8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
Size

1.8MB
MD5

1d3224ea49b945963fe4c3c1510eca04
SHA1

0101db874c542eee27010ceb69026d46ede1db31
SHA256

8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d
SHA512

f55bde5085510375ea2f3b5ee794530789b04fafe31807c5c988ebcf73272015487a41ff749566cf1455c1c2f1e6c2f51f8d236929ecae1a9830e2d1a22b40d4
SSDEEP

49152:hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAa/snji6attJM:hvbjVkjjCAzJXEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4404	alg.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
4120	fxssvc.exe
4960	elevation_service.exe
2308	elevation_service.exe
2376	maintenanceservice.exe
4108	msdtc.exe
2380	OSE.EXE
1312	PerceptionSimulationService.exe
4876	perfhost.exe
4520	locator.exe
4524	SensorDataService.exe
400	snmptrap.exe
440	spectrum.exe
3884	ssh-agent.exe
332	TieringEngineService.exe
1556	AgentService.exe
3156	vds.exe
4116	vssvc.exe
784	wbengine.exe
2664	WmiApSrv.exe
3312	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\locator.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\System32\vds.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f1455061b4b1389a.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_is.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_ru.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_te.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_lt.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_gu.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\GoogleUpdateCore.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_es-419.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_lv.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\GoogleUpdateSetup.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_sv.dll	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007487e82dd9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f85cd32ad9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ff70e2bd9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae403f2dd9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e2c4b2dd9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f782f92ad9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009eed4434d9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe
3088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3492	8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
Token: SeAuditPrivilege	4120	fxssvc.exe
Token: SeRestorePrivilege	332	TieringEngineService.exe
Token: SeManageVolumePrivilege	332	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1556	AgentService.exe
Token: SeBackupPrivilege	4116	vssvc.exe
Token: SeRestorePrivilege	4116	vssvc.exe
Token: SeAuditPrivilege	4116	vssvc.exe
Token: SeBackupPrivilege	784	wbengine.exe
Token: SeRestorePrivilege	784	wbengine.exe
Token: SeSecurityPrivilege	784	wbengine.exe
Token: 33	3312	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3312	SearchIndexer.exe
Token: SeDebugPrivilege	4404	alg.exe
Token: SeDebugPrivilege	4404	alg.exe
Token: SeDebugPrivilege	4404	alg.exe
Token: SeDebugPrivilege	3088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3312 wrote to memory of 2028	3312	SearchIndexer.exe	SearchProtocolHost.exe
PID 3312 wrote to memory of 2028	3312	SearchIndexer.exe	SearchProtocolHost.exe
PID 3312 wrote to memory of 3468	3312	SearchIndexer.exe	SearchFilterHost.exe
PID 3312 wrote to memory of 3468	3312	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b88e6e323540e44b1d5ae5ea9b8d9c655d932b8001f4ad61a075358a7478d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1672

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:440

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
13561979514c46ba2442b132fad8aece

SHA1
0ca098817299b4139a824da0415542b66a96e128

SHA256
62bdde4d2c60cd5d9228158c04561c69d213bfb303d15db74f4b25b0d4685ac6

SHA512
a667a86c02e927c81a1316f58378d750514f2720e90ad695ea726ca94d0b8cec1a7c1ab10807fb4d8c8609dc154ab686c40312f2b30f8c72db44f717a7aad77c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
81154119ba7c0a5138728aed6faed735

SHA1
3bc26334f7f42c8699b996c6d53f1b09111505e8

SHA256
b4758c516d27c56e0b1a9e97c0d659c952b3ab549290c110ea74a9097833f0be

SHA512
111e14d1d48e8ccb3eec6d90b8ab264a4b22b54a87421aa71b3133a2e0beae10c944e5d62f6fa977001d0bfe8ea13b9a0e87de5249d0c5bfb915bcc3a9887a65

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0c04f6d6ea9efd0fce30b8e616320031

SHA1
659063aa1183cd7227680b71f66c46d46e714b3e

SHA256
ae44a5b7253b5386d2693e2b34b073fa8173685b24b7fe20b374a6452da83981

SHA512
b357462ed372706d3b0a17762e4b3712fe07dbc75df1d7b160b1b39fb0fb7a2d09340887ff38afd40156e426359adf9b5508b7c9c0e40eaf8cb0ed212c5bc8b6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a2c0438fe8b40d020430d74d5e27261e

SHA1
9c6dfb88da63e949b71a27ff5cbfc03b7f243044

SHA256
3808ee1c907ef0120e1e2ca7ce28d389b8aed8da88143980278c5e927ddc3f09

SHA512
16eba90f76c6fa341c2044f1a6951b1ad792dd448a4eee2568cd6dcc7f6d99ea0759dcc607bfb776b6edd13f9c2d1a57dc4830f6814177e02373d72b28848352

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9cb9fe0e8edacb7efc5d2233f4f3a95e

SHA1
848e9131a58e04433358e53eaa1f4ebef7e9c3e0

SHA256
69590d7a9eb4729848ea670797385cb0d3bed26c26496757f28234fe5b7528cf

SHA512
1df7851501227b5d01eb8c9f41a1d6944c7cb7b4ae5051f9b5d8e355aa449beb4dee3cb754270420b56c80423e470c6526fff296ca0c58eb6b4db7d33762fed9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
5dae66dfd542e9f7339fb61a21f0ce2d

SHA1
6c139f8aa1d263511a2eec13438ad6b50e71e584

SHA256
c725d55f3956609f183ee54d925fca1130e6c24acd412a255e7cffeda702433f

SHA512
0c47c43fb5e693b18c31b3cee7e259eb98899cffd208212a1a0a5d8be9517281c9c11b0ed8aa7101935dcab9746e628c05348ab62972a48939bb475a596876e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
641ab6ac8ec6753e42cb3b692a646080

SHA1
202cbf36740d82705c5f55ed409b3c11cfaa829b

SHA256
19f4a4702c9d3130e8e48a7a8f08b8459963835ea0267241adf2c46b9e9bea4a

SHA512
74232ea5c820640a58c57684026905e7f933aab78faa707ed5add49c8a071da9ad47b2c63c07b63c81ee683b9a8168e961283ddb697e403ba50d212fc331153f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e8e72416e06cf499d793a4fadce7cd7d

SHA1
1db1a62356cefeeefd36b8ed98316b7379454a35

SHA256
96fda3393b4a2219063d8fc26454f3ee2584939f7086fea8853e900cec8e7697

SHA512
fbbdb8e9c5c87da3a3743350b58593b920f623b78d48f33ff807b772cc78c9652b9fa27c4955a1e88aa1eb6ccb8a0649cc33253cd26d453b42521de8edafeaf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b6209c070e74c81ef5a5773752472efc

SHA1
c3c23ebbd0b4a74b9d191e8fb8a224dfe47f0321

SHA256
6dd3efd71af5b46fff64180c9fbe5f20dd9b09793705a2dd207082dca09be676

SHA512
7e2e9355d906c04c02375a44ba528844a3e3561f65bf799e9237b196c9d619549ce7e3d0e9def10722d13d7929cb9367a448ff8ecea1422220c32ad371679ac5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3acb39a1d4d0ff6f9f7ec71b6061090e

SHA1
a5aa0eeac2c59f98f7f257d26bf7b6b14eb4f41d

SHA256
79ab9aedd2e0afce4cf2b60ec21ab5d3f21b71ad0a9627510a66031be64d5281

SHA512
14b421e93457add52c35b16d517c76bb936898368b304c68020414d7d6ef4059de1378c9305235c8dc2fc473b50c02bef0a1b02e14742d0e8fedf522164be964

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6081c8fff0a529f3cb3b62504bede924

SHA1
5799efafba51d5f1c1e1710a27e4603afed9a298

SHA256
36dad7ef04201d0af91d871829a7e30cfaf0277a3aced0de913e5997992903c6

SHA512
ca8c4a716338d85c8c723cde2753376937d20893fe4861f693abddf8202ccade16b32a5b7dade3c7aca2bd9f1e1975c7d0a5aa66b75521a1a0da00333f424706

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b1a5adf9cb389b7fabe4ee95a187250

SHA1
85564e636ffae8172dd9f23aa1e53fda6d7d30fa

SHA256
15e9f492670e47924f2c9982849631f9fa20e452ea98afccb882999994c6866e

SHA512
56cb83d45e7c0d1461024fb929eee09586c3f2e7f478b2d28811ca18191b3b4480d96650115b13a719e9529b83f2a156675a16612e7cbca63ad6068588465853

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
24c524ccbf67ec7b10d9ed3a90b4e24f

SHA1
fda1b770cd5068e82de77f1551527730816fb64e

SHA256
36b47d444153c5847a84503f1412b5e2f26c278e49d857c888b544ec6f1397ae

SHA512
1a5c2358d84aa31cabd23e539dad31b9495ae2d962d79c200b73ce653b280e59404b4b1505dedfdd11d991d44791489b5bc368e61558addd50d9a6968a7bd568

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
aac3bcfd0666416b642c2e5ac422ce6c

SHA1
21c70b971e7c56cc6dcb75a58ed01c3452aa8382

SHA256
08c77592a5df44d3c4aa8ce598feef5cd31fb7ce416d8f34eace93a0475c8805

SHA512
4dd0c1dc7d1944ea3c39c4e72db20128e2c4203c87b89a208f77dee1ccfa943ae78f794e624431e06dcafd8a7f52f92ba407f4c6bd4df5629cc7264ca6dadc95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
606a5f323d8dcfe964105c21e447a312

SHA1
09ff298fdf182d84cb841fbca8417600ea3cbd93

SHA256
96b5ba2235986b7a9154641240c158f9003adecdbd5e82f4fc412f89b66b0613

SHA512
639cd25de050ca487ed36452ce9e3525d6e29444f2ef33f704d78a35e8082b669642b4be508d46ec43ac72e214261b4af537cdae417690b8f7dee9e7b65ff53f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9e9675a090e147af43ea5069803986ca

SHA1
78b0d0f3b7886ac95a270a35c64b5d08a4c7a8cd

SHA256
c14d666e90fd6a78aa20a4f944c620779891ca1503ea0e3a58ddc8f33f1e9f3b

SHA512
131a7596a0d9efd4704722d5cf87f723a91e030c2713a14441e9503d68f7b152d85849e00914703f6b99e6da01b366626d45f65f26e95b39fa6e3442b0bf9ff4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6b2bc9177ff5845b82a58a117f467d4e

SHA1
1ad8bb5f622da8000e5ef589cbfa2b9661816493

SHA256
a074b670350c53bc0c66fefef23b7f9a75e93755ae0c941be990ebc15e3a994a

SHA512
4e5dc10e858a747bdd905ada44261162ba5f3ed9ee63ddb7189f9c0b5ec43d9aecc6c37b8be72ffca54c4404231669ce0b53162c61e732c5f437e463b5e725f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6649583d17b6a6dbf4807c14268c2e81

SHA1
0f48c27bb29cf3278412e5734fa7a0878fb7c793

SHA256
bfcf225cafd90b1dea82805186d6eb009ace99f74ee7e018cfa13ccd1bfc5ebc

SHA512
a131abc1282d8a5cb261e1b02e286a7d8f4fba3ad4eaf2124bece35d42cadc8fa6597a41c6e916f7946fa2d6e5c5421b71cb77a6570fad2a88a5c9641ebdde31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a644174ef26039bb7796063e1c172447

SHA1
90e5086449af2d90e98ab8174435847eceacca1b

SHA256
a8c8a9c271fe0e4f36aadf581fdbb40f2a39634a630c9b605ec11033c9e7f319

SHA512
a0725ba91e745e48b987b20955638073ae08e119c664067a4e3814854b687375daf9264fa5efe885a38e6eb9d09d4e48673a12751061a56bd8c3b8b2d028bfe1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bc22e2934ea636707f16da740e9557ca

SHA1
9eb45c7ca64a2cb80960450ada12b7ca5120466f

SHA256
e57f0c2811a1c352a3a15aaa2acd665a6afa46cbdc9bce442a01aa9fbe7dc0fe

SHA512
4b6906bcc67d59b7926985a95420e578eb8bd389070930e18789b651b6ae8b6f10ce8d2a9fcba564c03ba2849cfc5a2a16f6a1dabde96ac295059d977f9da237

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3e79f8ee3cab16639c9435158ea75cf9

SHA1
b0d88a9da8475c819e251fc61f045733784e70d7

SHA256
61ecfd796d34d7fe2dc694881f7475e645d70985627c62660af4091a5d45d2e2

SHA512
1862a31c339a4c1984f23636fadbeeae4dd3a8d49f5c0a3207de24022658c471e17168d66dde269ecdd47c68cf17c111ff9ab949259745db9cc76e10b3a66b8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
626768b6e9f31950636bac0713127d7f

SHA1
78479eacc417e5284c8f8cc2d0879e668a24b23e

SHA256
cfdb5f471161e4e6128681c549ebb6e501fbae6ac5f9705be7931e7ee0e5def6

SHA512
1bd95f365011257c43ce7e44d2a551f3dac229327000f60187746bcecf472356d306d0e4d6b3f4b0470df3dac99f42902d4ce5b4ebc2c7f785fa58fa4707caaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8d7ddf9aaa0e069a9d8bd2e85e48793c

SHA1
4ae67d3cefe2a36f22b730619b0588fa4719f7a1

SHA256
12cf7b2213ef65cf3d2aa8e1f98647dc8e88e3b51075126927a7d5a3e9a323e5

SHA512
a3fd85b484c64d2b2025de25c0ed8d3be849b2d26b37375824dcab52d4f50a43cc949cd71eb9dfafbd540e02cfdc0ad553b4113ecddb4097bf2e1c4eb180108c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b2d999d62decb7d81a4d61b32725341d

SHA1
9414f0eafb006cdebc7195239bf9a8d95c05e800

SHA256
2730359a8000dc727e71a34a9eca4d69219a04310ca494bff5c998b1f4e2baaf

SHA512
0d97eae49ebd58f8b4408f187e9964308bf9fe0c12e9b1bf33770266ffc42438c6bfdffdbac37b6dc5acc6cf9a5e67823014f1d676791ac1c11c78dc059d0e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
85bd7564bdf7bbd26a0d597ceb958ebe

SHA1
d6c1a42a8dd89e7f790bf63836803c69fc1d2247

SHA256
d2ab4d7eb87dc4db3ab95b20c8d326deffc3902eea431727d8a3a65c561894d1

SHA512
ea0db7e327a993e2c9e67025872db4623dbcdae39aa9e6b12479c61807ce5b92596e19ce66b89a33a54b84451d5dfdb7888b66a990d5fea2abe42f66f8eb149b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b365c9f26984db4488e9cd2b68367b95

SHA1
629f762a6f265d120c16e772d105416c5580ec07

SHA256
8acbf8a96fa3fbf8864a3baf7c0326e1de291a39b5ae8863f7f063248cd3c613

SHA512
f2daa760df6f868b08e00b2e7df0ab9d1647cef286e0e24b2919d516d670b85680d87237d494acf7dedb9196c113ef9da1a87ef154ac7fd6072d1d7a8161c8a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
2ef5cb55c3825b122763323926abae3c

SHA1
2519ca895edba4598c038ee633226fceacafb8cd

SHA256
ffcb824b6f94abe3ee42fe94bfd6656d9702adb36d9c546ebad2d4da3f0e3a67

SHA512
99ca5f8b05f8417f0f568aac95ac7e9557b7197b449371dfe56608bf0a35fde85005c06a386267836d998a6e1c97bc55c0daa9845a1cf2c9abc9ce7409c37a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
55636995a28813ac799343d47b6b6fbf

SHA1
19d304281ff822124914e1783df9a46ecd04d4a0

SHA256
502f4db85a77e8f1244a6c87e3438b8be74afed2ce22279eb24efb914c621a51

SHA512
73f0cf5bc26945a9ae16c37ad25ea366574bdba5cb67cb252ba9763652b0b77f89c85ce36759bdde7023415f90cbfef174d50c35d371ae67f764945adbc6a576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
7dc04cf2f0ea78b06a9a5c8bba572d76

SHA1
aad8a26ed1f4f3164885902e76076cfd11a7a140

SHA256
c53256591e0208c53b43217ee433848d60ba6941e91402ad7566df0f63514d36

SHA512
54c5e36307ca971003c0d9c02221e2adc6ff3e7b98d1e9eacca35f5b02f647bc87c4b71411b9119abca26613712d15f39c0c59f45e985b87e195eb32e76f5c4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
007060232b6cfbd434b47cac2534a67c

SHA1
8d87cfca5793931d93878a10ff081fbc24a06b44

SHA256
b80ce9dac721615261cb15d16ce62d5fadf8861d8ef99b1b66a2be200d664b26

SHA512
9fd718bae9ff5c644f0c0e6809a85a53b1b6739380a23b4c09360bb5fd478bada968af3c881d12a894ae074fc90ab4d3d902c1e00b6a0a2c0866693bd5680c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8a048c67dcf8506991d2d073e6368f7c

SHA1
55e3aca36569af94fb978668825eee18f8be3080

SHA256
bce8e29e6a06a69a14acb8748d9603d5cbe45168b53008b8d807930f41fe0547

SHA512
c29c5193d872668db85e22ea500a03eb1c33cd818c479ba4a2b83c2b7d9e1be8f47b9cd6a61f7955f82e1b1a5eaabcfeafc34eb16626e85350efe4baa2d58f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
04f009f9992333c4f2a64c19f48694a4

SHA1
bba77acdea81784a3082ea4eb2898a79a4702943

SHA256
822307adadf005f7e7386d4e90a8d3364480696d5a244d1c008e8e525e99e981

SHA512
fe10f07df88c42051648e8fca83ca15d91d90fe7d37af834c914fbf1d029b80bbf229b313e85c0f83f47a989a1addd7d9c44a2a0f2811c3413c2cbdc9d6f6624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
dffe607ca0f33144168798acf0df0248

SHA1
9061f7c0f310448eccea397473997541d9546d92

SHA256
c3fce1cc6d46104ea322970f41591fd21a4f2130226b1fde8b24c8e3d1995c77

SHA512
7bffdbcece6dd8ec2a74fcdcabe862ff36b3788dae4c15fe459353336dc4ab6ab2425fc3bb4d790926688be4f2f26a1c4869986f36877bc6787263b4c3c44ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c5f4b452f41e3552ffb666d1b1653e14

SHA1
034e58a244d01e10017b684537ef644d5d8086f4

SHA256
c0f625b3c4b243c8ab1f54001a592fc20b202f4ae17bc7984e3a42ffc319f4a2

SHA512
69d169e0c18c9daa2956ff589ebd60b79b90c7524ec599df8a78f5f4e6375571d6eb2d7665c3c9cc2eaad09d1714744b60f771c064dce24bee74f58fc2bbe0c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1972250a44d186ef24235739323912ef

SHA1
c6d5b27d21efb8887d40d26b0c8a0ff0d9b5f5af

SHA256
2cd712f4aaeaec0181cb937a8dad0eefb2f783d5104d695652fe21bb3d4e5520

SHA512
683c8c33238575798f638ad88b5cbf63e26e584c14033908bd5c2302ea58068538d32cc7f72bc87f3f11975e6ce99fa4d8b05f24af973845b58e81f974b44313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
21cba4e9ef92ea070df1cdf42b89fac5

SHA1
5bf786b940e2c5f00a627a854700b5eb5724cad1

SHA256
ec350c178328a0383613c4b334c1a087c5f2a011e947e1e3f9186f2b3111f323

SHA512
da62fe236c472b253e298e8a9eeafa6834bd548eb57e129b927a2be1f0f74ed716329f8768b4d21302bda06606695181bb686cf0132f021f558e8501316b5a95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
56b2d27eff068a60c9c7b1d04b1dbd44

SHA1
3b5e79da196f690b1b65c629f7fb7d807401720c

SHA256
830c90f37af73e2fc07ac5d2fbc8a006bfa6fc2c8c4445d91e5bc342f2a97269

SHA512
5833bd103b52e289e55189d28400a42fa58c15994ba63a58efa3c04933a96056f0ffb714a034f9a68c571ff7698ec35260badda509c34ab36eb7161ffd16f79c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
40b001e56d9312401bf9c0225615774f

SHA1
31661dab0049e39a8d0db28029c3c58574c8b788

SHA256
46b071dfa86237df8dac46cd07d24a3ebf4d2aefdd19369a169d66ca27e526d5

SHA512
4f2bcaef26fbe494ded5d0d7960cb4db64c197e9f8abad3d2c121ea8780f2eebc66cb28c15ce2d5e545f68949c46755646d0171f16bd65c316008423c0685c90

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
00ecf2e40b501f2150b54e23f1bb0507

SHA1
fe01d9a2a67c26b5996da0faf6a3fe0f0d97fdcb

SHA256
aed09485c933bf2a1d02f7490486730cea1f2c3eb9852f1e44a607222b1487aa

SHA512
b64fd946eb8aaef7ab6a23335f970056a6bb7656b21df0a64eeda250acc64cc5a763010b5bf4c40f6e1076af3132b3db76282b11b1df1aa9ec6d48d3b1238178

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
f9a0e7570834a69c2ebe164382736254

SHA1
59cdce5861788d0972040c1206ee4d16237abdee

SHA256
f1e62093fd15f8ad44a567fe57cb0d4946744c4efb77785c54402bab4fb9a81d

SHA512
cbdde52da0502fbdc27cc01befd6368433dab5f84597073bfa24e3a6fdc14d2a3cab9a936ca4ad0743594e9e49641fd8c8158d9455e934ea31a72b47567402ae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6f1602864bf80c18b3f1cc1b8379ee37

SHA1
95fff36149fd7ab8ba03dd7964a163f9d4de63f2

SHA256
8de9ab32616e8f17e0ee983647707f981145512b6a722d65299f0e51317ac397

SHA512
ba4fda277d55c3fe87aa7aaa2f909ae9175e6f0aacc81d486fa3180d8517204c35b31eb48537c07bbf312a14db1510f084b5b23282a503cd728e852cb5b69e82

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b9e6187375273a3623c0e71a5851e90b

SHA1
943bcde69e6ff3965e44140685efd4a6e0774fdf

SHA256
7927d03146f78f88a4532acd0767c3a4f7725f677678fb28ab8f43e1db0be498

SHA512
318307c3f47840cedc385ac6f35e186fb6234ae95f24946aa55202d51ef5955d8049bd869b4d3f8651a5467e4f7d5eef41d403411f474202fdf1c2e1a85fcda8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5dc12ae313ecd3d5a38cc26f710ccec5

SHA1
a814af0f912361b8fe0115fa149335e24e1462a3

SHA256
af71ac57b4be119560085e18fc346757fee96f685a5495d244c2313a3a4bf6c7

SHA512
34227a99cc105564461b7a256a1ab8bca00c377999ec45b706429d15cf17e4500b5be38b607a0f0579661bdecbec88d83d7eb356eb07ded26e27045f5ff484be

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7ba661c51a37461ce7727c010ca7cd7c

SHA1
4f4280717d6c18bd40c06927180c688930d92bc2

SHA256
86cead899e3a9bc5031c89d6c030029bc4d04fcc1897788bbfec8b90481099f8

SHA512
db7f4e65385e755f1f8c1a2f0b1f519a197f6834069de5fb5925a709b3ac22bc576104f00d0a94c6a6deed57b316ec3de3337695e5c251238193c3de3f4dcdaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
130400d2355085aff334b098aacd818a

SHA1
89353919dd45ecfa276d1fdbb8af7412a6b20088

SHA256
0a74653b227c8c50c52a662942475020073b43c78a150fb0f324280d4e82e190

SHA512
34c8439ac8f5520672ff1a24d5c5d64dca3d3f7a11cce829385c4c6598f4267cf005c71343887b7a55074ceec2129854f7ad8842025808355740013dfda38e1d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
94c27cc9ef98c33a93e71ccebe4ebb80

SHA1
2233a67e4ed7268ab4afdaafd530cfd7a5755dca

SHA256
a357376102654e9ef0c26ade523b4d33785fe702c8a818714d7b9321120639ad

SHA512
178735649066383c28cf3d75cb574dd363ca39cfd63efdd2b81a2b8ae45069d36974f1bdd956ca098ddbd2c7fe0450e88fc3e0b992646431f4e300a80f077162

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7ddfd9f4d4346e7d60b310d4b943f84c

SHA1
965d71d1bab5e12c4f9acbf84a47d043cf502e3f

SHA256
79aebd73e513600e1bbc49627bd83538d16363633fffe474b91063b0fbb57af0

SHA512
7cbb79ff8bf1ff86841f19ec11b5cd4e14e317f826206d75fb91ee238d2f4fd577c8a5e8845a078bb7e7149baa33857d199822bb5d26818d52866a2a17d8ecfc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32ddd09150993fd4fd9ca084adecd266

SHA1
9609c8cf20a5b06f3534cf4b92a20031a60e7cfb

SHA256
a81d1ac301fcbf61602ac3a832471227c960f4e1ec8a154c5cdf046efc5ef577

SHA512
a9df3230911d7cc97874ee0c034a8ec50549076395290696294198d214a066c341d1eec014170cbe81e3daf5dee050d4c9755155689a6099d7a19676c48f7038

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f7b7ca528dbb84b56d3ddd3c8b4f802f

SHA1
c8f97cfb1f8355950320b4cc05587a3e0f1a5f50

SHA256
430d2e26b137a19cb3e3d5e1aba1c1510a3824df96325b45e178c9ac94355f11

SHA512
056a5f89814850ebd9875ae3fbd32a9dcb7f3639ec8cb3fd1b8a418765f898d440bd43c4000e37ab504374da60861f517588893615c34a0c11e653dd5194f8b5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
300f9b3732a2f0b189d79fd7810f0ff2

SHA1
f5b99923f0341db656c9b7e63097a4bd9e6f76a3

SHA256
7550211b8b35dacd442c4402ad9d5d0323fe3433c63f4e12d84b87ef1e341dca

SHA512
1326d793d5509a76e150a854752132b51231a007987393a34d247d1ad80cc50801a09ed5fd6ab52a67c7e058803062f589e538c224956047fb70c9a896cde26a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69d8d8f358072613559153d67aeaa45c

SHA1
d35f8a25c045fbe41c98a67c784cec437f2ac16c

SHA256
7a6f3490b7eb8a5e1b9961cce864899a7a67cb51a76bdf9c17aaf0ef09421417

SHA512
4943670a3fb71c44776ec21f875e00436dd065c800fb4b79918c9bbc15e15bd1903c25067452346112d93bb2bb4ebc796d52185e4b93e52bf0a6fbe0fa5c1482

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f5626835e7662a5b94f4bbd97ad4ea8e

SHA1
dbc79cfad5d4133bf955686edbab1e9ac8dbd598

SHA256
3024bdaf08812aedb0264c13cfbdc18fc00907796d2c556c4268c649599dad53

SHA512
264fad74a7ada38a5991ea80e216378524f7b892b64ae631ce2cc170922b8762d7e3b6dcdfb8e6819d3953634fd06a8de92df31f4c2fc4ba19c6c807d638c80c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
172af27b3887d206b0d37789b74c5a6f

SHA1
98f7e05a02349881dadc679e888810c63ddc0379

SHA256
74a796bfdfb267511023bb96f7ddc4a67fe488509b713ad21c6dff9dce5b35e1

SHA512
d06ed36e2295d2bba71eee9e6724622c3467baa5f7f866ad2a16aa8ee29640e2471f5f479a7b1983fa8581ba8d015fb2cbf53a246c8da3cef7f1d089164b7901

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
cd83ff7caa68085d05611b4ba418f50d

SHA1
bfe3d80ba548732f36fb511b3dc3566ca7aeb85f

SHA256
c446146ab44183ec27a8d275dd4109d2b5b4f389a3e072ff4702806340dbf9bb

SHA512
df017b903120806918df7f24bdd78b25fdb25c1bc5153fdf95948a92f085aa2696c0753b02d554d0520bd6038c95d536e9564431a2d79ce15394fac9b292ebc7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6dc30b27b3e425e5b3164d2510880864

SHA1
1254da3de84c8b6c87563967e55df886a7d7d650

SHA256
d5c8558a6250660b85643e9d7be031df961c306e7fd9301bf8a65b47fb2d1ad4

SHA512
3447432ed91c2c8910c6995257ba83623b0bd56eee0841e66dcfb00206b536bc4d766a5edb62c10121aea478bd487939dbabdfad9070f10516714b3a962f1264

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a972a03129ee749454081eb6fa23ed31

SHA1
ca9b8490a1155ee8532e3c27f69b5e1712a81b88

SHA256
18a17ee5773fffcdf2671d0e861fd49405d6c2732086834a50c5f0561061bfdf

SHA512
ee4cd63bc68edd29b36cbfb94ffd2d89e399391088d87ee8d122cd7a1a4aba92ce78bb75cc8b0a79c0aecf98980c6ac7d96f31c2374185a1f465c8e509b9d3d9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6db48b61e9a17d8b0308b0fa54021a5e

SHA1
1cfbe179d26b5d5b8f9b3de104acd1d3efa7968c

SHA256
8623909d66ffe21a9905893f5ed9ce6924676be1cf28bd14e82364337e702c96

SHA512
8d6b1cf2fcac1e75bdf61970e75b301b766508471bf65842fc9efd5ce324df0b3e38d6eaf2f73aa8a3a58a71f9dde4f08c2140e159ef70afe2713d23ce423028

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
95a356e4048c8576c1dee8577d599504

SHA1
fe2ed9f23f3a7f756320fa7f64315ad4f5027cec

SHA256
ec7cbf7dc4494d96e7da6eda0525e71aa5fd3d26e36504dc30aef4b32c4270af

SHA512
90851f30a036bb6429969902f662e403a8e695c0a4f15cdb21c220930b3857a5a26036655f2693c5b406f57f024ed31eb84a24a568f8f0498040a02a45537e73

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
8446cc02075bcd78bafd4edfbee8014e

SHA1
989c29619a0e38e1404a7c5e2b849561e45f389d

SHA256
c0720c237891843ad9bc340edbde8959dd00aff6786c35149d944f70198b1aeb

SHA512
72e03dff7b4a7ba6894c7062abbf5ca7e8033dddbb055f88a5860ee6b6a947e37ab9aff7b0823194206707d67358d6b2fec80bca6307de3667a96a18455bf4ab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9eb7984241411e4be435943b02b882df

SHA1
507059f48ca4460e5f92374e5bf6c34f9ff9eb00

SHA256
4d2fa2ad54b605db6fdeeae8293b53c1bc20f44db78f1bb2812f6d29c2c5b195

SHA512
35fc04c7a95935eabea25bd9be9ab23325007c669b8d850961f74f80ad5ea2cf32b561be74144a39cb8fd11f4eefffd93a9b70807733d22f017d2cbf395fe20a

Download Submit
memory/332-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/332-793-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/400-704-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/400-237-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/440-786-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/440-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/784-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/784-815-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1312-321-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1312-185-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1556-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1556-301-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2308-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2308-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2308-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2308-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2376-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2376-147-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2376-152-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2376-149-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2376-154-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2380-299-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2380-180-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2664-327-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2664-816-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3088-85-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3088-99-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3088-205-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3088-101-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3156-794-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3312-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3312-817-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3492-1-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/3492-6-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/3492-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3492-171-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3492-500-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3884-792-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/3884-262-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4108-157-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4108-156-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/4108-284-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/4116-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4116-814-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4120-105-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4120-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4120-112-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4120-125-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4120-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4404-199-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4404-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4404-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4404-19-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4520-206-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4520-347-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4524-607-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4524-652-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4524-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4876-326-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4876-202-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4960-122-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4960-248-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4960-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4960-116-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download