f738ebebd

SHA256
eb696734141d73329f7bcec16d5f9874093e068a9b91bfb40ad97fc8e15afe87

SHA512
588545c2bc6f892a5f896d090491d391020be447ee3acf2480583424179bc980820ca5fd336349f601c4654482032ae94e893c235e9c46b95eb4a01b6048c829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
b682d1cfd2d39c0cd7c75c18ece08a0a

SHA1
007ea624bd6259d1a51825b502ea73496947329d

SHA256
9f67c562ed8958a36e583b544f9004a7e71aebb2ad6db7f0b79832e17d140e72

SHA512
900ca5daf45332cba3d391c182ceef590fb0a01add97511b186af358e21b5bdc388a6580dbd8141ec5ae67f3dce7612a3b9814f916512d2304089e5b9f43f6d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
865926a007150b8b81d5f15ea19e5d8d

SHA1
85e06ea9b05ac5e1e59641a611836917ab08aa14

SHA256
60e8cfce450a7d449b7e85ee549f80a778abd291340d95eada0f9b16dda14bba

SHA512
4408420f25fbd23615fc070566c707717333c671426112ec94f342a57ea069a94e602b6074ef1a442c5ae8d56cfcdc3f4706e0ab48ad336a77276e11b4039a4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
7825b13ca72c51399c24fd860a691498

SHA1
30fb841f7f54c7bbbaa53766d50e81b76381996f

SHA256
02eb71ffa6b25fd98e5d5040cf6726c35ab2796a2c53977c9a76a5a21b1d9812

SHA512
19c7c274e456fc1e3d651566b118a5b65b8cd914652609c2b7a55f70578c9bd20f4dec6ce5f17d73d281aa0f1a4065fd807a0f82a8243f23a790f10e923ff280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
9da7c215a70753d94ab350e9191bdd14

SHA1
7a4c04197b1d654a41a91109b2194b656d74cf6b

SHA256
f0ae25df9c89c093e1a4f32227233c5899a22beb9060e3898b150a1339c3d384

SHA512
47aabdcdbe984b8a8d459a1fd53f4a72d10d724be36966a1e905bb868030461101c603a423eef164e892610806661b0cc71f77cdbc64c39e34c46499d8861082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
0548e30be9eaf1e52846f15322637325

SHA1
860133e26a12ca2472f1b06cef72fb1b34a5cf86

SHA256
37cd2ca9616ef74c10527f0938e328fced32231b985ac1cf6681a475171a2711

SHA512
832d01686750ea0c2f1739278300d450673a585cdec273c100ac6ec0db5e6e27c449f7b1dc449246a6221451421eabfdb870e59e074849bfa8407270b39868d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
eebe2104c5e5e31d79a974369b628646

SHA1
1a950dd14da9e1e7fe9b7c21849b811e60c735ec

SHA256
420e39b77209d6c1d6b420071a873bd001b114e79252b26e7ea982f936de7589

SHA512
9b460df48be20368c4aba5ca1730bc05694799715ceca33e6b4c08aac172c3c3a2a1df1250a81520b1729994be0fb7a38f7d793f6d40e8e0b418ff38eca48596

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
86589e15adf0f904af076e7349100e4b

SHA1
25b1e9b7ce3804471bcfeddf11b2e718b12f4519

SHA256
54b41ed1c8e33a5f5f89be56e852ded8437317d610ecd160c6aeceb9192044b3

SHA512
2463da8eab3a8e8409fda54ac7f957ba5115d8ff11c9ed57e215dfa71a4d0362eedf1806a547cdca4238660e385382e4dfac132f8e6e9531798276c1499b098b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
559992b188b1bf6405bff275c90057be

SHA1
ae784aa7597192048f536fd71bed5a9277e5bf2a

SHA256
cf0827a484cf248692209e5231c745b9fb1c6cbd14f47359ba36e15e99c11c90

SHA512
35ac26414bf406fb155de563f9c3e12c02203ae1adfc553390117236ba7c64a3c6faeced2faf0e8b626f9a062ccac737581b124893589a9873df226d2fa0e9ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
ea1c616cf22c1159030d6a7715987ed6

SHA1
6307a41d8f112903955ca2c81a16dbd65feb5efd

SHA256
2504d08254189dda0df1ad73f79054ec550c511856bddf274009886e9cbac8fe

SHA512
903031ef3b79de07b3bc5eb4132492e5ebaed2a239dcced63f690d5eef2055999e84a77ba085f87bfefa1887386715cddb728951fc7afe871f033f27f8563f45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
c1310b85c1f46f99211de48cab5c0cf9

SHA1
54621df75e8c6c6f150c318df6f0341dcf24bde8

SHA256
9d57e56993c1dafc81d031bff11f8ae6caa71b658da476693b3443ed8f12ef49

SHA512
8a73d0df0b9070a6b88365b4cebc87eddebd0e25d9277d148b1a5a5b75c700c40eec9fb9796a172652a992fd3d35e1b4ac84cb879534146665cc5956f3282dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
0b85459ef05a4db5a1034f86c9160505

SHA1
c37ae540e0a024efc632f017738e398702d013d7

SHA256
08f2fcb98675bdbdb9db48eeeaa4646684d85b7bfd918d92c83eb4d1ceb02b0d

SHA512
0891f6dab61b003d06b6c3ceea566d8602dc7c0f5ac6defdedb293ad0d15d463773b28774e92197f6f56d155d15fdf653fcb37980faef7660ab029ba7d75c5c3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8eafda6bfc846f64f2c4f3a86c4a4d7f

SHA1
7fc5784898d2a30df9d86d2e34c310a8495f2f33

SHA256
cab7c039d459189eb9b9e2af3387ab42374dce2ff9d4ef29f7e94644c821991a

SHA512
00cfa75cbff9a0856b04c06488ca14beac6671d6eb9493db60bd9224fce653d5d4240dea28c40599450dd1be4b0b9d2f9214dc57774c0714a0004e36dca2d532

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
67823e4e51a5a305bbe41d7c93426439

SHA1
3dffe02b3f38003b37464815446e8321bc77fe7a

SHA256
984d443e65361c7b5e20d37d4648ca13c28acddb7dbf1925a82188da9ad0aa0a

SHA512
df34650b9dcfd8843cb60fd2b811383afdae2c85a862df5b4b597dc5ca7d5d5ff828cc548315fd092c5164c7e127266299ac8b6e9233db633c84b33c0887daa5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
fc972f715037be08d32b96b574cfd687

SHA1
1c38e936393d905dc0052014cf5037e140947b9b

SHA256
7ffba5cc4b28e56447fa5138a75b32bed1e29e8ffcd4c6048a9d8a9fd07cf753

SHA512
15b7969025ed4383fd7d410c6355564ba86cfb7da6101d7c6a6c84354fae5342180190a4278a05ee52223b9f42b7078fbdc6fcff2c7c8151d4c57b4f5f6a9d96

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c6ca848c5415fcec23f4ab7a9aa54f22

SHA1
cd22bf47925a93374840554595a4dd84b28c582c

SHA256
49e63260b2ecbf2919d193e4bd32076c13a325e70bd19bef71019da46acfbef6

SHA512
b811c1689668a70b83b2977d0f89188ca3e2d8354affe286c542a787cf254e55f17907224394986810f0080b44b82ccd250438eba5dee59838013cd8b30a84ee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
d6ce7e16d7adbf2fdb95ad74abbb78bd

SHA1
55ccccc416a09ed73d3c11f5af04be40913f8bb1

SHA256
8c9b1adc0d992cd2c825dc5ed26e24ec1bc518afdce753284951ad3a20df6042

SHA512
9298785d47cb4c1de7ae5c0d98888a3ed01717ecc788161d46ee4a462a78bc3e2b644a0bf6d334edcf13070c37d732e7351fb2391c39baf1303e637bae31cd14

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5339e959c70ebe258a5bc260a228cb36

SHA1
868a332e72a10f19076090fa38af3cae6d19c58d

SHA256
be0884131c7caf0c5e184dd2bbc6b4e0f0a5a0b52a0331cceb64fe1c3d199f9a

SHA512
fc8edf141a434d7f56c465052289611e67ccd576b7ccd488de1bcc86d94c5a5260cd74bd57b6f9962968f3f2986aad712472c3d1c5467f4d889011196dd45f0b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
3ae3f3c53ef252f0a3ede8de2e1bf86e

SHA1
5b579322086e9b2edd523ef9bcdfafebfabb13e2

SHA256
c59f4e55dbaf2e882c2293fad81c159b8c8780706374cd20c8a04290eadf55c5

SHA512
6eff0631dabbe657e5695b50cd38c0a4d489c2256f3e1651bb3bf22c0a0a69f051b7d4557848939faafe53cf83ccb73d6bf82a2c5f96f707d94eabb8286bc459

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
5a5ad58d4406d0f73c468fed1452cee2

SHA1
d9cb521638a18aa1839b2be74a99ab77f8bd373e

SHA256
68b6c70e87528f5086cd13b00eef90c811b4460d58343bf9da845c4a2ebf55b8

SHA512
7b4d66b79e9a63f1d09151b35d505e77cf637fc0736fde14c3c6a1e2ea36ed83e37db42c396b845eaee8fe0e3e872fbaa5884ca94a72ad9f85fd7a623c909daf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
2d73488b3431d14dd8bcb985980fcd5f

SHA1
dd7b6e5bc1c7a7c7ffa031757a23310b139c99ca

SHA256
fa92c754e8d39cef66cf388caf931d0c0aedaa60e413cfab78611d48f8af7299

SHA512
65a1435503114ec3b9f0b3c898cc8392fedeb1408750716557b8c2e0b58f87337dbc2cd5c5da12e0c537bbd4f9feba96d639d7767ca6df8eeb24cac854170dbd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2ea4f42e6fd24d30359ed5d31900bca9

SHA1
c55f9a4408d6741b03be3d4696366867ad267791

SHA256
7b5035817a97cb4cc58ef477d6a1569585ebeb79b45f88b46cc7b6694b1a7cd7

SHA512
3562b9616dad309641ae5af2efb84e2d9582239a5689df79678f0dd06e335968aeae5255a735a52a1643284c588e061c533c053c9d87177b7374e462652c4638

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b20a9415a9719cca7ae24018077cc3fe

SHA1
3fbf8c18f23250b966d9064b83da6544d26a74f9

SHA256
d4b0462482bed986a9ee58ed9961cc72d6fd5a90be82cc1c9b4db5c12ad9e8e3

SHA512
99401ca86f6b0ac706e1a9a7f28d6fa891ff55b3114c0d14c7b47ccbe41d57c6d6d18c3ff40807d1e9dd7cb6edf35da6d702020aab1025e9007c7f2232d525a1

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
48c7f7ba88f6096f2e843e444a25b73e

SHA1
abcf438b0a4eada3ce39b9f82a13403d371f8a34

SHA256
85bae8a105d071bab0a249870ef59826fc34b5d48ed30e8a50f5b95a601b2b9d

SHA512
4cca90a8e81e312e86d6e5f33857544f9a04848bacfc3cc5f3106fe76259acf36cf78f6e42896d8b3dfd04c9b3fcb8bb7fd9874daaae397740bf376c5827dbd3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
62a42d0b65065ed2e410f1e72c07640d

SHA1
229dc0914e41bed5b3c952a0168784fb6ed5fa58

SHA256
d17c5b57c41b9717bb7dbb8ea4548da0f4895f0d4e9dc0567a94779b98ddfd11

SHA512
93d233e8901f1b356860169b11ac683f2061bc850187b7706faa6d0404ded4c83f3d532cf0b2afeae41d2b4698d7d6d0c560b66f765c72be469cb4d1642073b3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e31c98e137eaa1ecfff442a8f64b92f3

SHA1
fe820cf50ecca1cd215d707d22d7354c95df1f82

SHA256
f5a7833c2608bccdd404808127b0a1f632b7e2f76e5d43812241c32b033ed2f1

SHA512
cee00dfb5a1e42c661aac531de4cb2a685010cfaa5b99d24688a3d662efdfdb9c0f752f69fe489dbd93a4516f758db5fe376166c220afc12f882b0c5e5e99b8e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
30ff61c61b65d11713cca27a158e8738

SHA1
596bdd181ae632fd6add60c4c455a62bee14f40a

SHA256
47df547418c97d11b741510b3e5271994f4869d77fa0dd03fd4dd5516e9cec20

SHA512
f3a87b986b1910a82484b9573d35310927bc87d8457fe11a7a4cc697f8c29629a68c514ef01af68d798ba771bf862e0b973094cc8e495e94eaf0f3ae994a3c61

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
58775a0afcbd03b8e1fa67e5a0691ea1

SHA1
23603e31e9185603339bb705a129b90ed12fd884

SHA256
14a1f3bc3f3f48db87b0f4b3ecc18c171373cf636093137c53a89fdb0976b471

SHA512
916dacf55f8bcbd2b496c141a707e477457fee4a9cea5c519bb6b9b88ab70bb3b2e245acafd50ae6b9b943930540912d15a7ae0af9bb59fab8bc954c1cbe5bdd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
149a17aab9700312d18e91e51b77a1f8

SHA1
74052f7bf376446b9ba8aa5c799952482757330b

SHA256
9d71bae8011982bed359472582b0559a5e40c4931439cceb8ca2748416cbcf5d

SHA512
c3ea2a78f623a576142fb5eac18466f6b50bfa33c3d9b6a35b29fbb1ffa915914e79770c414e8aa9ca7ccd17f3cf9422d04ff618689dae34fec55ff6e6d6c67d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f68bf2bbda374269811b1370b10711b1

SHA1
35f717b736f91a443951c8f46183fda7d3b81dcc

SHA256
192ec6f23efcbe1b5d6c3570ef7c947e115c55de59cebe7a54cac224c5204c0a

SHA512
393dca65c412d69e8afba56c96d2d4dca5b6b1e7f22b17e2b2fc1e77c4b25eff48e3cb6a6a1557111465ee7a08da8488d8dfb496726539431e1c5b56d86a96a5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
f3a0f67a19fb4c7073b3e2efb883b6dc

SHA1
03e3462af39d89999675e6b3f30196d4b4f8f7dc

SHA256
7fd76268093a04cb2de175bd98b67f360555261347c3a3788f33466646293c67

SHA512
9ed2d51d7fdeee773526f40510975adb56da012c47e294746e7c7e79bebdd62c8ef1ba82b8ae65de2d7da4c7c549f6bf9ba36473f98be281692fb2861944f72b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ea54c9f9b3ceccbe8e1e6ea7dc99beb5

SHA1
08ddaf39d304f13c2178b2ff48fbfba4f7532dc8

SHA256
87967ceb2333e6ad0c465d69fc44e201944b60d202bb6ae8203dea96f2edaab1

SHA512
2cffe878c50c74184ec4b998cb7479deb323f344741395b43d2f79dada70bfadd8aea06f1819ec4051c4a8c84d6861a5f8b354bd593be77501db7b0e9f5b3598

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
31aec230c770b962078989a2d4c85c26

SHA1
5cfb7f3827913e28f8237c3f91dc64316e7da3ac

SHA256
8320970e227e1668b6a402fd5e5da65c86c5028bb6fa98b953fe9a084be0a9d6

SHA512
1ee2d6a06df0085a28da46455453b404e47bf52af60f36138113abe08234e1a88d8c58659e9338a171156930916938782718a743d68c7143ff1c8b6168e2cd01

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
b067017b50e2d3cb05edd47134109b49

SHA1
82ed07b88e85658c2a9f008557696fde2e787a89

SHA256
30862efadaf5c1b57b7721d707bf024c52eaa6d36dfcd8ff7ab00675361db4ba

SHA512
864a7cc0a9104f3fa269a565780f3b5563273c8e94f6243fc4de1cb1c530d0aaf5dff73e4a9be4afbef009b534d0579c6f00051c8bd1bbbf33935566eae5e20b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
b07446a453ea71d6a751d7d154d3671d

SHA1
75d778c39d8008437b69eee47adf19d6344247b9

SHA256
bbab186ff5d70128678e712c6850e6693a7dc8bac68b76da1a69e80f58b5485e

SHA512
b7bb194e74719211a7ffb39ab8e7e87e47a0e6b2907bd702d31adbc9f82fedf0b5f4ae25e064d06a6d3c64872a3622ebafdaf40ad2b60cf47048d98934893358

Download Submit
memory/496-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/496-659-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/816-269-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1980-87-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1980-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1980-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1980-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1980-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2236-267-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2340-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2340-656-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2820-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2852-655-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2852-123-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2984-305-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2984-658-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3620-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3620-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3964-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3976-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3976-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3976-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4352-266-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4436-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4436-508-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4436-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4436-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4548-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-505-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4556-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4556-56-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4556-50-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4556-507-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4592-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4592-657-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4872-271-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4936-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-304-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5496-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5496-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5496-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5496-139-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5540-268-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5660-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5660-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5660-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5660-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5660-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5780-459-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5780-8-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/5780-463-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/5780-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5780-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5780-111-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download