0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 09:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
Size

1.8MB
MD5

33b3b4f78fda3c26427aa2c30b0c277e
SHA1

a03222d34a2545abb1a4cca7665321f48faef3ff
SHA256

0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4
SHA512

9531cf5c3c491a525f21ad8a4ed2e598eefa75d4de379a5009c0ade525c56ab0b9214d96a096d095b11651b1b2ccba74bc03c3cc82ad1207d32750667b9150f0
SSDEEP

49152:ITvCEMTQYxsWR7aZTS0lDo4JLNiXicJFFRGNzj3:AyTQYxsWRO17wRGpj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4244	alg.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
5032	fxssvc.exe
2672	elevation_service.exe
5084	elevation_service.exe
1492	maintenanceservice.exe
3300	msdtc.exe
4736	OSE.EXE
4144	PerceptionSimulationService.exe
4424	perfhost.exe
2272	locator.exe
3636	SensorDataService.exe
2340	snmptrap.exe
5016	spectrum.exe
1472	ssh-agent.exe
4540	TieringEngineService.exe
5112	AgentService.exe
1572	vds.exe
1732	vssvc.exe
1008	wbengine.exe
3692	WmiApSrv.exe
4360	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4732-0-0x0000000000400000-0x00000000005D1000-memory.dmp	autoit_exe
behavioral2/memory/4732-84-0x0000000000400000-0x00000000005D1000-memory.dmp	autoit_exe
behavioral2/memory/4732-222-0x0000000000400000-0x00000000005D1000-memory.dmp	autoit_exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\locator.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b96e87f04521e136.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\System32\vds.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4732 set thread context of 1896	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe	110

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b5e46ab73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000132ff9ab73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000437059ab73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077fc24ab73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034a30eac73f4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000887c07ac73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f4328aa73f4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd1076ab73f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
Token: SeAuditPrivilege	5032	fxssvc.exe
Token: SeRestorePrivilege	4540	TieringEngineService.exe
Token: SeManageVolumePrivilege	4540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5112	AgentService.exe
Token: SeBackupPrivilege	1732	vssvc.exe
Token: SeRestorePrivilege	1732	vssvc.exe
Token: SeAuditPrivilege	1732	vssvc.exe
Token: SeBackupPrivilege	1008	wbengine.exe
Token: SeRestorePrivilege	1008	wbengine.exe
Token: SeSecurityPrivilege	1008	wbengine.exe
Token: 33	4360	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4360	SearchIndexer.exe
Token: SeDebugPrivilege	4552	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2672	elevation_service.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 1896	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe	110
PID 4732 wrote to memory of 1896	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe	110
PID 4732 wrote to memory of 1896	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe	110
PID 4732 wrote to memory of 1896	4732	0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe	110
PID 4360 wrote to memory of 4676	4360	SearchIndexer.exe	112
PID 4360 wrote to memory of 4676	4360	SearchIndexer.exe	112
PID 4360 wrote to memory of 1520	4360	SearchIndexer.exe	113
PID 4360 wrote to memory of 1520	4360	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe
"C:\Users\Admin\AppData\Local\Temp\0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\0f54e889dff4b6c6d8c1d984304299bc640fe3e0fa4b80b13b8d263c9034fff4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3300

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4676
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
009f81d8614379426eec06f6f8c7fcee

SHA1
c3f80ceb2339a4d17e019b51c39759d41cfb0894

SHA256
c7a0bcf7d9398be6e7b6bd43dc031c878ba878bf15eb90026bd13619ba889143

SHA512
fcc2b7cf730cd47a6388b78618c4722ae2f697574326686b5ae248034c6697e9cec35a55f3c8cc557feb32f9b8b860bdae8680f03dc869b9ba2a0281af814822

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ca517989b41228cafaa7f207e7adaf20

SHA1
5c82a531530c49f86794445bc62088d9d0f79ae9

SHA256
22261490d78fd4955ea4b2b03b6cde9b6f433c62543c6181335b2dd3b1a3c390

SHA512
5b80313949132cbbbdd98672c2c83cdb8a215cb3356c774ac823a3cb6b856cd192536419d644e40db434eb611bc2d8864a7dd7b8157548872f19e2e464aa75af

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
dea4e624ea18704afc54fe0cb47ea790

SHA1
8f879dce34a79c38ec1a22a80b2ee571759ca729

SHA256
5d1b72886a187f4629bd6dd97773b418efdb7ec2e12f0eab2ccfce432778fdc7

SHA512
a95b8d20acaaec78fa54205d7e094defecf2bb735d91c526e5faf9d79e8698f02aa885036cb907759371a3a3f1a6a91b29c836f1adeb311600fd2956275fa176

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dc73eb438e933b836f3ffc6a729182fd

SHA1
b83d9986cd7280a2a2f6e8addfd102836526cf99

SHA256
f4540f3f7dfd6fa04321cdd99634a3acc12605d7d2a45f6c7d54ed721287517c

SHA512
a2cc17e92f9ab4d6ec71eb48557f5dfb07711185fc6053b7ddefb74f60a32b6a29fbf724ab3f70ec565c64a1c24205d59e43be175d35e29d1b45d7bbcc5249db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5d6caf396279c7c66a18dff2e3d46a66

SHA1
8adaf67ceaff8e770591b9d1b0869a1cb0d53389

SHA256
b78aea371e5e4f77309847b41fa739ae4febf6d3278a5ed8fb30a71a53adfc10

SHA512
9ee0e5de5f49fd8378d35bff0e0c5f79f71ebb9d0ceca49e60310f13ce360e67b4bf14913ff0fd53a7338c78d4d972fd6ca19e2f313081bf8c09159c7aaceaf8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3f95c10e353fbe5f6cfd67ac4f77e1df

SHA1
9a16b6e34d9423adec461053d6b6fa35437c2fab

SHA256
509029292c42f5041418e3cabff031d5498c09543721599118013eea5b9a5b55

SHA512
3421d4b06cc78f3fba130c9d5cf3dc5b82be4d2dd89c0556a940d5e3bb85fadf15c9b9d2f8cfde19bc4f525a59b44686fdbc1648d1f7ca6d27ccbc2f16c2f757

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c8887baab53e7f725ad1843b53525ae9

SHA1
4fca99d466c4963547f1573961dc5e39badf971d

SHA256
8f4c7cecc345123a2f59fc261447330c69798ae4213781ca30da25377cfb2bb1

SHA512
81ca9d66f6fe3fcf0c710dd08aac79a622d38d36aa19d987ca4e568530f961c9859323677ef1790ba67d2ae903a978cab6875a72f6dd73022692575078aa124c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
adb4d8372bb7a8903f9b12534a2c4933

SHA1
5e34c3f273cccf6b6ab4221e9cda3a5b09ad64b3

SHA256
53f6ebacbbf08bfdcdb4e211f2705cd669ab05b43f653adb78deadb40de0c3da

SHA512
462854a04948a57a8d74c38b0a70ad205777f3551a190374189570c105f0ac049ee6b287332179e4857133d10114b436dca4c79865cc4671b3e7a8281e167d30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
f6c9ae0177815dbf64f3f0757c99bf8b

SHA1
334758fbf5b55e458301ba03ec432307df94f73b

SHA256
ad8687d30e2cb24e664482493baff56b4f2dac7e30672fc9b5d59aaeb40f992e

SHA512
c8a9cb72bc6d210cddec5a39388dd6f30ec8d118026a47aca9aab320d686f75d330cb86caf9ba87d96b92dd1e249e7ad2c0ebc614f79515a5b1dda434a36d75f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5f931398924e19e5c31a809bb6abb513

SHA1
6b32de3680f2e0807270e61b0032a13fdee4d01d

SHA256
51094c8516457597ae592c6871dfd2f217af5f43c103e6bcad0fb567eb618974

SHA512
822a453b8760730e8c9f6c9721c8f16d7563dc912a0f5ed9436a1eaf4a2d8085f8fff2aebf1050e5d8e644922a987f058918288e7928173ba5240b3ac38cc2c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2b9ccfe48976fd9ceddaf6cbde6fcf0e

SHA1
ea1cf93a8ce6aa3ff1966f280829409e70f17490

SHA256
8aa86fd4f6f7e55878fb3a7386f61ee703a4cb1fa4c83d048751dabd01646019

SHA512
b5a46ab530fbbde2e5f1f0b9e4b32d8d27b6f5e9c8c8e21b3cb5873fe52d5f2c475038ea4ff760a5d9f80760cf37089e6149c338d582041784148b0b28ebba0c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8b5bbcaa2c06754630d6862e4c8fadbf

SHA1
8ce6d5f9578215642a0a62c67ad7055e14a87316

SHA256
a628fae8812b17fb65d00167d8d63115491fb419663cf9fe5947269b544cb9da

SHA512
9dd237cb901295cee4edf895631e4a04fddd863b365747b36f11195b5dee7e16c9540546eb71e7177f677783cc7c00212fd273d9b073a676ec32c6670ce040cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
dc10b5aaa46376fe50bc207cff7959c5

SHA1
448c284276ef2c9c62b1b85402cf019575d1b2ee

SHA256
f81aad1e69701ce0c2ec3f217339bcb450908ca97ed2487797dffbb9053a0ed9

SHA512
bc8c2b0bcd155fee4bfe6bb1989e06229bd28e64e9e61b448b5d8fb8fa0f96c471b740a75fa7c002dcf98c7bec24d24f043febd31c8935fa9b3d9afcd3222131

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
662388910401d1d1151215fe173366ca

SHA1
dbdeb69cdb3d4ecc4839e713600e43ba5c220e5a

SHA256
560c55f7f345619616c9024b72600284b2becb862e365bd92b4be6c9c318ee21

SHA512
0a850dbff89c044685dc365ee57b13829b4267d4dd7b0bcb1f96a5be9937597a2d0dda589fed7fe95699e849a63a98ff85106c5e54e97f0e1d8cfc79bf25198e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c021da0cbe345816db7f2ae13578f349

SHA1
25d12172ca18a2e8fb8ad4b80237bf8008679f8a

SHA256
4fc6dab832cd67efed0b9af1788969136ec961b00a939253db5adefe9dd8dfab

SHA512
0b68353918295f462a5ed807315a15780368ea7aabffebd7777f01c5491fddda8f0ba7c21d566c5c50778118009551d175d0449f1bc58fb5e4f9ce38fe80ace8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
342754575e1fd6f381b6e3f1c6034740

SHA1
e1b086df3b8207dc88dc56d1890098fc7a375b03

SHA256
bf1fb386fbf0e99ed93c069a4fc96f03edae441c6f65d245cd8f4d09808679de

SHA512
b8e29a4bfa87b47ab4803cbb386a82a3436792732b3d132eb5b09b842b9305aa8b7748988e344ba39261c1747480e93b7debfa175a58c878aeeef7e3ea87508a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ca8d9da1fa6cb73df74abccd8145f340

SHA1
f091d1951f7794c35a92ba094b484a585346a782

SHA256
62ac2de21aa8eeb9de8732bb0cbe371897f17a8a376b37869ddbd280270f1228

SHA512
f97c559ad02f250d742f5006dfc1fad32e2bf83aa50c5101e1bf3713ce98c4a82243102eff3dc9ebc4e5a77c5ff92a3a675a5a1b96d676e1af4820cead0d3e28

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1304b491a5f57d89c4f2e6c623b0ee91

SHA1
21dd998b8cf0a7ac3c0589466469d01f38553db2

SHA256
864a13b0df7390208e13a3ef5f9c087113932d71ec9506a3671cf7684c4147fd

SHA512
5db9e0f11e1fbe4db9e78eeca392c115ffda3cde2a9551564392568bc68fd2102a6cf04126b8a4bd382fba46bef1cbb5d918d0a1b1b1bf06132ec4bf95160554

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
264320449b1a6b794fa0fbc91e981518

SHA1
e4333cf26e489062b6b014dac442608759c916eb

SHA256
02037ec9eb2c8412a898aa46ca2a90514c379445e50bd2894ef4e4a0daa7d37b

SHA512
ffd54775c6657fbd2733e9a4803d975e5297c13635828e6ca97bd960ab56c9a217b1621512d0e35dc87f33c982f81be21132c89abb83cb16ab32889051191e13

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9778c6032dcf7e77afca99166a3ee2d6

SHA1
a25e94d050ff98a2c1e293a625b80adb63d84817

SHA256
dc4070f5b70f95c5283501d3171717a5dbe71aa6c0d736cd7bcec8f8713812ca

SHA512
de8d2f72b5d46f42a445ea4a735a77ca124d9b8739f9868657d0ed7519734d2550f2a45737004d0eff73b90e1b02e1994cad49b2076833f3fc8dfe69bfed2b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e0918fc9267c4a39ffa439acae4aa5b9

SHA1
411bfdcdafc219543272ddf8213da88ec675e0a9

SHA256
bda7dd729efdf52d78e49def7ed095cbd7cea99276a4c84e540e42435813490e

SHA512
e2b0bf470e606a894d7774f70a1fc2b495bee77e76717af1b6f1910e763c6a552ae20b7eb2fd67e387357bee1490f381184d5e7777cb3d0b0c5678ac3a157903

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9a5a7532f1585903d1d42f2581536299

SHA1
68c30680ef79d4d1c3161ba38734bcd3c08e4f38

SHA256
de1ea44b87ed696af26d49e5d5e6cdd81a59e740612e8f5b24127f7e1dc01d15

SHA512
d7aa7730c37006b017dc46cd6e275f07b7489f10559274eac8b09417c2c2ec76c33d43cb8d4b5dc09cd01012f1b6cbc879872446200723280030763bd65de351

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0600790c3dd96117220a2114babb16ed

SHA1
697a8e452fb1eecbe6d1095ba49fb64141137d8f

SHA256
338a448ec711784b7b5757cb8e88641d8d133879a72745ecf0982c4adf3b3283

SHA512
02cd32e3d19408e138aab124678ad933be969ff1a7a98164017a41745a37ca67c55548a2dd4610c9f23c84f64fd7b3d12d8c65704be44b9c30b75d7db37640a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
5a810f36597218194ce370758e49e3a0

SHA1
84c763ec58e31dc4f03a02f2bb2d9fcc03c58456

SHA256
ee6b75635161064532e85ba70295273161714b16ce989164ac425d9664fcb6e4

SHA512
4a72d6e01a5a058b020d0dc90c1c7e1e1e0d1d7c81ca4fbc90e8b9cdb22e23ee59bbc68a8b8a0031d4e7e68cd9eb35ed04e30cbefe7ccceb58f93fc5bff0423f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4f51fa7f7689c14baf7980ca08f438a7

SHA1
34f86eae3df42073f4a47b096be75775419bf55e

SHA256
6aa11ea7712d21e5db3f5ed59d0759add0c62d3d2883b3d53cf26a7504716afb

SHA512
96e1c402a4c4e934d6cbb6fde44cf08690ca55a7d50ae0a381fed4013b4d663b4ba02c5149738f00ba692eab1d9eea73c4b8d9fc3c8d19471ad88e00e38b20d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a01dd74c1cc0155186e23adeb2c93abb

SHA1
4e1eea3f598987b6997cf0f3ef32638991cd6c2b

SHA256
c9bcf19cd2ad30b6c70a30cd79c9aa5b3856747f3b26e2d7407fa7a1e991a718

SHA512
40f7f666834f5e76c440581d6b6704edd7c552cddbfbba2e033733490a57b243980a19e2d4e269172846cdc4918b0c7e29a048ba5cc44144a9ed0eb986aeec76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c6d74a7f7076fb33b69ea02744a6478b

SHA1
627cd49aedd55ffe850d9ba1ba08ca96bad04d35

SHA256
065dd4ef55318221314754a15c0428e4d7ef2d30338388c0ae695a02dd4a238d

SHA512
ea9fa10c31e954a77cf50dd2c92315fb6ba5ac31ce8dca52deece7c04f73e2a32de0eea31bda933855722efe53180be35f1baa19e1eb35ef4c5b358ad00d2aa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
5d2aa9e7c6d47784d826561be7b18ed9

SHA1
3df85579fb6dfeda3668bd34da63d2b4b3a831d2

SHA256
46198dd19310f6a27d1e5bdc138644a3900acf0ca81e455954fcb2a91fc703c9

SHA512
b6adc152d0e13b407014c4478c4f582761e057aef2d57a37c29fa57a0c85ac0ef7ed73c4ec6386cbcaba064caf98bed557b975cbddaaaa228dd127a98b51bbf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8267e9d48c2f4838563c88c947edbc52

SHA1
fc9d41d470afd7ec89203968f60cac100052bfac

SHA256
4298c42332059e19d5935d5918d1b972c5c628f2f75d4cab3f914cc8c3f65f4f

SHA512
59e0c6e504a554d4f161e6dabd85eed9faaf84abc2229f511dbf0e9ab6b6652d5a6e1feabe6124d42eb69f903b69e190e6fb0ffe0cec05d939cd2b5c85275d96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
15cef983b20ef7555d20a59481bf8af2

SHA1
0834d317dee15c38413e6fd51d79c85ccaa5961f

SHA256
8d9f14b22b36331efa112110570a03f9139ef57796e272ec8b91de4a42ebad39

SHA512
a24beffd5ca47d6d4bd6095e96a68da21b61ffeaef81c3de3562bd92e590e68fe960dd28e060cd49f7b5feefdad6a3a2bd2bd18891af7e83f014829695d3208c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
c2ae07f5305f50073717abc0ce9f044c

SHA1
4675a636a285dad00d3583ed5043a428fe0cd4fc

SHA256
e6e0e04c6665d43c8e9e28767718a76a223f8efd2c0cbc8ec999aa5985b1dd57

SHA512
ad0bdf2a7be55a82972a034b036955d1d1fccf39ec1cc34a5e8f3c4ad99fd1913247759ae272bd1571e7f16bbe77bc10b8ee0bc3fb20e31a2be5a532815a3351

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4e7117aa736240c8a173f7532b62be4d

SHA1
bb2e4551db21d3e885b233596baa8e72bfd49339

SHA256
517a6b3e508549de120aa68f0578acf52c5593096242c1d0fc5b3d0c271550be

SHA512
5bffe3d04839ad2d293683c5e08a80036f1a98f358c4b498f8530761ed7826c1488376a6bc0f1ccaad59be011d6e308f1a6ea8c5cd71c85483740a3d3e15227f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
075deab926d0f4197f9392389e89c8c7

SHA1
a2c4d41da1328b4d4d6d622438697f17be43a0f5

SHA256
63507309627ff8f0ef9a04e6a315cfdf04eea674497717505fa93b635a615e10

SHA512
245c8c7b30032655f224647f975a551a065e76e4196bb2ecf6e8191ffe12af345fdd498a598b5289fa972363fc1cb0136adf1d2cc6141a4c07fae2fe47a69c37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
878b9d038e2f942d69dd42ee9692e16b

SHA1
4563f9ea1b293aacfb45c52158b1567f9456f16d

SHA256
318c4ac842242d36b4e05a29d48bd242f4e38cb62f369744012c949a5593b13d

SHA512
a2fe75bb9fd46928ed63609f515925e51aa56809c7b0d739587cda409d0175f65f45b04ea221754b78fdb84595e7f710455f95dccf60f5c9b74b08677a8317fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
42264733f641ac266b8f714f33cf552a

SHA1
1bb0d402fcd7c4c08d229c25836d09b188a32112

SHA256
ad94742c843ec0882c1f7d3d24ebc37c6ce565f1ae6e3afbd77ae1a0ba468e82

SHA512
a59a37346a55a0483138f9fdf197ccd821bfd5def7f619859d924e1ee69ccd66e24dbf1b023705dd42019601aaa34e1177a09c21160ff0452f670f9792fdce99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b658bd765cbd00b4d4599e4e44ff5958

SHA1
b60b43c2e945ca2a8a220a93fd8ae6f88065044c

SHA256
2a41f4d9edd3f4e16279ee9ebf163608cb9ffb3522106a2b8d0df1a785afb4dc

SHA512
d838834aff02f07f726fc5ff483060a499f54b62968576e1b8e55fffa0816743c0933be3f6e71832f9b3402261ca3e92e780371cc13c9f7e63893dae2a4d917f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4ccb15a2f03d0d650a7d9c02d730d05e

SHA1
ac88637cb40b2052f8528d5bf8e4bc4df1231513

SHA256
7d6d9f83ffa76a75c2ab7a963ebe716991d4b6b810029fd1af2fb11de86d1774

SHA512
393f2d1a01651878ab992e81833955a3a2ae04ece02f43f1e157928e9d6be56493e3a9b75b1d57ee31bd60daa9a0a6d7a793e439aafa8cdbe2e5bbc34fbf33d8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
707ab62eddff2c933493d7c7a907ad9b

SHA1
150499d4dd8c49429e53184911fd010c3b98f747

SHA256
2a1448a71ff444e0e7e05ffbdab19d8870ce962498c6e2d25ba54a480ef60902

SHA512
1fa4a0271410c2a01ed5139b74d6962ea38be5d08dfa420b33c2ca21de097ce0496605231cfcc8af0a9527575bacbadaa8ea345ec12158015f91f70553a353ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut925D.tmp

Filesize
282KB

MD5
63c775524b2d6551ec58f83c0687d4c5

SHA1
5986309cb82fe51c09bb52a15acec311027e6c6a

SHA256
248562a258c22ae75da953a2292c78502f05492440aa15e0cd68cdd843d2f6e9

SHA512
97402137a0b4c19a8f6d69abb114c874e1897c003d489d78ee39b325e0210196d772366973367aafb3632b0fe01848cab6a4cce1eb9dac69fd1c64572355b478

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6eb34dd25e822ed18489a53682c0e1b7

SHA1
23940c0b78663fd273c874fbf054ee535e2c2b24

SHA256
05dd33f6ede8c9f0ba752be991bc83ce86c8e83f72586643cc6d98fe656bcba5

SHA512
2d02a64d2ce9134441f54a6438d9782b597b03699a04209e6e4c2f0266e86112fadc7cb3a1358c4c78bac213db8fbd9404e17d479f1a228c19ee26f3a1e71397

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4a688c669bcb30e0fcafb178bf97d1ce

SHA1
4fff5c0ea0fe7656920f429521039bf725ea8e7c

SHA256
655eab2f2e51bdd239c04c851376e8a398ec7530386beff72f30d01b814197c8

SHA512
9a48a60bc4ed82ed36453f200b514d0308521f958d6bc5a7aa550c3e96ef7e47063feb4404d5c6a3ddd3a888c8353b2abb5502417234b57e914baf6213982caf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b5fb6bf042b058936e8787963e775a72

SHA1
80b9e518c7765423bc408ab59911c6536fc096f6

SHA256
00e15df94e8b32399b4c3ffb41c096b9b93e0f866dcaa3a05dbc938c03194664

SHA512
2a0ef2567c4217ad2d7f334fe9c0e8064e1c7dec03fd61cb76a6489e463efd7467aad4de8ff9bd3221a1644905d5a1b69059a9fe394bb2396dc76ad78d970a02

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
297daa042ea89eef27742222708f2d3d

SHA1
456fc325add311f33d3c543fd691229300e65172

SHA256
3abd5de51d5c7222ff495bfd42e96c2294f557c2d08476541a7b7881be1602d5

SHA512
d0083a572123f91c552e51dbb6e9e0ff57ea181159fdf789990945ba5b06d5cb171dcce7e4ebbeb99a194d2322e303b3183f171d79629e88310fadef38bd4b3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
1f75b479c4e268ef64106157937e7ffb

SHA1
975de6506fb170dd66323aebd70ec247951fecd4

SHA256
15240d25d4bf90196b06d1e92538ca25a4e8e7633ff84a22f52e47614d346faa

SHA512
906d52a462b895867ef0a2aa3c6128f19ce0ac5c51722da54558693d25e51a20ca8110b4f156e71e5b396ee05ade807f7fc9c626c97f7be81835f7a9ea7bd515

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d74f86c300c457d22c866ef14da46084

SHA1
a524d56e6361f33e1af1aac78b519151dc557947

SHA256
13426d75433bb523f21dcb0176ba346000ab853c651c352ca2b1a7c450651f1a

SHA512
f2d0232be0e342dea745b5d8fdee4aa0358f207991281c7ba49020e215538d84730ced2383ebe2cc3459a359ed7a46412e1d6854e91246e8c46916a4f00fa087

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
29c7c1be9075159145f51638c6129845

SHA1
bf922fcb8883747d288f2948893dbf387c564984

SHA256
a8999d81c1a02b19bea2126af6244b072d4619ba8fdad9b4884a8f28c7b9b022

SHA512
cffc5d5901a246129bc9fe74714981e1089f4451df5955166273126acbf7d45b126f9d6468aed77e70015d8283a0d37a43e1f4f26edef39d8727fc5713b8beed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
87f644c0c2d90c1ac9c9347dbc2df036

SHA1
b7c103baedb65f02f85ca5d3ea4d24bfccd6e923

SHA256
807fea10c42b68b9c270368bfb3aa4bead52367fd17b764e38f4f58d01bb533f

SHA512
1427be36450690707a6313c497184e3bae1cbb45d40d4749e0ee8fd693a234240e68e7e4a65a755cc84c94dadb41f7da66a3ba99948ce3075e5afc9b16c77540

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5b5dfd942de6b36b59fbc7f9f0124e5a

SHA1
79da5dbf3de72b01ee6f25038dcf685d388158de

SHA256
f57380a2809cdb69a16bc71793a925d2c1fbb5ad90a877bdfdd149835120f214

SHA512
34e866c7d876cbedad326ab63689237115e58d075cee70bd3e7ea5a06a1e754b433a35e4dacb6d6d49b78807e3ffd801e71090b72ac7a33f1fa1abb68a4a93f4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
48b8c2e7f52b04eff2ab3c74adb47287

SHA1
023e18f4d183e70d79205e6c0a4d41110cf7ba27

SHA256
1e8d63f62aac4acd7d3e631c71d9687ae38be4bd2db5b8211ecdef6f5f406e4e

SHA512
5989452a7d0643dafdbf716f23a65835c674c9709a34803e3cd475f16e16dce3c6f0edbe09234388beb52dea280b4c9f325efffb6f5ca4452b79b7967dcc1179

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c2241443f27c0fbf4be69f1eee744f6a

SHA1
d43505add935c59df5e88bd4369bd8fbea51a18e

SHA256
8da7910b38e7000f5acef964b50243e8483f7be551d7d98450eca56b61db4a10

SHA512
c8957e95abeb73c66b6287d5a33f1142bb0a693b26a414d98f82c668a2dc5b026644e76250196d0096387eee997b79a75eb1e012f58c3d69ed92fcc8c3fa8ace

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1103d7a8045fbf730f840aa717ca638c

SHA1
667fe4e50288cb8ca4d216659f47747d979ba546

SHA256
004c47f85c57501e704ed70f7e4cc4a6d3475574eecd40fa512991b70fc5f380

SHA512
49ebf6babb44daef658fdb6096f26247046ac5a529725d23915f6efb2be48378635e7ffcc73c1f477a373b822b553f967dff861427cfdd06378436c55e38a295

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c3bc2247c06762eacae9213d25eb9ac2

SHA1
5b1263b9c97ca3b7a8e3ef644f8645389f60c7e1

SHA256
f0d8031a8fbaaac1c7ea5be36d4ee00b8faca5b572cd1a1c0f6903728775c184

SHA512
1c7fefd2e12e949c9f7eef33e23fba8cd892514449b742ca9a71c8cfc1e7f4629d340c017c9030be19734d6580a7ba9b07caa9d982c329512e82b52f6de2b937

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50134d08a4904d8b0ae0995b7bdcf602

SHA1
716a85d4ab0c76d94d13cc986263f837f8d73a64

SHA256
3a9b77ef458bb0245fb3dc2159871d51b4451b6c95a58d4c067ebf0580068d91

SHA512
fd921c43a8c4a9a760797901999d24579769227d508574b4df2a1c2eecb37836da0a49efa2063a044ca73412d08a0c452940f49a6fb8767a81dcccb1a0b59038

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d5cf1132acb863c7f711d8c7073db78c

SHA1
482003f7f2309e3c658b7aed35f38f58f50b383f

SHA256
b90bde927c3446f66b32512422f9453afd428fa103f05bfd675cfd3a2034479f

SHA512
dca5894447b9dbef00bade24f4df068048a45d2c47c0252e1468fc6c55f89dc2423b88ba7a591ba5989826b94aa28b345d923bf88f92ab83676d404e81b10563

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
67d00f81d56e1d107f7695bf4ef47dc8

SHA1
95a5d9f33ea64232118507285a79ec27b5497955

SHA256
4386bcc0a9e8ca2abe5a5dac8ff7fa12aa25e85caf90d8c80e584f2736e462f1

SHA512
764ca6196a5e598de8e3f44d4a540ee8a62af2af4c9100baf73a3d9463aa891fe256aa4d8d81e25e825a6f97491b4c296fbd348f60d87eb5b8dafb66e23914d0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cc2b22e06ea0ef40003610f6e974d9fd

SHA1
91c2f697194f26566744b1a0fbe937aeb116575a

SHA256
42c85cd877eac31547bf771a38e65bd7088a4b283554dca37fa10219033297ce

SHA512
49d952fa22b1626c1306a50e83dca86f4becc4864c36312c8440a2a47b3906710a6f33cecea5fb8f0d68e642017aa64ca68209a1a49e680ac3d81dd8b3089624

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
84322fa9cc242094756f2ce32eb1576f

SHA1
a40304e77be8d16b346c7f2651ab8cfd19b0d357

SHA256
c4a8da181ab1fdbdd2f5482dd16e874423dae5e7e5c37106d853a42908873638

SHA512
6fa6ec3e7128eacde54979ec0e04e7b2bb09c23ff832835f99ee439384ca2192ce6def91eae01bc0d395a084dbfb057876a399618a3c2e87b914313066a83e31

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0798de8522113875e722e879779b701f

SHA1
5a8fbdcbcdc53e99b0c13b510715746aaf8dadab

SHA256
aa114b02e353e1069ccd4b8644c2b94140720e5beb4cac8332c52dcdc1ba76e5

SHA512
eb0a46f04344744da0cbabfef4a9d65a54560fb2940583838296fd273af24c5ceb92a5f2a878e73f4926f24da3070c60cc45afbcc1f23f7cb42f9c2917641de3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2c467e0e85f1bc182aec6a7c57e24011

SHA1
9eb20b29c23708e21e2870f8e1b6aac6db3be78f

SHA256
e8e8a7b387e8670d0c498c33befb3906e6a2f291163e09463ced1b9b39cef856

SHA512
48297d9e0dcd26795feeeea43ec1f3dd61d9cb3c0b76270079a7f856bfcf3c3705b32788a4d649820490ad03b378ba5a7a1daee35b17247229308dcc8884f115

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
bce1ab17ab7aa55e418e672123c34e5f

SHA1
4938c6d48f31a37fc3e93c811206855279fa04f3

SHA256
8b3c4f9d28e9d661e507ffb8667657bc9fa015cd5d6f12a7d15b2d7461ad691f

SHA512
448c1154bed76a899aa67e729a53a077402dad6916d79b537f7526eb3e82a94bfddb57445824748b4e4cbdecd10110a230320052eb1f561fc1d1f11ce47158d1

Download Submit
memory/1008-218-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1472-210-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1492-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1492-69-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1492-77-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1492-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1492-80-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1572-212-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1732-213-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1732-441-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2272-171-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2340-206-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2672-387-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2672-47-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2672-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2672-53-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3300-168-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3636-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3692-219-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3692-442-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4144-107-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4144-169-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4144-101-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4244-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4244-369-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4360-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4360-221-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-116-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/4424-111-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/4424-170-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4540-211-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4552-29-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4552-38-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4552-37-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4732-43-0x00000000042C0000-0x00000000042C4000-memory.dmp

Filesize
16KB

Download
memory/4732-1-0x00000000033C0000-0x0000000003426000-memory.dmp

Filesize
408KB

Download
memory/4732-8-0x00000000033C0000-0x0000000003426000-memory.dmp

Filesize
408KB

Download
memory/4732-222-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/4732-0-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/4732-84-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/4736-88-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4736-228-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4736-94-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5016-207-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5032-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5032-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5084-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5084-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5084-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5084-390-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5112-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download