53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
Size

1.8MB
MD5

99404750b37a9abc4983d2c54c9cdc2c
SHA1

025d55fd8172bf3a427b291e49e181c62fd03c4d
SHA256

53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa
SHA512

480a6428254a4c1d85eb54ccc8e1cff66ffc473fc7d328153cce9ea796c8a3c3403ebee0f643c46b8c046e8a369647ec219e4d223c2d69c56b39a43c129c4dd5
SSDEEP

49152:KKJ0WR7AFPyyiSruXKpk3WFDL9zxnSemgiTd8DsMcDKGfWbYCGE:KKlBAFPydSS6W6X9lnxBiTLMiKGu8CP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4220	alg.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2208	fxssvc.exe
1952	elevation_service.exe
560	elevation_service.exe
968	maintenanceservice.exe
4260	msdtc.exe
2192	OSE.EXE
1800	PerceptionSimulationService.exe
2556	perfhost.exe
4148	locator.exe
4032	SensorDataService.exe
3372	snmptrap.exe
1544	spectrum.exe
1076	ssh-agent.exe
2792	TieringEngineService.exe
916	AgentService.exe
3084	vds.exe
1424	vssvc.exe
1032	wbengine.exe
4592	WmiApSrv.exe
4372	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d1c86ec5c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\spectrum.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\msiexec.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\System32\vds.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\vssvc.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\wbengine.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\locator.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\AgentService.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_vi.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_cs.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_fr.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_pt-BR.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\psuser.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_en-GB.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_ta.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4FB6.tmp\goopdateres_lv.dll	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe

Drops file in Windows directory 4 IoCs

Processes:

elevation_service.exe53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098effc40faafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000554e0243faafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe9f673ffaafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079a9f941faafda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4a1ee40faafda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001ec5941faafda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
2888	DiagnosticsHub.StandardCollector.Service.exe
1952	elevation_service.exe
1952	elevation_service.exe
1952	elevation_service.exe
1952	elevation_service.exe
1952	elevation_service.exe
1952	elevation_service.exe
1952	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exefxssvc.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2724	53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
Token: SeAuditPrivilege	2208	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	916	AgentService.exe
Token: SeBackupPrivilege	1424	vssvc.exe
Token: SeRestorePrivilege	1424	vssvc.exe
Token: SeAuditPrivilege	1424	vssvc.exe
Token: SeBackupPrivilege	1032	wbengine.exe
Token: SeRestorePrivilege	1032	wbengine.exe
Token: SeSecurityPrivilege	1032	wbengine.exe
Token: 33	4372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4372	SearchIndexer.exe
Token: SeDebugPrivilege	2888	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1952	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4372 wrote to memory of 1808	4372	SearchIndexer.exe	SearchProtocolHost.exe
PID 4372 wrote to memory of 1808	4372	SearchIndexer.exe	SearchProtocolHost.exe
PID 4372 wrote to memory of 2984	4372	SearchIndexer.exe	SearchFilterHost.exe
PID 4372 wrote to memory of 2984	4372	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe
"C:\Users\Admin\AppData\Local\Temp\53dc96b4655ac267fbd4ddd0e99474d11d16c5c76bc9724ad9d733abcca79efa.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1808

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2c407f43c7d0155fc16b755595efa050

SHA1
a81d6248df7cf889144158a7f82568eae01c4142

SHA256
66ddf8a2dbc4b8e2faa72c00b7979a2b4b8a0d76a6ddafc730aaf6005fdb477f

SHA512
fcbbbacfc41b4300d2f92e386f701c52a1a76ab2266326192c622aa26085b9d15e5fef7df8cc23be23c467190ced5554e578537d001b4875cbf51f4d756bf195

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
49586d27cccdbac9b0d4137a74d3ff84

SHA1
6ff0720f8c34a98bc2a93e43193954e39332c44c

SHA256
f6d9d42d96a03b796ef93b53bfc4fd6d153347d85bb85ef9838e7e06e698e344

SHA512
40be99ff606a828586eb568e06761c4b62ebd46a650f7bc033e675741eff9db3cc3ce175edefe2ff1da14497f70c4e62132f23f2e8beeb29dad5aa6a0a5c3a24

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
b893b3b76c9e0abe7212c5983f5d09b8

SHA1
1460f932a0d38f2f85558c511748f8bb5cd556fc

SHA256
c1f9011781a624f56736f4aab9384b917efaafa2a924635f12e04b33a06e5cf6

SHA512
6bb127049e924540683cef1599bbbd2c96c4fda0c873a403a83d9f68adbf58e4fc4037418be29384b0b2455d0010e92bfdf25eff2b35b44c2b9068e0ab323c47

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e2d78041326e70badb8485845ce27e70

SHA1
73f6b87079504ef419d331cf772089b797c2609a

SHA256
906cb95778729b84a67b2023096c7b5017cc742f6e717696ad8fa69633d53f22

SHA512
e75f5ff241a9ffd6398fcd1d15aa48653f2a20af567298ebd5e773382b3e3c07be31f266aaa23a91037406dc2599d1bb22034b88cc4483dea7467aaf0077ca6e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e853a9992340b9ad81a6e768e67ab5aa

SHA1
39d17f38278bd90432660423a302267af5a8b6df

SHA256
31911535807492e39313f81480de12cbdafd8eb735cceb49099cdc8d5c7cc000

SHA512
2deffcf698b31b30757c17e1e72d6452bda0c7cc8b4a38c5d72075bf51cc6820440de59909abf6be34327aa470206773f524f0e751c623e19b8082eba725290d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
76a518148c77b957f6ce4111386f497a

SHA1
f98127c051c846c8300b2f1a8e9dd08ed33ddd7d

SHA256
8f257b1f1b215f881eb27c31474f14ec45781a8eedea52663adc32f92fd27235

SHA512
be8eb6a89940df8f88b77fe8f3106831b1a1d44ff3b1ca735f6c103a26fdebe4c11d55d58bef8267e223ecf342cbacd599bd9b31ad78d4f9e0f08a8823303287

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
f702166740125f3212dd45f9e227cc21

SHA1
efae5a4d250438a7a6d5af0475398188d49ec20a

SHA256
3a582fc74a68a4e29936fdd80b287a53b851107ac8a9d82448f5447d00ad028b

SHA512
c98f69a53e0f2e1c61bd02794d13b0202910b226d6613e6929861828b2de856e6c7afe2fb44547d5b6e14318bcc013ce229920ee6f8b726454deb0498815d65e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f08c251768a91c4e2947dfe4f169f49f

SHA1
c8cafd69bd4f807d013c75d5fe00dd2215d90e72

SHA256
909dc3a4cf036da48c5a06f0b54dfb0df5ea6c3b50323b8589d48be0183871ac

SHA512
6af01a75cba80316e576dddba5d46dc97ba3c97d9163142736880e196a329bba2795f1a15cd031ff16f88dffb96ecd575124cb52d17db0ab7c3ce1e7409a213d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
35c0fce9b10ba21b2154eece5509be8a

SHA1
f3e5a655ef3e5af4c824a0a9c6ca04401899c532

SHA256
298c6313986121854812bc6e66dd77f48a8ffaf790a3f37c6832aa069469d90b

SHA512
029b6c3ab2b72db4c6fba214c2fea954e967b369dad77da912b1ce852cf78f69fa14db043e247a5b2a143201591cf5160c8fde2874b4c241538f259ad5eedd32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ebe3210dd81817a185b368ee6b1f0ff9

SHA1
dcddfd917c55717f94669e68bc9611b186605f18

SHA256
e57be669e91a1335e560e6782acefabbbe70dc9faad53147633ca074a5882c29

SHA512
9b90f30afd59eb9481298877f3d54708539b9a3404d40dc27302741f3b08c09320131ff7171019bbe01fbd5bb2f098dd134e555c56289fb0bac740cab0ff9830

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7d19216a3cade29309acdc39fa78e7b9

SHA1
bfbee74f98a993be3eca8abd132c0b31d0c19bff

SHA256
e0aa42fcc63fa01635c8004746c1adec699dd6d43e5b10f03657fac9893be50f

SHA512
257a2edc0097732183bababf3c09395163c3f79733666d6e630679fc7a17bcdb308cc5d6f5fbf83a675a6be5ee7a6d37115e6ed0614aa9ea69d47a71fa10d441

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
d53a23674fe05002d6de6a0ce592c817

SHA1
e93f08fe8002bb6ba49239f2d89ceea50221c464

SHA256
8ba01c6b5fc2471f5eeaa32b8e09718e21977c702d451a24a54b31eda7d905ad

SHA512
dbfb468dd99dfc367bc5e9e9d1e47eebdf1630683205f879c1038126f8cfb6a3cd2ae69c1b3ca31faf8d093a323e1c95d036995fb224ba9bfd589eefd4f936e5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
c6d16c695e14608bd857ed28483f9034

SHA1
177d0afda26ed166067e2f6d09efbe29793726ac

SHA256
1e5c326d272a0931cbf1c78ed9937ff67c86a8a071ef7d8e0e4ab8fb128da774

SHA512
6ff87287ce5d3b9f0cec0bbef36e7a3dc2dc35aa75ad1b2587e97a18ea2cb4d033591cee094c97cef070e8a383c92e85a6782ac6a03b9074492972a114b94968

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
4392bb1cb953bab8bb767e71dcf10fff

SHA1
bdf8933e642890747f3651906c1994c51853f832

SHA256
13b3e2652099325400756f88cc6906b80c61fbbbce02a82b52642937afcf252e

SHA512
87ca457e8cf0973af6ad55f09afe9c51a732c7a64de8a6e7be09bc42ed27121d97cf37a54ac577651538bba5062634dfbf7e50cc2b610732295fed72d06b201f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
3423ed211fbe18e725badeb09682c6c3

SHA1
bb0302447492eb96951ab11f980ee52633c2f864

SHA256
66e10fb633d7ea60a7df2333f72f1c864cb305a45fb93c2c45f52a72b011abea

SHA512
b540587bb4ff8774db64a4700ba5b7fcfaee7e891aab02966426e213d08e896323dd9e6e64e01938af5c5302b8273c7d14b75dc3a94361f0698c63c92b22a140

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
8956a432744ead2e79d39acd3f895ff3

SHA1
ccfebcf4a44513ceac9772fefa6f0a8f89d723f5

SHA256
506eae992a9dcf004d5f71010b866275a49d6e6a78e18cfd553c1515bd83a1e0

SHA512
dc5be77631fddf3a6e9c75c88ea914870eb99177b68a03f72f48473b7577a8a579030f9dbd29f92feccd6f9fd29a6023afe536d7ba927411b7c6709456d7f9ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3e24d008771c7019fcb49beb7d5fc653

SHA1
b791563ef7afbad1db052f5bd5b8cbff3c98e922

SHA256
ccc08c681b140f5e29e0246d47d4b8619be8d0a9c1d657c49545f3fd38e64e6f

SHA512
f0b01ccbc1506f559d57e0f9beed099044310241dbfede69e115d042ef83c0802e55553d1f32c6b88ea285abb072bf59441adf448d155affffebcb4621ec80f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
f221c0e5f53c3a15a6814aefcc7337fd

SHA1
fb8826e934aa64e0e416a68dafac58ad77244ddf

SHA256
ee95bd298491b60042db5c44750fb22ec0f6bb9996943bfb7372b2df9eaff54a

SHA512
ffa95103fff66d81e2a7e1cae07839084319508e92064767c28beb1eec738aaf6257013a82d2e149c7829c74d4e9763624b5cc958af39b772a707bbdff4031b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
bfe2a4fca94cfb37c18367c4e707719a

SHA1
7277ea0c52f7d409139faa4dab7f02044acf24a9

SHA256
f325b06986e72c448d5468d27b15bb19fc67d927432dc4bebf9cf14854e38602

SHA512
851e87ce7cfcaa71ddb0d4d3bb404d543c014253e24bc66e6db4ac9a3ea0c2000fa2d62ac00c50db0c2d24fd7a9f0f26f85712b4b76a89cf86f21d23a9066be4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
799f993397bc4513a35d5c59dfdbd28a

SHA1
141974b3cd74bc09c2f6bb68666e6042a9b51e42

SHA256
faff588bf663f7b7cb54f4a63ecfb1d6312b3dc6f3e223a5de440f3c0780afaf

SHA512
9f9eb73596f9833693b574ac4b268e768a696f41e727a877baed0944c887898dd7abeb7c6a17b4de08418fe927bf5d4881bc56d510c3f55d462db01a0987b572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
8c647b60ff7cf938a249c1fcbf1e16c7

SHA1
ee5c3d68719d0836a6ce20d7994d47affa4ce6a0

SHA256
f0d5b56b9e522a9d2fc95d280c2035162109c3bbfdce6fd3d7a48301f5f1adc7

SHA512
4f7cb33e7a0e3d15f1e44e071567e408bba6161a85d1b868a47a595ede7186aac108145001dc3eaf58d0133558670b7fdfbc9c781c15804d728d32e88d41a646

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
f554d6836d5cb3443cd9c80347c5282b

SHA1
1911c7eb94eb16672a1d05e652cd2fc8275c0385

SHA256
5e1109f92348b1dbab48d28f29c1371a03466effa4911a50f68d83cef4ed8f19

SHA512
6b7a88ec8dba071d02322135f3fc4a46e9b9b5beed10ed9f1796ee66beca805e3c7bd84daf07585b772371d3a4507b5ae0b0cdbbec8a65f453696cf6b0d30ef1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
861f4256c418496a9911f220fefe3eca

SHA1
e90060f7079fbf327b481cd21bb08a06d5280702

SHA256
17844f8484cb7cd50621619f47c56ededed40c7eb07bb2dfaf4c9e2f90d06003

SHA512
ff9094b9df69490ae4a913ba14819eb4aeadacd374827792947da56119542534bc51ec95e6aa7362bc8ed33a7e390ce1895ce59ff4235abee16f0f90fa8a2678

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
1c0adcb04157b63f3538a11f828242a3

SHA1
79c4af87b4f5064283e0ebc9f62fae68832e9184

SHA256
5c908503cb4d9bc297090d5448acb3a3998be1a735564a7e155f6823e1d47dbd

SHA512
5314303ed3965750b275e564579d840ea21a9b22bff7c6e77eec2cd3aff6e0b4b5f819794248eecf4297569dc0d68071775c7a2b636c602c75b5452e8922591b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
0562c71249e25bd55ffcbad7f23a2c77

SHA1
fd32373c3af6923ac5ec7fd2f458993b92b6dc16

SHA256
404776c3f91c75dd8872dfa5014436cefa480db226d1a642db6405fbaa33ab93

SHA512
5fbb1cd39ed4e9e2da00f32f9a1d23413ce5dc31bd35f68a6ba79d1d3fe24ab20f44ee36157aecdcc17371629af6610edc17e50c1154325b862064a5b8bd83bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
ab1de52ecb01f278874db5cb6955742b

SHA1
0ef5fef422653a7dc2e8392877c2f135e97d147e

SHA256
4b382d8954cd1ade669ca3bf1ea5bd345b589292481d601e44756214232f561d

SHA512
aadc0e6ca65621e743d3890a3c07140617f1ae7ce941c7589617fb8eab6a7f10263b0321c734089abdffed11b433349989968896b5190a8780ec9b478601dc5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
9f012c2a379efe6ffb7f13e27ce5eae6

SHA1
11ab693751cefbb8009e95343806be7cc1f24cfc

SHA256
46e50392b6da95375c880da3fcbac0b096ccc91a72c6e28931ec1e862220aae0

SHA512
da814198eb177668a136c1efce21f00751d08ecb93fc4e0ca1770c6853be3c4e532b42dbc19cf16a3d2084c13d194ce8b6bff9ab95f0feec5b25a0c515405ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.6MB

MD5
dc1ff567793f84dcaf84512a4ee07f6a

SHA1
7e44244f12b3d1974f237046789cb377ab0e009a

SHA256
c01f7de2cca152455327e39d9d6a234916fd07fe2374f65b824dc4030a9b420c

SHA512
cd77431ef9d50c25c933450089309c5e60cb253dd2214a382e7bf581d80b0655275d471e18c88aadc3e98399f5e089bd2d6d3a12dc2a7bfa2c6ed9923850569c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
16451f676720940304ed3aaafda5add7

SHA1
03d2020a0e56ba30b29f86a8524bf347070d454a

SHA256
de8bc99bff6a6825d5415c618fb519a98aceec06ee079c36cf3e043377815804

SHA512
513184c15eb99379898d2140a0ef2255be01be304b2c0b657069faeee214b8083717d1d5b94cfa73d7a4a9ecfaa1c7cde777eaebca98d20571356663857bec47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
ab7b86ce5055915aad33abc0edd31b59

SHA1
7c6a8059a10b2f7bd1b555485aa7216394e8a146

SHA256
728423445d3a2f2ec3c1bae59695500b220d65bc574015dd1f1ec5439e094f67

SHA512
c89619f6148b3565d37eb2e483f20a2f0e8b628f5ebb8ab4c963abe42aef05a0b50e83c7dd229beb9e70dbf324325cf5580d74b388600722757a09d66cf91235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.5MB

MD5
d484fd7ecc0c18edee113efec6a644eb

SHA1
ae08c8c849325979804e0547b249642e6a7c7991

SHA256
c3f67db768a518f8635c9e487196d33158950350f87f6cff7a09aa3299a077b0

SHA512
6f48058906a85a4725813b0fd435efe25856f025faf1ed1f36cc82f485fd8f1cf7933ff6d7b000fb9e69d5d1aa7e459e9dba0a494141575e589da643106ae4a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
0db9e7a816db3fca53c9f3e950c85015

SHA1
34db8a426477072a3ccc688b459007c399d015f3

SHA256
76d68a8ff750f4d89479cba6abadb3cdfe5164d38c6db504f9c85d1a302f0f5c

SHA512
4a6ad050107b36d5ec3487bd3b4a253254181a4b25ea6aa0b5b77ba5df734d90ad065c6ae284d14a002211f0ea199a1d038b153d50b9926e01277bee8dd04edd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
beb035c5595d3cf555cbcb13ab16b1de

SHA1
203a4860620253c4adb4aaf3cf542fb3177933c9

SHA256
6d04869476d456717e640921bdfb0ac09ada195f8536183508c168981f664e67

SHA512
9aa6c9f326f9900d7669638a039ac947cc5b3c310b4c7429fb8360fb958e9bb03030c896e381980518a33a2a59ed4e34bc7760ffe67886b3cbe43a9cd61d6598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.5MB

MD5
74cb296b752fc942682e99f9e0d3ba61

SHA1
bf886a6d58f0527155252307fd3cbb5a0334f954

SHA256
9c2e2b7cf0f33f2bf48a4ad791201ed4fed7fe581eade80e6aa33ed9396c5f62

SHA512
eb0ea5233c4de8ebcd26cbc9a73e8a7c1bbacc233cc0852e2c02c6179c56e2b92072f310438dfb3416545828869013111091add4cb1d2534426656391079bd0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.6MB

MD5
0fe3f6869b90f476f185f6c6b1cceba8

SHA1
94cd55f349e1f5dcfd52cd0ed1043165a5799a33

SHA256
1224afd3853d5f0b4e370313732bd95984bcd2c8039736e9de504eb25e80a0a7

SHA512
5d6b10a7096a10a4b4897aa89bff887ce865c151d833186d0829f508cb74cfbddf6b7b65da927be860cdbbde58dfbb09c3f0137424c59d504d0e05c4b4c99f92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.8MB

MD5
6e5f6914fb1f82b32e3e6e95befe7d09

SHA1
86f9db71698aca47323735b92ef9e950830a3b52

SHA256
15a79ed0eb3d52509ac317d9048a50c10980248422996ceba97c3fe498e68d6e

SHA512
3af75bba49dd27d7fae3cd327f13ec4ae4d6538c102f5491cbbf4d3c33ac34a02ad2ab4db887649b9bc73f2d997536e9d7c67a03bcea35d85e53f2e657387a3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
4f22689d8c4189266439d8a58de5f67b

SHA1
7809860d226067a327f8611e62e183a7fc3bf4fa

SHA256
8830183702ac370ed8c5d2959f674f3d8731aeea2143305ee0a0c9a5d31c9123

SHA512
ebb11b4d3392d33553d3cf7d92cb99a0b80573e890233c4ade7ecb35228dd85e8df7c6f283b57c9a1902c3c812c4121eddf7d73d5bf92559e8fa232a40724d7c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
5d2197d79a05cfe7c3a66ab1b6df9b85

SHA1
01ba8ac20d03c6c905151124d6a73dfeaccb8e82

SHA256
0e4565f8dd425af515d3e3468adaff1e208c0b21ed912a0089e1895bfba7a875

SHA512
abce27f1b853c6c22a5030b06578823491268897d71a7fe558a40db327beec6e1da10447e8af0aa3623e7ebeb3efe53450bc0622ef7cb899602675f3e3909d32

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
acbda678cd4a243bb8554314b58d4eee

SHA1
77f5297d6005626fb5d54680e183d5653e5709ed

SHA256
70f43b3113a4f5b926f8cdc46a18e7eef6e358327ff92716f6352a0e56ec8c9e

SHA512
7c89ba9793209feabbc0cbdcc5244d024fd44c8b5836ed8f26cc7047499c70f1b84fdc118aefdc249a50e08959a3f4bfc3944dff71d3495cf585603656284a99

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
dff33ecab28d89b7b9592b1e3ca1443b

SHA1
fceb57aef7b53a650f8abf53e96e051b39072210

SHA256
c410cadcf74736bf7703c2568a74845d1832b2e457ef24610b993fefee0c22b9

SHA512
54f625879fc843bb0aaebdb5b469ae38a0f6d601a3f657605cdbbf7dcd070a51a82a28db1a800b6db07facef7dcf08abbd6f31b3a318b45fac29c21dc063666d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
739f3f1e463911644af42337e96e9c54

SHA1
2555fc12b32b1f9dccd54fa1c0ec1a1d87d4f22f

SHA256
d0148d43420b31d0c0de9ab7d33a6528f7d49d23805b49bb2d8c84cf304c034a

SHA512
127f8b38d0073d76ff226ef9c2a6698cf8b0bb9fafd007ef14fea257990e41a7eece722fca725019dc849f68931d0bd6bc75f760974f5985af92605e30190856

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
b9355375683c1cf8b76df6b091f61f03

SHA1
d9df75c8b644588f5adf81330974d353d855ac39

SHA256
4b50c769b95bf7eac5ff914a290df7dabbd9eadc02658006a2701a145445e315

SHA512
1bb91d9602f671928626d74461c00b923697a88d9dd767d30cad85caa19f22b9e12762db143ad75a153fc5d2a3fa20bbb13558c650c1a04c9d2400357a7bc340

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f092dd37cd328fc82836a3e7f49bf859

SHA1
6f2007c6a53d72578f09ca29bc5093523330e417

SHA256
3ff58f0a1160cec28a8778228c95efe5382c0688807cf723b4b286e942c2cad0

SHA512
04e15104ffbda5470bcc77ea0989f4c2fd68e4c992ea7b7830f6487dfacebda7a1c626bdd104b98b784fd6633027934ec61cf546520fbaf66128934746570e03

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
8cd68f6d4d7046c7491584dfbe9252db

SHA1
46e32816d520b1357d8ac61fa4aa1d2d649209c4

SHA256
8dcb1bea4820c0ceab8aa06babea48a73df5cbd9b6f60c6d60b1ab3167299d75

SHA512
920d94e94ad92450c0470b161b16195bd3a7cb51a0f811b9b506725a0910273b194c17bb7b91f357e0960878740b29649f32ef9dbf213c1bdd37184f581f7011

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
cb3c32ad2fcb530244d9892959b6e8ee

SHA1
b7e61ea3148e624f8f08b0b2c059ea6e2f1bacd6

SHA256
b04695fff151077d7de34af10ff5da55118a0ef5c0f4970adfa9784cae848f94

SHA512
f22531c31895a98589fd98eeacd70137c432d6a3d8134ae321b0a6e2252dc5e71f683d6de29331f25f7a0617be1576482a372664089be073521afca5d510ffa1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
83c5cd7f83fca7b570932f4609ba9398

SHA1
68157b68c4cb6b784f267c97fb287f16390e51bc

SHA256
c2e30e2dea1cea9698821609ad517247428d48cf83aa70d8c35315f1fc052049

SHA512
356462988c5b308caab70111a88c7174f41b63e1590cbe866cdd7eac114ba7cf9bb972edb59b98c4739a9792debde0fdc3fb7eb146c92ad582aa5770ece75d9b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
cab3dbe960a1db577259898f0c920c0e

SHA1
49f78074d4cecdf25ad18d7730b5fd210147f99a

SHA256
9c9e0e51f4e5bac9aa0cf6287559545d1c7dc7d769a5088adbfb59cfcfef3746

SHA512
d088de76ae473543d759ff9bb93aec78a67e64f3fa3ce054e0ce441d72c57edd7743089d447e465c41fd2638415e4556a4736c622973ae03577de76dfac47358

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9aa5d9b0d1eabb2ff2745f29b3fc5aae

SHA1
b807a98116dc87bb5c0b7085c854b4b2c6d4e2ca

SHA256
64be8ac189fefff8dff12b9def18bf15eb0cf9f753f7ff968ce553ea33857160

SHA512
ee7305c4267133d77761969d6885a2c337212acc9222fe4765343ce22da4fbd0947a97cbdb8c75e73d10c6cfe1ddabf0453f6f1466a6beec38a4ddce5031b4ec

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2aae643a4ef9e0c8dd38e8c949d1e33a

SHA1
872c9e385f3a7f5ee2656a26c41e9067129b9263

SHA256
e80a3efdbacf943d0d328d667326d170e268abf5d5467cd5226618a796004b60

SHA512
736aa8a94962a68420f3c892bdc43ada23ff2b48162795292b027f45c579ea2ea501037c6bc66c79f0b71f710569659b87d103ef1ee2abdf4548576ad4aa7daf

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
b16302dfd925f8eae02c59d6ec0ec2af

SHA1
dcda709016b85b33b8c494b911aa4937250a614b

SHA256
2ddd8089523df88377f77c059425281d705a3de9027559888360d475596a8a8e

SHA512
57f4aee7db1764d8a430a2b4252677357f9b69933a0e1d57e87f16adfff65225ff0bfc484ee6f5cfa57bce6879c19284706eba7e07f98a9f9acb27c822e9076a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ed7a6ca326d2029d162a0e18a3199700

SHA1
dbca3c2fdd6150d7edc3aff25014c7fc36e264b9

SHA256
2fb838313a9709af6a081272ce87dff8ad84bee5df5ae26f93aa4d303b048469

SHA512
166148ae585bb44745d21c8e1ed62979a4b0183ed025aee8d9f29525ded1e415bb88d76f09efa4c3a4da8f2857031b6de348771e4dba9794ee82def6bc1a6a55

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
07e4a9aecdcebcc237ce2ce6fced2c13

SHA1
3280510c1740fb9814140df549539ff98e067439

SHA256
a352fa476f12bea5d9a885acd2acc49db21223bb16a09299673e80042a9289fd

SHA512
6e49d2fdb2e4de2cb80ee32ba012983c689ce98a89f853de32e544ed267aa48ca2d69ac9febac223fa0f4c77a995d531df93dcdb137737bcfd150cd2326f70ca

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
19443f28fc3f5ca27a702688ec70d41a

SHA1
83c51dea11f53c138ac85408699dbd314f026a7d

SHA256
d39fb70a43427d8d3c63b0681f812465411833b94db6a52116e993dc6fc75a4f

SHA512
194b4db25101be0ccea320f9160eee5b27df15e23f04d52f0d14713268061a942693e995d374278c801fc555194132a6d0998ef13c3d0c1fd757a7af2ce759fc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
e546cd4f815d740fea164e19e2e89b98

SHA1
9b262b433a24c9cb8c8da944c99651ec8548004d

SHA256
d7c22f000b349c5944e614be0b4b5845e434c4a48640a237c623bfd36014677e

SHA512
dc5dfb65f4198f4f8ba17ecb7e2f2d0a14d18456872b3eb63cd2fdbf2f87c7e0a7a4bc580fd7d5d392961101bd450c3e1342e96851b9e01cba36f8ec2a2180b3

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
531b39be6033d7ef39a9b7b09b16fe87

SHA1
6a5034f5d1f3b4f95bfa17788b41b4aaf6fe4008

SHA256
55d5cdc13e773a6fa08a01d728aeb4914af709df59c68642f1aa125eaba56d40

SHA512
f6b6e3f6eab1a441433bc1fb8c7a204143cb60334dbb9dd6f30c87d4fafa6711918676ad319482afbdefafc241175d1d9d317fe64633105efd082c3d75c3a366

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
e53233d9a881284a5e3027b471feee42

SHA1
2d934010becd18cfad46db9105888723b79227e0

SHA256
b5fa2def82fae2df886a28455ae2108e883c9b139572195b7ab0791d1f7453cc

SHA512
0ef59b41620ec83e71fad9880ec1984f31bfbc6bef197e8c75aa24ea6a13db70d1b82227d7089eae87b0755e9a3e3cfb7e8869c0b874a8dbd9300165a7c924b3

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
066a6530e0a5cfbd2d814a46a0821f8b

SHA1
6a9277e43ca0a67ab980d76006713a3ab207df77

SHA256
86c1480ad07b8f69505f196115530c67a3742c9fe80736e4a969cb675fdcbb83

SHA512
8205e9fab773ce40e94f1d07e960557da396c392878c2b258fb6cbf1b8db4239aaac8a3267ac44d75c3ef294a377a1bc5fa7ced76c0820b7c1bb7fb229e8549a

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d0a72fae746af79c822fb7abac3d131e

SHA1
3015328a9b9a704463552ebaf3cb5dc692b7b23a

SHA256
1ede411c5bdce1beb1da434d399349e0cad5728152484d30637352af50b14a91

SHA512
e60286b2a308a13db0f7c8e6f3a3eb3081371d0aa7a8d8374a49e165f1c427f762dd62ad8341df56383f749cfa6343d8e2239d7456d7259c40b0eae9657b3f35

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
32d8319aeebbdaca152f2a41e5cb4faa

SHA1
b88762fec122907225d62b42e637df133988e70e

SHA256
4a05794a2b514f30d3e43b6f3d5d796a7b390f26f2f24d193423d51c37bd48ad

SHA512
0d46ec3f16da9a3ef9aecd9a7233211511ceb40fc7ac81b9984f3c9b953cce25693e1d5ee8d979b2e6cd5f2111ff2f7466eba7a871eb5fa05abaa858f516fe1b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.4MB

MD5
9638fc16312289e702d6e9e0f181676b

SHA1
beea5b7b9295d5711b6663233361e4e6f60da845

SHA256
1979768f16549957d63b4f15e59bb5dcf114d6235db00df3edf874b4e0005a4f

SHA512
538284354c14dd05fe61b8795ff935bb31ee78c21dc81e352346632ac142f2a4fe4cb83e52fc905dca146dd8081b670f72044d7e4ba6ed33a99f078d56122258

Download Submit
memory/560-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/560-118-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/560-599-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/560-116-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/916-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/968-131-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/968-121-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/968-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/968-128-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/968-133-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1032-232-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1076-236-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1424-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1544-196-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1544-610-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1800-155-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1800-161-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/1800-164-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1800-606-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1952-341-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1952-98-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1952-105-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1952-104-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2192-144-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2192-151-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2192-145-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2192-605-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/2208-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2208-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2556-175-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2556-607-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2556-171-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2556-166-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2724-428-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2724-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2724-143-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2724-6-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/2724-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/2792-228-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/2888-83-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2888-90-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2888-180-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2888-84-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3084-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3372-195-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4032-182-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4148-181-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4220-22-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4220-174-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4260-138-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4372-235-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4372-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4592-233-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4592-611-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download