a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
Size

1.8MB
MD5

ba3607bbb51c17733d548c8ff18b80de
SHA1

e10fa77381f6aced82be6f4f78c444fb0e9ff719
SHA256

a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717
SHA512

3281bf98acd81e456898834b5ca7732673fd8d1e29e301f137f61477e6d29c7c0dacec5bc7bc73012e0f130dc9a4251d75374f2e22137f87d09cabb1896b0580
SSDEEP

49152:RKJ0WR7AFPyyiSruXKpk3WFDL9zxnSSzDOQ0K:RKlBAFPydSS6W6X9ln7Db0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4996	alg.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
3468	fxssvc.exe
964	elevation_service.exe
1644	elevation_service.exe
2804	maintenanceservice.exe
4468	msdtc.exe
4464	OSE.EXE
628	PerceptionSimulationService.exe
5112	perfhost.exe
316	locator.exe
4788	SensorDataService.exe
4404	snmptrap.exe
1500	spectrum.exe
2508	ssh-agent.exe
1420	TieringEngineService.exe
3468	AgentService.exe
4380	vds.exe
1596	vssvc.exe
1312	wbengine.exe
4572	WmiApSrv.exe
1148	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exea1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5b212fb41ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\locator.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\System32\vds.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\psuser_64.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_ja.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_en.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_en-GB.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_gu.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_bg.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdate.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\GoogleUpdate.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_nl.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_lt.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4F58.tmp\goopdateres_fi.dll	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exea1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc307bb9efadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b41ccb9efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfa00cbaefadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2f2bdb9efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d87ae6b9efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032c1e9b8efadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006369b4b9efadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3e131bbefadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	212	a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
Token: SeAuditPrivilege	3468	fxssvc.exe
Token: SeRestorePrivilege	1420	TieringEngineService.exe
Token: SeManageVolumePrivilege	1420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3468	AgentService.exe
Token: SeBackupPrivilege	1596	vssvc.exe
Token: SeRestorePrivilege	1596	vssvc.exe
Token: SeAuditPrivilege	1596	vssvc.exe
Token: SeBackupPrivilege	1312	wbengine.exe
Token: SeRestorePrivilege	1312	wbengine.exe
Token: SeSecurityPrivilege	1312	wbengine.exe
Token: 33	1148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4304	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1148 wrote to memory of 1952	1148	SearchIndexer.exe	SearchProtocolHost.exe
PID 1148 wrote to memory of 1952	1148	SearchIndexer.exe	SearchProtocolHost.exe
PID 1148 wrote to memory of 3440	1148	SearchIndexer.exe	SearchFilterHost.exe
PID 1148 wrote to memory of 3440	1148	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe
"C:\Users\Admin\AppData\Local\Temp\a1e7a79001d7e3fdd1a20d4eeb9385a37a337294cfd1cbb0d1a82674c7135717.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4788

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:672

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1952

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f5569d6c614a7e0d9dcf2d93782a5cef

SHA1
094deef2af5b9a9a6821fe96325e6e57ea6d66c0

SHA256
29fde972cf5e2b0c8c9d624a4ca31503be98c313f3dac3933ff65ee61ab91e21

SHA512
3e395d7346606146ee6db759ecf7769fff228a3850440db1fee5d5a6c14bec39611983adb6a927d058911b54acfdfb51b564c6fdf365ae1977e35da714fe3fa1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
1aba8847bf9d2f8d825097f2b05fa205

SHA1
b62b5b435a4693dedf74a3be669e4c53b1d6e08b

SHA256
9082f6fc696d2b76c1bae372692e169d024d835a791f7128fa39f5427be6b593

SHA512
96aad92189739c87eb4c8f94e8edf741cb521e95f822b05e4ad4b1f23131f648a63ce34d99c474fea108049e2abf0f9f9a1aca6a739ffc6cf71ed632b4112d5e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
7d3755b15dc9ad88fde10db3f344a874

SHA1
02d9dc5b96cbddcf3ab0e73742f08ff44572d61f

SHA256
5ae08619e70bc12014de51aface611899bc3b18a7faca183a6adfed5a0c680b9

SHA512
ccfd53f340429b7f42a02d45c45606b4e0044a26ddc1d3bafaefd7498edea61f00e7af89a74723557a5061d5bb989397605e3f4029957e21182d1b0900751c63

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b93e278ce2e9ac49ba0f8d854a56d27f

SHA1
574951df578a375d1287cef91c224e3668f01504

SHA256
a0e68316b9dde1d25509423e9c5a27d27a2d0eb0d8c3b0e40da88a0591813bc8

SHA512
99c76f101b62eadba7aaf240799d295dfd33b77cee56b8f588d098f8bf5051cc78f4633ba13f546226da647f8c4d46a1382f014b5ac838385a53314ceca29612

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ce1fe84445e484905e7f29e85bb3fbf6

SHA1
213e25959a148981e89d012d70df138655ea9abd

SHA256
bcf6f480937867dfcd252ca60b8303fb51069b949a53a54cdcbf7149b5b5b0b1

SHA512
f8adde7c5acc9926bf8ef8fb16fdae8c5aa400eac607d9c11a71f238e4e2c43c668afc1b38412f9d8df7910126f575d8e119caaf5ff624ce10ef9c243f994b8a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
84c2a9c2433b0208e801d5b0e337aa90

SHA1
da5ceedc380beb9a7c3a44dc6a226cd1ebdb82f7

SHA256
2bd889570ef2acd45456177340b03d6bbfa0474034a8237e31f03587e0f92e10

SHA512
d7e21a41bf45b16e93122738849dca4b87ad65b66630b46c3a7f19a1f3480a1b82d872cd185aafde36e931cc5e124abb5e2bef4a290e399a706ac4cdff291e85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
7463b367df72f30a1a314a45cf562f71

SHA1
8190fb60c6883732178530d8b5e1796d27e11731

SHA256
80e8cf49eb96eb252a41c43989da2df0aea3167c39642f0b415da420157646d2

SHA512
45c23128e44ea6d616236ee7040678c91641f7ea93d4a3a58ac531baf77f74f4b973507785b69f9ad40650047721269b1b67209eb538cd9646fb14ae074c4348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b692bede04d3c3c150ebde634b7cb1cf

SHA1
45441b45954e1cd23f3b1548a2e0bb5c31d26a88

SHA256
47790f267e86120afaa9a836283cb418d90b72cd84fc27c4153b22903d7f8c32

SHA512
3f2ed68f65957eaa575ba3d2d9b9abb7dccb0e77fbe597f545f4309291970e09078a58984221021a27fc6b92e2ef0ef158c56d61ee71b78007ad1d2d8b86f9d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
c1a77be89eb2d42f2930504950dd9941

SHA1
0eff98e9fd06bd44dc1bf6b644ae86d6c4581603

SHA256
7fcf7e3a6cfefc6aa2f4d0d50a4dc8d5032bac8e021a3ca57e8a19de804d9299

SHA512
59d5e6bf750f0b2aaee3e1d6282d2726b09d74283b67b6885033cc3755d14918f7fdd087d6f62c1fdb06df6f82e43da25bab31dab94d0cd13321c90fdc6503cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9503bc8605af15a4f54e7d8d0302d94d

SHA1
eb343419bdd091a17b51bfb90287107a68c63026

SHA256
695b84d93d7fac5f98733742bc112cc955cdc81a8fd77e40251e9270b7572f60

SHA512
d5eb71f0bd96b630551ef11983168c5e84fab864128d0575cdfc66f5939e3de9eec812fdea8b8eb60570b12268b4aa329729b4d447504e088966fcaef962384a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a1f82f53e62eb0ac9a388e860d333d08

SHA1
8dd28ccb002b023f6c2dd21e8a2bad8c2a349a01

SHA256
aa88f13df6c1595724db02ccb3f29c01cee7c3a190dcc85d23222d472ea2bda6

SHA512
ca20168c486c77a18720aead2fe5d8034762f653c06b614df86adc74397cf5d36d5e07674a8072752baf80ba142873b1a2c0ac82caac3c74eb83d5189426338b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4c90d43d34ec06b098ef48869ea4ae30

SHA1
bedf2e3d7ae5285136d6146210335b6c8c290eaf

SHA256
8b2853b90438bd50e47fae9871261a955794867eeafe244f474188cb7001dd11

SHA512
2f02267c73b309525773289db324d07142b5048b94c41c0eeee5d3a0a603d5ef1b8e00bfd5b1ec7df74786af261415413e37d847534429c4e73819a2c7327e0b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
014d24aa8184e87ac6968c7009fdc65c

SHA1
aabc7262e0f582f3691882086571338b4ddebd6f

SHA256
d38a7ccf36db4b82b161549daa17b9f362367896346600db78fe1dd6a176af4c

SHA512
b095725be8ff21f1ec5597aa8a682aeae28c004de2bdd10632bb74f93656449d9db6260d7282f2c4e7e45d29a14790fae4c60fd2e0fbf722fa56a880342dbd41

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
5e13fb12039eb2306fd5ea97379dcc40

SHA1
5253a2bf09778885f3ee1e2e42999df823caa806

SHA256
63ce202aacbf89cfa64ae385c2d261b689fa2b36c148adbb1c0fa766a46db347

SHA512
9fb0abef0b5952c9bfebb1cd90a24bd46a0a7a14586c44070541b9ebcac21dcbd1a32a81784aa1936ced9501b93b927d09bf146dec6d0c0ec8423a24fd030997

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ae7807970cd28dbecaf2f488c0e4ebf9

SHA1
d63a72591ca40d38b28c40061f5da22af90900f3

SHA256
81dfbbc4d15c37c6123765a7de276768fe61d26344eae45608d9c93feff532b2

SHA512
2466030e0de6a6f19c48c8aecc26538f6912ec608c43b2ae5bdbe634552a0120cdf77b70502edda2a0d1a8e0ed1a9141cd2babc8684d7a8144f5d4397404a7d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
54fa13aac86db8d3af428a592edd9936

SHA1
5eaadabfeeb3796d6135f2c798d570a6118dc0ca

SHA256
f534063c8620ef1083847df2d074f986f15ae54dfe67f152589c0fc6b85cd3cd

SHA512
1dc3a48908557f53fd023fce97ad13620e66eccbebc6fdc5a2b29437a08c36fd730b47236986b8f1c274e734b4bf3e4c9d5830d89debc5e5a1a46c1c5a5dd067

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
79f8aab78f201ba49c6ef4c0daf62b64

SHA1
367b8f387610573d2005300208bed779f4519f93

SHA256
2e09169f17d6ef455e25659a570309cc4d6114071caeb1c611fcf4f029980572

SHA512
891a8756614c997e0bd756d314cc81d24bd3e532d5b7ca3adae3d5a318d3fc875b215983255f7d844360c3e6e9340e39bd18d8404a8f501e63276a6e14a68c44

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7a4e971edba6eed8a5249f96b5f268d1

SHA1
758648ee75cfeb901d60e9367f586a898636e3be

SHA256
06382225b9752ba2b24c3bd90a2db6964b1e13173f9c9d76bf67eaa45e75bbad

SHA512
1858faae906722284f62da4c97ed53d3ccf3bbec94cc13b9e80f3e3218b6556a6706f6c9b5cedd513ace759c50f39b373f1769e14741ceb70ea5618385e906f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4c1d18604b62cd124fed3ff3f0e085b6

SHA1
3974285225e4b93205fb527a6694c117fdb07716

SHA256
10da0c8d7be812be91ed87f253f84bd9669cb1e2437449a933d664c87df9aac4

SHA512
61bd56e2488b5dac689a36c559ee6e51416720d1e47d5f424d0d14fd904c780d30a4761a48640bde63ff61221e728ac1dee9fc05d687257cd62b78994bff70be

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
ab3e0d944a64efeddb03310b8e5173bc

SHA1
5e5b84862a2df05ef609e726323427d9fd72d4d2

SHA256
012b04cd16f7eb98347dcf5371228901c7b851d4179cc4ee9002d40d6110832d

SHA512
6901b971017b354a5772e774e9c0b6cfd8351c9f3e4dd4d280a89b84a47c81bd138bab69ec0aa5ed766d2f32e5aa4a043a1252517120788e438e575a6f3bd58b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
6c7fdbbeb38895307686f9ae0275a4fb

SHA1
cc8a385fc371eda94e0752014f17c006b5d31dca

SHA256
81739022d9bffda53caf07b85cb180737c1c2c76e6c14fd94574a610e807842d

SHA512
f962df55d9e7547b359ccdd6d6c898ec43a5299d5e81d0f2dc91e085153b08d3db40f34fccda847dafd83209a12325534e8e64f3fe440cda1fcccc2e30c3a35f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
fe33dbfec60c7cb0cdb0235c95116aee

SHA1
1c02b6657537a78b1101740bf96aa8e757377d35

SHA256
261680cb1ef76f2352c366dcc79de4ad4009d1427af9020fce23b080d80c4837

SHA512
4830512ad7196e0dc1c7e0768b0f218feb168876806feb75572c5e02123b84f473186e0df988588ae6025ec1786e9e35eaeec4367bd5f7e4c070512a3c1bc18d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
b32ad1f28d0238a3121ee4e2d4e2e0e5

SHA1
e4082e9c86e7fc8e2bb0ed9cc4fa69e8f8590ae3

SHA256
53da7cfdb49aa6a1b018fdbf54f2d1a32f67b0d772147556ca0b84d7ad0259b7

SHA512
6795098528cde00cc230d20755955c699477a79af2f18ae36a518f3994f9cfcb461086f1ffb02c67ae999b20bf8f3243b7440f0dd1eaf6f13d75c6921661a9f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
da610ef7f26525a57a7d2d8f654890a1

SHA1
b3fadf7577b05b50a1c224fa9fcaf6d7fd57482c

SHA256
2975122b803e22d85439bd9ed3bb2e8a2f4ab9ac12a645e30470f0518928582f

SHA512
b5d6f8a47ecbfa529b627cfa412f08c2a571400274bfa31f161438543310408cb480ed183c0fc28f172aacce71ca3200416455db87313e77ffda2ace2344efe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
cbd1f19793c0f07f3f14d3a5851c1236

SHA1
d55a07214f5d2f2c2ad27830d0eef100cf1dc1a7

SHA256
a867745e15728f134e49c1b51be462bafdd4370f8462bc437f80922fcb12b2dc

SHA512
a609dc56ec04573fe5cae72e96fee1d40466537befb148d168a8f69d634a32627a167f8e6d54e424b9faf5058c8bf12610b945366c9acf8336488645a03ec352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
2e1eca9c522a812faa97185104724085

SHA1
9d5a88ed7a9e447fc9da45e386a6aa7d27b4ef2d

SHA256
9bed81585241fea5b5aa35a605f077ebfe9918093fd04dd154be5a5991ace9fb

SHA512
6be26d06f2fc9441d871cfb314e73599cec1a38d1928d0c22ec67bf4cb657a35a496b64ded1189a5ab93f3da254c6e09c8e043bc58361529d57fb92c6a05d21c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
833bdf7ad3e210ba6b8d3282e590c890

SHA1
d916941113c7142aced520bbb681a5b73541b70b

SHA256
fb440dc7a82c18f3f4252f1acdba03fb3df8003431a8235e200cacd8bde380f3

SHA512
440df6c8a17e7c531eb91ba756681d809886359583e87f80819b5af3123084e6f17521e7a512b1484a8a32d0c9e0c6ffa675371398ccdd17e6e23c66aa63d95f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
41427bbe8ff33e17ac22d759634655c8

SHA1
76f67d7e642349e283fc121ce0e6a96c31c3c6a7

SHA256
d598f6d9ca279c76f7b2678d1ed51afa9163c7d2f2dad6628ad1de595e9ec847

SHA512
5e35c1d32ed06dc8f20f207f1a06998bfabc9047528cdf17b1974220440501d6eeb315ba15ca5f618e145668018065f12e046a90bffb503b9ddf2e5196bd34df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
8a8e018bef98923ca93709de2b1dfa29

SHA1
e61bd89117a638c6ad3f646f0c0d1ee73a3856c2

SHA256
6e13b37d19c7728988adc28ce744cc7f1cc140044648ac13a99f4205b1ca6be3

SHA512
6891782d38cc0f63901176149e00b24c16341fabc5f91b0b4410824eacf63192d405ec50b6918a6069e433ad1fec327d7c18c9e7de409c4230c14a001e375546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
e1b25a8dbbf3ed712e1a2f90800641d5

SHA1
c32e204d4601c1a6ddd742242ba72ce827b8bb62

SHA256
0470c4c0d3ddcd3ee26be649b022d1a6a86d54df2f8d770836ba41de4b6fbbc1

SHA512
f47c957c4741fe5b1cb2aac70cbad1f9b69d9d27a2db8804df98c345c3c3a14d6be1f6a3fb25be2f2f6eb70a40aee7ee34aaa6e01cde0a3dd978e96f4d22ee1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
85223840d064d85a56fedb66d8711ea3

SHA1
d18759b830d77ae48e0f820ec361c01fa6c503f6

SHA256
f6a4c03edf8f81ab90fcaca2567a1ec11a24db81dabdd6968cb61545e93e9f25

SHA512
99c2de06379b351c4018d13b5463eb3520d9a36c8663671c59fa2f7a5597d6d1385b95105b3fa55372beb1b2750ad44c90a05b3b529452f70295b1ef60cf0f83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
daaebc9b3162d7d4e9333b801356c3a6

SHA1
d0dfdf6eac347d9aba347b76d40ef920fe5ac0c3

SHA256
ef67ca3ac1a7767f375acdd657513088b320850835e7d72aaf7c62394e6363e8

SHA512
18bd2a143e8b14d2c9276869c509708075780ae580f75664c9c210839c665795840b1f150cbed60310c2c76ce2ddd88726c02d243ff1f5648e81affaeca15e0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
157f5f5f6848f4e3a7118a4971106ae9

SHA1
aca54ab54156d45233461dd9df709febe73a4a7e

SHA256
a434215af65b916b213079ae3d25966721386956ea7ab7fcca5958fb6c2a8070

SHA512
a1b4ac43832c02a6a924629266cc89e7e414b7a8eb4277d220b7bacdf8fa68e633725737aa682d4185bb690a03b5d484833ed8b47251e6bb78a24d7ab7f8eef2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
f6f4e63c967572db83184c865f498335

SHA1
db2745ccc269b8f269d57dae241f522a978d76ec

SHA256
25cf1ec3f52ca2e4ca3e999c02b37ee4dfa758b802f3d4324f9acfc3085fbcad

SHA512
94a1d4a96055821057041a44c42714dbe6dbed8ae1b3d41bd2f7e46ded0b2ccbfae14de361379f7ad32f83f249a27d1bdcaa40945b4adbe898a3b5da13429823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
01d42635ac9a3bdda85cc04afbffc3cd

SHA1
2adc32dc36ed90ad030c32eb3f079a544198cb66

SHA256
ab94b33aa3e4c244231d03b3b1bf510a7a8bfc30a36f3cb8cda98f8ef9bb9c34

SHA512
1b876c2244ac69359889e99024508be16859c22d4cd669fede6ed66f67bc1cac3f6ff474bd798254a4c28b2a0e731a64dfd20bd056587aa66da33787efa46acb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
817ba8036bb34f6ce9f76160e1d6125f

SHA1
7860e3705461e4bb303d2e810f67023e6c753a06

SHA256
bc732fa4a528395bdda1afb9c1c1771f9a3ab4fec9ccc48ea538d555e61883f8

SHA512
f9137960bba067aa7e6936e1036e497a70be042e50e0e3a5b4089b8056eed81911695c1d35384f84943270673bb4adee2017ffe4c3d9a2cee89de384464c5db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
25c28c99f3b6d4cc3029a145fcb3416b

SHA1
78541b78e9bf540005125ef6e342a9f137009ef5

SHA256
edfecc62df3ad4080c92a5be8d298b70e6ef956585e64890b0756415166ec20c

SHA512
2c1750d47ef3779d2e637955df9faa9879c98b6ea51431c76f43bb423cf1254eca459fbdb34b0d0d8f652e9a4d16a0f23ba2fca9f81cdd6ecbe71f02f7aa29a3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d9cc3ecdcaf2ab7b05a6e576bf0039df

SHA1
9ca3c09e9224614cde4bc4f1ccf06f515699caa5

SHA256
aa67800f641b74201e69fb9ef8d546d5fe7ef6b9ee7ec7329cde8e2ad706c72c

SHA512
c66348a84f1602ee3a326c05d695698d66dfd980b597b73c5d54e5c02ae3680874de83464358705f2c815019cf3070f7bd0a56cc7f1e767e5a3348a27fec3540

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
7d91883c8dbe47510fe21ce5d3c9c608

SHA1
f62f2c9bde909e034af1bc55a1ac3d367bc7884e

SHA256
ae65b7410287ff8afc8d11a6538b6ad770d2091e82865021552e07d327208dd5

SHA512
899ed5a74a07e96bf861a4227622d12bb960299c1d86ee6059ee900f0e970b2cacd211d1cce81499d04dcb5aa34515be439a85043055423d245af5259e99a0b6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
90d4fe58201a8c37e11dd2be1320c61a

SHA1
dc0acc91476c9577936e4edf9077b94bee7d34fc

SHA256
2f70f96e899aedf78a2896dd585101052150cb88aeebe65b803984906eed2cc0

SHA512
db9e8c704462378fc9706e4efc5fcd42e813779f9b30c489cf56bec3679ad948859eff5b2064849281356529751ebb70549b84fea9bb8b09c53da29a877664a0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
775ccb63c46d3d157fa499b0bc4c6d60

SHA1
3751da036acc389ab017dab87699654e3ed5d3ef

SHA256
7ef6c0d5af61684cc732c853b1806d1779e2075bbe50ab0543c0a1fb3b108392

SHA512
4b88fb23c91fcd29d95084ea9f15d6e6a802f9061f304c06a18a297284166de03b5373916aa2b4c3e0460143399b5513582b385d0fb538f0d58c33560a9108fc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
750c2b04273968f4385c604a278c3ad5

SHA1
8dc17649d7e5c9798a42be45d3ba558b6bd21f7a

SHA256
421a70258f57c0c167e05e563091d98f74464a2c3bef978574b549326e2b8202

SHA512
9f49d52085176abe64e5fbc6b0b0837026b98783dfd7a807a6d9d58e452285def66421855dd5ed2e23542c26aed82956efaa8dab04b2def99ff987164cf1099f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b02478891446510e46b8be8eae0c83d4

SHA1
b953698543abc8013d31919a2237da3020d848d8

SHA256
371c544c30aff4f1ded14d2f92692750b44a4735ab3ce277a800bf6b9d84c8d7

SHA512
a8a32f5dcf77e167b1748e8211a1bce8e3d5263c9e9d27940cbbbb503bf93d9d667c6a3062300f64ec2f1d59c51460339358703f8b89f633190043615d0b7744

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
86c3f23c29abb5183818a9b4210410b1

SHA1
62dfd75ffeb8a7cac6847c52b2db6379e2924318

SHA256
764b7b532683682adac16fea1b9112164613fd6825f2cf119d3fc58fe6ff40a6

SHA512
91db9bbd1f78ccefe0e00e8ee14016b2c592d81cf636b32e6d55d14dede96cf6e7cbe83cc185d6013aabba2c13b7719787de5e667345486d8c9a1d01cf361ae3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
a1fe4ba7d35b8e30a0e5cdf1169ad7e3

SHA1
4f0474a3072d6264a303a8217a029c029c04ab0b

SHA256
4de3007a2cded003f771dd4d8061ad84d5863cf2bd7eab988196ae6d6b393daf

SHA512
de146012aeea53390125c2218e99d206c39201dd7cf1fde310429ae259b13a9e42ffaa83671ce3ed3070712d4e37eccd90a139ccef42ba6e3577b44766032650

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
ec8a8e088d4078b2204e02d63a43fbdc

SHA1
2c426fa47892cf3c07be291f4de9c7eb07c523ad

SHA256
7587940e80c7328c1dc086a610832b29cf5f89e3c64c83c5fcee55e103e03645

SHA512
93bea63754eb376f4e8b3f86fedbc23f9573be93688ed45abbaaf65163a8d571085133fabba69e35505ebda5f72721d60a6f7852560aafe98a4cac0eb3592314

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d09c686d2be6aa025ba207c8073f4e5f

SHA1
0b878f40dfbdc8a4e3a470a5ee801591c15d7c68

SHA256
b30a46b497181f0d15c8d53ce97547756bf2731730e0c17aa326f70e3384d41f

SHA512
2af6ff7a47e551d4f5977b150683e04c683f7a614362ca0cc34becf429f422f8dd0e24aa00945005d422a9efb42d396daba24196de8ebb008201d351f6d2b29d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
822b589b8ed1b7d0eb0abc13faeb4898

SHA1
547e938eb3edf78282c9f948142ff69ab0d2137a

SHA256
7c466f75421debd47bfe6f1fe4460c6e842f6cde09463c6bd3672d9b19af5ac6

SHA512
3ee2218cafb88ebe4647c80c944d2fe6854aba1792ee498ddfc80adbaf121dd64518580bf8a2758e02800aa905ec9ab0276090af1e64ed1ac2639ae094734941

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a14c2aced250bcc6a9a30895930ebe2c

SHA1
190ea328103e6ae014383c34bbd0b08086c3923c

SHA256
0f15f033a360c1fe317e8fefb9c06f5c6b66fdc6693cc31e38cb5e0fb79a32b9

SHA512
f98b0a17b8ceb5f59400762de04a02b621d46aa97809e574ac2e9489c256e311f2749f8193640eb9da5ac7c844e73925fb4407a3065ceb20bf9a3d7db645f6a5

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
70aeda02c4de8216804b13c1d075ade7

SHA1
0dba7cd8f675dd11df4176f3aa52d0686026ad88

SHA256
417c685fdc228660c660e976d585d78cccde84ee27468bcd2e42ad05288b15eb

SHA512
9fe5e132a1a5f4a487afda7a96c74857c1375d75a8ec44e2bca7aae8e9a0de79e98214359a164a6bdee3435c786ed8056e14b8328c2471b153c33afc4296c2b6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
615f69d821064ec9afbf1ff456baea93

SHA1
1dc6e463441fddf6a9729a3b3fae2775caac94b1

SHA256
bdd91a987bcefd7895e8aa6ee9e419408d16ea83e5b1132f22ed4c414228d5a0

SHA512
7587ad4992d0ec48dd929ee3c70dc213798f849771e27310bd081ce8cbe4ae8ff199e7b2c5e6d5b914f8f64bc0352eadb611c150f86a4e811a58588811b31998

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
7fecfa6d443058b8737d4c0791c303d3

SHA1
cb0296b9510380405d0ac195416998b130af8ba4

SHA256
d0b800041744cd19bd7b472ed870c3c14ed2e6d7c436f3c8d71952856b40fe4e

SHA512
6abf4702d945f8b801ffe36332ac77609d07ef0bd2a55d4e3a67c375d4b9cdfbd248d85fa3e4d4a85da88fdb533cbfacf032771ed5d145ceb534b5f70e91b63b

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
ccd4cfd02aedcc7773ab63ddeeadc519

SHA1
b503f8ce1156f28b327987188d219ecee1a286fe

SHA256
d7c26ad9708762bf4201ba413c042b6d68bd3599580f86a661d55246cbf3a388

SHA512
8605ba186c885088f000566e85fec6b5853c3a644703b8ea56b7d013b945bf3f591f1addb50d00d9f4b7a87325b58e92c1d57674f8f4e08bdc4a8ebb3fb6870d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
7389b06957b7d0ea5e91b2004c2bc49c

SHA1
3ffc2b4193ec3d97d38b8fd086efeb15a00faf6e

SHA256
de0764e9368838a8cad97f1e6ca57bfb7da2bd0db9b6c514d7cf65b4ec3aeaf5

SHA512
a5e7891ea0b9e24d59443b4ed9c0d5b69572b7ee63f5e41007544385d9fc21cc080b326a808cbd53d6af55029ff8407e74986dd5467cbb6adcd887c3e30e27bc

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f5a75dcf9f78cd11de04590dad6331ba

SHA1
c6d7549d636bc37824dc398c00be36b64b68c593

SHA256
73d3a328c5a0412ed9d8861801edd14980623b9025e5c07bb012e6bc82d34189

SHA512
dbc4d6d9a9c313c0c8053460343f21d4cc47e6a0109d7db23bb634a9e3cee26d78a028738e48fe0586f945b8092dd8df0a7bba33c2fcfb5f6e337efcf3549187

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
b34075179ca8c1bf9e4c62ae13ee1d4c

SHA1
e5ef3a0634cedf60847dae56d1fa9e7c1e68d896

SHA256
b8e1bea440b4e61ba408e1d40c42d00b8638de5cc4fb3e3f6e885a645896515c

SHA512
8331bbbae65bec5df0823d91a18b197136086143a2a943460cd2dc214388b02549db7e5a7d8c3f87934d1db25485ec13a6910a2c19e035b87bfff0c50e180e7b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
0501ecdcd1c8068fe0d454dbd6bd6b0a

SHA1
8db074daa528851044621136133469e0911302ca

SHA256
68fe20a2a03521e59834a1a74ef80466e89af20482efd0a79a1cbb68eafceb28

SHA512
6f89db1acadf8899af411183df89f89827129d43e652d16ba098965940edadc885e1c5daff49a91c24522fe5aa63fad83f46d6c304e7c519c1bd0f60844a9dfb

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
19fa592a151f22bd19c68d2075a11d0f

SHA1
eee5da0b1c84241c71a91de3dfa04e93917f8c5a

SHA256
adea63898b7efa989be1d8faa026bb4f883f6763410a9dde3debb618f0e67af3

SHA512
c4e2716a9b2e7d006d8528ae22cda3b4003bc4387e253bc4489e73a8e5076de25e6ec3cfa6e37ed0e5d098c19996ebcb55db835f83151b6115adef5adb551d9d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
0f7a470d7540e136c0aec1d1694c81b2

SHA1
9416ca0b0d7cdf617eb346f4149c3cd2a911c684

SHA256
24e364dfa214da95be355daa5a476dcdca8e71f7d892347c5a3532ba4b8784f8

SHA512
a03f0ee0d69eb3d5da1f3ce8f21ad0359a461eab175d2011660010056689ce83ae7b720b9cfa870605e560e7a8862c9eb8c87de47488fce226cfe5929a5b7785

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
419250ea9e6cced44caf0a5cd750bd43

SHA1
07b8ffe790238744c96abe066e8d433a82cb5b18

SHA256
eef2d0664a53a004a6dce442c84235f94c51c25d391a14cd8fcf91c91f910bea

SHA512
3c3e7221d37707cf0a98b44490213f1d3617378ca23d8beeec1a032816c87485a05af9dfe9dcaef2d360761bebff4a3b54859adda2656a07285adbb210c24ad0

Download Submit
memory/212-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/212-2-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/212-508-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/212-172-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/212-6-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/316-319-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/316-209-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/628-296-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/628-192-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/964-120-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/964-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/964-126-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/964-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1148-814-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1148-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1312-812-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1312-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1420-259-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1420-805-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1500-798-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1500-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1596-809-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1596-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1644-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1644-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1644-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1644-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2508-804-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2508-248-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2804-148-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2804-142-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2804-152-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2804-155-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2804-151-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3468-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3468-118-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3468-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3468-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3468-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3468-111-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3468-105-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4304-196-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4304-99-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4304-101-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4304-100-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4304-93-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4380-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4380-806-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-737-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4404-223-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4464-181-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4464-292-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4468-166-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4468-157-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4572-813-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4572-328-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4788-771-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4788-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4788-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4996-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4996-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4996-195-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4996-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5112-198-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download