041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
Size

1.8MB
MD5

cc0e1f89cd4a4f406227d7c2e94290ba
SHA1

099b1bd918889bd4c1ba4fde36db62ce06fb2e91
SHA256

041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf
SHA512

ed1406ee6761876b3a994995a98f9f454e8568e68daa25fe0ee352d8c809ccf4abe64f587635de9b95e61ab724b00e577f2c70ea4a969bb08bb314a629ede4e6
SSDEEP

49152:8KJ0WR7AFPyyiSruXKpk3WFDL9zxnSSs7YSLTQYWkK2/:8KlBAFPydSS6W6X9lnqJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1120	alg.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
1852	fxssvc.exe
3152	elevation_service.exe
4796	elevation_service.exe
1736	maintenanceservice.exe
628	msdtc.exe
1900	OSE.EXE
2004	PerceptionSimulationService.exe
3584	perfhost.exe
4696	locator.exe
2384	SensorDataService.exe
4328	snmptrap.exe
4660	spectrum.exe
2132	ssh-agent.exe
3000	TieringEngineService.exe
4116	AgentService.exe
2700	vds.exe
3260	vssvc.exe
1640	wbengine.exe
4552	WmiApSrv.exe
532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\spectrum.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\795c1137293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\dllhost.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\wbengine.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\System32\msdtc.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\msiexec.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\System32\vds.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\vssvc.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exealg.exe041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42D5.tmp\goopdateres_pt-BR.dll	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42D5.tmp\psmachine.dll	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42D5.tmp\goopdateres_is.dll	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42D5.tmp\goopdateres_th.dll	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM42D5.tmp\goopdateres_gu.dll	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c30c08fecfacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000679611fecfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438747ffcfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000561e3afecfacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051934ffecfacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3312efecfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c34703fecfacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000340a46fecfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000087f5bfecfacda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe
2052	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1668	041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
Token: SeAuditPrivilege	1852	fxssvc.exe
Token: SeRestorePrivilege	3000	TieringEngineService.exe
Token: SeManageVolumePrivilege	3000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4116	AgentService.exe
Token: SeBackupPrivilege	3260	vssvc.exe
Token: SeRestorePrivilege	3260	vssvc.exe
Token: SeAuditPrivilege	3260	vssvc.exe
Token: SeBackupPrivilege	1640	wbengine.exe
Token: SeRestorePrivilege	1640	wbengine.exe
Token: SeSecurityPrivilege	1640	wbengine.exe
Token: 33	532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	532	SearchIndexer.exe
Token: SeDebugPrivilege	1120	alg.exe
Token: SeDebugPrivilege	1120	alg.exe
Token: SeDebugPrivilege	1120	alg.exe
Token: SeDebugPrivilege	2052	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 532 wrote to memory of 3996	532	SearchIndexer.exe	SearchProtocolHost.exe
PID 532 wrote to memory of 3996	532	SearchIndexer.exe	SearchProtocolHost.exe
PID 532 wrote to memory of 2348	532	SearchIndexer.exe	SearchFilterHost.exe
PID 532 wrote to memory of 2348	532	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe
"C:\Users\Admin\AppData\Local\Temp\041174b1b0707b013cbc2c806e66be41dc4d0b7de6edfdb3edf77324f53ab2cf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3996

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
75d2fafbcebe737680785531bf68455b

SHA1
50e20630bd6e8735845a62d4d68311822876bd75

SHA256
a161e340b83bd48e55ad38951bfb3522c18ae30bb967ac58c4a7cca424de9bad

SHA512
5ec1e928a50f677a493b588a06120e00917cc0bae5191076d9e44e6147d4d1444ec6b86f60d10756a8a419015c169ca0d3bf58ebf6b6e494fdbcc1fbc74b7959

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
ac66dcf398dea3a1c0cf53dfb4b76775

SHA1
f49694ea724c26c38d393e5c1a72bdcf5876a2cd

SHA256
f189b8c8bc8e880123ae8bcefdc1d6f1da02edbd51390086ee7e9248fe5120fc

SHA512
ae13156ef7d99103e08844bbe94006ecaac5f6a79ef8f9ad6d8a442dc20b2f47576debe7c43e2aa9f92bae8724802bafb439856efae6917a6faea29f74c2854e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
dfa7787111a1489c7464ac1d4b8e0401

SHA1
501794957ef382b2645be2823cde452dd4a48aff

SHA256
64b6fd83e723f881c4106ae68c5f6a96dda5ea8ad53a037dd9bea2acccd27eee

SHA512
b98b5d6dc8d073ff8c6f1682a15606d693c20df516bc0ca7c824fa6f6e44e2dea49ca767f3e58af8fd9b10a3a073c6a9c3eb1084f13f7d19d3e050c8ceb401f5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7c293457d1e9fa47045c4be9487ede8d

SHA1
b19d6e33bbc465a3c6735cfa930d02dbd095452b

SHA256
ac3a4f5e03ca8049836fc52c8567241c061153d273b6ed7ab638bc2bf730b5ca

SHA512
de76901ddd7ab08b5aa62b762e2a20646e55e449104fde452580e0ae65f06afa47e4cd6dfdd2fe6c6a6f66e0a657ec77d6ef7b2c526c8259287e185b9146a66b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
8655e57f978b0ac20c9eddf86e6e2939

SHA1
de1696a0b898a8c15e27f7f0f6ab3447476f82aa

SHA256
28b473c21b030c8cc2c8813843f062a465fa3255860b1c84376c9b9a019c4bee

SHA512
0294a0539ab9132181dd2d60033ba68d334611ee8055a6e15d159bcca68b67d1779a3b7b72ad6afe062ea31a3237596c129e6cdc91786ce635de7aa2274cb3bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
c3957ef63b7141e4be3e7cd226ab30c6

SHA1
c131150ddb71d01e8dd7e54a848344668f273b76

SHA256
2fc84dfcac0b9c20e765235ffcf7acbb3e0825ce3016ba6450b7c5f0b65c62c3

SHA512
fa94ca91fa9348a97d44dd2349ef203fb3a5e320580b3ff1c205e73e188551fd2c3a6307381a6a4afe1a14c539c5da9cc93a131ea4c0c4e18c64621eb73a1858

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
d819ee6a579e6b1bc7e91acabe3d2b05

SHA1
6056b67993c6a4b478577adcf9c6a8d9360ceafc

SHA256
c40885feac63400f7b98835709e17e53558ee5ef2e38c2cc1a499fdc2b350b54

SHA512
6973e2c5a79f0b2a60665baaf4ce161100c862aa8f563c625fc2fa0f32956e8f9320433898a93cc41eb3cb128c6adb8dc2995b643b19ce56dd4caf5f05731d12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8867c0a60fdc28977df1c1a1e0e38022

SHA1
d77f36a989ec70e59a948e7cb2f704f59cca1dff

SHA256
03e3c11ab720e407a403a0b962230bff86458ccdcd5bf7579f034c3d43f9e4e3

SHA512
1c676b1ae0b584eea683348c6bac1a6f38b9e60677b402341c715586adc70fd9e79bd2f9def9a8719b51a5fa5f236846bd76220992b10e10a46c825cbef5aa5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
076571089a07581fe71083bfd1266515

SHA1
54710452ccd5f7b8cbc1ad4a961fde4c2102ccd9

SHA256
398bef9c8a4598f445958c7f09d98c09553cfda090669bcda8de388ded2dfb35

SHA512
a288546b87764b063725164cc75affc0d3aa84beaa6d27d2aa3ceca310cad85870434ea8044c908d782bc2f90d538486c8fef4ebc9a3f3690db98817ae6fd73d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9ced761c7dc22a327c3361034bb58144

SHA1
f538b2fc9d72d7f726dde0fa13856b328c870714

SHA256
590c93fea3776660bc947becbadbed4e22a4ae8cf606ea44bb52b69fef218c0a

SHA512
a645590ee1eaa83c8892990949f283e1770a6816d50d4f717d06086b8cdc2da410f00e1d2cee82b88411123ed0914f82328d4b0abe2d5f9e94f6fef0872f4baf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
460006a321011b8cd3fedcd39886eb1c

SHA1
9fe23d12a8fa6b9da1ff5156537dbc2010b1e714

SHA256
29291f0bf0973805f5db6dccf84b0a797918227d33d0287a53d49d11af611db6

SHA512
135b68280ac65c5baf7de3bdd3a3c75b7e4a24a7db64e4250fcf4af4f0e7e67e9d2104393e3de691ab298e9961f67e91d1e8a0a67590817c0909a1b835eef2c8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
972fab14da860c08906133373980450c

SHA1
a7d2811d617005c8a2f8977a5cbd6dcdb1108594

SHA256
99b52e2429289afcff0ae8dc097ba4c8f79c80fe0f024a8cbde4403473bc780b

SHA512
8ac2fe5c0dbdcbb77d0e94e7e459ea71696df84092bb2f90fb916e162f2095673a4d051990dad5e29c23d609cc3deade1a613820d133613e8ad18b13a1c92031

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
fe07e6a38f4c91722f9ca4f1a07ff458

SHA1
8a7ecd47b07eb7b77ed1cfdfab36746328a46338

SHA256
9e38e227fa499871a1d326720071ce9dc24d6935414765239ba77699ed4972fb

SHA512
707e13e8513c1def63562724b571b357acc6bfbe58f8a135443078c713eefbc6e640b092512dd8c0fd12b2bbe4189bf286e99d92971e2a04b1a262c3e3e4cee6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
3c8b969c95156d75256e10a4be58f2e4

SHA1
82396c0c74193231f381ba1e23727b17269b7e2f

SHA256
d62ef973235ad222650020d67ed32e1d5ae35d365b92fe3c84e9f18cc2464fc9

SHA512
04104f44addf0ab7a64734352d834824c9cbbb614f153cc3b3dc314e3e596d0f034a2a4d2a2dff9bafe1291ea3ecebd97e1d928fba4551a1d2199e4a026106da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
d4d19b27bfaa17d34f422b2a86e32b2b

SHA1
fc17ce1287609cdcfdb3bb3fe0527da079a349a2

SHA256
64c8c07a3a7dd232eb738f18bea6a743cbf48b4c67f92f4c61522272328a436c

SHA512
7e14516fe3b8d8a537e249db86b1e213d1e8c7ab72ba33eb7ae8a2455225ed4a261b02d75aceba89d91f1afc9201ed594361cf7473ffc00a7dd19a88ac29e8b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
9b09b4e41c059925fb7d4ad32429413b

SHA1
fa4ec507ef714abc81ec5f9153f745aa67ca1d9c

SHA256
284843e3aa83a7031046e1802ad32cdda459e9478727355613bc85a0af4c5751

SHA512
d8c4be9900a9e18e05b0ee75a24cc42218b75a392bc31e9fd7a49652c941d68afb9214f1a0081763082486dc4a57975a2d11161e3329a06d0cfc3abff6b6688a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
929db7e8084ad21b4ef99baaefde09b3

SHA1
ea5c3c08d39c140f7babef95bdaac52dbec5f7f3

SHA256
0d9949ad7f9b8d8f30efea7cf9365dda4a7d8201824265c52d3c5e6bfbe63b94

SHA512
0d1056c302446f6677c19dd6f09163426f2a65d5163e3cf03663a8d2198f512e65574947a2f45bd082eaf704d921dccb3ae1a04bd02594d9c0e5163c0d3a4f32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9c96f4f97edd9a893486bed07fea3613

SHA1
ce6cc4f7422ff8d4b0799f65e183252a140bb27a

SHA256
6dadbd0ededc22f3cd3142c9669608099d18fec85b159d9868dfc9e0852cb67e

SHA512
767105f18ac4b208dcb7a7b02c46154eda79aa7196bf7dfbc4f43938990d8795b67f4eb5ca317daef9223c8895627216b5e6e027342087b2ca774eb35aac3551

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
1fa8075942e6cfee25b531fdaafaef0b

SHA1
e17217c4fdee745a75677b395ef24c0ca25a7c20

SHA256
8a5d8f37bff63ac95936f75654264895fa7c2042aa935df9a4623f1b50599c57

SHA512
16502cd06a216ec10e03e65317aa606805053a0756eedcf772689e8e8e20e23477108f937822e6c69137b7cdc43f912db885a76573bcea7ca6b188b41f93600f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
5a0a0343cd83ef4266a7b1aab0a5fd79

SHA1
9061b87d31d20047ba0d111ea21576392d180e1a

SHA256
c1e2ce4cb5f75f9fa5dd727cccfb93be9c1a3e51b808f11a119f2d401c5360aa

SHA512
ff00a647dfbc1c2df94fd5625fa1a9681e8e12cf4dee7d40abf0418f3d53b1b4055a6cea8114d4da955f704414576bf536974d4dc09100c0f6d704539d1b0878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
79ca50bdca3ac3ae223cadea99802006

SHA1
2dd94ddb61153d65d32b8986d9b39a956e4ca237

SHA256
07354e8111b87c657309ec6b183fb9655e84d83228e9ec37cade0127daca7db4

SHA512
b0ee62dd70052d2f850cc43ae3459007b23b7ff556902144a2069aee601302ec617484eb5c132701cebb9c1d7f4ddb4689c13afef5d391fd31290e99e8ee794d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
acfeb54235378c1eba69da49077484b7

SHA1
5b9459c73caa49baacac78c70cc15acc323ad561

SHA256
9ff9c30aa914e0cd10e8abf709c0f4f973e1e8b6c4494562dca8a98d8c5fb3a7

SHA512
b2881176c13998f178e9520ca73f02f24912bef13c19c3e21f060b3b86fe87243f22fcdaf7f062195e63ac4de1db2f35633b517a077d5915154ff651c3ad131c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
6ac2ea49305a5e168a4769520397d742

SHA1
a54f348f777b5b7171c9641d644327c36408b916

SHA256
98597cd93749130a76073e6a1bde094394547376d5d1fbc920752010aad37b84

SHA512
881c5ec8d0cdbf88e0cf37b8f736f106c6955831d8fab71df2a2711c4d153cf00dafe1476825df4b4e9a7e60cac877c82662c166b5146f1b8ab8d5d958a97821

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
746a222ff9774b03c6835672751465a6

SHA1
dcef52fad0911583105b69e0001072d5f05c0941

SHA256
cd3b2bc6f80cd1b58b77cd0694783aca0caaa846466f84a725085763e66342a1

SHA512
2ee84418c5654ce6d8daf4f92f592220b8af429748d78e95c99b9127d87ed90259bd8adba9021dab3e9d8297e06792df8a7b28b5a311de776b2a68737338fe5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8c2e6bfd0110ff05584f6510313c9146

SHA1
dc30e21e1138c3216cb73ab3b041dfd484ddba24

SHA256
9f2e91a0b4d06e7436edf6f2597b039402628e93ae132af6252eaba1d1260fe3

SHA512
da8c7f6270e50a541696f5a89ac704c8e6596486e449de2177fb3362521f15418803a4038919dddb17542f7d2f0c057915985075ea796e319fe2bd9ac9393f30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
74db2ed0ffeef4830e468bf2339ddd84

SHA1
e4efb393146010b118f5c2d99b8d1ee72ea40beb

SHA256
84c720c8f862b7597517c97f67837bd953eab0ac2fcac0f7936b42eccb184ffc

SHA512
df013b0d553733b7bb247dabeeab4a71f6cd9a06884b64f409b35cd10ff9bf523a0875791966bf6edf240150566374c5d8f26ced35cb67ab75073d2bfca1a122

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
762ac3c105ee0f45cbc4c9102b13e2f1

SHA1
dcd9aedbda745ef6faf11547b8a323acf1a09908

SHA256
90fcc075cb7020c90544fe3c58ec8256fb455cd6617925a35171ecdb68af5f67

SHA512
7d494dd6fdb6539653b18206023224c0b5145886527b558d777440aac668fdd6486ba0da0d701f52ba0dc58247685e61f6a3469585b9a18240f527503c3bb052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9532922d73d4461d1bfda80478345b7e

SHA1
2fbc018c8a6b44cb032f2b2f1b9daa0036e8cd17

SHA256
9408f2dc09ecffcd373ea0765458fb4ab0fe34aea8f2a585a0917be9baad2c91

SHA512
5f387a870e65fbd4f1b3d96f5da4ec7615e68e30c18719ae031d365a4232a3efde5e2c902ea97eb1456ae51b94cfddac53abbb369df293fceb559b947c736f4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
54a14ea3213fcee4f6f35afa1c385129

SHA1
4c1390a353f64317f7666ef02fdf17e052d25438

SHA256
8fd030866d59a329264f5a196b0bbf95429de99c0795731e8f1fed82f628900f

SHA512
03110f2f0ba41f47fb73cb0d07f26ca381f07bee5b32ef804d438d641f61140a32a0c8e0199779f5ee23949e252010792b5b1fdc3310b87eade12c7db5f7d563

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
730ec16c5af7fdecbbc0d2a557716e25

SHA1
a4cf9d15e97fbe799a890239e6d6ed92002d9efa

SHA256
d187fd6db35d831e9598399fedd013538abb0b2d2eaa829aab3c879f26072a4e

SHA512
f3a7171389b2dd4a32a3aa7045e441b7cd4777d18d4a06b3533402160780c3244b5c3c377216e0bcb6499426ea00bb85baddd852057acd9e3db61501920c16ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
bae0b6a6227fb33c3ffa144dddd65c81

SHA1
2253b4befd841a43127ee1a55d6708df6c628b16

SHA256
b488b6b50b96bc9250a0569d8a69ae5a9821f7c6d1ea09dcc828d46fa7e43962

SHA512
eb9b31e2cc065fe307f723a2b7762701ed5f179071ddbce4bf1ccb6a7238aef95205e81569d66a515e20a7dc7abae19696cdde8e990077e535dd23f8f98d7b19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
c8bc6adaf63109b841aa866bf65d1310

SHA1
e707367947addf95f578368fa568324d38bd9664

SHA256
87ba8db46467e95ff69650618e7cf332bccad8caff90fc858f04d3129dc978d9

SHA512
9281d9681d747f71642a20c46954ec294390535c1f545d3f92a812076a8fb90fef59cc41e9e57b21ab07182a4070334d176e86e2e08bfb886ba5edf186f3413d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
eaad0bce55437b21f3fb4897332cacb6

SHA1
2bc79fce8ba727d6385bc48fd9f40de69f3d5b45

SHA256
e971f6b90c1abb39a111b2b293e0b24086adf9243b2c200f4e47788f4f3d4ebf

SHA512
d7634f365b463c44aaaba73c39330a9d3803016ab4198953938cb7a1cf34213ee7bc31ad72d96279f674fb08dd29d7cad37e852c3f1ffe3d36f59a8908013303

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c5d6a3e7bf32884bad7ca80c19318569

SHA1
563879698d532d82965ba593680d3507e5fbc660

SHA256
d62849af04ab3bda397c7d9553b64bda69797607b7441017bc43689e08b24edf

SHA512
2f7ec87c6ba50babe1b201f28440bca154366302fc841de7dac4e2983c03d98239305a4940826c7ef5586e9d03b35a99fc166e505b7942b9c86380a6a3c7ffb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9db34f2bba2e28c92edca7be3c6b6b02

SHA1
f4c0d937b371f1c76c26beb6257c051e4f7979f9

SHA256
40762c1fddfa4b7ab8c82d5b1e34acdeee9187a4e92487466d7cc6274654d270

SHA512
6e940fdf938f43c4d538cd7b44c3125d5bfb65ac98d896cdcfda819c40c312b64b849ea30c70e5bbf1c065209a4a35b1da12a2fe9e08d236285d15671441d5e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
ef5c2d69aad415e1bdf18fcfaefe75fa

SHA1
e6e19a860fe2d6bedcaa7cb584c1445f3dd1117f

SHA256
504b9347090daac1d8d6571e2953549d4c9b5a8ba5f2a8544229e81a19eb9408

SHA512
239dcf3443c182cd7f79fff3eeffb2eb24376d9b4f2819af5be75614800ad7b43310d98e456eefb7679fcff88cbddc1f85deb1f525859dd132de076ba47cee6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
6712ee96e422008837f63cf4eff6712b

SHA1
d4baa150fc95f9ebfbeba0f6dc80809e423a9d94

SHA256
5f7c19395c6a26426e54d7f22568f0cdf6a16475530831acea836499fb3f3d5d

SHA512
7a07364282613261143fcdf28282ec384230b316f0603b2f9823dd1f51505754a37baf4deb9680b8c9f36678bb88678e6bd8a7deb2534b7ce9c3d5eba6ff417b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
76958275ca6ef3511fbf013437289971

SHA1
e833efbde56698e868f215e0d74d7afcf23b7f12

SHA256
b9f57087033fc2d3e0e38b45ddb0af54647d2a18e93731d80b9327c70560710d

SHA512
8f3fd213d9465af880a5aa92295ad416993cce43cb0645c43a9566b38625a7aef720e361d03c30eb7bea8f18b7ee4ff624ec4706df313a81af31a0c004a7f159

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
2f3178741fcd7fb9eda58f83840bcf98

SHA1
aa41982b35bdb4db73dbcb723b096dca2cfd3dd1

SHA256
0f42a8d0f912c665036a00f4de6e68ae92952dbfde3dc0bd399790bdca68b329

SHA512
e11e5dd36427c8b93241f1069eae9655afff865e9230dc71e648bd309a29bc88994641af31fcc85bfc16cfe9b6077538b7f8da637288f25ba7ab3519c6cd0635

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
080b5434a7040f4049f15f0c245d001d

SHA1
81b689123c388830e96052ec2bfb81dcd6afe717

SHA256
d6fee8e691937cf175b1577f20f6a3878f73298d5611709bab782fa6cdbe5a43

SHA512
94e70ce639d6d9578599ece475a17490d7550e46124e4eb255a91a7821710fad9316b0adc54077e3dd708b27c7e71e4ca3fea6cae4f67f87913ff66be928b35e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
70197ccb0ccae52d055f195d3c4c64eb

SHA1
b432698c8ef684861d3dcd30d024b8642ebd264a

SHA256
8b232956fe3c39e7fe78ca41d31b754bb3f13d971a8d09a27ce97bbdeecc0335

SHA512
0e510086f64ee158c83614def17248dc75b24558efc99d1fdadc9d8e9b0052fb1a66638a24bc8a76b5f9d71e007ce7e4e5aed35c1c148302440c2ef006c9de6a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
1f2b73f81e68f6b3614ee08a4297dcf4

SHA1
57c319fc6ea74ebb7bb9e5080799f4b8ca595c4a

SHA256
50ac77719c2af1015c89b77fc8c564be98eb0f0315ae20928e6cbc300cc9394e

SHA512
91b99e70d03124a7cca1aa5305ba8a655b2a2427e62cb5a67914e48c5ddc5de7847cc3b47a55d8d538d33ed7db6949379d2135b145cc3d1bad6003b82c143f0d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2b9434d892c627ff7a8d391cca516ed5

SHA1
0568b42081830bc2c27f721977f153b7909bc06f

SHA256
d3a2645b10b873c4d2ea4415572c1b6e8aae3a1a043915df2f00a8f362968039

SHA512
b7e8edae4c2109c5af32a2a8a823c8239afe9c15bfa620d788c50a8a668646a7e576f2a5100f7629ea26a371c72983ca0d7cbdf42564313da9cf18a01122ffff

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
fc6c086faa520cf698d0da4c5888afe4

SHA1
e44f89bca15f8fed5b418c918f92040a03b7a1b3

SHA256
6c10f6220452253a30f173f01a253aa2acbd35ac28d763da690c12e473fe61a9

SHA512
687b30b57995ee38e2caf6296fd060a12b304a97cbe810dfb19fb1d6c298997793bea21bf8439c0f5627939a6b65bb4d938c707b4ec20cf6192e4c8a3197e7a4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
259748ac513135018effd00cd1f4db70

SHA1
74a6e5bcffedc6cc8e9f501438662ac7ccb527a2

SHA256
c811033e1608e9996a3d9e66598ff7a2e3f2f6a358df620ec2537dc9fc0592f4

SHA512
96acf4894400e90ff52acee48ee4361e63b86e30942cbbf7e2a72c52cd746b5f152ba4ca4d9daa5dfa930650ab778bc5e41a3d7c982086542cc53ee5d1e52ef3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5be17ff07381a04fa93d9e2b2609b137

SHA1
20d91892467eadcaf07dca3570251f9ed012be9a

SHA256
7ed6a1380d2b79a60d5b73921b83df89279c226b9eaf5835481fd542bd95a866

SHA512
6447c58e216bea14bc3b87298d0c15b36e156a1d0c84c412ea4dea5daa5ac5752fc8f285844c6bb4b79294dd2ab6e7262ca3bf1d4f687b54f2bf87b2c88e6bf4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
758884f7a7c15fa9b2b956773877c0b1

SHA1
e166b8bb18d07865ccc4e540b9f9fa2963e347a7

SHA256
a53885cff46c5013f453f80e7006457c6cec7d99f1502e411075054c5aeb9a0f

SHA512
442662d3fb98e0aa8690e4618caf54e6a8a974b5cd49b506e337cc57f7d4ff1e859dabbc4cc400391bed0d4008b006667b12f2bd7686f5258332bf52f4cc0d46

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e16d5c6d44046fef014dd5b64b98e58a

SHA1
7247d586d3686b3d35f4844339c5b0d1c1eea175

SHA256
18de67f34d90b33c2529725e231d96e65fc643c3fc3213cb6e31701efa70611c

SHA512
bf51fcb57db61873b30c393bb5074f0d493c39e2322bf04f8d4e356677418ca3eb4631e921f56c8a97c2a2ce7e51842740511a6d9bf7593b41e883546fe6561c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ff1ebeaad11d6788052b3a15d2f35f21

SHA1
17ea393e5b9b37bea3b8df099de6e7153733bc03

SHA256
90c376a2afc425bee562ef1559f1c18296a0dc5cdb97b451daec4ef08b357602

SHA512
30711b76f32b20288fe50fbc1fd78a21af9adb52015aa35e7f60f0ec9f5f171803d521118c26831f9252db3d5aeae1e44089c44c1691b789f61c0c7b6283ae4f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
7527aa2047344fd783088d0b3ff0fa73

SHA1
26983220bb7b9eb4b82043af08af1e0bc04798b8

SHA256
75e4faa5a3f8c9ca2ce88d3ee19d4db4049110fba09dece6d950d9de6d364fd1

SHA512
5a17ddee0b7ea3f7909ec0ba5729556e50b2bfe3a59d42fa03f095804897767b536ede36e65ce2872d2e758a9b8ae685f0224128b1836706f49cdbd17f08900c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ff60cbdc67a111777bba2b84c4b1c796

SHA1
efba52fd22ad92ebe1c0af89972d324b8468360d

SHA256
35e930e7b3b71cbb3e128105bdc59e131a731a4f1f251956317b0a891c429a04

SHA512
196ef8d4e8b969d047040fad6079d9067b4a6dbde5d682729548ac4e9006cae313d32e884b1c2c4ea4b3c3a94e120081988d5ee0029e4d0070928c005f1dbff3

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
b13e9f5d7969b023c4684c3369777289

SHA1
cb99ad8dcc3e3c1a314a9865af7c2dcb439708d3

SHA256
aa26ec381dc647c998e76c1df447472ad8151c7d2208c24f8fb54b978707eb4d

SHA512
7e0b4c16f173a7d5202bf56d39d97ef6dff5ad674ae933764f0fbc0b150b2c5a32750b24658b5d0b423a203090d3359d60bab8dd406e5e366a76cf1da4c22788

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
39a1bf8961f398f262473a3eee4a89c3

SHA1
8d21449bc6583e94d6f8be1520caf56669d855a2

SHA256
45965ef466614d42dbb84ee0c6b3e13d4f997c81d29166b13bb9b89cc95a29d0

SHA512
d041ac84c46815b1ddfcd128756335c4e8fec8b2c9ce2e7afb392659580570b818f4d6dd02adea303c83e35090251419bc1ecf5b059296a480062197b67b3856

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e7ffeae55820d81acfa5579e9daac398

SHA1
b7ea8e8f9429e6694df0b1fb5a06799e6a1e581c

SHA256
819deb0cc2acb9da6bd72967adee438d46bffe0a43325e0ae38da682e4c62127

SHA512
4855e10edd48837b02ce41e1e52cc22001fbb1fc16d12bced90986dbbfedb851c7c9bbd624cdbea3f00f1dde47f6c165f1cdce1a50ea1e6c881de9264b464286

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
48404ca8788200acf7cb62bb37db5aa3

SHA1
1c3f8bc35baf30d8a88fd640262ed25dd25a1a44

SHA256
157d34b172fe821bc1fb173b37ed067616e892f5b6c30b017b8a77a55e34bead

SHA512
20df20c5b46906c87defa5bdfb3f10de246c74802987ff61563c8cf4f0854d7d6dfa26eedf36b112bc7d0cc6059fa10bc731177082d344ce526a92cdb3c1064d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
96bec365f7f9def898b350abc53039f5

SHA1
e2f5ab134e9d1801f5744cb86792fc279803d12f

SHA256
9086613c71e005cb7fd232e3c30afc7e6dc3748580a97f13acd91536a8c66606

SHA512
26e028edf1882ab32d594776b18dc5361997ad7e46fedc3a0a83e5f438e3b9c3db1ad2c9e9828b69aac60e673e2f52ece5081d39157ffee2cac758a033c48045

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
94a07c6431407a471159874f9303620a

SHA1
ca86552479eae779409c77d4e155caa75e2111f3

SHA256
836beed9fb13ff370655bca09efcaa32d94ad6982e3d2f99ae4efafa79894a30

SHA512
f33d4c73279f36ae86fc16f901e8e780d44d21e8d62f2d11ae7f86cfdfa30fbfb724cd92b105d88dd33ab21d8f1cc0ff0cef268295007557acdf6e71609d8889

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f0c96438ed1ca1779689f78cf59429df

SHA1
aaefd0f7da8d5bbe5a240803682f3be18f1ce4c5

SHA256
c1d4458ee55797299092027aa200da1512b94a9894fd29bca5dd7995888106a7

SHA512
d2ad651cd703f884bc4e3ba8463bdaaca7578890a16c6613c8e1ee80ee91bd43dfec33196dddc52788bb1f11093911fd5cd3e5e97c2a10f3edfc2a1750413594

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
c6b90abf08009c9cbb93ca36f99fbeee

SHA1
3ccd8ed7afcb042e6ce3eeb16ad2285ddb07d5d7

SHA256
514cea5f4bbd37cd3ba8926ec7b9623f922a5de498e86ce44392339a2d6a2d00

SHA512
a30a9288ed479d61a05f285e6319cc9e797a72b938f0713c369992da43aefc4c6de69e2dd3b2edf4937b3f1a4f88d68fb095d199fbc160b9f861231ff20dd71a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
b7aee5afbd78802f88cd1c5b13bb697b

SHA1
0cf2f88d35ad60b9a277c16ac4ee70f68788aa7f

SHA256
ecfeeb5da159c5d19e72d37f3ece958ebb9a860fbc514657ea21850259ac15a5

SHA512
d8d366f8228527fb7ee772ca21c4de4c163536323992d2f28a237245294c3500d3d7fb4d482cbc252635ca0d1038d8d999b5036d0fce57b8b71a4f8b0c6804e0

Download Submit
memory/532-739-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/532-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/628-158-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/628-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/628-277-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1120-184-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1120-88-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1120-73-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1120-71-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1640-737-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1640-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1668-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/1668-177-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1668-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1668-595-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1668-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/1736-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1736-154-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1736-143-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1736-149-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1736-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1852-111-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1852-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1852-105-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1852-119-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1852-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1900-292-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2004-193-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2004-312-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2052-93-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2052-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2052-217-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2052-102-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2132-729-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2132-263-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2384-723-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2700-732-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2700-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3000-731-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3000-266-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3152-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3152-127-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3152-120-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3152-241-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3260-733-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3260-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3584-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3584-324-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4116-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4116-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4328-230-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4328-514-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4552-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4552-738-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4660-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4660-726-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4696-328-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4696-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4796-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-260-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download