f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
Size

1.8MB
MD5

24811ec9a32209202302600486440d8f
SHA1

3b32c2807071063c2e535d9539be33f2e45775fa
SHA256

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a
SHA512

432975c37b7a18f68f34feb8ca23e523b3d61c240198e2e3947f95d732aec1ce59456f6355311e27df58c5a95feaafce6068aee1c89cff1d94e373836f7024ff
SSDEEP

49152:yx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+Cks7R9L58UqFJjskU:yvbjVkjjCAzJzC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4568	alg.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1632	fxssvc.exe
2076	elevation_service.exe
1016	elevation_service.exe
4772	maintenanceservice.exe
3692	msdtc.exe
1560	OSE.EXE
4192	PerceptionSimulationService.exe
2292	perfhost.exe
2492	locator.exe
1564	SensorDataService.exe
3580	snmptrap.exe
1500	spectrum.exe
2472	ssh-agent.exe
2916	TieringEngineService.exe
4316	AgentService.exe
3224	vds.exe
3200	vssvc.exe
3260	wbengine.exe
4536	WmiApSrv.exe
2332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\System32\vds.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4072313492be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe

Drops file in Program Files directory 64 IoCs

Processes:

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_mr.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_pt-BR.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_hr.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_tr.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_lv.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\goopdateres_am.dll	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4035.tmp\GoogleUpdateBroker.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe

Drops file in Windows directory 4 IoCs

Processes:

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac9e1299b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff857b99b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eec2099b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cfb9099b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac9e1299b7acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000218a1e99b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c147192b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d631799b7acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000219a8e99b7acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe
1852	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1164	f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
Token: SeAuditPrivilege	1632	fxssvc.exe
Token: SeRestorePrivilege	2916	TieringEngineService.exe
Token: SeManageVolumePrivilege	2916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4316	AgentService.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe
Token: SeBackupPrivilege	3260	wbengine.exe
Token: SeRestorePrivilege	3260	wbengine.exe
Token: SeSecurityPrivilege	3260	wbengine.exe
Token: 33	2332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2332	SearchIndexer.exe
Token: SeDebugPrivilege	4568	alg.exe
Token: SeDebugPrivilege	4568	alg.exe
Token: SeDebugPrivilege	4568	alg.exe
Token: SeDebugPrivilege	1852	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2332 wrote to memory of 1228	2332	SearchIndexer.exe	SearchProtocolHost.exe
PID 2332 wrote to memory of 1228	2332	SearchIndexer.exe	SearchProtocolHost.exe
PID 2332 wrote to memory of 3016	2332	SearchIndexer.exe	SearchFilterHost.exe
PID 2332 wrote to memory of 3016	2332	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe
"C:\Users\Admin\AppData\Local\Temp\f2e495812301db5484924320048aec3d7fc4a6d01a6cb9b756a6ec49dc03981a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3288

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1228

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
2⤵
- Modifies data under HKEY_USERS
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ca281729cc30ee42160ec9bbb2e2b4c6

SHA1
04f0b065dcf0e5e141a67afc2dd641f2d86185e9

SHA256
b7f2b566249fa178a9c259b13eca91c40b22ce4a9ac1a4af5450104f2e3c295e

SHA512
dbc9537fbe872b2fdfc054f23031d1c70d64d403a2d076c321c6af809bed3062ec81c8150d2255dec0732be4b4b71b83f8e186b75b389528b23da6760270caff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
5dcbe5dcb437fbf425e445806ea8bf4e

SHA1
353caf3a83c990b87a193e7147d8a59a565082a7

SHA256
6d684a82e3b5ca798c4e561cf9687744a03b4d79a75ceed8e2416dda7a6026b3

SHA512
669f609f3d386cb04559d9ba6deb118f7efb29b04ac673a025efc4d57547d9bc7b2de113648ef58abb9e8eb4fb7eaeff475df4d224444c3970f5b87fbddd03c6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
7826ef233de1d9fcca22e8d0c18673bc

SHA1
2c0d51104cbe49789a3a35a15e32a611d25bef92

SHA256
21fa319373af02afb2035b1e3043c568c00c2ff56d7b51003ec2d8358e46ac62

SHA512
0c8377353a9d70d86f600f973444525290cc6d87d07abd1518b598becfa72d1b6ed608f2f6877c856c36a18ca9275e0b70e6d0120c59ff5bb2f17406a11cafb6

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6bb58bef4afff307b7c2c560d275a97a

SHA1
d8705e096f6ef1ab8f4f035068053fcc28e9ed20

SHA256
e4210e237b59e227e43f58ac814f9ffb5848af5d6a8bb1fcbccacf26b7fae47f

SHA512
9b27ebc18103ceb8e800198a1972ff502b06a1923ec00562cc5fea2813e61ade5f3f7d1bce61bab7e204f0fe344793059f87ede457db4fe54038d96a52acfd9d

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c6ad8a6eff3d1d815f12bd1081ee8a6a

SHA1
309c34ac028f74f1047119dac6f5799990e8e518

SHA256
8eb5e18eb631b0ed3a3fa2e62f168fb2318577d0e5342861d7259ffd4eb819ff

SHA512
03fa919da0f3fd0d15156477f8f9a79888e33bab1461d6112bc6dcdcc7bc1dedff66587523030ec30d7ea33357bf47d0e517bf5da50c761e889bce5371410dcf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
68cc0aa50f0a331633f2806ff92eeca9

SHA1
f3d9d6a5522be30fb1744da41ddc3a4bdbf06e9a

SHA256
6edb44b2cbd37da8eff43760b31eac6516f1d2399734732f8d53bb455d82e775

SHA512
253b1c90e1a92bf06f76841daab7186f7703b06e0bc91c8a2c4b268b123d3fa2725544942e92585d7263ca2ecb8977b5968bfd1eab55ab6e14093f15bac65231

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
ee7c00040b242479418f53431743b19a

SHA1
fd6a4470038a02edb7e2b15ef6e888f005f14789

SHA256
1696cd00ec04e419c559590521baaf47d8bf37d6fb6f302162a2e6dff2e90876

SHA512
7b5ba9d482c156ca870e3bb31a84d6975be642d20d58a2b1e5571152408f2785dd415a450443afbc0074c736f9d3bbff4ed74c47e06eee7ccd15d51350a6869b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b0d91eb6dfeb80f75563b474b815ea34

SHA1
4b443ad483c087a240bbb5e81a242eb1042a10c1

SHA256
51347319a1b663a5ad03916af2bb675f986f96e5dcf449189caadcd181534589

SHA512
1b0d0ccc2fda15fc4cd583374bd1df7753a1df3a39adc0209ba6eac41ed1f8cea9b37e81e42c620ab34b1f20cef4d4e3e6f55dc4c83d0826fc8c61f17bf2bbff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
6d3f2608c3d36d3c89b2b79c8d01352d

SHA1
ac79f5b556965d020d4da800b025c5024fc2e294

SHA256
58b2ac1a59a2f1715e9b9b28dca2a592ccaef2135b6babb2ba0ac65b94661b33

SHA512
946dda8f902cb475cbcba3c50db6e4c90ee91ada62e80e8a5bf9f9b887e81f4ed09815bbbc58ee60f40317201929cdf31708b645c1f0ad7a0a009e4d7f9ae4f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
0d7688854077c47bbf2ba651334f2100

SHA1
cd2b25a34d018a7b3de650b3c5fdfa840d1b2826

SHA256
a3bc63713164c14411568072e100421add973c548afa3703efff56a77a419fb8

SHA512
90e4b7afb264737062ec9f450e6a0e4375343e71b333754e9c11989c383566ba8f478329595a19d41adc1849a8a2039be3d9b2f08e369aff4702a798f8fd57f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8dc892a28437d716f98d5d83887bc47a

SHA1
2e3d409ebba9c3e79ba2ff83d1edc6e3d1b3a865

SHA256
98e1d4d0c988cb4aeea5dc8b125a779108d39263820719de2f6ee4b1ee284cad

SHA512
cd8fdc4edbec41475c485cd58f0e514fc0c4fb682f35a36a403ba95b29cc4610a1bd8fe93d048dbf6114dc155ba8415522abbfbe93613c4584034cd86f714a39

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1e412991ef4206f952adadfbdbf11367

SHA1
867d40397105ed4caa3545bbb280e15b29ed97b2

SHA256
bdcf0fd143584113028cfd29a502f5d724dcedb7bd665a4d0d9e0d196871edc9

SHA512
fb71b59b64c07a61cacc98035a69d71f06e0ccab2bbdb12daeeaaa2e56543d65649f74f06640f50f448b8294a862904dc33892e2d7867afcd9b73f7b3c25d792

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
b59870a0c099b4d45a5bf81557ba0a11

SHA1
447a30110c76a8a95e7a3d7a1f967a0545024775

SHA256
10a13aa39cbcadb6d7c505d98b54bbf78a677540b71e3fa09fa79116e5bcea8e

SHA512
86c29da1ffa1213de88f7e086805fba89cf9e9740e848658bd5778d7f8990d7e96119013c99d47ea8952665bb01a932176536fbd494363c6d3395af8cbc75940

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
22bd1e0e165795cc75fe5c864121477a

SHA1
d3c911f490f67205b782e28f72d130d5ea525abd

SHA256
62250f7b19e0393332ffaca185542703f6cfc02fdc052a44b1cb1a1b6f33fbe5

SHA512
85b1a014d2d6b6d1c26aa86951f3bcc8e6e144a8d992212e7d8705612c83bd57b822adbdf7ebf1a3ced1ef7333f0912166d3e86a46b5102173e9941b6776dc75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c5f35c8e8176d26c25c5abf30392fe71

SHA1
1e054f2731661423afdc0edbc39cc1c817ba1103

SHA256
2a2ebe944ca799b47e193f1c0ae8c8c5dd00a17cce2c3c923a1c55623f4a6645

SHA512
0fab0a7dcaefe5decb150bc8e34f2491ae822606e1121cfa79bb45b0a9c6132d7f44a7f3bc37697a5a15df6e6ec655fce93d3ade60f31c3e50bbd41faf557ef9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
7554589964de429f90468a1b20f1a9c6

SHA1
ecfadca7f1262d62f17211aec5de852e297de00d

SHA256
060818921384ec8c3adc2752394fa95344143970cf32c3aceb6d95fd9969e94f

SHA512
49fe0b13df4d0a44d5256ed7e230e96a248678e9ae6fcd5557d4c26617046911845b81dea6dab4e7934d932f1c4ca474d74b527b25e962e1b8118a73afbbffc6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4d32141533d3703352763064cb45ee80

SHA1
57744dcc726cfba65fc75e50ce935c6cc5d173fd

SHA256
bdf2b96f4c156f4f1f5e3544986b415ffeef11f060001ca5e09fff1038112ec2

SHA512
8841cea8a251f2cfd382f52261fea9db9ce17cbe2ccb7113b05a4c207ba5ad1d96af9b3098e9eafeb17dac7396b2f8f14f192f9c86312464e04f9eb79108e6df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
89962598fdc3e17b313c838bac036421

SHA1
32cb5124dc02149d7309a665add423e01941fa4c

SHA256
9e46413da17f266a565f2b6a802f4c808496cdabf77941c77cbca0c6210c0be2

SHA512
7a2c9aed5d045d6ac07cf149103e748100b9fbc8c532ccd48984e65548f2887c2e9bc675b4d4d51852aadd168ec0b884046c2dee4059cabbea66d7def5cb35c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
62d37ae4fa8bf9cce84a05b8a5594264

SHA1
c90b56e1d2b6ee6abe5a9f4c50af895066eae5c7

SHA256
b629ebba17d57ed3f9ae91d61718822aa165ff2c4e2e319759ca4a5f3526a1fa

SHA512
ec5e4a76abe3ce66ece00bc330df3b8b39971c3a4de1dd3a27dd6976f2f194d3bf941d0124a4ad389a4ef12e2193818a373db2fdb3e6ff55f6c4cfa71b986f4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
08b15cc70d513b7ad6cb455ef9261709

SHA1
9e6e13bdc64aa0588ca475c7b53b0490ee2e2d8f

SHA256
1a675e6a8792311f251db6dba8d51c5fd603296f356f448601f925a93c839580

SHA512
eec045e877d8b8501d255ced246274a962226a4239fb8f9047a7abe75cbd1dc1095f7fe8f2fbd1ebebeb1c7f4e498bfe88a6bb0346959a8c3c86390d4bc33f21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
355c40d597e57d0a8c1fc8abb7aac248

SHA1
4320d2ed6c21a3bbf89edf61a4ec24514d011755

SHA256
7fc101b760ea3666f0d7962ef8e8bd1bc7bacb6255a8ec6dcb09404c03579fdb

SHA512
91d8629736dbc5cdaaacbb5b9547d4fa2442a9e731602a177aa4b1632a143347ef26730075c8c1a4aebe8a96846b0daac4b1dcfc766dcee244c2c290bbbd4a97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
638406888619035cd2626428e28c261a

SHA1
c03a97a1fba3e641f95fdf25c170c2d5d6199d5e

SHA256
173ca9b8b524ba266e5b7909580f8afe3ac415248f3ed9153c5f3f53aef2517c

SHA512
0304c94d71ce117192971afd7b410c36f35434e44a025cd37438f9dafd7605de2a9cd065f7becaad44a3375b1c6619093c5bd52345eac45d1be4f9a0fe1e3e32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
f42cb7f5b024a9c66d7e04163bbfa7c5

SHA1
ca5ec0997bbae29b44fb622d7ce7a1ecef50468e

SHA256
0b2ad4dd3f5fb0615f6ee8e58de24226c3bbbc4541f01334671d6e98e88228a0

SHA512
91a874b1ea6ae017618e2dc28fb351920b23d913f3f3ac7bd7ea1ed2ca4e44be950182609dbf4d0a224d842245c041926b4cbfd69c93bb8930c4bb12dfec6a85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
c34cd711facb39920ff834ef15740f6d

SHA1
e8b9161cf60fad2959dbf894e1ce6dd920aadec7

SHA256
76ea38cebd91ab7def6bd84d93c242645e9febf3859770f5d2909eea4af42161

SHA512
8108b0ee424ba6236efbd7da85783cca5a19247a55d7339c6738e58f2fa9f13f5feb17b5f845fb4f8f9bf0bb7fb31816f0ea5551b409d5e779b53283f117aaf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
997d65dfb03d0bb0b43c086965dc72a7

SHA1
44ace08bae5e61b018efdac910f367a6248b644f

SHA256
44e0913e8d64be6c8eda789e6d6768b357c4c654588f7eb8bc0a877ef2c2b78d

SHA512
d9f866318bec281157bf31428c4260d013231c8e2501df0a62a5ba547d249e5c3043dfea8e4cc716a99adbf0067056f6f19f701ff0f08c3139a5f0b00e907e95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
7651f8beb65ffc4d4143c8e20fdcb819

SHA1
800ded8322b65ba0e9c9f79d2d4549542ab7a0db

SHA256
8e1c006a356e160d33b99d7eea8b11edf6aa4b36bfb585357d654c054ef29e4e

SHA512
66dbe85544852145323088c9d3414ce56d8d889761ad06c9373c83b385e8790b4bd62a85f1aaf113c5214a4f4ebcbb8249368020fbd0ddc70f23876edcc03239

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
12d159d529f25b1fbe6df459d81e3474

SHA1
4ed90d4367d3fa81acb19d6fd1584da601520f3b

SHA256
a071a06aa15fd6b33b24e6ac96d78dd2ba0917138a4aa7e0018879a78167de57

SHA512
126095bbb82638c4bc8b1212b2fbce4f4923d6643b732fb98e654754fd22c0f80a845952c043dbaa1d88a921f4ebf6c2b4733beaaa7b49a30835ebd829f5d92c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
d6b213d23fc0a039318adf8b6c17a49b

SHA1
2be220b8a7e484d9f483b0336c71cf4934b7666b

SHA256
a575c0a02a1e78123bfb4c40a5e26a6ba2560b79c715f30de47d33f0e4e1e649

SHA512
c91cbeedd47ebdebcab14aee54cc84703ebd1afa0471dd4a905f04cd12027d559b95b13fadeca6ac2127d7c54adfc7896c5f6a0def0aba69086c09e97c40e30a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
ffad1617630743eec184c407af65f35b

SHA1
0200a6f39bde80fccb18e684eed101debb699414

SHA256
3db2a52d5c695aa82a202f888436209f31423e6a01f463eb242dd032a030a9a4

SHA512
1b6f27ae3cebe61a0016e69f70745ab53f3140372c728db23093ed1672282f520c3fc3d3e44c2ea28bdf6a3ab896fd87be293234db231d07637a4d82f36d6246

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
ddf0faef3b0e71b7fbdd0d53c5b43f3f

SHA1
a8984e695e5aa303f87b3be25b68b23d803649ef

SHA256
ab4892ec47371691352cfb2acfc9f8a3dc28a6f1d19d890042c1752db1c67e24

SHA512
341ae362db9b73b9b889101c8d3ed6289cc357e1f77cbc60489f6e975575f28ff2fe20a2d485b2f802a135526463f192269bfdc7302dc1e82ede82060447ee36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
a81544a0e88e094dcf449aeefbd7d89e

SHA1
ceb9d301fdc28927795d38dfbccece947376ed64

SHA256
b5f2004de145a351ea2f9d1214067a871f79cef67ed382d66563b6a181492d4c

SHA512
634dad26e149ff7cd490550d87a36207983b870c7759715613e94412e9c69bbc84b98ce8562b338ddf78c060fb899df90e071a12181993d0f356c1f6c8e8b17f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
3dc78db93d43e329f00a1c6b720bc8ff

SHA1
7aaa0d55b03147efe7273fc431295416e0697400

SHA256
98c32f7039063ad105a36388ef95bb5fae0f9a28a2c3c71c68b9b2d64b17720e

SHA512
81ff1c2beddf24d45f2210a7ac1297374e6a4d839d44a2c646cd8ffffeb770fe944f1b0b6742941bd95f5f668abcbb0bd1db6f2685b1ce1f8d23788d740995e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
8595473165d7bba2cf3b63edf058fe11

SHA1
b2cf187523d62a6c9a3e9ee06a87b2c6373c61e4

SHA256
33e80b88ed0f6f5038f5f7acf02f80b151cb068b7903fb43a476fbe40c2bfa7c

SHA512
b4f2f3e49cd9f132fc45022875dda8fbac6db11bb5fe14a1ff32f1fc190b3dabdaca86987c0b455840e6c2256ad00ccfacc10a7d35759aafc6374118c436ac83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
de1e5e400bfb66c09181201548a9155e

SHA1
37a08d0eeedfc45a750d6e5b81ded42bc37b625b

SHA256
e2c45edd49dc2d62cdf685802fcee4207b59f961c5f32eed6bc996f1b50473d6

SHA512
4f9f0e87a1e15c4ca1706e7e59bc9aeaa13bf9d6a93e0437f44a0b425d1624c966cfef2abf4aedf947a5af707f0d0ef6606c4a6997565ae90854ac1443fc0ca3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
5f3cc78a1965cc50e7bd2d545879f0b4

SHA1
9870d014fe724dae60c56daf87eebf9fe035f1b2

SHA256
ada262e6adc1c83634ae6adb1bcf49d25aa08ae3fb1a72e96c41efee2ab4c60d

SHA512
e2f9d56a7af1092dd52f2ac84dac7a1a786d5268df5c9093bbe1facbd8031c1fa1374924b7bbd1406cd54bd19dc4cc32726305ed1e28afbfba0e958b46984e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
772e7f73fa61c3d22fa99cc0a0023614

SHA1
2ec7bb3881caa7954b794d9bb1b414e8278c2a38

SHA256
28c30fab69b4859d840cba359ffd28926a7e59264b5aa9340b658e08a1a8ea04

SHA512
01b623d8d207961139075a44ea732786e02d2d381f00bacc88c60b475f3ebdbf83fc5d88b29344ca7337e9219fd47e98fefaba3ef567852ce18cf5ec912a3337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
a86ddb8c4433c4665fba7e315c1dc63d

SHA1
38673aad272f92363109007f2ba2988e097041f3

SHA256
2e83896dc676649bee7ec69a9610ed6d7cfc3c5410967db98376714d4cca233b

SHA512
0c5f9c71d4e33b87fed8afe49698b5d7c5bb30bb3400e57953669a5f9cc892dd242293f7c62abcb3c79d5aea8d3eb99ddee4ab2fc5b23af159362000c8af0c77

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
951efd43ae5b5686d8d12ffad40d78cf

SHA1
ebbd0d267ef4af7fcfb330e25e255cdd17c478d7

SHA256
df2f0525433c4d00d3b645362b2c7f1dba9c8becaeb01dcad4e50dd9bc8265d5

SHA512
e344e793f1440ba97cf45a45e6f120d012455fb97382346a0b0774e3486c8eab479b1e9f3033592992798021e27bc1e67dcfa558b3e70d8e38dd9dfabbc969d6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
22a2489d8566fe1db71b563eafdcbdfa

SHA1
5e38ea6e967c8ca84f4bd2b4fe085c8fc1964bfa

SHA256
db154e7119a75b27e373992bea4b98f099175524691cb41a33ac7610eefb5cb6

SHA512
1343dbf122fcfdeb520a1c2e7a8bbef63190671cbfe99052f16337ce0f8fbd8224f612cc64d114f8f8db69c9f0a493e61ce810bbe4770fc4cf3edda1b0c7e368

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
84c97d94bb3162790ffcd1ecad19ef6d

SHA1
3c3ec9816239be22b2653261a1d280b724662793

SHA256
0f3a32f0cea907080313c328d98338d719640f7ef82eebd2b8c4e6a86e025bcb

SHA512
7ab6814c2e6463898174ffc4c853e7c5e0f3fb56ddf1a1280e790b0e3b5bdcce54727dfcadd7d0ddf775afe301a3c7bb13c3b5e933f5291214540ea97a544653

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
89c44d3761536f2d3d265b66444ac0c2

SHA1
10b49bc779c3eae5572ac51a3ac73434db58a79d

SHA256
6427190781b3a270c1e9ac17a3ec15fe7ac53a974f46f14ad146b5fb7b47f435

SHA512
3402f3728e8f669bc61c20efb9342ce6c818e91ea9f544fda9d1ca448338dc39bde4454e438a0f9ef9fb975c38d898972d2055ceb0cace468580f9756df6d88e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
a19dfc5023efe4ff1b5e135e46ea0efc

SHA1
f7d0ba14de62fee33ad4463f06aa704a9d44ae94

SHA256
2b0c3ed472a390532a311bdd7532de3c99c6eeeb142b5565a7ec7a53980d65ab

SHA512
28cabebe13776c7d59c880bebde1559d23361bbf6e92b788605559f5d00a18a6a24d6ca378acd89fe5f3582943ff40717d251d07739094d553f6b7882620b8c9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
19b2a4465467212cf943e1be97c1626a

SHA1
0440838040e7fe3ddd117f2b3f6153055604d437

SHA256
d7f444ab28253172e894f298a4c346c4367f531fc3b3ff675e98527a3f141c0e

SHA512
c9d9b415ec01f41c806d4937cd7576359b1ead34dda08d3e9e6add8918421183d8a7cd2e1b49131c99096b4437d75de9a7ebeee506a61d9b75ead3361ba2219d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
820a4104bfb356cabbfdad897fa8512a

SHA1
d2768633963439c0c27f99b7a242f2d7f940367e

SHA256
f028841c8e572e7d73cceebafbab39970b9705cc75ad8c6c7fcf19730d0477f1

SHA512
941963da2cf5f64935d19971e5976810d87c075b9824d31038146663c440fa1ff304e9f456763b68c99bd459a45ecceeeee59420cc112226efa33151a5f00ef4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
3be110e9e5699e1931c73a5c399f000a

SHA1
927a840b6a8832c3f0d528868c684895441199db

SHA256
da5689c0b8677ed2b034184705049d6476945422eea5542ee3ad70d752d339ff

SHA512
35c97b75233f6b2ab220a07687a6e6f985aae3cbf97697478bd30450091d8b94889d53f57c7db734324b40a3d433cad59b980759b2849a45c7ead0a6d9011a00

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
df59396c4cd23e928ef0ec4c7aa06601

SHA1
74e8b142624b348c3af6b5928a9482ed22d22522

SHA256
45c8003f3a18b1363d351c7da57214c34a0f5ba2de3d3c2c5da91b11b9bcd949

SHA512
537e35bbf3c14a8ddb65d7857f897bcac25a43930a91fcc7e5c66142c16e63e4e493a11325d5c71b12627d6000b3aa2657ce06e75bb5c022a3fe98e4bea71615

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
00597d745c3430451bfd7f3c91a4013a

SHA1
add35801a270f16accdb33051e19e1a07ff0ae56

SHA256
93911fa9c0a99cc1a56ba7500661f2cd2904e4204a1e1ab6153fc7054855623f

SHA512
30007f4e11522851c00d9d91a8b1a0ceee44e1af10b7074edb7517ff8c6f6954ef09a1316f0689b66fcf0c6b02589c446b6b060ecb4a10aa58bb7719d9b96263

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3e2a3e8ecc37b5c2b2deda151b056298

SHA1
9d760db314c841a63bdc1c8788eca756e8e329f8

SHA256
c45a1ae02e37fa0c084029709476c89ec5b604f50906412ed4eaf0d20d7d2fd6

SHA512
3b2bd8c9a403efdb33dddb650a5cf504663bdc49ada08d07987cb0e0b7e08c03557e399f19eb6e8e352ae220002364b6abaf10eae14c71401b9b77a7da8ae88d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
088d501556856c55ede220b3546acf2f

SHA1
de73f00844a2eb43934370ec064233b5de551b8e

SHA256
2bdd6b97918e9a0c19730d29ecc8ad8709fbb16623d567f8547ebb3e17461248

SHA512
f488906700f35e5b0dce60124f25627f39ebddd6f6891cb2dde4af6aa96c8fd14e7014c8d8cf6fcf1fb78b25eee8f9f2affb42b3c55363181502c548d20d843a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
c1164f2afd79d75a563f7d44a2d8835c

SHA1
22510cbfe252810d75c0ff8d554ae14df2321981

SHA256
4d196414c5c4ea398487d888499c93ea3afdf6d247969523f794cad2dd72fa4d

SHA512
d6a803cdd3a3910cd6d98bc70401fdd6c5cf02426e994e5d45c1a503ce15f2977b18a155cba1e4311a0c5e7a1c8d1c64975999ea5bee1ebb23e7ecff73c08e78

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
dc35757ac02c1845061c6edd3aecbf74

SHA1
c589e20c1cfc93bfe24dc92b909273deafd9510c

SHA256
5610f85494093c6f85ab40ec294f5f5245d3aeb2ddfa119480559c36ccb23870

SHA512
5d4946a2acf9100f1b6dbed79eaa5db9a6aca53e37971588ed787a6594e2b2c92aac182d72c6b717b64802db849e2268c6450f78f72cbbef9438dbc820145a14

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6fff92596f655e25ad9ab81264b360bf

SHA1
4b32ad9baa5cafba6c817474c560a8a6a4edd2f1

SHA256
ce089316a9a3ef91f93e4f0e0241d86ab9d841d6391705bdd7410b8841ab333e

SHA512
ea48d2dac10c41fb906fcae903ca78867cde3af68ccae7cecc46eb9830cb46719a08e6af92d36ef6b73e5ad001c97e1182a455a11aa162604c8f21afbc66f1f6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
9c2452ffc8e051444fe3d0b43dda9367

SHA1
cf9087b03c1bef9cd2ad2009c70c581405b1f49d

SHA256
3d844f94d71d065f422846b9a6f863028331e5ab7e0aead304fddbf296389c78

SHA512
07f688276eaa872463e1e469248b7f13150fb3236f48ac9c44d55e53b9deafb110d01e99a38d4ba464d32ac43e250b733e8f0dbe0ed16a77bb3b2f14ac41768d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
1e8fceafff1b359be18079ebecbe46e9

SHA1
88a8a085b8323262697c59c582e199cdb1bbb5e0

SHA256
3e75275be460936f7a9e50ec2a50a5588748d6d3c177ca55203133c9d5f2800d

SHA512
08126a6f04db8de63207b2f39dee80b5b5f2878e60aee723227b82d9e23c9e8f6b9efa41fc27731713a753518d6fe716f4c9b6c3fa95b0bd9fff84d27c67e8ab

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
cbb67e3c2b011e6394a136da471cd625

SHA1
ae66ff4271c6a8efa7cfc539772cb6f772d92dd8

SHA256
ea1000d1867854cdfaf161ea5aae5e3fd16c78c4c88ffa2683e7e422f325c77a

SHA512
1a3cb7100b501c4897b85e3745bdac5ed223edcb5375fe5a6cbfd552af4c71f600e539da4aeb91f9b3349046265a3905536f78397e1018200f3633d61fedfea4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
70941938b9c189294a686f1049c007f5

SHA1
f06eb434339ee838e6f0a0cdb1285b06226593da

SHA256
1e95dbc45c293aca83cc6c35fc2a7d0faa9e5e2fa137f752129c0c15c11aaeb5

SHA512
dcdc77e6c65de87d2af02b9b6fba6d39e98179e6767f2aa51df85115215140eafc684748b1411307c3c1e61d64762f4d68369baf22880a1b4e0a04e1279105f3

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
aa11b436f89024c870b11214cdc17adf

SHA1
5218262512b65e6b144c89a1268cf391ed2b64b6

SHA256
7059dcb3d9b9ffae0c769fa539499b4682bb3538e46591608630cfa30a74f2b0

SHA512
ed9bd779bf59311604f6b762180187efd78afe165dc408371a07e0b0a70482385b6b6d348f804ab6468fa762138aece90a0a1cc0cf19316942a1f1adf25207ec

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
4cfe2bd685e6fd40540904b7feed2100

SHA1
3b9ba93e1915cbd84a65468b8f40aa3b9df695d6

SHA256
a5d52120601fb34ded8355cee7d4910e4a87ad4f33d81ae4da56cec32692175f

SHA512
48cc0911d2e0bab767edb6d657e3dcb1923eebe252e0a3298cdac17b157f75779e950f8c6246a5059f07a77c0a0ca475e2fb94179d413372084a37a759f7b575

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
19abfb82c47d6da1a2009a0e656e596c

SHA1
29bc609eb3d6a4a5a1c818c7b0321a5d2c667b7d

SHA256
d836da22255302d81a1370059631aa3c24eb6751674944f569fdb53ff1198d7a

SHA512
09eb29ee57221d087e73a0444773d536eebd81a15540affc1413a0fb5f64c6d2de3f50b22398d5ec0759422459099c11c2fd3e551b162576dc26d0d26a311512

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
4b1572bedabfe328c03c9f895c2f42f4

SHA1
641576f9a9541b8286923e36cd603e7fc41ca405

SHA256
c6720ed5b079fc24500ce399fe9251c423289c37abdd7455bf25ed905e3040b6

SHA512
7ade95b65a85c16630f5f2b328f884a2ba45ac84b69fd5d4ebc3378a77b64676ea8f18b5de9a397fb2a38a1a5d3373c7f4b97d0ce1c573a32e04ebfa358cb4a4

Download Submit
memory/1016-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1016-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1016-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1016-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1164-180-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1164-539-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1164-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/1164-6-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/1164-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1500-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1500-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1560-182-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1560-294-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1564-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1564-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1564-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1632-117-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1632-105-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1632-112-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1632-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1632-113-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1852-103-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1852-93-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1852-102-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2076-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2076-121-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2076-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2076-127-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2292-197-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2332-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2332-777-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2472-256-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2472-657-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2492-326-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2492-208-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2916-658-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/2916-267-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3200-774-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3200-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3224-295-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3224-771-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3260-775-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3260-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3580-230-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3580-456-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3692-158-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3692-270-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3692-159-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4192-297-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4192-191-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4316-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4316-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4536-327-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4536-776-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4568-76-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4568-196-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4568-87-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4568-86-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4568-85-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4772-153-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-156-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4772-143-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-149-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4772-151-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download