25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
Size

987KB
MD5

21ca4eefbf7659b7eb943c577a27ac16
SHA1

9e041b0886bdc9211f3badba8f1e3f8cd39b3b22
SHA256

25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f
SHA512

5ad547846e5e5bf223b6f054e24e15707a281b21b66f074456f0657dbdc9535492078bf0e3b5c926c1ed62fb0c97d21e600f03ae819e5b5419571312530fdd74
SSDEEP

24576:GAhX8vziFhHENJyE8c+pFB5z+//ufNRoZW:GAMWFeeEJ+pFzz+/2fNR

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3368	alg.exe
428	DiagnosticsHub.StandardCollector.Service.exe
1940	fxssvc.exe
2756	elevation_service.exe
2292	elevation_service.exe
3920	maintenanceservice.exe
2600	msdtc.exe
2036	OSE.EXE
3896	PerceptionSimulationService.exe
4684	perfhost.exe
4676	locator.exe
3952	SensorDataService.exe
916	snmptrap.exe
2452	spectrum.exe
4516	ssh-agent.exe
4372	TieringEngineService.exe
3688	AgentService.exe
1640	vds.exe
2072	vssvc.exe
5048	wbengine.exe
208	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\locator.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\System32\vds.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4546394ac3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0ce372813aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a56252a13aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046a9112813aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab80292813aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000326ff72713aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3bf8c2913aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000765d8a2913aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005596fe2713aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e65a032813aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f0b332813aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046a9112813aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe
428	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	32	25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
Token: SeAuditPrivilege	1940	fxssvc.exe
Token: SeRestorePrivilege	4372	TieringEngineService.exe
Token: SeManageVolumePrivilege	4372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3688	AgentService.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe
Token: SeBackupPrivilege	5048	wbengine.exe
Token: SeRestorePrivilege	5048	wbengine.exe
Token: SeSecurityPrivilege	5048	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	428	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4936 wrote to memory of 1632	4936	SearchIndexer.exe	SearchProtocolHost.exe
PID 4936 wrote to memory of 1632	4936	SearchIndexer.exe	SearchProtocolHost.exe
PID 4936 wrote to memory of 3100	4936	SearchIndexer.exe	SearchFilterHost.exe
PID 4936 wrote to memory of 3100	4936	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe
"C:\Users\Admin\AppData\Local\Temp\25fb4358f74016ad16dc2acce2bb847cd73a681e69a48eaf67b825ba29978c3f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2600

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2452

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1632

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 872 916 924 8192 920 900
2⤵
- Modifies data under HKEY_USERS
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
e8e0f14d8fa13573381f45e48ef0b686

SHA1
ad827ddbfd849e75ef3fc918c6db0ba96ef326dc

SHA256
b84367d9f5034ef20cfe9b4699eaa8feab4624e17bace20ae2b40c1fab7f6eee

SHA512
9b764b6f4a8931f15997078c1a8688214a76ba13fe0770d4c47383575404f3c7e42271b24ba4f4ebab9445ea08bddf63a42540a11a9084acebbb9ac09740322a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
a6b455401b74e39d5c9ede93e7b5b1a2

SHA1
f657444f9f702682e5e83802398c538de25871cc

SHA256
4c8ac13db579bbcee5a0a0d8b096a78131c84cc726e7246c931b39cef69270a6

SHA512
45c9287e03cf84dc70d470b0f02cf1f4df1603c4f6668be57839280b0d5d4396b6a5d46b0abd75ab2c362befbd8e7eb3875b2fce5bb17161981b499794b783fe

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ea0c22a9c4665a3ed90db9f9f039f663

SHA1
856ab6daffb5b24e044ffabe8e9a089f4ad6985e

SHA256
9290004c1b87c05ce61dd13b5f65cf54c2734919b93d1e48047c3772f57c6c39

SHA512
3a3294189a03e58e31670f8101b5d79521958bb8606808fd24ebda850c4910cc8fa63e000868fc7dd6196f730cd87724a109849e42ac16054d63d6d010922556

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
2111e85351a72f49c44790c52aa11351

SHA1
a6fc6e9e638d4cfe8b6e6fb521bda206fe15fb7d

SHA256
2e2da3e7183c3e31f01229c181e9617dcb45305133159e2e3f09701490d716b2

SHA512
1aa2d8c5c2316592c9702d343db401340e38ce2094e1d7a283ee57ac4f6f021a08516b1fea2c26ac930948267125dc54e1e8859bcfe981ee35da4d38a9951c43

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
722475673efa4de3812ae725290f678e

SHA1
f5713d45d515b35c594c5ab18440d2d7af08cdef

SHA256
72ae64c5984bff42b9695f8c786f353246b9b23316d3aea9174d50671793798c

SHA512
dc6ace30649bdebef1956334d414af2350013b85ab8b6f284422074418abfa81f695a5dc99487dc1a7f90c72ad51c21268f38703922258f2a4e1f78d498f5c1a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6591478f68a58dd21cf81d7b2803cacc

SHA1
1b33596f89b6e73339b9cbd3e9323a96ec246fa9

SHA256
10c3cb97f8155a2cd5e4345148a92239c654708c8f2825846103a1f71236ee20

SHA512
b8c260c6fa80d8adb040b502b9865918247d4c26d377cb66aaa93fe257c9b6d5fe2744ba56510f025c7a25adfc530274b7dc64dbdc6cd380cab2435e7022fd3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b6960f1332af5230b61a172678b81824

SHA1
5f3b0214a4dab6a386a787ccd784cfbf0aebe2ae

SHA256
be8bf8b1d8f745cb4da62eae7c926c0c754453f945bcee3a37a09537a61458e0

SHA512
96bdb86d98c1c64eeecdeb1f44a7dfdc1ac4b409b9e1ffcb9b9bfd4ca5a3c3ea2568660879a172aea01d28ca0b72f569e329215088019878af02836f3f20f914

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
29e36a363c1f339863d3ffb7000a3c25

SHA1
d402e7eedee5e8b909e3c2cc34d132f1761d9866

SHA256
b6de4571547e10b68f569d071407b14748cce722c22abfd31c1002a8d79c43b8

SHA512
ef92d9b4c1e4f39443b618f13ecb756b2513a61da604138acd2f726090d70867561350d9ca05efb6a64ab705228d1ef5fb2483b4f6984362098935e5d4a363b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
02aca80c79db0e64b565a6a6685735c8

SHA1
3255e0481cab423ebfa55833e5e97f7220899a0d

SHA256
d37e2d4b39087ed8b360f1d5bebd9ebfb7d985c26ebf518d6b981cc3687def24

SHA512
7b579d76942553a29e6fa86781642ad24969656c930dae64056222fca33d30203e0d27f89aeeea378e6f3a2821ec9f070c5fd5efd48aa04f9b79456163332da3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
12573edacb191a9aee6bc82145c2cafd

SHA1
3c7882adb7754df11ec95d0b0c1a0ce38ac8ddbd

SHA256
54dbb07b1d0ab30fd92a309fb4f0b8843fc4715e3ad0d5f7b1d75976947f8fbf

SHA512
84e98b37d2e213804736a8bfb30757e7d0d19bf2205199f67759d6ed7d56eacbfacdfa31bed0d16cf1cd9aeb889c6bd18baa2555f650292faf4737ce3180295c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
746db1524448e646f729a60288cf9dc1

SHA1
2890ea089109f15399f0751eb3bfbbc22a4ad202

SHA256
ddc741884443a07f770af53c3ff55a2fead2f6717e1a6929c62106cd22a089dc

SHA512
14a96ad9687df869791061f48788f04bfe959f5114f5263054d3b349c0ddf12ecd465436b677c7225992d6bd2027bcfb46beb8bdeafbd1b5da4724bc1abde287

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3a4787154636fadf1a7f20e340e460e9

SHA1
a3e734f74814b9e02c9e7f86b79dc998938d582e

SHA256
b7990a5a0fe3272e16f44340ad325f9ef6c55e97f57c477dd2807c0dc186411b

SHA512
2cd1cb05b626f0d37aa24e45810714c92d05de5677cae850696e6600eddfab9e487617957527ecae530e6674bba592969e07b84a02791914973b6cce806a4502

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
03dc90d26ae7510524dac092777f82f6

SHA1
5373e1e0d693525ea6f594af0d442cdb5ff33368

SHA256
c3f735f539abe3bf49e8f431a8a1cd8cd098ddc29f075bea673e28e1bce4f30e

SHA512
11ba4584d8a1b934174ab7790fa3eca605019f0433aae97a2e679f1162e508bda41bd8664fb6386eaab7e38533f50d2fb626feee43337a7aa80c8f17a9cceb34

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
6b8bda4d10b7892c85d2cb06a47f0f80

SHA1
b26589037e2c815c7d69a387bb36b18ba27ac8d7

SHA256
8fee0f595b7fe4e611ec0d374c53852fd833429edf408bb2783dd70d2dcf5375

SHA512
9f118d4839059be215c3109edad8178c269fe20fed035adde4ae08ebbf866467e8bff346ebe9d2d26515c1f16542b781705ac0728bdae2529dc27ed36fad7204

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
cc451df8340fc5b612c72b2f5c7c2444

SHA1
a9ee11ff23c8914f09fc98af833ed0de506f4ff1

SHA256
85bccc5ea2b45f31ec71d2875f969c60b0472947c5745656dd5614a06cd1f6b4

SHA512
a6dd5e746c0cda65bbd654818925cb12fab8ca6eb3b2e9aa47c7e75df3f7df23c2d9bcb556866eda1fee56a58d0dff8a5ce65a842ccce1dbbd1da16490a45658

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ec2e507e077428a9530365cc3ca4abf3

SHA1
d0a2abda6f500c893ac8e413d2ac67ad6e99b602

SHA256
d9689187b47939b2112cc0740867cd581637288a6388ff961a233b4abaa97af9

SHA512
58b167597fa4ad484134778cce907605cccef2e670e80864823eec454cd1c9f14c04e49b57803c5bdb5ad490aee4d827b7748de2bef75e45a77983f7df3451da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
f383463147497616052f57de9416796b

SHA1
a7acc9522d1807d4feda6d152bf6a74d329f8676

SHA256
eda73ab43cd5fc8847f74706200b567e91f0a71185a978b1cb55330d07bee88d

SHA512
c112b24e45d28352a8b20f0298f049a501d545d945946f729689b10d0a1066b5d675d0828c5a3ad9124aa8a696d7da7bf1b20f3292b68d36e810d41624c780ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9e7357f865043d96f81daed2b9c13ece

SHA1
94e7b2f042f03cbbee1469248d00a9b638a74174

SHA256
199385e455f4ac4300536993f746bbc2d8200addf86b76790c4908df3471d9ec

SHA512
fdf8ecc339111aaaf201f9ed343c1302862217ed8307b5e5cab7f46c69ed53a479a2293451cea0dd4e6ab24e3f26ed0ba7a049e926af23a58259caa8df7a07dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d927a7167bd021a0543875f90effbe9f

SHA1
b9ae82f0004d3e8a575a83f32ed6246bf1e938cf

SHA256
344a98fc601c65d7a62026ff959cdb9ccb06eeb618fa4bc81e1bb1bd2867d5ae

SHA512
e5e9e7d771d2375b9bccebd5c5ca1a7fa167f4ffdb52a14b070b2861d837fdd76ec37e9a010a17d6f7770bab587b883ddb5e11815434fa84a4fa663926a252ca

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
74768018b49ca00df046e65be20373c9

SHA1
eb60707ce01074029c32645a1be2bd4a07bc1576

SHA256
123fde60cee85884d2180c6c3918388d7b1be0da448f7bda6bc325f2b4da36cb

SHA512
186079d1325752945a0080996058914af7b92d54702da7bb38131b6cbac38e6027bdfed189c01259d8c17e537a102d21c5d1defbcd3779ef326c7ee76dd7c456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
90d36637604581da7c7980847447a19c

SHA1
5de62e9e37f1e2256235e79762176e1c85923e00

SHA256
3d9c54838dc13644b7c14008a06ec53d2fb5419fb353520cabfeedf171d961df

SHA512
5280375a95a9dabbcc30becd35fbe66e2b4b437c888345c30b44ea8175c931c1fd58bb6a8021295e30f0b1dfddeea8839c1fe33dafaf0102ba028f14f7e59de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
3a0a6afb905c388ab0b3b06fc3a06f67

SHA1
ffcf33dc08979aef2cc35616c8bb3f9f1700d0f5

SHA256
49455976cb8358d5ef05999e9a61140c8e8fa24369183d533c305297a939c6a2

SHA512
054728bd8f16df62247842b3982e75cbe6c5d8bb89f86fef630dbabc894b349bece224cdc1e9f32da173fec67c6c066cafc3503ad1ff2c7305007185b31647b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a30e2a20c2a671f346a4a21dbe09ae32

SHA1
c5ff125c4ca217e1f5b79f2284d4fc955558d564

SHA256
fa85f4ebffe213751b0a2d68740f6fc71446fd1561083cd4de9ec105df589d93

SHA512
aa4278c3ab4aaa4f60310da218623a7f3a32a704c4e466fee400d5064dfccf1c409b1bd5875b58c06ef8120bc380a77ffaa9281575bdd091d5ab5e68c172b1df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
aa4f6de45c96a21e5a45043b03eccefe

SHA1
1d3266e52badbb20cd65475accd02d2bc26e0aee

SHA256
6c8773a74f6f78f0cf203dfe0fd6554fbe877d911e1ab6f23e84a0c66e030cbd

SHA512
9f2552f6d7ee764650d2ebf063c260298969b089456f174eaefd90eead7d3941b1963d950785da5ee752f5d416b2a1c5b12620aa45e0ae75d0c723129c2704d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
622d43b419637b94692bc819f5745943

SHA1
20360d1f83942900da201597aca906ea7004480c

SHA256
895c9315717ee616c2692111149a32ef0b9c2b377d57ede2be725e21e0d102bb

SHA512
721599e9ceea5fce28e67eae9509bb3305e41c85a4428e266f9d0dfe82680457de1ccc5b6afdcdd3fce7bd9521e69c2cf16841e413557f117d21fdf434e849b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ee649ed9cf71f25b3dbcaf1fcc68c281

SHA1
a065091f674faacffb9d7021d40ab167c58bcb6b

SHA256
1324efa10f852e28f56f03c9be2f5f4c03b2fff3da43cec12d23d91e3837e59f

SHA512
9615810a90a5444c7ef1f61647982fb16d5d43715cfed02355b003dc732fa147575e01c37adf39d6a58fe602283da9b738167c5dfd1cf88bc52d3f87f978fdc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
7285dd47d240230c9220012f4a1dfa72

SHA1
58d09f9409aefb18e84273f86cfdc2d59a4a9916

SHA256
f423ef037958f0915ef133b080cd39c5a20cafce4f0a51abe50f9e19628cff62

SHA512
8d9d953c2992b61f3475dfd0958b4a91fd8a0fac2f2581b6f64180fc0956cb272a1da7d263cc5600aff567d8d186b8baebbb83de8d450481fbf4332487871b27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
7b8a48c096dcf8156895107101c27638

SHA1
746425de8dbe892d5dae8862a5b2bedfd4aa1e94

SHA256
1338449e55603a43f6d7de356e174be9d026c71a80e724d2ea7ba7619615ff93

SHA512
7065d35dd623be99a6189c7e8117bcc9131443a2415d2486a04f9f81d06301bc001553dd7708159e3140b05123214234cbbde2e61f8ebdbc134053198a5e70fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
57bdb9972dcbc8352d0af031537f76de

SHA1
1c51a6d122e52d6743cb119dd4ba1c5ffd886fce

SHA256
d8bdc5a3dbe9b85cc0f7151cfa92ef226fcf69c33c1a3c05d29b084843fcd473

SHA512
35ad07bfacb15a325b1f29a79724228404924471bea053b237bca55f1822ebd12a7ec463d31d9013f115a78b35e97ee4a55b5d3b3a5e9eceb02591f7125cdfd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
8cee8f841b83247273b7fbc8e88a68d3

SHA1
0a96bccb0df902c5c5130d5846590d33d41ce434

SHA256
da98f6733f82221868fbffdace086f99619ea832747ac0f2bab6f92365ab211d

SHA512
919558e5eb770e3bb389927b5504f570fa095ff4612031d6354e6b25a77429d524c58ae14fc1e8f354773c614e7028c1ade9ab442e8ade93b1476ccd3c4b2c26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
86ad8d94d1d1da1c61556596a9519c65

SHA1
508fcdd87f95c547aa99ff9652e20c10d221de01

SHA256
052d3854634e5e18c14432a1735f9c126f6c98c7271978255d42a20cb5234fd5

SHA512
323748b878da5ff2fa076049b3d2eef50e3399ed320463ed1a09c111fe591e7af9779e4e3265477113cd488e7b41535e4bafe66b1d83dff66dbb0fc25640e5a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
f27c63b4974191ef66962e5808c970e2

SHA1
f2f57e84266b5a219026c9f12837fbe16e91afa4

SHA256
c148a5b65ea1ea5e4451f72afaa0a8cd9a4e015962bb7b6fcf84b3e8fd8caf0f

SHA512
cbac793e7ac6379bec6dc53be96d60dc8bfa392cc8d05ebbc9de6e2b7d79f77b62af7f269c853dbc1e225c7bd7a0d8c19003acce8d13dd994e08feb9b1cf7be1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a0f559c7e1d3f1a95e730660a2cca733

SHA1
46d04506d3b3d5a423399ea79fbaa9b11fade7ba

SHA256
d1d695938be802a8399fbb517f66e222d24ea406c0728553931a4927e08af1fd

SHA512
660dd3cfb66581b1378798e11ed57039115f54fc69e95ae3f95b0d785de7ca3f58382908090bdeae22dd37fe4d68d9dd3b889f37458cd621b362d57e6efeef6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e148f03a0bdea49dd891189000819593

SHA1
a209c5dc3930d4944e66c2c1c97bbb4720301029

SHA256
5c25afdee752be9fc4271777b1dbe48b7f3d7da7a4619e109c987c8e2ddb0a1c

SHA512
617512934b531f97501e2c6da46e4d5381706c2fc923033103ca0076a10c597f558d5d448a2e063db07f47e5ca4f28e9835cdd58a40154aa2deced9982e4fcf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
b5f813e7281b2beba9314ee6d26d613c

SHA1
864688866522ddd68d6fb672b5b1f2438aee5a98

SHA256
9d7318b0026b298e336b780d2cff815d8645fc2ddf38b031106af930f1013355

SHA512
fc3125d1d589f659ce008dc31739316e812d41b5f2bda08d1e5ff36a0fa35cb1e267a9060e4d73a02241cbf75c75a34e241ccaff95b8712467e65bad349c723f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
5166e4a883bc8e946ad8f23e54804636

SHA1
01859dd7ed7867f5b5c32909912234252174c526

SHA256
759b03cc1b92c4d7243ed2788db58facfd03d657395e12c6b65ee93dae98f96c

SHA512
7d4965b7fb0a64dd581b017d2a5be6eca1bdee1c052e1ef948040d9b47e757c9dc9c49a8cb1b819b934381753aca42b568959eabd4675a53a2ab869eaff8b5f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
d311c1a95565dfc21c588753b8405db1

SHA1
31add2091626d6c6313adcf7a94aafcd3cd003fa

SHA256
c0d4cc1a36cec560aa143a2d900afbccbace315d31dc7248bb1a9d8c7125a831

SHA512
4a5f13a4c253dd463d126fc9377166aa5b488e18dcb856b06252b87cd4b4d50616a6c999737501941ad97e90e2830dd1dabbf00bc6a67f5effd7d891e43cdb13

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d5168ddbaabc650ba3e5750e01480c2b

SHA1
a92a2f6b76b754d3a6b0423921f061eda34fa06a

SHA256
a59c7897c794d5d9769ada7235fff32ff8f6eb9b4b9f1c25bff88bf3c1099876

SHA512
2b432ed04b2f24a7b448f186151cc60d9ef5eeecda107505af7654e2ec9523fdd234f000eabc0dc7ce49167261d7f2505300735f7c72978f667b773085f0d892

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
9b44c7ba11c74b2a6650b69d46405b8f

SHA1
855957afc4cd813043006f58495bf5b2c5644f40

SHA256
52cadd5a85945fb990e89d3657fbbc59ca1f3107a708f9fb7291e6e249c3b780

SHA512
0a378d4d268aa82bc7c23f3b1e59a9a6b2fb6130e847306eb2052b451c2ed7296d3c6f442ab5f10e265b8adb3e643a7a26c6abc6fb3cb9ae29c82e9cae29685f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
8acb80dc7f2b0e5c5d90618c3ac346a0

SHA1
d932b8d4a4f6b78222bbe602f27470d09a4c569f

SHA256
ba4201236badae211f82199550c47ddb7b593a8f3faca0758388de30a88ecedd

SHA512
cc0f0b4c1d092954cd176b57c46e83afab25b57d52cf450de7c95b46bb2fb7c0f108d0222b4e404f6c9ed9855b63b852c829eab08eb8d975d6b6f457ac289089

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
7dba1652d86d74d1dee7c0d9ef08ae3e

SHA1
230c30153d20c69dbe793ca2706d30b57cbafaf6

SHA256
5bb675dbc8c19a55b733a29cdf0094fd9efce7e8ab212173bcb6dd1b823d5543

SHA512
d60bab1624e975aa775f7b7c3dcbee6924b1bdf524c9aa16f77742b43ee05a7010ce2a493d3317c3e198e3964af8bfd22920a54af9a1077a7a170c8ec96097ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
51a773b08b131ef0c86a82f4db114238

SHA1
1b3990e0ede9b821324944e10cf3d60583d53e92

SHA256
eaee54a89aa295b3921af4dbc43b483ac2609ab6d9ba98b999c5430706937542

SHA512
86be0ba3f93c6eeb14be4c47c82de46eee6595087e9bd7f4e1f68be4bfb5183ebb5e4ea36a8321dfa0a187e716835247e82a7e006536d24d4349e5b97d4664b4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6abba3ebb8399f651f29e776cd4527f5

SHA1
e5daf980f725f29d3c404d8e9dcc5ca23253c829

SHA256
14c7d7eafcf022af4cd193ef367303724b6d8b856b0d514b07b5fc285ed25c61

SHA512
511cbef26a2bbd88829d78c909fc9c49a5cac30bce6447fa8ff8fd45a7a6d374b677513c87c350e64553d5b619e1899156268497db31968fc6bcf7366893efaa

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
40c645091ef091577f94a45429cfb7fc

SHA1
21a335941b21b6cc90effa5000ba4952074898a4

SHA256
babd726615074be99ed6839b4c3f5b27d73525f344900e7666ed9d294e8161c9

SHA512
76216eae810af6d4d6e9a6d8951e2fd86453de005e4a9b6d8e8768a07711e20e03bc4438bcdde4242872aeadb8d4736bf1edd81479b3f81880f925d87126c2ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
081bce5ad81af1b4a7e6979e73ca9954

SHA1
ad7867deb25c0136d0513c1b8e6327f44977dca8

SHA256
0f0792deec6811098f81cb6c60c35898cb7fedc6a7486c2b95377b9185386f25

SHA512
4fd3a20f99f8558a40a761737d44a07f498037011f54db0ef5e7106f8c382f9f26b0e6127a63aee00226b8ede830461ae81fed0f2a576b31e4edb0ee7b816135

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
77727b2a4266b7514d99e20c1aa31ed9

SHA1
aa5ea53cfcb097a779cb470a08ac7f62a6036938

SHA256
d3916ad11ce21588a93a195d25f8fbe0e46253aa7030f4bfceed02a36f034ea8

SHA512
7f7ceb5282075fefda214586fc0013e4f62872c48a556df6d9e8c230ec26c02fdc0dad0dfb05c4a96888222f5207001513ca560fb4f155f8271b8045efec407d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e12ed6b5e14d843b01fb6385eec1e52b

SHA1
9e2e5c2e9adfa479a25bcf52d98ee272633b4c4e

SHA256
1bd794b95cba83da93a2df97b5738f0b27f918e718eb76703445edf5ffc74681

SHA512
7953b36718bc9969f17def63f7370af5ed0e2de8a077d04dfb4c44a85d8233cc948a8c04d004e6438513cf09a9f3028c0a7eb1ce3f2356e1acb931aba819b93c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b706270a4c98734c4512551b1f4a8064

SHA1
abfd3ea2cf248b1f8dbb32da94bbeaca66e8b983

SHA256
03d9c42540e43785db37eb471a1800027ed31b3269f4039e30cfc02e9b155317

SHA512
713460cb01448f7abb60824396e7b66984680e5536f031d999328d49313895d52540e971f62aaefc58c4464a5425e6545b0caf8b8cc8435db2d12572f2043eac

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
02cc1180fff7ccbad54975290d5e6b0b

SHA1
4492076063ffdc63ae186bbff21b35d31d54e95e

SHA256
f05971af58fbfeff5ab4690b5cf93e3e579ff36893561a6b0fda728ec0961ce7

SHA512
84ad3ca0d41007f79157fd3b5ab7879adba574aded2e3caac305253b777285c6926e514a5d9ba61a6c5b973f9ba5869f69153656df1a0af2a0800f4b33b98342

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
d441628404c834d774347533901f9359

SHA1
3b244559819f46869f2f71facec00014bfcbbcfe

SHA256
012914b54b509d6a529e5aefa63c11b783ed1a3ce79a08ccdf0bf1fe7c3e4500

SHA512
203d3a7391f9175c9866f5c56f9b55bf7b02e6dd9ab0112e1156b02b40ab71961fb22d65babba791a6169d1774ff9316484f7526a70f41202f7381c4019f9b2a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
840f258a9eb82b67cb865852c9c37ea1

SHA1
cef230c1291b52208a33cf7dd65f100ad2d2b245

SHA256
cf4fc0ef05fce530b9e5ae67d9a5f2b7546394979d255032a511cf97a0db7188

SHA512
34e0d5709346407257fa9625a63ce9f5c8a7a0c7d77b1cf3085bae422e4769a7345e40538ab6f8cd21487f06404bdb21ee0b986e2fedb9157c60385cd3781797

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
d49bad732b3fa2ba39cb01aec8817678

SHA1
8cba45a0223ee51ab570046e431aeac1a669d36f

SHA256
4b4ba8c39e7086365eb077ef37f12333938be1bad0e87e9753f9504a47d90975

SHA512
6b91395b1f95d6d3d0629637c04344a5a4c2ab89d10ff1877627064f32ded0e4969167a57a4ebd78500f97bdf4591edfe7b241f3dbe7b9e6fb8686ee230adbd9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
2c02185e1676aabefc4101e75847b03b

SHA1
11a8087d8d6d64dff26111b7878acdba951d290a

SHA256
e05184985f168ec66ea7ae3b425d39100e0f91fb02822435b01f786720df2708

SHA512
2ef0d0b818eafd0a7471d81bb80c395cf155ceb63be7999b46c8357a299f9e0478263becdc5b1dd71bbc1437e16143e4a6653d1c6ee1c36565540e667a4281d5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
02aa928750aabb2378f65b3a2803d84e

SHA1
ef3ac60f16d057c95b1648956bb39887bab9d0e6

SHA256
7010caea920b55b2f73ed63266f4b0cceecb00c34e324385faef1b550b0b6fa2

SHA512
6990b24c08282828bc8e7fcbba1f9450d6b9ef92a32e1f05d72a5bef2cd558f2d14439d8a2e68fb8bdd38d35444de295caf35855e840b140a5d9d0592d8cb002

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5fdf24e41bfd39c71294c87341f7b962

SHA1
fbb852f4522f0821008a22e4434e53ed59e10488

SHA256
856e57788a85e58649bd639779c762510419ca3e99c39e6e95e6a6a265c1e9a0

SHA512
e2dfa994bd90ee83e00aeebc6d6207cf529b3a70d1f7d7121c7f9318e2f71702fb7079d7fc7ad8b71c98a9ef3f85e2708341ed24aa69bd8ea06bc28a8fe99516

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
154c3265e32ce157a1aeb7a473153785

SHA1
ab758b0c8c4be971abfcf1da529cb237f75c53c7

SHA256
3df4536f090ba49a8ab535d32e5315bb1edc7cdfbd1cf1161ffd8422032a60e0

SHA512
8e7ad3d760dbac6a786349c173b0af83c7850a1f75a08514ab4f83263741c3f2ed0537cd25987bc83a30a2a9f600481f0ec4417fd6753f72138858575bba926e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
631a180d803b1366074b3db9d42ec97c

SHA1
6b2175cd3c3b7a94a1e89dee84b38331bda9262d

SHA256
3852b018e691d8dbb074745e7a4666b0dde6b50787b0c4c765d78aac927c0453

SHA512
9435b7fee3230e6c93c5ad80f82e1ea245e44dc42e1822cb765d8dbbcd3683f35dfd33b3c4188758897dd25a21a0d17ab76bc63e628d187a147e11edc4de70f9

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bd810e167ed65d0c595d1594809fb5e8

SHA1
1c0f849b91fc0c013860eba079697173c75b503c

SHA256
288f4d0d80513a9fed2e5ae6711ac04ce85138d0343374be01e3dc2ef901e73d

SHA512
21f512561c151199cfd516e48a32e46d0eb8887835e87c8ddaedaab202c5d8f8c2b0d82c5e0af61a2f7a2755200695cc4d3df3be9775f79d814333ef28efea0b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
1caa885bec67997f43ec37180135fa4a

SHA1
15b978f6842ff283564c18672549d1ae2d74330e

SHA256
2b85afa0c64898791f81016e1d7a565208d2b8ae20a0e7e78e2710e7db25b11c

SHA512
e3ddbe739b31482cf446bf640b5a0a68bf6879ec870b175f1583827c5dd3fa3bd4d4901c6bbd8623d09b87790caf5eddc3c02bb7bc63d9370f0c45c80cce9b70

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7c1522997f8ce87ad83e81c8bcaca488

SHA1
9983785af09a7782f6832cfc5aedaaef866860ff

SHA256
6690d4fb3c18e89cd1fbaf3ca51e27a438eecc5679daa81a1889d6280e1afee3

SHA512
8de0c73008556b7d2eaabfc65a11f6aa9becb8ae304477ee6527aa6d9f2ff2b0fca1a714240d7aaa1a140a6745359840dc01f2b7415118c59e3a5a0727841143

Download Submit
memory/32-8-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/32-0-0x0000000030000000-0x00000000300FF000-memory.dmp

Filesize
1020KB

Download
memory/32-188-0x0000000030000000-0x00000000300FF000-memory.dmp

Filesize
1020KB

Download
memory/32-463-0x0000000030000000-0x00000000300FF000-memory.dmp

Filesize
1020KB

Download
memory/32-1-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/208-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/208-660-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/428-604-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/428-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/428-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/428-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/916-261-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1640-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1940-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1940-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1940-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1940-38-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1940-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2036-189-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2072-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2072-659-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2292-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2292-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2292-654-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2292-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2452-264-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2600-90-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2600-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2756-57-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2756-655-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2756-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2756-51-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3368-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3368-435-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3368-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3368-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3688-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3896-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3920-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3920-75-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3920-86-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3920-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3920-81-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3952-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3952-586-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-266-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4516-265-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4676-192-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4684-191-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4936-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-661-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5048-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download