b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
Size

1.8MB
MD5

b0f6ee5eb4182d8ab86f5054f0210430
SHA1

4bf269c8a34fbbca743b42198d6b073ec993e468
SHA256

b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341
SHA512

8e30ebf60b4c299a0d0c3547e2d2d4befc53b9b63a0c63d3a63cdab99f242609c819c66cedc57862b74ff227f3caa71193b9907a4ccd375da7779369bcb4e91f
SSDEEP

49152:pKJ0WR7AFPyyiSruXKpk3WFDL9zxnSv3OPV6Vp:pKlBAFPydSS6W6X9lnW3C6Vp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1896	alg.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
4184	fxssvc.exe
4956	elevation_service.exe
1056	elevation_service.exe
4200	maintenanceservice.exe
4936	msdtc.exe
2164	OSE.EXE
4180	PerceptionSimulationService.exe
1944	perfhost.exe
2304	locator.exe
3728	SensorDataService.exe
4468	snmptrap.exe
2012	spectrum.exe
4312	ssh-agent.exe
2676	TieringEngineService.exe
3108	AgentService.exe
3588	vds.exe
3796	vssvc.exe
232	wbengine.exe
4584	WmiApSrv.exe
1120	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exeelevation_service.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\locator.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77eadff4b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exeb52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_et.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_fr.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_ca.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_id.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_es-419.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\GoogleUpdateSetup.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\psuser.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_ta.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_fil.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\GoogleUpdateSetup.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\GoogleUpdateOnDemand.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_cs.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D38.tmp\goopdateres_mr.dll	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exeb52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d175c0401baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c90d59411baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000514dd8401baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c911dd401baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097c3ce401baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3ead5401baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0ea8c471baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	548	b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
Token: SeAuditPrivilege	4184	fxssvc.exe
Token: SeRestorePrivilege	2676	TieringEngineService.exe
Token: SeManageVolumePrivilege	2676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3108	AgentService.exe
Token: SeBackupPrivilege	3796	vssvc.exe
Token: SeRestorePrivilege	3796	vssvc.exe
Token: SeAuditPrivilege	3796	vssvc.exe
Token: SeBackupPrivilege	232	wbengine.exe
Token: SeRestorePrivilege	232	wbengine.exe
Token: SeSecurityPrivilege	232	wbengine.exe
Token: 33	1120	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1120	SearchIndexer.exe
Token: SeDebugPrivilege	2960	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4956	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1120 wrote to memory of 2104	1120	SearchIndexer.exe	SearchProtocolHost.exe
PID 1120 wrote to memory of 2104	1120	SearchIndexer.exe	SearchProtocolHost.exe
PID 1120 wrote to memory of 412	1120	SearchIndexer.exe	SearchFilterHost.exe
PID 1120 wrote to memory of 412	1120	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe
"C:\Users\Admin\AppData\Local\Temp\b52a4b431c317edeb85ecdd4b2d9abf71c0e18e62a566ced5078531642777341.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4684

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2104

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
333c6888152a2162c8a5d4b495fbfa25

SHA1
13250dcb7bb380610c6372703dddd63d68acb411

SHA256
5ef03f3cb989e3e9f9d770b9bff06d710d8f61651464ef4f0b8749acfc8b5084

SHA512
d1f0aeec9b7cddc6acbfb2572615019ef627120f760d6090f6e600ca985c50c82037602688e66b9ba42e1e171c3b7f2d36245503e97fba657d1761f4fa57655c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
a7cf9ca8929020a96d89d429eec862c9

SHA1
842dd755ec505a87c325377af74104cb6ec57acc

SHA256
64f56ac85f58cbed42c59cdf4dc6a53ca226bc4113bba3945acb40a489fe638d

SHA512
cd3747d3a25502663944999d08f8894f02bf116e3b0ce3f1a625985a4c9f26567b64cda081d502a0b585784f01698f9c76b0f24ab1a5aa50224d6b2be50cfd8b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ce9ac6ee5b8c1d0730774f0e444c897e

SHA1
e384601d450ac6b4a2b55696937d716fd93639a8

SHA256
7f0f5d2b95c59d52f4d93b3251854148de6c397232f3a83598fc0a03333c8bf3

SHA512
210ce7415767b7f1319cbe5b1308672e8002053b966e0d9a72d1d484e6fb988b0074ff69dc2c2f0e7efaa9d57d159a2cb6d96ecd0c8059bbf53bb4b46b0ee576

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
055037e1fe3565742fbd118036faddab

SHA1
22c6cca9189d08b7adacb1138e7756d021a05b24

SHA256
2dee57d44ae0d8eb44f48d20d0dd631195e8adde5a37ca028277432f24a2518a

SHA512
655f1a07f887f58c16fcaf99837a1ebf7883dce46ead2a46151f3b1abf634fd04552b33691a80694ccca1d1b635777512c9623654dae9d482ee8cdb94665ce87

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1fe4d43ee2daf0c42d1fe7c131a0324f

SHA1
7c9b0f310baf47c9efe3a87b397f3179e2d04c4a

SHA256
92022bd05881a32a91e92ec0d535058dd306266dc66bd29df6db67e6d1e0a086

SHA512
dbe40264a330ecba3e1966d3561b98beadc1e199237ba2d18acdb9107787e41c3f0245c1a371438f0ff754dba19fe27c16f3c458d0e018fdf3f392f5f137d7f2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
c1d43641aa7a13cf8b80cd89afa7a24c

SHA1
158ecffac021e129bb1283fa31ef332837b79162

SHA256
e04d6cb3e9b54e7c64555726963c14e8cb05e08aefd7ee6b0b817d756f1a3f75

SHA512
22006b23d6aa55bfe79c782416e81835f902125092dcdf748a73da1867736a33440c62bc041a34743fabe05ab9bb2cd2b4dd04cf741c781d1693fd91d0fc6922

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
dbc414437acdf7eb583cf54ebbc4d73e

SHA1
b8bcd6663e6b78fded242f0d7d0aaa88e9899af4

SHA256
de9e5c912d6ddbc92f61f33cb1dcd78340256005c4455ef7801b449be635e2ed

SHA512
bb18bf12c964d6f844fc57cac4b0c962a2d4c10d9583661d8c389b83a3954cbf9412e25d4ee7361e2c33f2c2808ce9e5cfce34383f19004a6ebfba4f4064ae02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ae952fdabbf792cf37ef95ac6ea3fa1b

SHA1
dc03a4ecba77693f31263657cb78bbc9a25e5b20

SHA256
f415cb0b26d05131b8beb6390787f875313ae9e0c660bd2f5deca0f7d90d5854

SHA512
321d086895a48629dbe95cd3138808e897574198f4666338e51282f187d483e16afca2df6936cbe32c12736bcabae27dad11e23e40bb46baf3abe591d7bd3a95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d1d4b26d2f2db40e3ba4b63cb4aa40a2

SHA1
acb6871aedc34a07452ca06419bbb974a0f37896

SHA256
ac4e51d2a8fec1a53be3a0603309f3403d367518b2c70e15e9f354656abb2001

SHA512
764819d8843220c7139eeac137927c684705d53488f5ba64c0e12f5a0e8ecde6a17b9b2c0f82a010ab6f8cc62f24138f42b08529db66172120f6b2de11f2c110

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
11bd1acf8f47864da7d68bd86d22fa6d

SHA1
ea5ad1960e55a7c8b3f35ca49c8ae01e7a56c7fc

SHA256
3113918e69cae6352b5aecbd70d9fba45713da9eba23b04fa36b1e48ae31bcc7

SHA512
48a5d22d45a3c50faf42c95820871a222a46c2ede2b02537096b4b8ee5a20f45e8634ca0e48e6fefde0dd4abf858c848b4297a8516eec70c802ba2f8824a1f57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9de1718cd4d58e664eef3918ae0555c0

SHA1
50877fce47e965443dbbc6174c2df521d694bdb3

SHA256
764bccec498d0fc88a46d8931d0c1f3274112decf9e6512fc2428f5391e92887

SHA512
42e913174774406cfb32d49a38181e2d50f91cc7d6bb7f7a0bc53760a9a81f9abbe1ab9320871aeec873ef4b8841f8167bcb7665b950e05d72b90f0e031db7f5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3beb690548850add2eb80a0e44860969

SHA1
a230c12830f158ae541d41fe68ea7dc573bc439c

SHA256
a449d79dc7f9f36734733ecd3e420c2b0bd2a358d096cd2c3ea37ca2546b6234

SHA512
3e8667cbad6020ea0d807033782dd704952fc27bcc23e43d9d52445bab05b0756542c3bf11fd34faf138a558816c85788568b2f8d2e7dc01856b3a01aa5d5166

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
6ff30d7fe369d4a8d8e4c97a81dd3c42

SHA1
22a622cb2c96f0d143f02aa44df9001718db0457

SHA256
69f7e0b0ccebcf54e40b9e9ab149a3f982b46ce3e71a73d69bcdfd8e769f709e

SHA512
7c51d89cf302c823df5cd8a0f576d9f505089748bd898379962a3bf1773f115582c5d3818bd57daee0f6e4a6c1b776d89149a3ced9a9fa2e749dfecdc33d3d20

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
9339e4c3f4b2a0bde11d614dcc40de01

SHA1
648820a4de35240e96a5ec5100561fd7c9c09b32

SHA256
fb861176d52fff97317fa8d8da24cc0e73f42e7094cd244b6c150e8945b00fc9

SHA512
a970fb2bac7330180d1d9f14106ec090d05aed24cf110815bd20669efdf0412e4b0624dc634624c3ae868b7fc1de37df9dd7673bdeac3cd1ff332f7740c109c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a91f210db6a553bf000cd67fb5f0d545

SHA1
c072f50a0e96f81c2597ecf29636e385abc694c0

SHA256
817e52d6ee24bbf8f927264299aa8b1d532f53b165e944d8c0c1bc7773ce78c6

SHA512
f4565948a92b08145173b0023f68661224346ce2164019c58e42090d1b816ef11ea55e7ee152167d733d809930c0a0cae3964f064e43bae44ab357027b3ba9b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
3cfecc84820c5352a013038e8a522bc0

SHA1
4b7e5ea16a5d01f91bf420aef0f3603bc19665fd

SHA256
940c6d2f470650d4c785d1061287b5496c18f028544bda917206c1c50c7716c2

SHA512
3955c437c24a2e5b321c960c9c44050860ccba2632b04f59235ff60a5ceaab8000bb63bfb666c95e88a29fd4ade1239d648d92fef802f658c5bd40d1c7198801

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
af4240c7bbc175e8ae64c2222ec950f8

SHA1
9fcad1d3f712e635f1d20f50f7715cf33459753a

SHA256
35593e06456ee6bc2af16aad0304e5c0f50f1e8f9760eb97d10c7dd34bf6124b

SHA512
33f6f829480160ad4e68f13fc21519a2932d0ce2a5050283d1bd2fc0eb45402c5381c036f27ce3cc8d498003da6f46fc1ae0ff1f82f662a680ae5257d00a7f9a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
22d157978477a4cc64b8ae50e7b84df1

SHA1
665a4e33c6a7c3a82951b4f6f0e2b5a31fac7060

SHA256
c85f0ddda4c75feb0167627d02f3bfce77c9b2ed4447d720d3447b3a05958079

SHA512
1c690a75a523afd1ee6fbdbaf9b3ccab65475c1a1d8dfa8d762d1de283351930702bc3f7bc3e4f1ccc89cfffa1bdd5d615ea9c4854487e83ca1ff4ecf0002076

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
3862add049b3cf0697d5d26a458968a5

SHA1
cc15de8a845ea19e0e4226d9ad34536ee5fdfc06

SHA256
a1c5a3c3294257a61fb0396d667d7f66bc9d50f511555ab630068d6e92bd28ac

SHA512
6c10af314774a8a1f67b984da960eeac0d4161a9d7c5fce74ff772786665329a237d009470c8f354c78680394d2fc051604a0e5d8ed7bb8f776381c5aeb15745

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
0601bb5ad897cb0d93ddccab577c00ab

SHA1
cd95ee5201ac10b7c4a7b83bcc1e3ebf6cab9d7b

SHA256
ca9d9f14144a96503338cde9b11612b099c049d02de9af54b9b321cdc0ed08bf

SHA512
334ea54092d15ac22c69d228d7a6e94bfb7c668802057f1c628bdb549145615b6461d77d765f527138de20a62cee49bc5ee5e5d6a640dda2b22d459028fd31ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
3f33cb204ecc19992a93ebe0957547e8

SHA1
771e4815705e4cccf4ba44e3e2d3bdab29c64196

SHA256
3e2cc8d5d436c1db83a6c8d313aa9b819fd5b9a03065acccc7dd862fdca9825d

SHA512
e17d9c123688a52d628de967a30f6aeda7d4fdee8fc60d8460a59c788b3302f9f87d01a836fe84da8c4e13ab3c04f489d05aefef012ec58aa6e34aa59c71c49a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
cf6aabe0f8d1a91d972fb2935c5d9012

SHA1
bcbf85be42aca7e0c5a5845ec97e7833e5aa68d9

SHA256
c0f6d1c80c7904266494b2dc2510420f6f3e55bbbb3cccfd7d03c186585a5ffd

SHA512
c9d437d6fa8dc56967a658ce931e5dcf91dc5cd8268317aee6ebd13bbffdf826eaecc630561af67d86cf46648e4c9381e43c45e84b2bcb4e97912b1cd081f43c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1cc8ef31101b2432537a114613efdb68

SHA1
37eba9febf06aa06d3387164ad38e7d04ea5fce3

SHA256
43760ad72a108d1d55604e1b073e3d46d1aadd1c3ece3009ec92c2c7eb0f3257

SHA512
443d97ecd696635378245b301a423a1315cf31a86fe7841fd7083e9554215748e2c46007660e4f468441be5017c3dfa945f8b317d1c9411f9e7eea18303ec57d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
6d64ab8dfd7c1675c3cae07986693878

SHA1
3f20aaee82f3182f6556a5e985059fe268dc9fda

SHA256
dfcf1946e2895b4eb9339c501db06190e4e3d69c5f4540e27e0e1cec1baf5daa

SHA512
75fe826a567fc36e2ec4c87f5fe24aeb12076e81a0a2d15968eec4ca6be522ca5473db8f04a396a860346de996f1d00c14942796064cb345f18e8b266786bc06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
4ca2231fb33edfcdf4018010a86c5b73

SHA1
40550e732a37444903a42517f25637bac87a4666

SHA256
8f54209e6be28e2c95c4d6f5517e32db8cab6c9029771d0337fd9af5416f33d3

SHA512
7d5b184f49c1b1d45e96e942eb5421b22353d5c28d45543b82ac40662e87ebd7a2ddd7ee921bc9df2ed0b900386b89479570f26124cc7b8e4dafe6810c8da85b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
49107f4913862da537961fe0e473228e

SHA1
bb94c84e422bc22094ff1ea9163d8f371513c9a5

SHA256
24140992ad7594183c8334e8531a3ae5f021940341d33c64e405a3292b4b0d53

SHA512
6b17379e47bdf9cc3aa9da110247a8c6a5cfd5c493ec4d1a47347a7099abaae3d6fe6b3288d659e18ae04aa79ec8959ba95b516520a4b57d8f050e5d21fdf4f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
d81600d64e05410e8707a0ed62be7e8a

SHA1
a924a619b3984d3a31d756fe2cb0b80a987854c2

SHA256
0a341f8a503d2f8879c092fe780cc4295365fc0a6eebc359340342635d71beca

SHA512
b65f259543c1648c55ba21ed9f1eebe5b3b8884986c0828bf5fec3753fdd94bd908b82213781a8c6ec5d738b1bf54e247c3da6321de0cc7a208adba47d27732a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c9f6bf19d7de35ae7c9c0750a1d040b4

SHA1
81a1f1ad0910b24e41d1be44b8016e1bd3749fe8

SHA256
dd3cf52ac687ded62c8f84ceff1e4963195e1c801cce984ad268acadfadaa021

SHA512
3c4c441cb64d88322955eea8bd6a7bf46080852b4951d2cd0910dfaa97a736145ce37d36e8c47fe0ea2e3eddaab33642aea7bb07bd1f0d4450327fbf5d05d08e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
bc119f429b6591f9b27c826b83cade54

SHA1
5818b6a40d665020dcbe9033375fd836a8030472

SHA256
118fc1b23b111a499385144893938ce1367c09790a0e628fc840d1e290af3376

SHA512
521bb567a8f7590cae59e44d40ed49f5865b706bf6802ad1bb5cf9a8066ff7b04b87d1a72df594a92f608af0f3bc22e6179d30013e9711eaa204cdbbe1ab0690

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
ce1cfa528465aacde0391dc5f511eb2c

SHA1
d6dd377403d661411a0586c3b39997fe756066bd

SHA256
967774aa1b42e27269fcef39e4be1616dd2b76488b41e77961171eab11653ada

SHA512
1966bca722f3a21365536b42be29874d06d4e42a76a105148588488f7efe27fab591294e9d206dc1fa43b8bae68aed7f2a903ab1bf2c223849da9ed5cdae9556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
8bf58a4797220881524890ace0c2b549

SHA1
2a4efc77976c3e4d4dc9f88d87a6c32e00f3f835

SHA256
b0d144a68c7ef47f928ed9dd6979b7a8743e84438e49697afb8bbbd49377a3f7

SHA512
56d0215733a1fb31467e39a784f7ede52cfe3718aa5209970349aeaa4ec191ed76df71321d50babec6b86d75f01031a514f6ef77ea1c9a3f22728cc8323252f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
7a0ea963eb5e5e5d1c06c1f68fdb2c15

SHA1
d21c24e745ae10b3a05f13bbd7e7962f71f2cc05

SHA256
3fe391605857d6ae3dd21d2633e513aa7711666a93c0ca02a45149361a12c57d

SHA512
c9072712270d8d207298b0530ffc81d74738d7a809c48b343241a8535cf27d4f684691fad4136881af1ee818a17023139fa388c9309fdea359774ba8dbc16825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b1a67a0d3a267993073de1c9127906b7

SHA1
035d4e3ecb26bd2f2ef1b586f37ef8dd44f2e156

SHA256
141944ff25365e65a61afb692b750d04610305e9e0e301205ac80745714df2a7

SHA512
875453f0c6df2e581e97c97c36ebe79a94fa2a2f884f4054139c3b7beaf48bd9fd0946e84a5bc0a353f539d5ff23f9a963d12310bb8368b05b154d3feb50909d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
e1115777a8b338771ccae7d56c147a29

SHA1
a7ccbe9faf705af04b840b0395ff8b0d6c9b7784

SHA256
6d51b2ddfc844e73b25c0ef14676947808821f35a7b16fe7e1da14ccd595ee6d

SHA512
36030beb63dab976e87651edadee375a2269225680f31ee1e393ae1c24345b6860380f3d2ec5491ed5b66df897118a267b7313d256d9edacfd5c7c5d1cf9e179

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
0f3f3347cb2205630c28ece5b6cc2b5c

SHA1
c976dc6857120fb306495d277b354de4b23d24d9

SHA256
d0d5ab9391f19fcec002149d99520f8df5da5247c6e59b296ee8b4877b8b9a6a

SHA512
96dde07a9982f57ae7df030ff3230e5260bf89e0f21c1c6f0040c36e4ac3b35debfa2a8c23ae5f412b16e48354d0ecbda34305a9444195749ec9e2ec5dcceeec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
f8899bf3f51a19dd154138b82664796a

SHA1
62fb7fe98b80148662859f7b4c166c916a6c026a

SHA256
3c118ecc44c5d46307d7c91f83c4182768d660a97f539f579113f61d12755d2f

SHA512
4ebc3b21d5040382c4f1953b596fcdc0db0d710ab79c9629f48684ac47d52db28d2062ff8bd27f6e4f936b3334d4b8b5baf0134387ae91deaab2dcec27016a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
53b65a2b4bf437349d95bda925769415

SHA1
aca26e25c135e68f4fce3b3b6d3013098cab0bc3

SHA256
7b9c2b0e2ff91d516496712ad72a7ade058f39d48bd41c079cd032384cf8ba6a

SHA512
45f20ea347240a7c36cc3c8ce8ca6f3c3f08896ce8fed4aff6f268d6fbcba6d7e08fecb4dfecd9822ffa2a25ce7a59ab460b78bfc4aefd435ea5a5f8f8c4f414

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1348560ff259fe95ef321f3550ba2af7

SHA1
b35f30590090ecdd44ce148b39962f1f0209ef1e

SHA256
e3770e87135d3279e775e97445c1efd87a7e6ab5f50c3757057d35c56501d3d2

SHA512
d82a9715dd2d542803ad64766ce5d954b2d60440278f8f364514a3f1937e56d0dcac3eedbc023a48675511fe01ebb30ea84d465f427dfa211efaa662ae9a4aba

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
38dd4b254810393ed4ec2d95d87b88a3

SHA1
4a88b8368b92c893e46f05b61b4dbc136ce2bc4d

SHA256
5168587e52d9ce12dc1c8aa30d3e3414e440c34e102d98fb989bb191c783a85a

SHA512
2dfa03ba7f1db3d53103be357db9d1ec71d5ea3f985e9fdf6e827965ab94a5969fac1fee227e3e22f048c681abd12b3b4a678d87513cdd4940091a8d90ad7715

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
60c5b7419ebe7f66bb3f34f64994929a

SHA1
97bd7546fb912c9f49464d05e33c888bb7737868

SHA256
4bb4f7b7722afab935b388e7a0d2edf398ec831d8629faa69eb3e80473927e55

SHA512
b0d8fe883572698652affb30ac91fcef7f6d6c047c1816d200c22cb5d257fb3d53ff5ea2dd094016f844d494fb008cd53e857026e80e0ee34865010936c5e601

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
bf7bdf6bf54b74736974a1d512d57d8c

SHA1
77e8d1a43c79d2a589459ac2cba4caf232de5aa8

SHA256
91a6f07fb6aade2cd0d3f1b6a26ce06f1977aeedd2adfdd54a3ce33b81e009c9

SHA512
1ae3c62e8ee1e8f222e4095aa5d568b708e5bd69c4fc78575d45a9f27d19b5e81e53d380996c77b880a308ad40270940501049b7f6bd2bf7a06292825afb2261

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
136b4b974610dd31a7f0b6ffe8eecea9

SHA1
88ca242a2c64ce33f90a6309ab333b87e579c985

SHA256
ceac262867ab66ca91d41f07c8af51940602133e5c452a1fca01a3d72307515d

SHA512
e75e954495dce53816ada715be0f29b39ec774fe2b355a52f4aad132ecb50c8a0d211cb52ccbe4738c0afe64f8523debbe620ddeeaa19cc9c201a07789a4ccfb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
09cf105c2d86a95f59c441db01d3d9d6

SHA1
1541deb9fa204e72f22bb8e67c0cbc1bdfc27d72

SHA256
ee0f52b1e8432c7dec7b6ea29ecd8c92824a31d9570027895a92eba11a159302

SHA512
b283cc57cd92fbacd281ad0df7cf10ce2704f0f8ab7d2d2a76615f365851a220932bdc7f3701dd16a2db19e4ab31f5646266e191beca8fa4fd0bd86729e750f6

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d548b10bc82be19c61ec6dd8c197d9db

SHA1
f642e39269f6acc441fdb5930449c1f51530c1e8

SHA256
f01d995548ca6409b5cf2a3b6352f68ad011c11d47b273c214f0ae7869e24c5e

SHA512
5221096b4411ccc091b771bbbc86379e94139fd342d56253969d95f9f1f5fb0641485653d1ca0aa21f987955186029d26b401e70f891ffa350d8ed4cc225f697

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
0d42bdec36f74da9c8fcf4b8c2c8ce0e

SHA1
dd56189840408fbe7f3bd2185272a0e5f6a3abd1

SHA256
75d22cf74edd387cd94b61ad361a15a989ac555d2dbb1420a4cb10e85b60c751

SHA512
5c0bdce385307fc536bd3ae70390374cc579f4fb52f8bc605a9d832f4a22d13a580a24b6142a0d0be1230a1f9f259857bc47609b2c0d18b13e8f0c89497af7d7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ab4cdf897eb1f4aa5098a6e789922139

SHA1
026ca4c4bf39ff0af4d29f49634593b5f76897dc

SHA256
9d5ef4c991ed76dece2c5987021b7c9bc37f2d6200cdbc94b29e93e42d2f67f5

SHA512
9df76343e6ad554234f35e142d149bee0286bc1a4856f02a99456cf07c1c34c306614d50df70cc0c8c515d3069c127273d04d41351f52fd92a83f90daeabb334

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
89a0d165726afd5e08329a07a9f5838d

SHA1
a1f062cc5a54a6575100d21d5c9833692f909260

SHA256
538286ea752fe573c06aa64b2c6a01c4259dee8c9397dcb535ed1a5c9be6574b

SHA512
9fbc48440717d837b1215065f7b8be77a36e82d969e3de6cb4f881d18a0ee68fe5dbaa91bcfe4f5cb1fb329c28b6b1db3d323152ab2b6ab4a9aff0d2a537999b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8552de76c33ecce5e4329cf8c751dc29

SHA1
eb0a84f79e26e7626cb52614ac120455b50023c8

SHA256
9e86035ae3be115dab04d760ad89e9f51f98a8b44670f87f1da02f26fb3327c3

SHA512
a4764c9ed470e12e27cc86f40950fa5aa70098e6784945b3739a96a716e0421c31331f9a3beb6e8d742e38b354042bd42d2ed68c1a34ccf0e2b57a224b18e594

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4125a7e347889a6517c103cc0e1f55d3

SHA1
ef53bb7b72bdad187e7dc0ce57bc73873b2e1f7c

SHA256
f03516b62d2a810dd034491678955d80c997891695eb32b48c5d122074203c1c

SHA512
01eb64ff0355f834aedf04c385a9faf1a57c541784d04c16a46c20294ec5a2a3908997413a25f903220ec1d1cd146b79ca6dbe4115a4995395fd82fd4b68faf9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e14c73990c55f7a2dd44def6e44392ab

SHA1
c1fd91ac3813f3834ba76e1a1a07732143aa1d39

SHA256
7d83821ddba0fb2f277c7bdedbfc59885c77e90930b6cce0d19b9c4c98c77109

SHA512
681b1538aaaa6f887cb6d780da58b57685dca69162de976480823cd13056c36805ae369ed91d2ff6d061e8cdef39250fa39c29779ea17f7f1f4a87b476509cfb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
67ca0b92bb51af08b426d880fd3a0fb5

SHA1
6101ad02d5115d0be99c5208b8e8293c75224877

SHA256
5b5b29720aa61b4c6c478b48c32b46a5cdc59800592e53e5ed9fd09fb8b4f51e

SHA512
0c6a5c631c8edcf10b17426873907ba9d9d0ec07980ad818f8094164ba47d95ce4b3c82d4b85757e57f08ad92763f6f18b690b56536816483888ebd121363f44

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c719d3ee24b0ddab6cea5378c7e6e424

SHA1
dc9c149cec23242d7fa4055726d0b5bd2f3bb8aa

SHA256
d9c9de233715deee96d415c62650f4d5a66100516a566c7a0e4428151a9e37c1

SHA512
3406ebf8e365432be4de8065471eff2f133bc5d655734953f02e5d8f5c639c4365d457152506fe29df568a6c37b80d20b33ea5c5d502ffa078e0d4cbc6f865b4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
4d7ef8edd549bf71cf82c4a2b0eef056

SHA1
e0a8ca2f11f172237555858867f837328b549da9

SHA256
3056ad34cd07646b112754ac203929a6099c44b6dd074a0d0425f05b398a51a2

SHA512
42ab67dcf9518e216d33b8525eaca5815548f04425eea24768346331830ec0536226011eea559241553d4360e48d95e6ee9c01a90a8953c8e041a54f01d1d246

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e2b55cddfd5dad91318ace3559ae4bdd

SHA1
94aea6915d685a29364194ee323bf39285ebc1aa

SHA256
428dd3b4db5a56e4c770537e43609bb361648b9dca6d189c81edca0e3fcc65a6

SHA512
de81207ad992438b85a95a12a77cceac5414deb27592b16836b4580271bd01a49a1babf06f9399c769aafd01270832d7fa9a7ad72fe9a726893db94f54f1ed06

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
560de4006e3a6c62dd3259839b6e0711

SHA1
fc011227173c738bc853c2e1f268651ea10b5b00

SHA256
f69311597db7d8e86544403583b2ac499bade0b235669e62cd0db95ae521e000

SHA512
f542a99c07778951af6c805271da00dcc62f5817ff29a3dcd3520cfcb964860c935c8442b342abba164ff6f1cb82f8765e1df099606ab910782b82020c13c1d6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
cf55be52e5db3ebeab674cfef2771ba9

SHA1
2c975d77d7b4691631be05a38f22d7ed77ac4ebc

SHA256
b5c57def31dcecd4127e37a58d944491d46b6f6973dd5a9b1ca2618b391deff0

SHA512
97ba96cd0e15847df6ec97d279a09503c9f8bee1e67fc04e506be92c42a9346538d9a16b6cec1fb2f547ddcdbb0a422a0f430a506e98b2986daacff1e88dae2b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
39c06034ba4d64559c8a7046994d153e

SHA1
853731eeecc68a89a29d899c616dcc1dee54f88d

SHA256
7d9c3d103c6829accb66036ed43dcdbd13a1dd8f2f54b43124e0210da0d64044

SHA512
8195c3a0f8dee071a4ed2392be0c5bf1a4087bbe4a06111d5273fbb582cd7bd7e20a99b2010dd5d988347d768a5ddfe7cc6dd630981046fe1a438ecb13bc9ecf

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
479f7a710ffeba9cc3c2b1ee4460b2f3

SHA1
c79d870b1a62512b6ea163bcd37098e973a9166c

SHA256
9aedb8f38e32b5b831319fcd852defb9c1bacfdb00d50cb9869467c1f6b488ea

SHA512
a90fc1beaace94061acf7e5f0947ccb0ca288b22ddc4933d77039123b151e1f2ac8b137822680bc504dd34369dd2c47cf422c9474fd602bb5266794fb92b1fec

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
5afd9ebcaaf9e58bafb87343e1fbb803

SHA1
b8312c86ab1318cc92bc21bb4b2a30144f7536e8

SHA256
17c19e1fd2fa125ab4af9b9f10ce8594875b84d4d153ccb1521c177c4a6029d2

SHA512
ab10b90f6de69a4593dc5eb2bfd7ee6885333396a772efa37e09dcd7a1a583c6e0f281177adc1e49f20a4c728c293ee3cf8c441fa63e2e7d7dddffd2ba6a844c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
9d34fc3f9e0dbf6e5801193dfb298680

SHA1
baceac036a78fe49195d53821e83c57f2ff0d79c

SHA256
eeebee469a78f3f67ca2465a8d758a9ff15b850c580f9ae92636b4d811120962

SHA512
cdefde12bfee85b728fd71056edf506d701346b09313e744216a6ea0cedfbf8b3d07d22a87a109d443a9875259ee10844dee4614b5b3002ca90fc3819c0fa302

Download Submit
memory/232-228-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/548-1-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/548-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/548-6-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/548-174-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/548-510-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1056-117-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1056-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1056-118-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1056-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1120-236-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1120-675-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1896-185-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1896-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1944-172-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1944-166-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1944-230-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1944-175-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2012-568-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2164-144-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2164-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2164-148-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2164-139-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2304-180-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2676-571-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2676-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2960-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2960-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2960-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3108-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3588-620-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3728-235-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3796-223-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3796-673-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4180-152-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4180-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4180-159-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4180-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4184-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4184-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4200-133-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4200-128-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4200-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4200-122-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4200-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4312-570-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4312-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4468-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4468-186-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4584-674-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4584-231-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4936-143-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4956-99-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4956-107-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4956-105-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4956-211-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download