4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
Size

1.8MB
MD5

fbdd4b8a4e609d97cc2751f115a0ee28
SHA1

4d731a40314568fdc52a9b3dbfb55d5eec3b5ba5
SHA256

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1
SHA512

eb5ea30cbf0e6681cf243ad8bd49951f949d0476ed9a4927b658cc2c73a2fb8e2f738564709cafffb398d2863dd7012e00d78e6ef3f1c7db5112d465329082db
SSDEEP

49152:pKJ0WR7AFPyyiSruXKpk3WFDL9zxnSzJE3jM2ce:pKlBAFPydSS6W6X9lnUE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
208	alg.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1272	fxssvc.exe
5084	elevation_service.exe
1756	elevation_service.exe
1184	maintenanceservice.exe
1156	msdtc.exe
808	OSE.EXE
2564	PerceptionSimulationService.exe
1984	perfhost.exe
1648	locator.exe
3164	SensorDataService.exe
3172	snmptrap.exe
3672	spectrum.exe
2848	ssh-agent.exe
3336	TieringEngineService.exe
3440	AgentService.exe
1628	vds.exe
4640	vssvc.exe
3324	wbengine.exe
2796	WmiApSrv.exe
1248	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\locator.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\System32\vds.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\20eec3058beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\GoogleUpdateCore.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdateres_id.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\GoogleUpdateBroker.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdateres_en-GB.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\GoogleUpdate.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdate.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdateres_hi.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\GoogleUpdateSetup.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdateres_ms.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38D3.tmp\goopdateres_vi.dll	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ecdc79d11aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007deef09f11aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003973b19e11aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041de9f9f11aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000247bbc9f11aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072c9ca9f11aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c41155a011aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1b8d39d11aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8d73aa011aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9c246a011aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b44ca9d11aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe
1624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4544	4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
Token: SeAuditPrivilege	1272	fxssvc.exe
Token: SeRestorePrivilege	3336	TieringEngineService.exe
Token: SeManageVolumePrivilege	3336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3440	AgentService.exe
Token: SeBackupPrivilege	4640	vssvc.exe
Token: SeRestorePrivilege	4640	vssvc.exe
Token: SeAuditPrivilege	4640	vssvc.exe
Token: SeBackupPrivilege	3324	wbengine.exe
Token: SeRestorePrivilege	3324	wbengine.exe
Token: SeSecurityPrivilege	3324	wbengine.exe
Token: 33	1248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1248	SearchIndexer.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeDebugPrivilege	208	alg.exe
Token: SeDebugPrivilege	1624	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1248 wrote to memory of 1324	1248	SearchIndexer.exe	SearchProtocolHost.exe
PID 1248 wrote to memory of 1324	1248	SearchIndexer.exe	SearchProtocolHost.exe
PID 1248 wrote to memory of 4820	1248	SearchIndexer.exe	SearchFilterHost.exe
PID 1248 wrote to memory of 4820	1248	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe
"C:\Users\Admin\AppData\Local\Temp\4307906e668fe3c5e31e0ad8fc824aa6b7bbb5a11505fb13d423a85efc00b7c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3604

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1324

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8942bca6b5fbb6c4557a23f141b571d6

SHA1
6e0d8531afdfde06c7279415715f0aef9b862a8c

SHA256
cd63b82a2011e3081bb415f5258cf5ff8d79a769e4ea7e3c9f8efa349ab81090

SHA512
13be1a26fae4afc53964cd67247f04967485f70b8093100601879f88d07a4227ba4ed432a239d4ba5a110daa4c96f06d4717e6a8191847fda8ad9a319bda8516

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
489f4f95e94330cb2bf0601b818a5b19

SHA1
b4fbfc9194dc3f1eaf413b94aca49c8fea9dd53d

SHA256
a5bc77f36edfb3a18ffab6633cac8f3cdac5307ee608f36b28ef45ee1b29ee4e

SHA512
bcb9eb377a32d2226a1b5caa5014104955921a7339c204274826cd79e307cd9f28cf471ac04b4c51a9fc2c4f6f6cf0c5b8dcfebb03bc74adbc7e57bb708dc867

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
020bf7694bcb7328867f3aa0d502b95c

SHA1
4aa18b35299bdde3d774fd8773d5a5262142b96c

SHA256
fa3b628ab84cb4aea61d07f0729ed9ea0ce48dd298e8f866578678538160848a

SHA512
8469a595e9d47ed25928cf6d1b12c48853d2f9a17cacf4d89cb547a5749e234a1111f8a5bf0ad8c2c00b9cd4178df5a04e50baa7dc3500b8415ccb0bfd02cefb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b3493e716858caff96375e428d5c4a49

SHA1
535ab954bdf3ebde746fb49a399a0b402290bff8

SHA256
4446f76b93ef4a560ba37a53eb7d2244ce1aac67422d5b26d642335a22d5774f

SHA512
108513ce7d66f4eb8b58b5f73014c52a6a9709af2008fb9cfd3efb1bc6aa5af5702ef2400f2e03b66f896582588c6324a14757ed45fe76fc2bd12e5efe252ee2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
0009bdd5e646207a9911b7a62e0107ce

SHA1
a65b9eaae6a27169ceab824736165bf94528fe49

SHA256
22885a9273c79eabd7f7b5c49d7063268abb946bccee4440a317dd7ee6734854

SHA512
af40f2abff5ee29bf087a29a7f498adaf2f51ebcfa9df7343392a7c3dd6318d4d7b08fb9f60ef52999a7cc2bc99f211c79588d76d198e87c941d5e7861fcca7a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
e3dfd69a03960f0beedf3cb45a0d407b

SHA1
a3b42b0da973efae270632291b04fb32402f5d93

SHA256
fdc5fa536da10fb2bde4af73500f9210b23c087135224c250a4b2d0c0e3f3824

SHA512
b20d34bf9c763038b1e3a58bb594d133f191590b2137e0ab1d890d324699b5346da4d1e8d95a838e49d2af3ffcd6ef0ec22fc671a2d493b86266c2a6a7374b45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
ca1c2d7188ab5bf6dd6405d9f60235cc

SHA1
3b4e7a5772d06db023554a0923566358c3f59b74

SHA256
112569f5296d8620cfe1bae8d0510243483a46f0667cddddb0da22e8383c42e5

SHA512
c098ad3f4ea2d4724b689c7f0f7970a7aeafb567ab6f2f0541c77315dbb75e2c1d5ef78a08183cf55f455b9973472e29e2ac8c7c84dcda9f05b1b5254a2c1523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f699ac6f0742042f8c025258c1236d44

SHA1
e6cb1f036fe558c4d4950532348c09195c5d0bef

SHA256
3b86448c98ca74ca493c1f7dc52d88f85150cac6830ed4ad22238a146d14d5d1

SHA512
5d98ab786b56f6a1709c2343cdb39f28a3b2ed65dbd60587c86aab522c94f6f08f5ccf10fa2dc021fc82e27798a4da7f4a89b6dee83c6a4a308b5b83653ca09e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6fd63671166a344eb25bd89040ccb9c0

SHA1
37b377989249c30ca0eef8374161de312dcfb85d

SHA256
5c204f0c2da66827f66837b79f9199154f0f03968a75f172e3814d99f26194d4

SHA512
f564aaf18abeece74b0a5f8fd313dc167239ede206b20f21524e41cb63ff7a5f4085ba020d3f36e8851532435d812c3b02c6cb7fe81c3862fa968fb1d607d303

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f769d9fa6d9a6c4d762f8af82c6c13f2

SHA1
c0f05e0e01974f54ede01650ee7735156300e75e

SHA256
5c5f945b1b18bf930a6497e1de48ffae5d89cdea772355c38fe04b5b8c80cafd

SHA512
31559d8bea60ab13870431ae85c1c3f49ec9dd1f6a281beae59102842fed397e86b1b33fb4c6e5185a309dfaabc2d6a144d4434eab2ab82f126b1a7409e8c4d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ee0f1f29472c7c806fc8d19b3e9e67ed

SHA1
aa3769fe4a4db25f4058cdcecf4b4a216b4c58b2

SHA256
187ed92763e29c68f65cd41e04d165c5b5469b3593c5679b66b6f7bf3b2d85ee

SHA512
5d20a825bf51bf4e1bd02b361d755b22c4fb16ed6d08700c6942ff062963e9b5fee50b77417c8d59562987c4c23c400bf9c7a919dd809ee349c2da2384a7d2d8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
6d061d7665dfd5dd74e23c57286545bf

SHA1
f448cd8238bb1c314a4f0f2f8fe0b2388eeb6ccc

SHA256
6e10947da36d23e57a874e4dc33d5cbbf8875fa5cf9144f83769daadaf64c215

SHA512
d7872ebae37a065204c0d841654aad9d27c2087541e78ef26b1a5824a5676d5d60a5b13089f152fa76a058a5eba95202cd8fdc86526a049022ea346c570f3512

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
5e62baaf7c840f7f3a746ae6b2361619

SHA1
4cd5eeaa962955e48615291cd488b625eb8b1f07

SHA256
8da3dcd40cfaa4a9360e3f6208f0b0bfe22df37a0a8d03707faccdd0f108c921

SHA512
d9e03304e34db9f3ce9c552b8105555aa6cedff1b3ad0cc3f40f169d7a3a6fefc97e9f0336bbbaa79036519c743624de88757fd6529b6e10a68943add5cd607a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
3bad68f6587ae6bf1308c5f789cb2f3b

SHA1
d01e9f47bd5cdf906d2fc1d79612379132bbe6ee

SHA256
de67105d9ed74c3799a0f50193d75670d712275985c6948dc8db71d19e74ad65

SHA512
96fd15845c1688749c36e7d154d04c1c5ea80ac7ff01b0989fffd43c120119dcef4c9651957129eee94a93510aa4adc63077a9735497fa2bf89d217e151c8ec2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2adaf63805842c9c3287298f2c897960

SHA1
dd98ea2681659f795335d6edf04c98adbba77de0

SHA256
aadb9c0c894ce24cc4d3149fed3bec071e9db53189dc8e70552e616e5e4266f3

SHA512
ee4f026d162f3779cc76e8548a9c0204063e1c031597457b143a0b6426c14641f8999edcaaac063080f560b5dc9651c6bccd93b2110d61b92f9f09857f22104b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ad05426bfe012cea2ed58486b39eec97

SHA1
e1a22d107ee457e26bd7c3da8e2509def521ed64

SHA256
d3c60c0a95f04e6d1d1224b6a00834cb01636432ccf47eda1e6855e0497cde2b

SHA512
50593cc85e2a87703d5c8eaa2bad63ef1d536d3063e26adc73c21ff70d3ebaf57b9341af886abda77a4cc7ba7bcba10113955dd621c31857a18b252ec23f50ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
bfb9e23ffbf4ff7c3e53386e85981dbe

SHA1
8330cb09b1eee41090513e931037de0591f8f783

SHA256
6a2da61b5240dc225c8c49306e2771803b287d11173204b949273b8fcf45bbfa

SHA512
05d79288333aeb4958d0145d8a95cadafb65de788b4fcfd3dd1fc3740b20c9843fc4c4222560a1b8eeb701209913784c5ee0ab84b3642683b4e1bda02805703d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a4c31a2f20be6d597ce0229fae6d21f9

SHA1
755be8c5f2bfd73182a2603522459d3ba545abf3

SHA256
ea9941f63e769ce588609befa6b494b5ef0445fd0454d7c876e3fc3c31dca0b6

SHA512
c4a0c4d983e1e15ac581574688bdab8f67b59be637e10c2ff2640650be09319b118ef252c0a8f5e7628d6e3c283f0a96d2eec42124026c686ae7a4ba16b0d5bc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
2c23a11daaa15e6c6cc5ee1f834d3d71

SHA1
8dea5b44dcbcf39ca73143a3dff15058d92bcce5

SHA256
b369eb15246efd9f0e6b0737e98b2dace8c2edfbfcecb289ff3289e86bcc0050

SHA512
fabf084a2a4ec8b0e618bfc217a104a5a3d2fa301627d9577707fe4bc670a8b8727a855eba01389b8a4dfed074634ed06f8e9c8dae33bed4b67aac0a218ced1d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
cd374a645051a355b8f9131c4c23b484

SHA1
4693a41b26be48ec7410bb4a65309024cb43926c

SHA256
a4db6118fa5b4135f2075ba28ab6d6099e7122f93fefb62c42f44802c7a255f7

SHA512
c2e83310a4830ba4356c117ac7b682a9b66cb7d7e59d44bafcd801e3a99cf4a8725e6e295f7a1c782dbad88aad055b2b72078eeb7fbd427df72923f60826abc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
47d4af561d019bb5941767237583d8c7

SHA1
d4719bbb9a1911a7b3695fcd147347b95f3f8fc4

SHA256
242bb3b611f81fba4a4abbaa4896b3cc58d2d0cfe8ef6e9c211b4a7b5ea179e8

SHA512
a897047fabc2fdc70a770b6cf8eb688f08b20477fa94ea8a21f53c19a7b6169390939e712f0ec1683e4aa06b87ebf6960f516d4aebfdc4fb2e0dca5d2cc4afae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
c5f8944a5523cdf729025779949531b9

SHA1
a6e375d874336f0d3d3ce581f5a96f3f1a445096

SHA256
b3c86c688f84c23d46740a76d88f9bf9bb77da6431d539a4a808ec002071bfad

SHA512
0d86a925813b6681ec4f64d12a4dc0ae3dcce37162b53dd7b6938426930b565ebb256f9fe12aaf85a66a7fd8494c7a29288cb29069f6853b9a1841a2dc9bfed8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
dacca64b95c5a62ba8aa72c849afa9ed

SHA1
0fb4158cae0e1f0a5154e17d6f8d03ef3cb3646f

SHA256
866e374a2cf18acdff86d9b7e2537bef9e123cb2883baf9efcfc4f48cd2ca543

SHA512
3e000f08ac6925d8f1db62118e1e25b75f70168763afc00ec86478e6954e02e03b0015eecf34123bba7a91cd56b1dcd13087fe0ee0e13eaae0724b784b513e96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c80ee1fafdde20e54d8ddbe1ddbe0e7e

SHA1
0b471eab358141594ff29003541ce08e9034d5fc

SHA256
61bfedf829f4eb2bf958b11be26b2354cfd1df49cbf55ca38fe34a5b6a1afd87

SHA512
4a08ac8dd868cb57476f93de3d70d2e65422efb836259da25b7967c0a97f8d85d8033a59fae37654865fff32ea3dba04133b51866c3fd19559f312e238e5cb72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
139570ba143bc3104f3d94511cbbf706

SHA1
7a2df9450a40cc5fc9a6361aea87be0f1db4644a

SHA256
b75301a526408d880934bdbadf3b9a9655a6c59cbb3b3cf87a04381e36bd4784

SHA512
6d3bf4e2aa729e537e38db1b3fc244eca999205ed8a3b97f1c2372a67a15dfb99e4a5a6046e5ba1b5a7be3f19648b10964224e08566fe73622d3bf5382fd66d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
49c53576fb18276b848c0c1909a98a34

SHA1
d1c2016e98499a2f1bcf7ae49593cd478b099669

SHA256
dd55b2599084c16b7d383df6caa1233b5c1d6744574e6c4e62307199e14dedce

SHA512
6d33aa2d64536d35df0960b8b6b770c6ef6bbd848d4d4820f48ef892fc1970befb6aa126ee229ddbf6ed2560b103f21947fa0f6b3b2e754cd259ac98fd16f200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
29bcdff0175429425e5d01eace3617f5

SHA1
e5da7f0ac86240c8e9caa8ae380ac90ce3a5abc4

SHA256
febd812a8e5a0d5b66f161f88e46bfe3d928231f8fbc59965a70c15ea3db5d3b

SHA512
f62050bfbed2dd0e452dc2bc8ccfaa7b28b0bca33bbbe1d96ec0b780f0dfaebfc656d0981f69eed6ca3ade0f10fa536649d8ad66fb8afcc8638db016e83f3b7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
6423439a3d14442b0756f272a26826a9

SHA1
715a30b3478d674a3b318f06b013837bfd9af1f0

SHA256
12b8897c49fd2618097bca0942e36e70f3c4f35b4fa2ec13c9bbf23461a5d032

SHA512
accbf99d566649696e3618aa9906bea2fd2e18fee7f2543fec93d3889b675b6dd5d4f90d05fd92b2c153d53efbeb801cd72599503b1bf4c2e4337c370948b77d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
8844869af8320d3b456fb9c8f0c2f73a

SHA1
574c420bf4d5c5b1bc9c10eb4fa483c7a8f9d1c6

SHA256
98e24a34903dbe385469356344d51df0b558516af48dea9d9892146d6814651b

SHA512
71f5dd9c4933b2bdbe4f612ae9b5cd41005195a79710a5ccef4899a39ca307b72139392a5c09a8c0e607a634b4552a5ba356c8ad7fc4fbbe74596fa214b670d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
bb6b91d572040caba1a9dd13257917c9

SHA1
04fa04e766449ef3c3b84af2d11145984e28f7c9

SHA256
c943c1ba1abf3c3d6df2e7548a870b4fad06c64453cb6df38e7d861005f2c6e5

SHA512
a8e1f86fa07e485e5822d7e1604b07af2caea546cc9ec7046a07eaaf3202f7c71d34e09f1b59dacbf1ef1b0d5bd6375b5cf527311e2af2511a81b517daef63da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
61e998c7843f3969ac5e3159377ee7b3

SHA1
b62ae6c3da30ee4126552f410dc109fe34e1d147

SHA256
4ec52267a832439531d4b3ee7994a9f7094ef881bacd8c4c1c74801142cfd016

SHA512
aa2ae9b47eff85d5a0678d42ebc98755b31cf177ccfe169b7d8914b39d04d73fe671decbe7664881d85a0a2470fa014a1b0129f78ac1f0b3bdfd14131d876038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
972f8d135737bc63221d9da383512bb6

SHA1
b19d0aa9b6e1325997642b308b173b4d32a1f5d0

SHA256
77a1a25b089e92131ebc8219b4aa6ef13d39088d2b95a58596394e510c91770b

SHA512
385522c50a784b7887a9900010a70e1ec00dc6683ea361ffafdd1d5c7814806109b1fdf354fcda880fe6990662b831eab70223754d369e085476d040705a293c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
53f08e2e884b4472ef50cd47f1939da3

SHA1
ac99bef9cba8bd6f145d39d9101154ab7d75fbbd

SHA256
7dfc0b700e038f7645fa378b72a340f86e1440c27686197a9c56034e94b61a58

SHA512
02fd6a4699f7832dc882ebfacfa00b7d8d722d188f3ec68f4833d853467e395969c5d10ff38995399104093c49d1cb25f371dc294c0ec909bb34123b4599b1a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
0855fbd57a258c7a123ed663d21a2e5a

SHA1
2353380b2ec224400867a165ec66a2f32cf729c4

SHA256
74533820ea9081e7fe0db3292cef73fbf4089e309eb5be4014addbfd9fda0399

SHA512
e9b80a1b8b079e8e3429a225ee2407a749c8fa6c157a66166b9b7bd1f8f6e6c37b3b2fe2dd126e508675700b9760989e9c854020d53c11c176fda078ac500310

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
bd4ecd433c687a6562c4c23248c8816d

SHA1
85cc026590e2c908b3cc1d4b5d1a6c557d644e73

SHA256
201e8d7091a77698dfe1e61264d44ebc2d777a081645422e6ad3c60506de8576

SHA512
0df1b63b2854f6097edd3a44fd39f693a68fc9d636d02f4d0063ce2ffd73eaa416d7817beb87e72e7d8cefa7cb56aa4d8535ccfc6550cbf40b222f42633da29e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
e0ebd7f0f43fe57d89cbd3efcea12ff4

SHA1
3f2aee65f29c9c37e0cae5eb65f657fa61a1e337

SHA256
43d24493395f66d955d5e9a4dd978bcb00d428f7d5cfdec9d98329eb590bef41

SHA512
535116cc547aedf364d435b4fdeef20ae9fa3b72c446130a5252712e6baaf0c8676f8c0ccd871313558121689c75fd61c1188ee85efc905b5ebe3c3b4b2b6355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
642538d3b987603db3112730d2320099

SHA1
fd915a7bfd4bf2055582a4e1681c3a6802bf94ad

SHA256
7032848243878440f17a03dc97212a6ce616c1f28574534cc5642e915394eddc

SHA512
6fdb55e9fb81f304d7ac6af49e4f64d289d5a697674379ed37343186950f416c25cb41cc2ee34b1b26df66f4766175465eea4f60ad1215db77df52aea517aab7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
4f09c637528a93d1aa12b8098076f0e4

SHA1
d78194df8a132672a1481becec174cdc12f5f61b

SHA256
df0b142489ae4b2d998eb54bf250738e3bc96f3f7a01fc4988ef6317ef680a6b

SHA512
37f81f89ad2ab4231828deabb9804afbbcdcbe02bb4fcc8075e4b19f4b2db57390b1d3c2089ca8d54a346fd37f53d83df3ca9ae5e1de2c989310101f8687b6e3

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
28fee8b5bc1cf36fc24a6faa97ceb534

SHA1
fc75c8b50ce1d1e9212a251e97a038fd537245aa

SHA256
6856ed6d8a6837db0e1bc9cf306d71ec8b104b8feaf11162e867a92d6a653fe8

SHA512
627f2810f8e23cc9ca974a3b4cc7104122ff0685234aa51e7a95e3d88de87e7fcf5ed3a99754fb70b8f8ed59f57b5fcef7e2f5d7a8e687bc183bdedbd9bb6cb2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
57e8314dff2a1fc73acfbf07c9b37859

SHA1
2a802c50151e4fa06e057d2d6d02119d2a405d8b

SHA256
c1c660268cc02da3e4d3013051a0df05c3b6654e221a51051e582f186ecf0046

SHA512
e4c833b11d56d1ede8eb9b2a369a5bad3d9a32e4316275f4c65c2b1721d098fa3815fad9e3ea0abc635f4629924d7d80c2aef8c2636b36d37d0735ce2f7ee72a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1958d410e297d5d81a61e5aa2047563b

SHA1
2eaf7ba544ca19775338c8e01ceb7718fd8b8562

SHA256
526774ed03e94704d06b63a0c63b628b3e2bdcd34f88ee070fe152e104f0cf0e

SHA512
6bc8d14f96b9baeca8238499f84da96c0f4b09f4f83e14cc3e1d9a706a58fc0e39725eb41b10228576bb7c4fa86855932548baf81d84455f4c4ba8d2a3559d98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
7687bdc836442a5aefc83f11abf557c6

SHA1
72fc4dff034b67068d7117d8ce12922641e6c76b

SHA256
e2f0199fb976d5c58593674ee86c4c49830d48d0a11eac374a1904d4643943a3

SHA512
875fc13b8018a4d5e005377c06333c8ed35bbd2fc44d01dcfacbcfe9322ee10085bebb8eaddef7b30e2a1f17fda7348d83c68dadea58a871390159c1fb5c91e3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a4cd0ea6c9a97042188dcc00924d6284

SHA1
af7fb56d283c1e358373206c7643798ce964ada2

SHA256
0ded02d4558bf8818eddd3bbd950fb92ff9c378c5ef953986215f572e9123dad

SHA512
9b5bc81fe1630a9c8643946a78895d4017bafdcf649f642dec8613db7d46ae91370e585ff9c9b40d57b1afd2f0157d4831d8e0119b2829f4e6f442ef7ac22f5c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
2cab3124e2b0a5a9b6073ea6270f32a2

SHA1
ce0d8a7dd180667f06b99cd9f7c2d38bd2f9a65d

SHA256
92cf145efe7db451f1a918af7f05813e33b8baae9dc683e968fbf2a9cfa52b8f

SHA512
b98a2fbc48f712999b3228a1c858f5a70b772957d4bc4449ecd6929cbdc05d03dc4ba609619f89858930263204a50e7b14995e865304d20eadbd79f7db36b2ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2965b9064373156f3434eeb99d39deb1

SHA1
5da3c56e0b6cf1fd415380ca3f0a66cd8a9195c7

SHA256
20b31c304e5f8b6219da634dd2f3586ad425f87d6daf83b0619b237481ef1067

SHA512
94f94214d70a6a2f02c0938d71879875be7bc66160f53a743d17a92e0f15e9f87773e33adcaffa8050a4b668da9483b491df57b8afa12eb16ae505c2217042bc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
694d3d24679a1b14630e3a4286aa95c2

SHA1
8901ed6d24b10632f926e9be93d2d7a3ee1f7fdf

SHA256
01b62513d8f17249a7d56bfa1dba78322b44afdc3e18bf681f832c247dcb19ca

SHA512
f8c7e0557525a38f6fce9dab7597c052cd9fbc70308ea1a436c144b745479010a69d85069b426b0b62b7324d27b87f0a3f7e356397f48d87d71bec9469ed2681

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f4b8782c1d468dee899065b173214372

SHA1
08abdfd9bbedcbf2471182e94c9ad41739a4a33c

SHA256
3d0791157a51696b23da2a0aa5b6fdf2c41729aea41aade986abaf838bbfec7d

SHA512
6fed676f790932b530bbbaf104d06f4a9f6bd9990a3878654c5a7739f2af3b396066e74a54f5a637b51c8d70046ef51eb4b331a78706d71433871ca8c5f962f0

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ad14e6feb3e2eb230c459c0bf5c8a427

SHA1
ad2275a95abb519dba41376e28b8904c99d6766b

SHA256
4dc49424868c3ba57525624d18dabd656ec251127ba1aa9f7f08bd0ba8c1c584

SHA512
4069ce8e20da8304dcf031c7c3d1c613e5efd666c8178b8f05e648644755745630f0f1ec3b052d38e33d831f1196a9bb8e007362a9b5723cd299758ed7646efa

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b8faf4fbcfe0f54fdf971844ede988ea

SHA1
45ceb0e24e57cce6045798936402e6be64e1a1cc

SHA256
64622db0e73820f458d53950606b7e727f6c180fb622f552d78f65fae8782e25

SHA512
0191071f52bbefcd6b850482f46627f03c16b18fc3790bc1ef44ee7f66897e88e476f7a7dfcf11bebaf601dcacce6bc81837637f24214d1a43da24382607f63e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4ad9887992e2879ad857ea1812761fbc

SHA1
833b280fb2436351f2165fdc0b8e42ac48a6d57b

SHA256
8cacbf82017977d09bc650bdb2bab9629dbb3b04395590c80546463b1217ad95

SHA512
94cf16f9234a1eb6742a2477bf423fc73aac5dd51920d57419f7b109d7d8fa750f59e382babbfc95ad1d0df139480bf3b272739e98d6c8e2dc85a16c59a9893b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b11e8db7e883cdbb55a5ee9024c84db2

SHA1
94d789fa0d96e64f8a05f566d59f52fce84637cc

SHA256
2854f06db1267549a78e535230954869074ee8a3a45d7a8992e19fe1adc8fe5c

SHA512
74b41db470a38bec12a48f816b109a50da96f471779d38c92c78b8bf00a961883a6d24591b1393429b1df1324a38d56e3f2d5686ddbf93ae199e6037c5804c25

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
07a03933a58e914a70fc54d7e541833d

SHA1
bde3d9738c144ac231055ffb5c23a842c2d9da43

SHA256
39db780823aa4eeca39e8e53587ac017ee9836717c87f89eb455e6d1c3bc52ec

SHA512
a1f40ddf40df7bb9338b635e55ddbcc35a314604bc102f0f89475b3eaa9a49b65b8cf739fd7f491f1eeeeb9efe7e32a3135163f11c6b987165c8d53d6e0db23c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
914ef677bbae8e0231daf3989021905d

SHA1
c99a41ef0ae0155a62180e5234500930dde9102a

SHA256
7af24e136bd2ed7991113301433826dcb807a76dc9a7899bb48961718533cf48

SHA512
8e0fd3903bf7682299194203db80d0f0b08136c8b4908d6e87b6ac28c6ebf294cf2c12e7a4a5e73a04a4db78ffd9cbf1d19b5aa1db305fb3bf4cde313d522234

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
b7b449a9842ac5ddd8e6f0ac6a04f217

SHA1
e1e84f3ace8db286bd7fd7a71bb79106743f2786

SHA256
8405bd067c938b7dff31056b8378f41d366253ecd23b7246cbb6f2ec313eff71

SHA512
5ff2df66c985736afbb0a907fad869c4958c10139c4b6b4c3403d44ab0b1c2e272e8dd3fb782b3204704f88a047e293f7ada84afea0976b7199393d15d4d7ca8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
250164a51d29adbc063a8b96d290f76a

SHA1
d7cfd95d6dd1c6222f921133fe374065903f76ee

SHA256
d11ac573ee848d9c87c7bf23811cd928fee940224536bb50e10b448b58feb740

SHA512
ccd7a4aa610c74d5e3acc57874ad2f4a891bbd256da652b0428485a7d5482fc593d0c33eaf77ca8c77375a9efc0c33d0062700e89bcad2c09b1b0d88a52cfb64

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
94eb2e6dbd01575e04b6f1b62c23ff75

SHA1
a9d6514b96dd35b9aeca728548a4e27f882727b9

SHA256
f558b9a39b3ecf92d10a43f87f8bee3b6b2fe11014ba72e04f473ff0658c4530

SHA512
23312036a00115a5c51dbcf232419232cfbebc7263e32802555f4e64938195ec8ff948ea86d80d31749033008be0477bc8abad2147ee8a4107991f02edb0053c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
24d095c99b641bfc777ae27c01e4b138

SHA1
d7056ef52dcf2fba9f8f06177e69dbbdb74066ad

SHA256
cbbdee1b85b16393b2c21e858d2dfb1f2091001eb490945015fd37b0e0ecaf11

SHA512
01bbe1c0c3c4ed8ab0c42cbff1a05c7bce57038acbfe0ee45055c83afa22e8b0316570377d25cfcb93986bd3b788264c29451e94dd41fee880787644b7a81866

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6768756c0c9d5b38dce13da1c6e945d3

SHA1
81d6a9b2a84f39b5ec29eeda68e4d96b910933cb

SHA256
718a3b4436bf40b560c708b62af43a3ca93b17dbec3ccfc18a72b9616135ae48

SHA512
6cef698b07bc6f19e3bbcbd0d9d1e910d4c077355be687f5bdd3c47db0d161cb0d2f954dcb270f911ab56fab5060f9418aa746f6dd701cee900073dc986f2d77

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
81070c979e29d496831bd1eb8c68757a

SHA1
620a7d48d980f68b2065c45a9bfdd152b856a530

SHA256
df3caa679cdc36911e6c3661f035ea8928e1273a70a9e6b1c85262a8a8d38c10

SHA512
bddb775ae3def4f2b47e3614134fbecd662fbd37aa627e02e6c8604a100815794184d8d77fca5d0318a66e1f78695abde56dcad28a4c1354700b18031baa819e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
ca19a93d43e731e2ad05740ff8cb9ddd

SHA1
dac987ca6b84deb4b194c0e8591211520a9f8cc7

SHA256
8bebe940aa0760047f46caf65f236ff0f3d6571595ba4de21783781d592e13c1

SHA512
f27f3bd76ca74488a268488932aa8641898bff8edaec8fb7cb474ce2f034d9218eeb4ab465c89a6e0832e19c40d8522613848cabfa1f8cd91cccb7da7d2528ff

Download Submit
memory/208-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/208-195-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/208-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/208-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/208-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/808-284-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/808-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1156-167-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1156-157-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1184-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1184-154-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1184-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1184-143-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1184-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1248-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1248-833-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1272-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1272-102-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1272-67-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1272-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1272-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1624-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1624-207-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1624-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1624-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1628-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1628-827-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1648-320-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1648-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1756-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1756-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1756-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1756-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1984-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1984-308-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2564-296-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2564-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2796-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2796-832-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2848-825-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2848-248-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3164-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-760-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3172-512-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3172-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3324-831-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3324-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3336-826-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3336-259-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3440-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3440-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3672-707-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3672-243-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4544-8-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4544-1-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4544-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4544-615-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4544-177-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4640-828-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4640-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5084-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5084-127-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5084-242-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download