6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
Size

1.8MB
MD5

1a07a939e7405aa79774911c9aab9e8b
SHA1

babe6e65cf536fe78e9f63da7ea8b5161d464184
SHA256

6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2
SHA512

b6e0a4c7c8d2a13861e472216a3d50fa3de3267d14d5ac8416557039e6e7d67dfc4153d01dbe3b9255fa6a8a14a5846f3ece410298dde2c0c8e782205700d1c0
SSDEEP

49152:PKJ0WR7AFPyyiSruXKpk3WFDL9zxnSl6KFdi2Ga9x3Ek0V:PKlBAFPydSS6W6X9ln0HFdi4VEk0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
556	alg.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
4160	fxssvc.exe
3796	elevation_service.exe
3020	elevation_service.exe
2344	maintenanceservice.exe
392	msdtc.exe
1892	OSE.EXE
3344	PerceptionSimulationService.exe
2412	perfhost.exe
2208	locator.exe
4328	SensorDataService.exe
4152	snmptrap.exe
1468	spectrum.exe
908	ssh-agent.exe
3152	TieringEngineService.exe
2932	AgentService.exe
2344	vds.exe
4188	vssvc.exe
1372	wbengine.exe
3176	WmiApSrv.exe
4512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\System32\vds.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\locator.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\48adc31c8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_de.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\GoogleUpdateComRegisterShell64.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_ko.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_ur.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_fr.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_ar.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_lv.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_zh-CN.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_en.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_te.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_kn.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_it.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_tr.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4650.tmp\goopdateres_ru.dll	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000464fde908aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047bd13e908aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e461de908aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096f9b4ea08aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfdcf3e908aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85714eb08aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1132	6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
Token: SeAuditPrivilege	4160	fxssvc.exe
Token: SeRestorePrivilege	3152	TieringEngineService.exe
Token: SeManageVolumePrivilege	3152	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2932	AgentService.exe
Token: SeBackupPrivilege	4188	vssvc.exe
Token: SeRestorePrivilege	4188	vssvc.exe
Token: SeAuditPrivilege	4188	vssvc.exe
Token: SeBackupPrivilege	1372	wbengine.exe
Token: SeRestorePrivilege	1372	wbengine.exe
Token: SeSecurityPrivilege	1372	wbengine.exe
Token: 33	4512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeDebugPrivilege	556	alg.exe
Token: SeDebugPrivilege	556	alg.exe
Token: SeDebugPrivilege	556	alg.exe
Token: SeDebugPrivilege	3804	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4512 wrote to memory of 5012	4512	SearchIndexer.exe	SearchProtocolHost.exe
PID 4512 wrote to memory of 5012	4512	SearchIndexer.exe	SearchProtocolHost.exe
PID 4512 wrote to memory of 1680	4512	SearchIndexer.exe	SearchFilterHost.exe
PID 4512 wrote to memory of 1680	4512	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe
"C:\Users\Admin\AppData\Local\Temp\6c75c4879e0e05408b30871d715cf8a493b0efd151d60daa2e2ce6c6be1037d2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2136

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:392

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4604

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5012

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
b2635254a70c98f6ca70e4faac12d907

SHA1
797443fa5a97a2e33a09aaa57c68fbb60d2a622f

SHA256
e7e8008ba6bdb04294f07f328aa3783a93a21c45d78782c11439ebe82bd421eb

SHA512
e1a29899ffcbdf1f1343297ed63ea5775aee7415a47ce1f2a09538e7674502792f866f2f773236b94b88519d92bc5223316fec0b69b9492207d92ff70a0ae942

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2ad63eab2ad48b7acef82a48c28e27dc

SHA1
cde9779852cdf9c283d99f2aa8c15a652074ca5e

SHA256
e52ae27da82823129c790bf21ff7723652ea4eb238fb4b5f5b8a6f43972135cb

SHA512
d08a783798d58706948b8fdb444768b42f9200f3046ca59091a42ca6f8e6432f00f0001202291145bf03bb6ff27ee91aee375e0fd60414943ac5ab176c4a852f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
a29fed98098a9c4f0222e0d5b1ed846a

SHA1
35ae322518cfa4f2d0ba992dffeaff6ded858a11

SHA256
72a67475aea9d3d7247d7f1da2665e51c22fe24c62f733a5c1b0e1fca9348fed

SHA512
3b86e0c4d4feb0580ab8f459e23d4514aff0b7e35d2ac71eb5632b54995f1259999c42d12a0685c0116a68f88f07a734b20516ebc692f1208b4dce33e98516fd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
d3e26ac7c793cf7fba64ac5f243649ec

SHA1
34af870cee4c5195fb361407c24cb8bc18737491

SHA256
5157396f5a64103bfbef1c4ea0959576dd29ff6c3ced8dd8a0b66450a6f1961b

SHA512
9ac9a3ca1f3ea674537db4c83fe9187b71a328544c233d11527edd4a01ab5205cc1fcc145b73b02449533b0dc42068edcc6e64b55a4742ba7530e4452bdd7d76

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5d2efd6cbaee3ef0f8355632e8edb594

SHA1
790b62a2e5690961f3274a658371c1cb33852b1a

SHA256
98124dca7684d6b067d98e0f1004ed29c895d8531e167325a60465d66557feb6

SHA512
2360dacd00ad85f263556e590e6d19bc9155fc885e5ea684d93f778baacbb6f02dc90e5919a83685e5563a2f1adedeea8b1b58e5e94ef409d04d9131a430e913

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
5f7528a712b9e70de962646588c5334e

SHA1
00a6b632ed948d29ec8e3c7bbabc63b91e273497

SHA256
22d2e44d91c71c33d79b8e48f2f4fb7407fa8456858941ebc77eb5a6a482376f

SHA512
3362bd34a822220d44b237c395501078e7a1b284ed432fa41feba5bf94dbad2284d8008b8e8db6f2f68993e87540f4645f54ac7deb9b47d18b0079be589cc8df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
a9722d678448b89affa735d9b430a6b6

SHA1
bf2778746c87655a417d639e2ccbf19c4ccc6797

SHA256
19ec6443f8244391c0a3a7b77198a4b51ab83b4d87a0047e20a712a164b06cbb

SHA512
faf1bb477dc6b6b75e98703338c694b5525bf5841e306a3aabc3604d86b56fefc70b4a8a93e3347fadc60419672ea0992e8bfb62fce20e707a6128ffc3c9f2dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
349d91807019e9d40656406f2bfd200f

SHA1
ba2bfd17bf419b5b1d59be6112041944ce292d20

SHA256
24cab38f4014dc9df022dad692fd55b3ecb1d189de2014a9b514f5729aed8510

SHA512
1411415b25d484f1345d5b54c7851065a33e89d9a15f13edba5b60672449c5502f1c5cfebd726ecde65278a0937c80945d03e9ba64777f3b8bb78b6be1481055

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
3b5ec066ae8d7421a2237624d7f9491e

SHA1
54feede6c014c5c6a054a4476e69d224a6bc3d87

SHA256
90baa3d2976fbf9be65bd11249d7e162a9df39dc57e33408e04c586aa1c6572c

SHA512
7e26556eecebcd4ffb15d594584d3512cbf9fa300f8b6821a118b4da69420e3f0d397eee69751282eacf83d1449efc38ba000229fbd416bfba04bd75257c0ec3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ea2dd61d5ce937a664dd309dc5561a8c

SHA1
e828e4b493c9d577327ad21e17a4eab4ff0e1e1f

SHA256
27f31022e8f41257eebc6e74ec6e37a295fc4877638af0ade49b3669d69a1093

SHA512
cccfba1f43478035d3661f088bc96d39c3c9c579b07132723f473e6b54b3aac94e6bd4d7f118e6dc135843820600aa623087ddb6bbb49fd89ff9ad8622bb17c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c59e7144bf4cbf48f5e7d6b7d205693d

SHA1
7bbd1b16d43bb7548a140c108a01188c11430c1f

SHA256
266071c30d4dce94dfe8bd44c192a6583b2681bf5c80477479d2e6f05c3c272b

SHA512
cbca2051aee048245d62ac33854c46d06c03ea0954173466f3258002951b72c2fd694816a0ced3743a0ac8b7ee53581f5a6bb5ca7b1deed10d92ae2e7985a83d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
11d12fe312f49c96a06d5e00c72b84fe

SHA1
ea6727bb7e8945d87b2377651cf5d8d48e99819a

SHA256
54f61bf8d76bd0d75ca2e24d29ff31545058029892bdf7e4068f2d8e1540ff4f

SHA512
e2329692a8349fb547dc9b62336c9a31836fde3d191c809f858892b3b8767b2f15ad7504d3f89b1fa288ac4af7f0cd4e29b2e623f27bf9c13dcd6f555d2f7d74

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
a3caca3beb3bedc8cab734da7a0a4320

SHA1
a2d3a516689b27ef65b78a95121210aff88bd29d

SHA256
945efafbd37f3267f5c37674a6b9c9ff1fef84d2c131929ca444b8653a09d714

SHA512
9f5e3d310dcefaa43de9270771389c5b366ca73eb3d30e473da295576a2339fd877db9e22e8464274df305570cbab09ec1752fa746b90cc7ec18051c83e4c8d7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
fe4c05053a9cf786998ab6f909ed841a

SHA1
1a939827144f6b6a2d7b5219a3cd6df1feaa1b6f

SHA256
228f02efaec98c139673afabf5ddc626a88d7af9b9c6809ec0588b7814da2bc4

SHA512
49c944e218fd710baaf8c23e6d582259a936f1127192a2bb420cf63de6839315836f8dfde4841d14b08236ee2b83e314eea37876588a6cbc72e750446b9bf14a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
5829c44253450c2481b980f17dfe90e8

SHA1
7e3cdb51a13924848277851852937067d30fc07f

SHA256
ab811bfbd3f5424c4b5751d1cd22bb70e955f126a1f46b07fa31c383b14c3c82

SHA512
032b0d4c2b4258cf7d5ff6afdfe767b509bac2c0222a08ca691f797206217a4c5163fa415d18c41465076bb6803c441155ef8368f5262f5faf150122bc92d8ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a70516faf62383df22340e00653b9bea

SHA1
2f62a49dbf379e06dc1f134ac6ae4d43cbd0b86d

SHA256
95e9d1fc7fd70d5ac3d3e822bc1acbaeb9268d291491ca0e5beec66413f98319

SHA512
7b521a73922577f3755946ab364395788d38c466afc5373159248a11c8e554aebc21254c628973205636948e1ce5035bc3e83989b75251546a6b172d3f75b370

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
9c3f4a8061bcc266d428e2506ddefdf5

SHA1
cebd03371bdf4d34e95a7ff159a0fbe2455e630b

SHA256
7c139186b2709a3e5f1e4ca960881482dd5af22c40d1d714142557ddd6ee90ee

SHA512
bfc7b3e1da2595579bf6fa4e5b38e789d4f2f5561b02e8d900e41b1839863f154af241bc409bc41e9e79e0a7c7b4300702cfc923f1de2611ac3f560de6916e6e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4e3b60c89a7a5bf97122eaa91ad4c52f

SHA1
97692080ff9bb6f8aded441773ec42761c46361a

SHA256
795ce8d18589a7892df2679745b3e1784705da4a2d0350cefe77dff3649d476e

SHA512
b6e05bf23e9aa07c4300f29843a6fda377d9849a30344e4f793ce39dfa7e84664e13c707c89208020492de60d7c230a2cc6ebfb9b245a3be377342d24dfeded5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
de4a2799660fd0dac840c51c52ac9cb5

SHA1
6c6e9e2a464357c01c629df20b0eaf1fd9bf2ad8

SHA256
f3c309ef419442844ef9b689f53aa2a2e9785df712e1b01993defa61c22eaf83

SHA512
b6fd2f87989ee13e3be260b91d7943a99f99b9aca012d1b7a5445a0948669820aca966f9e39bbabaf67914f2936fd87a13f5151b4cc7d396371b8b7a9d0fd54c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
aac92e80a9386c152d33f7d320157ea5

SHA1
b9ab36764b157a73a98e567c10f30245a5170955

SHA256
64df1c183746d2ca64d7d4d512a09815127850cd4e17f134fa72d470d782147f

SHA512
4d104ed6120462f099caec009a5f9a2c68e20b2fb7a81723832781141d99e660019d9d2f6519f0d41d7c617fdcb3361e7ccc948520bfae95b6bba5b6293125e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
5a1559836720f91af86bcd2dc9512d47

SHA1
edc68b3b19bd1f006ce27f725f8bc65fa2c73ddf

SHA256
dd355878e7d20548b19d54f74f153ddd8d25310c75030de7334e9ff2be12915d

SHA512
1f9ed9954f2d1cb8ec15badced438e5b577154d1721beba20c3d8f4ced70e1f4d9ca480ae2764134ace31f8fd8466c985e6fabe28c0f179df1e2b627afc0edce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
61a48996d7cf0595edd013c629e748dd

SHA1
d262913bc5a6c60838f229e00b6d1d8b27a84a7a

SHA256
0f6cae3aaa6f31c0ccd89e56db933c8e0ea736a80aae4c02ae987194245de4f7

SHA512
45515c637cd026c71eb9fdecd1db588d52edb35484c2ae74d6c28e88df24d0162772e7a38593e61eeef8fc0a2ff5f51559cebd28d4bb69ba35b05e16ec211fee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
92774ba76473401748fe04b64233d9c1

SHA1
3e55b71e6cdcffe05277f216b9b76b3beacb630e

SHA256
0378efe4963df3cc68c901c09bb0a6f7659681ff5dfad3c308996fa9bcb5fa79

SHA512
6b7478990e8476f112054f1fdd5f43206c3dd7002bb87d1298aed4d49dff361b1e6d07dd5d573a582bc7d5763501cdd1573d1c6813423e483a4cf6aa53be8ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
de7c681f8643df291f001d858569281f

SHA1
c815ed6cfe52845951833c568160124011f24fdf

SHA256
cb5dc500f4638d426ae3fd9b0f65a2aa0dd6b030e8dcbbe972141ecd9c1b011e

SHA512
aa65a91fee02cedb1a1a42e12f9872792cbc7896ad2b3a7878b9e36bd7255d8160ab58573295e47700bce6ee281d9324bd3e004de1fc2ad5cdd0ed427924091b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
109fe2ba975bb9e4437886654f813f7d

SHA1
770a1f7c2e204cb8e45b809b5fa3a72dfcb50189

SHA256
9ba54155d0579d20d3f3603e103d3fd95004efa2f57bae4a13bd12fa1ee6cd4f

SHA512
d9a29d9e9adaab5f45fbe8936ba603d1143dafb468ca1821ee995312a6f76a2cb005fab9dc746a1b11c6cbdeaec61fcd57759c4864e16eeca693b7e5e176266b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
f64ba9056a564a19cc6382bc9c40badb

SHA1
7a54165a25a2d9571fa98faead49c689ca951699

SHA256
be316051f91dc46e7c929e80fcc906540cd6556fedb28edd6676f7aa5498609f

SHA512
bd3393ee840f5299e3851c642080150c6b6b200ade34a9fbfa1ee192b6dfa60a1d5c1781a519fc2f8673aee63e1870c56ee8050a4847e20c8bfd8677311b687e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
565a79d69714fe34fc8c6545a0255651

SHA1
9d861d740745ae189f51f2cb9d53b01ce96556bf

SHA256
20c99a1bbf23a6de8e3c29d1557d415b65109d28e972df216b3565eed9dedcd0

SHA512
806d7f08cbee86dde4f3174166285f2ea607d238a6ddf5e19f3f5e0b09929be8cf9aac7d661520aa245bdaa2cd6e41d947959db9f250183ee30041d7b9cce38c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
7c9ade0bcbb1a589e0e9d95a0ab9e948

SHA1
578d9b321ea302f6142b36870d4df541e74d604b

SHA256
c5f6cd83bdf1e41b483eca8eb6d34686c6705629e805ffb80ff00e6a2e6fb84e

SHA512
b6a7811c8d43d32d8e698f8fddff63bd8a45dde32b4dcacdddacb8e4f83df3eac43ecc783c5148f9b64aab541ada6a012aaae1aeba5ed7d49b63b97b34b5a6f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
1bc635be67c52d581e5e3efc0a050edd

SHA1
fdae6b0d45542ebdf719ce24524b5e4538e5f489

SHA256
4169dbc32e14807e0a46874a56e8f6a8c44407b10da6c32d07ac539bec221f8b

SHA512
709cd352f9bc0c14abd4e585cbc47de37b688d97845347d3c65eeca5ffae49be782a6394b9eefb03e1669a3bdb90f047bf159fcb1cf4ad793572b5755e893883

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
bf311259a1331d3d488d6316fec671e2

SHA1
3b3c9dc12eeda7e2296abeb57beb84135f19853d

SHA256
c4faf96ac7d03de4d87a21dd5de8fb1d1807d68db5b121d47f9f3afd7e3d7152

SHA512
a4523cf0c9085249faba75ad7e2d99473d533c567ec627920e1fe0672d2b26662fc37b1177ece283528411340395896c5ee0c25a869f204d9ebe988d6f446407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
5631f9c59bf6335127c5df971c5db5a3

SHA1
dff9419f378321f33e7efa4369cf26856b3c77ad

SHA256
fef926e927352b68c5f1e5f7471b69e7e07aac93b1ce7b9df08478aa676a1baf

SHA512
453857dc694f83c82b714e80c5b7cd969ff3f27e12fea829c0036fca45889399baabb08db6dcf84cfa84ad93aefb10cd89060d768ef65c498d12c00270935572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
fd98f888e9aa7ca7af9c0a3ca741a9bd

SHA1
bad32f09324530f182e9a57ce8586263ed2065ba

SHA256
12662f8b4951ea0bb408c5cae75cbf74d8d8a20135a8e106d229032a0f2a52e6

SHA512
39f2fdc5a0b2341046fd3a4d68b752362110e38df7d27947489da519a34bca3c6a5ae920dc94777ef8f5722fa8e96adb05b6e3cacc174f4ad3cfe82a464663d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
5f6c267e14b425eeb9362fc8ff212a99

SHA1
4b10208b1dadbd87725830abe0ca7e99b35e1736

SHA256
ec051d33594aa17c98745a7ae55a6a8c84ec62e2e01ffe0437f8575163a539f4

SHA512
b0f01ebe0e4addc28adc2fe8c4c4b69674110bc4a93a1eec5fceb46727c1a727c6c7a2d4260e5d6aa3504e39d839239aed26a9639b2cb01310a41ca2658b6d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
1b8d73ea6cd8077d93444e908b36796b

SHA1
a499348d1d67f75df44fc71b0a86fed552541f5f

SHA256
658aec841fbc0b3beb32f0b117601e089e2ce4dc2e8ac13736f24ce4a79ed4d3

SHA512
3fd4d1c8a16b99b0c0591b0cf03ca61cd597146d3b9f8f063c05406c19f4013ed84accb84c15a90e38d18a6c44ae15746980566c2ddff88b5847632ae8c8ceaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
31b90b60e2ab222fac4680ae0b0dde84

SHA1
f74d13b4d523ddf33dee3198a393ebe4b06414b2

SHA256
6ab73a0b1bf52e6e0ed02d2cc07e75beac20c41c22e7edd1283680cff465448a

SHA512
2adb29d11fefec4a7383ab4e6ed099899a5ad54a2319cbc7c829671b79b045fda3587043de74f8871eedb8bf347a129826da9535fbc2ddf827cddc80e50e3e65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
a1b5dc811e098e2a3fcd56c0daf433f2

SHA1
53b7ca2562d8b6b9e73265e4c19a01aa730351f1

SHA256
7f47095bb1bccb5fe3c9dcbb7186a3160f9e44432265e0ea9bf27ce56f12e306

SHA512
5e6b1df0d8fee46096332608e86bd32a76a770f095b5d6d3c491167a049f0710d2386b598dbd05d073f94730b05459d61f41cbd64a1f59dc9d153f9b99f5f003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
51ec7735197abad41118c12213cda040

SHA1
c52ebad41c54fcad8029fd724125aae8a8b00f51

SHA256
c202676304d1bed4f220ea9da2df40e320585cb5c702c01219d4d53e43d11f05

SHA512
7aa998da5150de98b35b33efb9d659b9d044d113625c483377cc77d89782e373b7572d108b40e74738de8130557501d4d4e5da43fdb98fb8d44b20211aa22582

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ed03e644584c828e8f9f073f81ceda5f

SHA1
c9187999288f377159c2f5821770d096eb7f11fa

SHA256
07a1589be3d4203768ccc02b1156abc3148fc5cd5b4f688ab08343e2520fcdad

SHA512
00d20ef5ad696b9e85b7400fce0ae040f9f6e75cece6453ef10e0c892883694bba5258f2e5d6e99c60c6ff2abdca8befb83c1445547c94a97dd99b59d1b22c04

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
8311034d57702058177d4ddc15fa6ea2

SHA1
e306b4ceaa12229a6cef129e4422423e016ae6c0

SHA256
0ada6f33fd581c392fa00619e7ad07e0571df836eccda27f03e1ac09c9abf484

SHA512
5c8bea42dc027aef107534a9ef1b2cb9ac8632741b65741493910a7972c1b5794e58b8d04d01e60df5dff0d4eee901a12df2fd82351dd7f1b158231603fcc5f4

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
45d3a5fca1028b5ca91ca9d7085d37fa

SHA1
e0b19b9d083859b7251309796caddb43c25f36b2

SHA256
bba78beb9ada5a7f9bc301328ee0e8a37e91ab1fd92dc217420a1b79d47b4d01

SHA512
995e47cc8e737dc6c920f77ade89fbf7328612e79b4b9d4388cec5c0d1dce8303be830ea119031a751487eae06a27580806448e52fed2f4cc9e93c0ebc7f858d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
ee76e83d78963e76b26d5dba9eb763ae

SHA1
c3f5cc40454c354fea4c0148990023b761df517b

SHA256
756dc1d3aaabfc379358745d0151a555324d2a8a9619deed85618301ec283244

SHA512
2d7fe6abc8117e4dda54efbb61d257b5d22541e82acec6f7f217994cf73ca631780e58c6a10f7496d13835f822c82fb6375a35d0cd7490785ef6f9203136810a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
e34ec23004cdcd5d92e60c471c44f77b

SHA1
0848e5a2e1771a2b40be57e9153a1d4cb56d1d24

SHA256
7086ab8a832aafe0f52a1e6fdce37e132304c32c4957ed0b7a2ded3e5810fb03

SHA512
d70c2afd89945db53f154aef604251a3db5456bdad101c3dcb71dcf7f6005ac2cc82f471af4439a49de47f569338faf987d6f5b4a26a17f50df4b2de0c22fd11

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2223c978af4413e7f098e70af425db67

SHA1
d6d42ed7c883e6f86a80d1f55ac07f1bfd4b046e

SHA256
c7148e78110d9d5816e7aa0fdedba24c9abcfe632307a6a8b709fca4379e465a

SHA512
8f4ee2e086703b3b56bf465a75dff50b1752e51d94347e6f78525ffab2ab05f79c8434878dd876db436819afb3c94b5caa7c87c2c31f4d9240eb827d8a7150b8

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
d3e8757c3048c6488b899ec87d19b0a1

SHA1
687734041e05a6c24058242dc133c121e57bc4bc

SHA256
9abceb154399c01a23dc79fa86f9faa73ad667f65ff415c4b5a1d14e008b0261

SHA512
f09efe484817085e4ce2e79d8c2250458ca042fba2be45d996eb026b205a4cedcbcf40d92480b38d247fe6b6f6b1075501a65759c48ff1eb068ab965801dbdc4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
c59c605aa57d906bd2abc4bfbb26849f

SHA1
6e751298890f0a6027e2c1957a24b09b2958dcda

SHA256
42f9e1e2ad740a456db43c1580c669bd326ece151c31bb2367b46df159357de6

SHA512
838a5113ab8ef05abdadcd37853e4e54f43ce320e5e067c0163a872cada0bb057085d2740f23e548fd19db1426f9e1b9984023403d33dd9b05511f59d99d1ea3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
6b340cd597d7744d6dc4f2ba19c6100d

SHA1
4e3af83b31c2c7d7e6f1ce41093a2535a63bb99f

SHA256
40971d49ee86e849d4aa1b2c458c72e86ea26ff2b1e85c4879369677f66e5740

SHA512
f5f4dce4632043c07a741940789671c0719459b7d9b35e56654a84e745437f43486b17db1b3954a5f4f8046d58c2d65f076283c31c949bd9901cf5e45d681e24

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d2cf594ad051803e54ce9d46e1986768

SHA1
dc09cffb53805318e8be2eacd1e43c0a67f87b9a

SHA256
88a50dbf500d6a703b6e99244be5ba322e7fdae78d1492984ae9116f93cd535c

SHA512
e6f2797e674c3afe95459dc49ab978af57f2a1f8f34c9f33caa1d1f2cce3fff4c08df567c32d924e47f9c16c8c8f31b8f67b084c978daa5cf533c8c324be2804

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7286300436f01f532ea8bbec78a23e84

SHA1
33c172644e785977f21ec09f9ad25ec0b916b45e

SHA256
2377f95970ba95b142a4c7aea937f3aee91b35d6675e9f1407590a997e2e855c

SHA512
3996019894d9f8850669f453b1c56f5f18ddc100cff0bae0ac5aa8b2b755ea60516354fe6c0c45c164d78f6446bcd0ffc9af46ca4272a1ad596a312438a237fe

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
db9299101bc2fbf4632ed9c86ecf362d

SHA1
4f299ce44de5f314a54faaac00fa31d3806dd6bc

SHA256
c79804f2f0e65214d7fa171634215391c7e21521d6fc37c694b98c60e8ab2896

SHA512
14a8930922faec979b79c585fbb47a994406d043c4f5a4baa2355a562d1d8f8a719cb94aeccf2acca8bfa2a372110146f52c6cddcbeef2c22fba9209f8cc762f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
a6b091673e6591a9ee81cd1f31244a90

SHA1
d627c5dd686f29a533680d1944909efdbb87af3b

SHA256
6815de898b23847a4a2affd8d32ace1c02bae1a97aee8b3c25e10dbc455e7dc1

SHA512
b1b8e7816fd140dd8769fbc84cb01fba853edb2fa97cccc262d3ad4d11b2710dbb6800770d0732ed1733a0de815d7dd5de91816836d789c697697d675ca875fc

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
065c57836e71a106e9f2ae88d71c6f63

SHA1
a255b9b8c005936eb3b2bb5cfd89a87285955c67

SHA256
bdf6927557d3c1968e95b7c2f36b16c894743e84856fdb567fc6af91e055171a

SHA512
61cdeea6cb9c08485e5fc5cea9f971b125e4e2fca06a64a7a02c568a885754567eae05c450f08e70e429fc375678992eee2a819e0bb090546d99bbf0a66eb89a

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
5f51a95a5e02f94a59cb2d5cc119afd9

SHA1
f14d72062ab797ce7d318f5c6b857a50d1c9ecd4

SHA256
5607a09b0fe0be542518af7911b5ec7cb9fdcce34892e33122af67bd9332b79f

SHA512
af3d7c369b0d775173e045113498ef33392edb03f3881d7019cc368e70d910ff0cb12adb8215992e5eeb1f6d896e36acbe7f4afd7dd48811e45091903875d966

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
572e659cf46677f17dce5b6b35780891

SHA1
593f54151ceb378e2e17f1db0fd5b6e3209f6245

SHA256
ccd135ad16fb0908546223b6eb01df45e32169ba85c8b885a1cb0c83cfdb5e13

SHA512
61adeef07c7c7c5f624f4f9c16b56362ca9c947a71aa86143952734417e2fe38e87ec94e9e2a4249e60f387a9750c0b83a0a5104133f428017e39a5a0b1626d6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
07e4e8dedffd08853a6a14cbaa265b8a

SHA1
5a03f70e289829946abb6d172d32ce51ec825aa0

SHA256
ae3fdb02221866da62ca25639b359fa367e0f605427ed7a6e68be79f1e58e206

SHA512
129f6043e05f12942e6128c4657ded2fdf25d8964bc59d6e1e6773db9d435313c306deeee6989c0e0cdf8b91a9f02be88e5331fe9cc72b2474f02b06e9b7a6d9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
013e711e7f99310674be58ac68b32c30

SHA1
ca43ffdd1fcbdd3ba78efb18002ab4061939639b

SHA256
4c0f4681c1b1d8c2bba678ccbdb06784377b9c57b3a7af4db3f8335a73dd8e89

SHA512
364a50fc6cd80400e666f5f50f4b0a6940d94beb6f63275543793a701ae91cc3fcdafda459baa4c44ce6e869afd782fd5919f7bdc23e524e44b63143c0ca62af

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
880b2067efdc750c35cd5530724033de

SHA1
2f45235ae2a9dd827b82e9437aacdd04eb8d82aa

SHA256
84be8a581d15661100a45d8d466f069cc05b30dd02e24b2f03598d95471dfda9

SHA512
ffdc604b96ffccda5454cdbfdcdb3aa304553befd265e277118c3af1b80257a774df2d9b2bbc86e1ee27dd03ea208bbf62d755425dd8195a959d6975ef194961

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
783d33fb6c9f6510303d294a43091f29

SHA1
9ae35c84bbfe4f7f97c487d7b3a0b093e7e58187

SHA256
deb7ad6960036bc589918dce4cf56c036f57e5b7d485f59bdd1e6cb34f52c285

SHA512
b8415263c9070951e0c7d147c995553b700f240ab957310ebd013c05a1dd4712f3929da47dc8783998982294a4547467bd025a34430048257fe56f225f91d0f8

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
238ed2a8374db9fb364c89195da444f7

SHA1
bed63985225f7e90e13b7b1767fadd84a5eab4a1

SHA256
6b2a9f62a0a25d07a8d6766943aaa7ad58f60b3eae9a44c80280f040aa137f29

SHA512
12c36a98e8cbc4e4f7b647229b5101cf1d00defdbb5484eb8a2d51077bf716315a7a24f69c3d18df1bb4789ea5c75b4c258daad45a92971e0d229c487d03332c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
e973772a7a263d94e6946e79eb02eccd

SHA1
5f93712c01f18ca5322403a8daa275cca157fa5d

SHA256
b19a5f488dd787ef2de0e3fce1abea5d121388caf336f6d55e3d8bc1628cef30

SHA512
1f11acea1dd11c5f5b8a155d4e77e918c32f34df99154401dfc2531c72632e95e0b1e523d44ebaaf81fcb599dcec05f5e090384bffd6a8eeed8e1b3924551564

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
55f6a4f268943dc36679b6a412852f7a

SHA1
701272ce1541b86afdc95c59c21af117fd550b09

SHA256
ecfa221761c8b64c9eb95178011c5ca733f0f220c9719349ddb1a255755dd9a3

SHA512
f88424a61920e3ed336c3754170167a6e0ac9bba75a3c48dd6e0ae0fd27134ac6e099faf50287a4e6df6899c822d30390a9340bb73fe6c3c685ae46a1457559e

Download Submit
memory/392-167-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/392-158-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/556-184-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/556-32-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/556-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/556-14-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/908-248-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/908-816-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1132-550-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1132-151-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1132-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1132-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1132-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1132-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1372-824-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1372-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1468-743-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1468-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1892-182-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/1892-284-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2208-328-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/2208-208-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/2344-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2344-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-156-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2344-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2344-147-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2344-152-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2344-819-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2412-197-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2412-308-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2932-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2932-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3020-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-149-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3152-267-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3152-818-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3176-825-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3176-329-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3344-296-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/3344-194-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/3796-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3796-117-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3796-123-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3796-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3804-94-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3804-104-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3804-102-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/3804-191-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/4152-556-0x0000000140000000-0x00000001401D1000-memory.dmp

Filesize
1.8MB

Download
memory/4152-231-0x0000000140000000-0x00000001401D1000-memory.dmp

Filesize
1.8MB

Download
memory/4160-113-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4160-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4160-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4160-127-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4160-107-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4188-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4188-820-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4328-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4328-748-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4328-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4512-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-826-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download