7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Size

578KB
MD5

249b72362af18a1d8415e2545a4f9200
SHA1

7dd4cd8c6d8c2624f2341a8a3e9bf6da9d2f4030
SHA256

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211
SHA512

f52824d8a14a4afb8eb1ef4fa3077c9e3475fca0c1abfa33ce0a243c6ca62d442d7740fc88683ef4f1ae3426c92d2cddae0d2adb5024e4e721d5d75fc4617071
SSDEEP

12288:soH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:n2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1924	alg.exe
4452	DiagnosticsHub.StandardCollector.Service.exe
4152	fxssvc.exe
3788	elevation_service.exe
4776	elevation_service.exe
3304	maintenanceservice.exe
4144	msdtc.exe
4752	OSE.EXE
4756	PerceptionSimulationService.exe
1680	perfhost.exe
232	locator.exe
2672	SensorDataService.exe
396	snmptrap.exe
4968	spectrum.exe
1812	ssh-agent.exe
1196	TieringEngineService.exe
4092	AgentService.exe
660	vds.exe
4160	vssvc.exe
4608	wbengine.exe
5052	WmiApSrv.exe
2328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\System32\vds.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a9bdcb24c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000841feb9ebaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044edbc9fbaacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005895e19ebaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cffd0da0baacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a42a999fbaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe

pid	process
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeAuditPrivilege	4152	fxssvc.exe
Token: SeRestorePrivilege	1196	TieringEngineService.exe
Token: SeManageVolumePrivilege	1196	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4092	AgentService.exe
Token: SeBackupPrivilege	4160	vssvc.exe
Token: SeRestorePrivilege	4160	vssvc.exe
Token: SeAuditPrivilege	4160	vssvc.exe
Token: SeBackupPrivilege	4608	wbengine.exe
Token: SeRestorePrivilege	4608	wbengine.exe
Token: SeSecurityPrivilege	4608	wbengine.exe
Token: 33	2328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeDebugPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeDebugPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeDebugPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeDebugPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeDebugPrivilege	4972	7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4988 OpenWith.exe

pid	process
4988	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2328 wrote to memory of 5572	2328	SearchIndexer.exe	SearchProtocolHost.exe
PID 2328 wrote to memory of 5572	2328	SearchIndexer.exe	SearchProtocolHost.exe
PID 2328 wrote to memory of 5608	2328	SearchIndexer.exe	SearchFilterHost.exe
PID 2328 wrote to memory of 5608	2328	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe
"C:\Users\Admin\AppData\Local\Temp\7a11cde31d77925e64000e460b65929624b3934cc8291856263deca83eb76211.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4144

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5572

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
1⤵
PID:5348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
283e5dd7f0370a9c7d0d379d06aa116c

SHA1
0bf906aa9e68408c623a02053f4ec04ff4c18c4f

SHA256
90d9015228595e120c7332b0649682af050650a47356667d0350ea24b27adc02

SHA512
2f23fde6b5ec764ac87a5aa67762151efc741334b88b9a94584fff8b84a1327f0c4f92b96d7ae531e865760caa0fe9ede76accfdb27db1c0a2a752840ee4e10c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bb86ad80f8bd2323fc1706dc07197e83

SHA1
abbedb45d9931b5f3d59509068a9b05ddeb4b52b

SHA256
ecd7e6596d9b2b405d891fd981c76562ae42b40844414fe1f2bdf7f380328ee8

SHA512
284f1ad53f731f592e0e47d7bb30448c37e6d467e0824984a843cfc29d75f64ae1de613a1136c328c0bb5aec51ecd1d2f3dac67b6bf65dad649450aae1e4406a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
033d9f64d648d47456d1bd2637d3a09a

SHA1
633365b4f6b6143ce9c729d2372b538fc72c0ccb

SHA256
1199f9bca66b098f413d0dea995e947f45c3b9ac80a10d884bbb547ed12b05b8

SHA512
d9b5959e1e8abd4c0619a6e8f666743efd3334315c31d71ce834e2cb1c447ee01482c51930418c9b904e11ec7dc0d93f333855836a41b6797b0dab16daab47b3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8a4670fdeb8bede6297382e8c30d8c3b

SHA1
de0e66c6a42e7079778b9753bcf0fb1a24d88721

SHA256
1aebcf221c936dcc7f01ae2af48a0a4160a6e845abe030b28388a56fde44c0ef

SHA512
91a56f22f495494467c9663eeb09050136ece6b69e79012f49d09e895eeb331490098e1a3d08b90b8b240d0f3ce09e51dab3d6582b417d746ee6423c5cf83e85

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e37d621177764b94b09e76b67f266da

SHA1
eb6ba40b9ab3c3573665c7bb09c5f8ce4b8d3237

SHA256
3167c317c3ca26c806e410467c716e40fc2912ab11ef509e6751c09d4f366626

SHA512
9d9addd7bbd38f6e84bd0c6d78bc1df6f3cc6518fb77fabab8a85869e31087f7014e30b305175c5390c6d464872bae23291567fdb5e7925d69038c588322c665

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4a7cf871e1321313db18cf36c47a6b77

SHA1
b8380829856a293c6072af40f8107a51c4776306

SHA256
7db02aef4eaf900a8bc38ee1468a3ad9b0c3468fc463f69db505a2a54de411be

SHA512
7a68e2eea8c52e5946e76238bf6b81c059e11a2f9c1aa3f0ef393fc3609e8697ff1be411a84f42e35496ec63e327f4e7e5701ec543dd570284fc51344ee78fe6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5e8b920a7cc0b9763699c979d43008e7

SHA1
d3238aea2b0992dba3c6520aea1319ca62934b9c

SHA256
ae6d33593672759f1dbe6d94fb655649fd8a9570aaa121b8b2d6ec95baf160c7

SHA512
a75ed74caa1790be0961d453ab78cec1fe9937b2b1b6aef973ec0ccd5aa61f27c8d801b8ecc01938653266a761f2b0809bc40e48097716b5810cc654d4a33502

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bab7deb6addf0c7b97bbd7742f40e2cd

SHA1
da9ed0d9b5fc39c5ef0603908c342d6695447a1b

SHA256
af3276c064ce1e5f10451da4fdcaf9bca3ad63cb8e89c7a2bbf9d30c05905140

SHA512
82c8b08ab107c9f0f55162bad0ba90a0e89e5154cefb2f87c15a90e2389f78840a8a176283e001cdad0b8df89c5cf1f44f804873e2754dcddcf1e163e28c127c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
974ec61d35f653feb3aee389a39ddb7e

SHA1
5c5245ff2b1bc6b2775882b8f83fa3a314ec960e

SHA256
c9da9119538175de02560897d3c4fbd0916367c3906559c5723520aa5fb55de7

SHA512
95124f3780b84ab8d3f45bce3e74beed839cac2eb169f1eaec16db631200c95ba8981a78cd8a62dbdcffb338779c88435f715cc56b6cdc801f50226f76bb750c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4c2db80e6730c356bc204ed252066fd7

SHA1
6c940ade1ae594b4ecf803ea6bf6d2e7328b1064

SHA256
b0a0c52fcff66a797f240e9ecd10ce2d2b11890223250e4d2d55371f7d5b0c57

SHA512
f065c85adb924317afcf8427cc2bac1c998d22368ce25e25557699ec424991a6c9f22864afcee3a66e25d0314699b2366c523e7870e974bedf07d57b87f0240c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
03e18708a2127a45521c6b562b5ede29

SHA1
aa3d7abde1922436176dfe3c35cbabd11ea1d8f7

SHA256
597d42a4004e0486321a02cf682ce8cb18e49ef5a343d11c7613dfab89535185

SHA512
46c79bb5455f57074ff7c363cf53fd42dcbf6e2961fb0ee4324fbe8f57a754e078fbafe8827a662c781f328f843125b6a87934153030baefd8ba2d0e573420ec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dc1625b20ba789b738c74f0fed593ae5

SHA1
6262dbf7cfc3564d3c7807d7f75f45b0b4b9fb7d

SHA256
aff1c46e99722eb7f1b5cce4888023ee231d5b6e4dd56f694b3671f4d4f5db30

SHA512
2d6e3f4c54072ac25b433574e0fe5ea597adbfc5b2c0551d53ef7b5d02c56f1f88213ea1402aef83636c5af9aa87826f23863f353d2499be5aef17be20f53765

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e9042921dc504593b8a2b9f8af2668ff

SHA1
f7daf6c96371d18438302a829422a91fd2a1dfd4

SHA256
2ea5474a4374004895135c7df885e6fe451cd7074ce6401f202fbee529890b47

SHA512
c7950cef15bd1dde76605e7cc26428df96f422cf99679659a7e33aaf78e9bef919c0bbe0e2cdae734b40ce84cffd4ba68de4d01e1541fe124a405ffc792953a3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
91a96521f2ca19d63131f7ed15c5d059

SHA1
861218bef048fec8eded18c251b398886b0a740e

SHA256
5b4ba41ddcb9434ed8450ade49a188acc20b63b5486acc91bf41f51d9dfa4f73

SHA512
bcaccd4dd30d1032ca2fdf1c858f05714235195b435967a780c39a158c57dd3c5b4ce552f32c2fae1ce8f6777362745644fea8e7df746f2d0361d87cea963420

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
353973d4958be4968f7e7fa67a129425

SHA1
994c03581d556039321cbffeb2b0f3a06aeaf821

SHA256
1199969a6023a931de7f0720097cf8b39377b123dbb83c20c634257e98ececfa

SHA512
1492ab58d81dd3b649bb3e98a1d5e518cc3834c01cf9be833baccebbba56b1cf5994273df098f529c0606fea7ab70e9c60cc90b5ac9f5b1a05763458cfbc8f66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4eb22d0d17a9a42acc5e2a7735f4914e

SHA1
b2d66626f778b612e075c70c307891555d71567d

SHA256
c1a3b90b41519e9559e02d7d534c6c1253e6120bfc6298f83af6cafed7da8ddd

SHA512
a67e3dcf38426a6e2e7b92abbf3fb09a009a9a98a2c68667549926e51043596caf94bd51e8de1375d41899998dbc6d5f1148f87c7465a40f626e26e0c6bdbfab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a5e1690152d42151b31d811c3a498ebc

SHA1
726c34c74a84b9ef7186e77bd17ffc362262e431

SHA256
9befb3c6d15e491128d2a0ede38ab6ac7de1e411168d800aa82f30ec63acc8bf

SHA512
a7f61847904dad05b2b233bf5771a01bffd75d2af1350aa444df869e096170d8a7521e849b810a86ef2fbdc20e816dc7a5ce8e394d06858b37a461431942f509

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
03e803361f4c1e7efb6bd2639ffdc796

SHA1
669ab91edd31c216146ca274c4e0ff2ac71fbee0

SHA256
7babc82cadd37f2ebd77cb39d66464a4f4705b63c441e29e4270a102de2f730a

SHA512
f8f5d0e518d7ab966ccaa30bbf5c77a6ee5a880e61d5a11a1e933698cd5123fa1a1133965a196b9ab7aea1d1721c6285c2b9660834fe4e3e561b5041c698bd6e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3003a0d6fe8859cf324777232b08bd3d

SHA1
70dedeab09dff090663209a8c90c56b55dd0318f

SHA256
f67783b54c31247a458bf5b91461355bb04c0090d4d871169a2add0e2df311ec

SHA512
504eccccef9797b23e91663a4d09261753ef30c4651743be369e6b65deef87d95b287489e10c5f861c5a39304a19c25b8d9baae1b1b5c34b51bc3c823495209b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5d8c945ab5403f0fb8a51d3e4941343b

SHA1
b0b141eef54645e3cc37702a9530aeef57ae9344

SHA256
3c5f75ef306937d1fe0715a65bba4423131d490650770d1bfb858e438ef77a26

SHA512
d98632357af21538022b407b1156ef99e5821b4380975f0617c44d8ef057e2ff121abcededfec3ce3848416067174f34ca705adda6792dd74c42bb51e5580a05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
96c0a43072ba2dc29ee9cc9497ab8662

SHA1
d5db6a15e1469e7f27ff7ecebe0e3521a8ce2016

SHA256
c9e472b432f8b93244e5bd7ba5dac27336d87dbca21455a650ef9bc23076e3c8

SHA512
2865de8d9fb15ac1814c739badeca4ae90369bfd5ec42612a4556fd6846264402a52aef0665b4bf97d37dc4ce670bde05d51e913c5474b81b90200aca4753dda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
954cbf25d5e6e923f5441702512bec11

SHA1
a7eca79fb4fb489893e4e3f10d0bef3059d725fa

SHA256
64c7c4408440a1c3be25d0e2996df7aceb0db4b0ea0e98735b61e6ce8d75df5c

SHA512
96808088d4aeccda60c6a10be510abcc57c09f9559df993deda0af3a41ed2aeb9b2331dd517a05584301d649f0dac904f73deb9ee50551481701dce4b53d738c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d90471c3811a953a446f46a2c2746262

SHA1
bc6d5c65a99f32d0f85d427c5a348910e878fd6a

SHA256
0aa44535c830fe488d104a066500363fb85418d549ddd2c49924cb7df8136737

SHA512
354b0b5a001d458d8b7b7798dac87fa604ec1f2c45f2d898858484e1095ec520743536f9279b75893f4e56400460fbcc8164d56df2979db5c99dad64f98cf869

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2bb85d1add5a9666c66021762bf61300

SHA1
98171e52cf0b08d1fd8fa62b58624cf9614b6bd2

SHA256
8d596c6a37d7d3bd301076392de0c3d2fcd709f770433b55f4f678976d24e375

SHA512
f9ecb0dacf261777b2ce1c46da9defe49c379f45bd56928f6de74dbfd00a002e05b5b34017fbd1331ae114a2bfedc099ef636b204bdc349f4b68ad8974b55c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
119cc46acf4ecb06bbb2e66f7b07c205

SHA1
8ffd58a47ce7eb5eea29714c9b32535360759630

SHA256
1ded0375542899c37a8a06dc86d55e059bb03e778eaf6a76177459b330a134c5

SHA512
20a39837753837da0ae65ba5f12c043293c83a0663b79ab42da091a30880059eff4b381463e5c49541e016df5270a8f5f82be79fda08d3ff6c182de287e7d623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f9099f2323e5393343234bb279394553

SHA1
eab6a2b23d98c90122a9d69576721b30a59b81ba

SHA256
f5cb3b63ad7e2600fb2d131f82b0a2e2ce34dc33eacd7626a7dc6a15b443aae4

SHA512
07e4c8e8bee6a404a63c1ffa234056f43713293adad74f2b1ab5eb0ad9152da8e975d6e80ddf65866ea13f9cc79436ea19e5847640c62e03889661772484ec5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4d2d1eefdcdcc984d64a20db4b7e52b2

SHA1
77c18f3259c86a305fe674277502e351a4e3fe9e

SHA256
af395a03efcff2015764889927b74ed6e5dfcf9081171cdd5e4402a96b234e4e

SHA512
ab0328eb1acda33ab3578c63cdc32a51ebe8e3390fd5872a10c5341f9cb66b39cf06f3eabef7638543092cc9f5fc95e5e57c144622a0ca13f2180e97cbbef346

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
48c16c29a0a49de9632fadc7b703d3d8

SHA1
7346b4f3091277de08513d765217922d9b38f5f0

SHA256
36c853a49d0c9cc3b5a75efbb17679b43cc090ce81115d6776363eb34a8e2044

SHA512
d349660826a59edebd33233b527d8d4ccd2adf716724fed3b93ea2eb11ea80e5f75a44b882115d4ecd4ab79ba55f7be69fa290d5235dd35bdf8ba6d3ed861108

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
89a977e4a68e2cde2386068fa53987bf

SHA1
6eb47ce3b2659187631646edefccefc15cdcefc2

SHA256
d9ada48bd02144a84f0c6cbe43f7f1b7cd857bbb4714f6e7930044b2ce797675

SHA512
8bd2144def89dbd130864e63f2079a099f0761402a85375bdd20e18488d42d91093432562d62ce6250ef393a91669950b02fe134672f4be90a1d004ffb019e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
30f065f7db470dde0e592e7026a4f714

SHA1
2222e1aaaa2cac3ed251110e6f9d7fd89eb546db

SHA256
9f3650fa63457de9206f6e849fac7dd6a246297d82d00f70fa524a14b8011c67

SHA512
20037ec32a0221f0ec425118509abcdd235f9703248461b12d039c148d55544f19633576928dd280639863a2f259f10cdb1a07def4a2376fd96054222ced1eee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5227647989f6183cfb3c5728ce4f7084

SHA1
02e78c4434404d66b4f0345827e406a778124e6f

SHA256
3330dcfb785eda0c24b0f7425e72986254f3105a6b35e2eaef47960837493c43

SHA512
9d03878fad8270b94487f543d5bb3c2006c9dbe781212fb01f5e550f88e0ce6695136e76fb29ce172ad053122b2c8a8488327ed20575d98d3d5b50ec3bc87938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b714dd264f6b3d43ed2d731b65261ef4

SHA1
d1de0a6bd596eac5f27c01a774a3d9dba506dab9

SHA256
d14698279e7641078da6d271d9e0138c6b4bf8a0efd13fc1ae7764c438bb868d

SHA512
499651271d8e59538e74ae278b4d9db9b246a49e59da4fc4468f9c02b99ac66bc5abfb2a59063ca36d3765feb48c5da0891d8e5f34c26d9e08d0ff68e03f8d9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dd06f79313c40b1f99c8688492c95f4d

SHA1
9f921ef92f0c443d5903de5e82ccfbce03b7a0fe

SHA256
8d450f9dc4d9298b11d92b97c74148f4697bf36000f5d0fdae6dbf7702ce7ef6

SHA512
eebb49448abfa2358f8a10144001f9a10f1f470c224b8c063c2b26ef05cbc0eedfc97547daf1e97a9c652e946c976683cd2d6aadf028cb62e3dddbe1aedfd97c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
99ee5031b7712e96fc954076e254fdff

SHA1
e13ec20caf52e06350fab38b95fadef390396fd1

SHA256
fb559828b4cef4b9b40b6ca5133975bcc5763652ee32450c3efa7d1abef7f0ea

SHA512
eb8fbd2184d63dbf989ee63529e663aaaec9d584efb9f42223db0b0e305f19a574bebfdb703ecf7c98527c4b05cd9995d7088f70730ea55a619885131c7de46a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
48648e5f1b06ab18db83ea09da1fea16

SHA1
bc0dc6cf16a9f7024232880a9775a56803dae87b

SHA256
2fe8b267061eba266308ce56756642ef0acb81119d257c38dfdd92d431ab14b5

SHA512
080f34b64c1ebd21f16d1f3e2cfbf7b71bdec59afc69c95a282cf7223cbfcacd2e61246a98f170d1f0ba0e7e5cfe363b4a0a217c24f4eecffd47a4d24d3f7e3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
13c217e0f8110890faa4b03fe6830303

SHA1
d95125db017afcbadc03bfd1b9554c4d18dbe5ec

SHA256
d72260d5cc1a2f99c27c37b5250a5f817039ffeb32b2ed40d3c8a8f3cd7490b3

SHA512
5863d8909abc45e114b46ca78388cbd3cebeecf4eaee16099b22cad615044b4fe411c413e5efb4e77b001be59115ba67cdba98da6d84e6c7bb86502207c1f14b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b23e54966f32a916bcef4e13ee4195cd

SHA1
af2bd191ab15cbf7ebb8f60a50e581233e57c4fa

SHA256
847103f74447ebe4adb49475cef850c29f23e13d1dc63faf33e815000f096f94

SHA512
c80456257c44180779d34078ef3d8c7dfbaf8664b6d0369eb344708e354da8ff6ebf9700bf864770d80169bed1ae56d5259e3ceb5227188865685a9d1f11b932

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5ec9f275300fed5e52fd34461d99ae93

SHA1
a5e011c2b4e8eadbf63f4e7641e1f5cc5aca351e

SHA256
399c20a9b86d5a83ad3c311e7fa29c8f5de40f8b296471861a7810506b73608a

SHA512
296f543bf78e9596216503668c3f47e90b3254c5e58cb6e2eab5d3019aa887e66b3de522f9ed4d062ff393720428c64a4f212f34fdb5a8c5ea99c9ae3a3dee9a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9ada9d332542f9e652cc825f40dd2eb3

SHA1
e17fa02adceec4f2076038725c473bcc81dd0d82

SHA256
7f19f2ed21a9ae855be48b2c9b1f5356d7921170dbf06cc06f4d93571eec96ba

SHA512
da0238a3ad30e256f7a9e6f508dec74f986caf45dae9fa1c5ddc44b6808d3e79e9bc4a8573cb3a7f8e6dc8691ee38db71b6887277c0b69cb934c51c0117f2f23

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c334a916517dc2927b8e351236e5a34b

SHA1
4a5705f859db5ee30c8df486e4d962a45f3ed037

SHA256
c4dc26f44235cbf87267a886924cb8d595e9404704513715da6e21fbeef03018

SHA512
7858028ddb56aa7c508bcbb9caeb9ca5aaa8b973f34ee7bb240cab979fcbcee55dd7dee0db2657945ba5a74ca04b6b0c17edf789284637ec69f1abd15477cb1f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a31f07e36d4eb8b4d0b0f4da7e1c93bf

SHA1
b96394653c39ed916c26e1ea90ae22ab22199663

SHA256
d27d884e7f7a66805924f52944103aea6ea06c80e2a181b83cad39fe484d31da

SHA512
49648e0f188f67396858b953c0d452d32beb358171772525c283a4bc170470c66b702a664a20e7981f4616e306b6730731d026e5f2f8a7d4c07ef187c5a5e74b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
212a3dc62d03cc07d302d1d633132f9e

SHA1
35a17bbd7dc6ad12216d93ce38871515b0a9a423

SHA256
460a654914bbcf20421f99c18bf179027b8afecf8c97d04f87fc517ff3772618

SHA512
f0d09f1f26be67a3b81fc3e290545d920b30822da1a917adbbdd628d24b577b340cbf0c02bd7561c2f0ca8eabf384079ee69f7369ba38329b5f303eaad12ce33

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
76ef501e4882f530245f31310133ee46

SHA1
229cebf326e433d98514171efde5e14cab9176c8

SHA256
55e5dd29afd5a92fdbba49f548e8b9b6b8796253cc94898fae708843f0dc2d46

SHA512
1912e09af7c0a88b1ef348a3b3868b717d24b7f93b45aeb2e69b6f9b1fe931cdd587d829f92e05fa7f51a8ebf3575d8d2b8dc9e08208df78851d227e67524b1c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8bc1d636f43d4949d4034c4d2d8f30dd

SHA1
bb313ca4a1638c84fa988c92a474d6a4fcde2b15

SHA256
f6d8388269b875ab53f82490366a83b4ab55bedeb914e562d684d4a1c73b74db

SHA512
5b0ddca552635f232922fb961b67f62ecd7fc483b3e7586ae44ab6f2b8ccd340d6a6bacba2195e0118cfc6df4624c3d92a67fd5a10a633afd34caca24148edae

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
60617d6cd507192263d0ad24be8d2ab3

SHA1
707b9131ba4b74cacbf46d141ce470f5494448b5

SHA256
ad81f2630c562d266ef7b60409484797e77c088e286cca3b59505fac5bd0d89d

SHA512
f71caf14d1ef9395d0269d885ff14ce5dfae8b26d7175bdc0b6c92d1ef1b048a7659d33f3909e2517fab5dcdc6fa474a541dd3ab3ca6d4a41a914571d1a1577c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
14ac2c513ca81036c67f676148f63c06

SHA1
ec29625b3e3e971ea63a701ad8015814169bed3b

SHA256
f99144ccbff80604cec90fa32cac65ebed19f73bfa8412aab869a4fd7decf692

SHA512
2f2d7505aa363899f28d66ce7b54fd7138feaffe424402dc15ffec6c0093347e87312ed0330dc9490d6a7636896647fe901fbe6671a46225179897d60e2ecd23

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1b6b06a13429daa80badc0defa228e29

SHA1
db474e7871a2145552361dce44a8d685bee7e004

SHA256
f60fe1262fa79cbef69f2adc82457a8a32887b1813f303bfea80a6ef6e657c8e

SHA512
cb5b57e9c8fcb8d26e00349b5e1ba68aa0d32807864a16c8810950aeb958e32422455572e20a07ff2e2fecec0dd9b81cf88a02695bcd451a525b7188082447c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2780acad629868c64a1d00b2643f3dfb

SHA1
75a66a5eedfabcd6b6276f8d1d23693af4f1c74d

SHA256
5e1ef2e6bb2d6e0a6042e8325b44d77f1619bb2185ad671616ff9269f513b7fe

SHA512
bcf94b8727023f437d024ae40fc1f6cc8a83915b6c4e3d764f8e29ca7ec5fb92e69125f6a4b25b896ad905d8904546f4dbe9053453777b95f1b74eaf4e3b9de5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2d9ab4d68e8dac75d0a5b2106da69ed3

SHA1
4697490518afd0b6aa4879d4126cbbaf97ccb2ad

SHA256
0e568fe30bb1960f76bee8c35c030c574886f1a5af6d477b6a90f35fe1efe368

SHA512
ad7f4045fe74c2df9b2fbe983cbe9b928b40e8666c5867b6d5b4c66eb03ada49590dfd6a5e8dc7ba1f6ce716f2a7e3bd8b53f64de097a00b68f54e3798efe3e2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bd1775f70f3e6040c0d4b9bcd036f04c

SHA1
c298675a401bae91f1ba750b680326776901b32d

SHA256
a0cb59209d204cb026a460323ce480407fe85733de44d20cc51e6b969b94296b

SHA512
af453a3dd4e9ee5f454834feb039eefe32fe21c2964886793e0b13a77f9c777c9aa726dd8f41eae22b8812c8fb4018d1665aa302786cf4e08eecd7a0424e8fa9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
dbe0348d53405dbb70391837047c2e96

SHA1
cda581e0da87bdf4a074ff92ea5cb7afaea54c0b

SHA256
157064f91f22aef6b26d2768edfa5f44d8d894ce55b5256eeb819a7f723d6907

SHA512
093af50944bb844d4d411e4e525f259ff2141b83ba5f4144cd263737e09a4e866dc69b2267eb2b436c05611c7f1ebaa70ca2ae05b9cbc74431239ef968717c78

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dea3b2b96e8b8a742a9c4ca900f1a38a

SHA1
d66ad42e2c734069f4b6848937ac40fa820579c7

SHA256
b51214681d25af4f4dd998dbe3101f8b10a065960ccf42bd0f6c4af06b907a94

SHA512
b27a59318007c8487747502102d401253f009ba5ac529469bc788afb5bcba009f8794271cd41c7b0c9d67d2251097b988cf0ee11285b70909dc08880c3bf8925

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e620d654224dec95bedf515b04638f11

SHA1
40724e4c6aacdc496d9c648e4b55f1cdea93d42a

SHA256
0ca55a3db37c485a96a94666b77c6d4eeedcb5b18f1783aba1be4ea76f3f2bf8

SHA512
62263b55dd930cdb4423dca6e1bd972fbcec7d7efb2b03d9a9d74dc5d8ec4ab893bd348fb41a32fa569986ce9f562c8058199da4fdb3ec47fce88d34c2a1c550

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3948dcf3243fe353a3799cd0cf0f72fc

SHA1
7a4d3276a9262eb744edd821c690a45af34fffde

SHA256
f845e07f327eb69d40c75dc91092df2b4c7e08e201ce93ae475c7fff18a426a4

SHA512
79301cc933656d8b88d47faa2c8ae79762e2e329d6da4947816326f26a2782a4b3246faf6464287c110ce19f2a55f46658114fa67771cf6f8655294feacad882

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0f4d3c1b65cd19803ea25020a1b504a2

SHA1
f227b0c19a426e08ea17c175e9cf486ad13ef137

SHA256
f649a27a92961e842f2acbef9c49b18d183323637f1dd90ad79dd062a3ced4dd

SHA512
4bda16b2ffd2be554f668dfdf2708cf7ff2b436d36528a5330c19be685ed339e0d03319f0513b58f2a3482d01a490e7f54c91b2fa08c9351bd03c0381388535e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
87c76d7b8f6080ff6f82c40918ca4d59

SHA1
b57fb9f56c6e63da9d7a19e2a6dd1b0233b4d8f9

SHA256
35a27810939a2e144d67861d91d7ce517a8ea9d947ef4e9ee749dd6fc9d4b918

SHA512
6e19a00774428ca795e8f26ff5c0a17ed5557f04701901b4bd33978c7ea93c701dc96dc4fc60749c8a6451bfc268cee89eb8c088747f5552ece5b5bfdfb160ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
505803a862aa569c646b3539629678b0

SHA1
3490ec47e94111a3b1f7ccd3d8f826c2dda5479f

SHA256
0aa962a313d8c6a1e1787325f9f6f14b78accfa2f0137bde922f39806ef271dd

SHA512
c02c1aa51cb44e247dce8f89b1745ade2358f60fb2b5a6c6a6af07f73e13193312caf49d41c5a79541026a77efb3ab66ed3a352e9b9d0ddea5247ec1e8ea2f22

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
547b83aad6c78aa41795a2b005cd23f3

SHA1
115cdf4e5b439811a315aea9f79201be2b13d15d

SHA256
83d9b22f57a1cb851421439ef8831e53c33d70e2c9c14f7283bcc16f3b55f1c9

SHA512
c9e6fe3018af23f0c258b300d2d266aff8d5a189b60f10dcbfb984cbb30f63fd207ec5b4dc3e424292783810bbd95b5dec2bd3b1d3f032364bb32844a4302a7f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5345e62f56cc831aa7475b3fc45edb9f

SHA1
d7a2e49c053f5763f57ed09d15d1feb01e793676

SHA256
31d91d78eb54aeba5768effa5522d006b77bdee66e0ccb173972ea9781317020

SHA512
43df5d0dfa28ae5c8000bc2e3e5c093a391d217a4d9632d7d3fb58a8b899676efa0243ae2df9a7c9e9dffc4b7d9e221d3fced24396b2fd2a767b1333680514ce

Download Submit
memory/232-188-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/396-191-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/660-211-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/660-517-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1196-194-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1196-516-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1680-187-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1812-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1924-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1924-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2328-523-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2328-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2672-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2672-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3304-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3304-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3304-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3304-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3304-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3788-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3788-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3788-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3788-421-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4092-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4092-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4144-184-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4144-88-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4152-47-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4152-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4152-39-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4152-44-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4152-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4160-518-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4160-222-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4452-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4452-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4608-234-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4608-521-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4752-185-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4756-186-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4776-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4776-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4776-62-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4776-460-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4968-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4968-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4972-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4972-210-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4972-1-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/4972-8-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/5052-522-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5052-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download