5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Size

4.3MB
MD5

70aeafe4eb901ee040eb4a15196b4aa8
SHA1

3c0b9b13495c0475c3bec4ba7e9a4dced77f99c1
SHA256

5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb
SHA512

cfd2d8bd90bb532f1891583117eae7e4adf8dd89182e2a0335eca80f7643b30672959e47a98ba9d89ed0d102de6ded480887550b9bb9381f39389ab789abf3e1
SSDEEP

49152:+KKxeyjA45RD50kBSbxR+DOblWylRrlV/cu5UZLikDepLNiXicJFFRGNzj3:WEyj90kBSbxR+DObf+Av7wRGpj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3552	alg.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
5168	fxssvc.exe
3628	elevation_service.exe
5756	elevation_service.exe
1560	maintenanceservice.exe
2688	msdtc.exe
3412	OSE.EXE
3536	PerceptionSimulationService.exe
4320	perfhost.exe
4912	locator.exe
2416	SensorDataService.exe
5972	snmptrap.exe
1256	spectrum.exe
1492	ssh-agent.exe
3240	TieringEngineService.exe
3748	AgentService.exe
3384	vds.exe
4432	vssvc.exe
2576	wbengine.exe
4776	WmiApSrv.exe
1588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e815828dad45b396.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\alg.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\locator.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\System32\vds.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eabcf6fc6a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000344b8f6fc6a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1778268c6a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003235d96fc6a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2c00c69c6a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeAuditPrivilege	5168	fxssvc.exe
Token: SeRestorePrivilege	3240	TieringEngineService.exe
Token: SeManageVolumePrivilege	3240	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3748	AgentService.exe
Token: SeBackupPrivilege	4432	vssvc.exe
Token: SeRestorePrivilege	4432	vssvc.exe
Token: SeAuditPrivilege	4432	vssvc.exe
Token: SeBackupPrivilege	2576	wbengine.exe
Token: SeRestorePrivilege	2576	wbengine.exe
Token: SeSecurityPrivilege	2576	wbengine.exe
Token: 33	1588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1588	SearchIndexer.exe
Token: SeDebugPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
Token: SeDebugPrivilege	5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
5072	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5272 wrote to memory of 5072	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	83
PID 5272 wrote to memory of 5072	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	83
PID 5272 wrote to memory of 5072	5272	5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe	83
PID 1588 wrote to memory of 876	1588	SearchIndexer.exe	110
PID 1588 wrote to memory of 876	1588	SearchIndexer.exe	110
PID 1588 wrote to memory of 5572	1588	SearchIndexer.exe	111
PID 1588 wrote to memory of 5572	1588	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
"C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5272
- C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe
  C:\Users\Admin\AppData\Local\Temp\5744f39bd81e200395ee9f9dd4b13befb71197a0fb9cadc7163803b5d9a94afb.exe ACBBE53A-E474-4D18-A5CE-B80EA7F71E43
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5580

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1256

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a71142cea55bd45efbba2eb23ddc6e1c

SHA1
98719af1a45929ba5d8e4afda4597a7cc6fd1f46

SHA256
4874f486f1544e83cac17fbf4e256004cf4da7a2d2819bc063d36cd9245f47c6

SHA512
819d44bce352cd5b1a177eb85fea8f08e42e9eeac5798d3c82205e33a1dddd83b58f38cf402ab78c6ad810ff7ca8820d3e717e88054917f950fa4481e3c62ce0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a716097a7eab2f906bd6e2a6cad8fa4f

SHA1
2454e7d65b015c555b7e56d0dd171fd165200ef7

SHA256
0bdb571ddb18d862b4089a5522275d5640aa0eba9795434bd06ea8c9e7c7ea27

SHA512
7adf18973519cfcf3252f73a1f4a81fa099a60f6965de03336bcaaa3ab0d8a0d8ebf928cc462bb82ef830b32f4e9afe04bfca832c58fa586b785646f1096268f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
85e14b3d59b8709db0ba8ff0050603df

SHA1
cc364b3edbf2d041c3c12e54412294553af8145c

SHA256
25aeeb5ddeb7831a45902179b30044b97fa6d3679fc4d12bf2ae19c51477894a

SHA512
d4507094d124d43169f25826f44dd12a712ae18bc330d5eab8f0f254fe373dc826dab23375f0280dff1ebc1ed57f1c621f0413320cc305e1f65ac81cd34297c9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ca76aae296e1fb87420d84f810eb58f

SHA1
87add2bf02ce530f32bb997a52421757fecab917

SHA256
2062afdb9482157dfd8b6301ebe961bbcbb19230a2c2d301f356c5fb62eceaf4

SHA512
41c808a8375c79448155602bba57f64d617779e7310fd8d9d96a4115cf77b855288a625ae6cc6f97138b110e18256e43af7f4ffe59b07c688c8e803b44bb9223

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c25816f5c7c4d25150749f8df91f06ff

SHA1
58171f5d8225be1f9a11254cea01298098244c75

SHA256
39b7bfdec20581b632b730cf29f8f5e552ffbe8a6d1e55c16e3e941c5bab0fad

SHA512
77e4a9a11781cb79b66575f13d2d8f2e44a8efc3ccf68a082e41f6615ca3f5745edaeeee006d0ee7ea8117559dacb833b3dffecf35e07d440015e52182a1305e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
41899c068126b6ae8a63a0b21afcbf3a

SHA1
1ccc6e6aa435058eb35315ee23562e081191da5c

SHA256
3f046b028233e80d3942808686ea7d5fea7d96871aae8358325771f86a046a6f

SHA512
436b0152e4b0eee9bfc2bd6b423990ed22487085f79b950d6bd60c4ef4a167628a762fa99c9a00cf17202c072de82b63d97c7805763adab1c969e0d4534d45c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f27b280d8b6cf26d2fd33c6eae51f1bd

SHA1
4a3e2de32b305f82dc3861fa6a985a6f946e1ef2

SHA256
4ecb7e3c140961603a5019481481fccfb892e9c60c631250b9f847d3ccbc5df0

SHA512
b370d05985745f4b330947543da183c1b131a5c6356e09726d6eeed13818e3287c8cb69e03ce8c73c199b2514bc9df4ee21eeb9450b236578b8411d3614056e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f81349eff3f4352b75db8631c9d5acf7

SHA1
aa60b13ab539307ed4ff6995024a086c8eb658a3

SHA256
6f5ff9819f8d4147726258a0ce647aa55934f77d8f3a290654d461a6a131db3b

SHA512
c5bcab040278c716669f63fe34cc55babf8a0ef1b46db11c33d30877be9897755dcc0592716b9941f99cfa7f2c736344936f35ade75e855b81761f60d47caeef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b5c8671b5ef29c445e47a9100a7a9aed

SHA1
48d0c577166230bd9d6430649cfe209436a6f940

SHA256
11a942fb07d33699c5c9ad01bafcb97a9948b07786c4f80fba40fb083ba49657

SHA512
75757629316d7c7a8c6369d885ee107c4ddb06a1e8ad40aaa5665f7c79fe28fd4d7a732dd311becd8a56bb41a2ae8cd0a738eb9812b5c1751c73763e63f44378

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8b7078ebdbf0f4b8c807940c78f68bf2

SHA1
2b3439f3fdeab30985301f62eac307fabfd30f3d

SHA256
7adbcc615525b6ef9f1011f9c9f7e48af83a938aa6e34b651a11207f10ec1495

SHA512
d027959155ff199b05733afffbffafe77672779108a404b996c42ceef23f7be7b4d849c78616c6cbe6d967034efc211cf38d051a4fb3f1a22c8539199af02df2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
03113e07b8212f9b0092c14e90ac80d8

SHA1
64825d070ac088ee592cc12bcf767a3f9160cbe9

SHA256
34f03ff91c45da15af0eede63c898eaf14a3c4177b5f5a5709af55f938c8a1d0

SHA512
33022233609bab30a09f60cfa98f8346d2a33aa891a5bdac96b3f62e026fe7db4aa7a31b96ffac24986c41ea592de26746967a370256c3bfdb115335393f2434

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
21c47ab1919015d6a53483d8cb617666

SHA1
b8326e01b710f680524343c9cf481667d62d596f

SHA256
53be07c3fbdddc4d15598b7e502db501d2cbecee720d3d3fa34e2519eb16b089

SHA512
e2d10d93035bf062ad3d5ebcdcbb6d2939e8976eb855f725cc7ae7ae48f1dc3cd2dbafaecaa084a92460ad6c25ab0e5a91f74b7532ab140d3b716153bae65f4e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6de1a3d1b94a8a6ce58def8ba6fb0e0b

SHA1
1b2057d360af215f8ab5607bd6c9fbd745d5fef6

SHA256
435dc406d3414916d7f3c9dc82a9dff0724c75c435effdf29b7732c19376b4a1

SHA512
1cf25c7f82e1a12faf9e88a6d8a28c6a9dee75b9cc2e3a435e32cf4e22f9ab9e965c68d68a746ae5524c440faa6abc22562c7a6ce967bafb92b17c05a80de996

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f54335aec972957264d59269f1380086

SHA1
943a43801d45932c37527aac019e3195f70fb9f6

SHA256
b37a883c498e536c50d19803905c3db84ecb60f2291b2be5903bdcd7e6d78ad5

SHA512
639b5c13c4b4445ef75babd599c8da30ef4a001fe66c620b9785fdc1622f254fa4ff3ff21543a2ac9545167092b88f20f47aeb121ce81c6b92190ff38425aa92

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f260d937ce24fd4f88a3fdb9cf7f0d25

SHA1
b9ad660d9d1f4694eb0c49d184f3eac3a6baebdc

SHA256
21be887db651421809aa99fc77295ae8d5d06896f5a64f02462fc00b0682b5dc

SHA512
ba7ae262e9c6b37f1f4bbf01c653e1990feb0560a2ffc3b2cfcffdeaf02cebcaaa2193c2082b8905be1d140e13bbe5728cb5a46bb5f823cffe30be0dd615739e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f38b04bc44d9f83c9d9f07be51af8789

SHA1
3363f38898f1089978f45822a124def245b9185d

SHA256
2da3a37ec6557857cc6caa66e74425da584e56767f10bd49b73694d8c489d995

SHA512
6d079c55b73d614c15517225f20ceb91b2777496e3007f1ebd1429ebaa69082d662739956fe44582dbc981f319a25b8c85ae595f366f2df26a96ebe77eea44c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
90801deeb37553dbd498fdbbd229076c

SHA1
b9131e6cdd59ebe12f8cf68bab44cb6595424369

SHA256
fa9c9fb1a93be1519ef3984669d45241691265cb57422bbd9a8d1c9e8480e463

SHA512
211d73437b207613e73a12e8c228086de29966aee32656a32e84b6200ca42e8527b042a9604ea067c67dfdfd89102cbb6e47d7c154977e9c05daa19d3e3aa950

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
8b9a5e35948b49d3cc2d66425504a9b8

SHA1
71a0afa10fbd441e815cec6c8b1636b50efda57e

SHA256
faf021ce82ee50b771b982a3817d640304336517a379bffe19f72a740bc624e5

SHA512
959dec5e4d2920cd7fd990fece8e2cb801d00241bc25dafc19b2e609efe1f08952411501d8116962ffbdc6daf14366385c245634bb82190b6783378005e4f943

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
5e2f9031ecbbd388e9f4c32851a3119a

SHA1
36902106901c870cc44eeeeaa3a6ecba36e92f0e

SHA256
01e9a681af52d65c07583153d44d9a69c47dc3e02d0d302412f27d82095adc58

SHA512
9f851da9069f2cd4c4e6e002d8c994ba818c635c4092645a6318856a45820bfb1ab3549012586721b0d030cef44500df20d8c8b69196752f31535b076ff95180

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c9311791ac9e68be2c12b445de043c24

SHA1
4fabb09ccdba90350142f76bdb4f0f074c5c64c6

SHA256
ab4a9da707bec3e364ffa341a13b94f0fdd6e15de00ceab1449125f3f79bb5d0

SHA512
8968bfcf789ecf5cf542285dcfd3aee07944202503c8a31d6538954d821afe8a031ea7a84e18d44e0ece589ac6b9442c64355a2a0268ad92c8e88ce16e024db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4f784eaba7fa7fc13edd291240d02841

SHA1
7ad9498c458df792a055697b93e641af288d309e

SHA256
d73cff7c21314b8bafad085460ad827184484aee5020c542f58d48f3ba33f15b

SHA512
488d0bcb32f4e5ab5730567c684cda295de4486090b8fcd425b017caa2319198e4518a7c9be8e6df0136c9c5a3b04becf6391957cf87b2bfcab5ea249a08a6a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5abe1d56297e353386b631f5e2870926

SHA1
36afe2a22fbcb39625d0c4f9a4de0707fe3fd90d

SHA256
220645f6f8cfac13a008101a8d6303dcbc3e9e29a3e6f8e7d8b6df274b9d8203

SHA512
17088e8fd4407600b10802866b7fc0433c8ef2d33ee3684dcfc8c5ac9ff499d4e4b4c97e2b28fc80d1bcd9ec351ceae8ad8a6651986a0654f70e5c6c1c2984f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7c14b99f606fd5a6507ff1c9c4de9e02

SHA1
ca3ac678f564110b08ec121b96b7bbf3a2d46603

SHA256
2cfd5d9435780552041b0c52f8cf68de0683c7ec361a1615ddd9fe7e8eaba075

SHA512
212918b2e25b443c902710753bde3ae6cac99dbf2b977c8febc7327bbfbf7f2ccae855b30f5845e27e9eb475337fcc42635a6b72b8f0ca30634005ea6d0f688a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f0b3a516ac718f7ee3cc4c68839b100c

SHA1
4055fd2c08c1602f67b3ea86cffb191f093fc8f1

SHA256
1bd6eb6d0336eedec85b2df5c15391787bae19e965021df30fc2298b837d5b24

SHA512
06677abf5236a07f794a226bfb936223c033be780461c9a59c7bebc588eda894a9c0b65504b332802205d8d90fe0f6b2b35cb950b4adbbd5b175455115ff3c5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1aa2ba237e48fa8e63f5909d31c3a27d

SHA1
e5e61cd47faacbc7d617fc19ef9f1810068cc3f3

SHA256
e706c73fb070e89813980d303969077dc300528ddb8d9bbb9f894cd414d3e695

SHA512
adbae5933038b4553fca3cc9801d7be06018661c8dc0cbb208480bc27a72ee7dbfcfd319fd94af15aac5c5d7c210a47e0bcfc77c44a885bca8ac5e3ffb56b1e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
595d5271aa9e858a1c3037f9ff413886

SHA1
7384b36cbc67cf541830d417cd46a033d6607292

SHA256
1f0aad6cca46004673e9b434daf474cca8c66c65bbd28f1aa90df7daaba511af

SHA512
f5cd003cd4c135fa92b754be47f2aa3939d43c09248156566e099954bef1e559d120ed9de743b022abf951c4ab17c163680c85025b3d46f303fbbddeb8bcdc52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9dd25fb92317816fa95b56b937584c37

SHA1
4acc5656cf28cd5d6521574236e73515509feef6

SHA256
e41ba32160f5a29ed2c122a1117274edcfb37a5ff3bc58f1c4794fdec27f491b

SHA512
a175c1e87d74ece8869585bec86f9a616a4261b1671f5bc91e713674ec9f82ca2e0ff96630668f287c74a62fbc5f3bc7b0291bbf43075a96f046adca77575d2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5c5e4b84faa0bff16497f3501f3bdd06

SHA1
57bb02f6465d93df77642251e24dde50f0b48e0c

SHA256
9ac1081dcba43f18e55473a199109346058c8599d4e17aaf5d5f836f38754f4a

SHA512
bdd90aeacd62fb867c8d1377e6feadcf11b3ce48ddd06b384c15d1be928b996ebb85b2157212cc9639197f19a7f6c3b788b56c6e97cc5d821dd12d94988afbf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1310c638c5a07586993ae33a4b7f0be7

SHA1
af64f2a006b9d683fa2aef0e75873a47ee1ba344

SHA256
279cb518d011f50f3090dbd33bd164f06df5be876ffbf6114182f59a112cced7

SHA512
27f9b0ea39e049d3aec6e2bf2491f988167e594b4eceaf28f8e1aa7e29c6cd57e4f0d6032371872a38ce7741ae77d8697ee4b4d68567a2ff3b849bbeeb8589ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4c3d55924c8d486d17b36c86acc6ac49

SHA1
cdc681bbc21041a13849b6f8429dc5d1b28e54eb

SHA256
979df576afeb14bbc5f79e8bf8527641ac06c13407b286a81e761dd124859920

SHA512
c9e050aa2311b744f71b9c924d6a36af2bb041c5809ff5fde24af8976a1a6819a697b7f002fe9f8f3fb4743b025572d36daa9458c7c94debe34d64e928bb5a78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c8dd91dd31e2317c699acc8f041cd8d3

SHA1
0e6ae4b396a30055239fd9bc77ca5565e1d6c8f3

SHA256
63963f2ae93634f03a909519d83ff1a15c3895e41ed8d18f5a9aa05451cff5f7

SHA512
26a38620cf7ecbc5bf77dfee74819e4fe3ed426b1cba549ac96cd0463ec68946d3b58340a3f0a1209af3a904acf03e9b7f9336134fa6f4a2b22f773695a7a8e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
32cc6262fd3a1a76a997dcf65731f8ff

SHA1
6e4b868e59e2fdc9ffa25a4c0fec54862d1b4a7d

SHA256
cb15d8ca0db0dee3a45ddabdf158cd447a3745d0c10d65a79965fca377b3a4da

SHA512
1855422527f68be1b4cad89328f213dd4c87b410ac1478f9690422ee53f4f64e47cece2b972971ceb155a25ffa91863902a48a3eac7abf0bb3ca530533892c5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
de34a75e0d0d3a4a928bee3ce9c4844c

SHA1
7fb8c57f5a50266e1c6d859ef391148ad576c0f1

SHA256
259c4cbcc53ae1269fabe37262889d87bc1b71df76cf42b3ae8923614414a88b

SHA512
06801c15454e584c57aaaadcf42e234c53fb6c3f4a962de0e090838e364b5d3ee77f71efeeadd3322391a6a4aff983aeb3aeb9232189bf0787017c96583945ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
49811e82bd6d2cfdd7da2ca7830f64f3

SHA1
bc16ac1d2ad6b83b681d427716295b9f10774890

SHA256
5ea10716dd1e9fdcfa4da34a57412b1c575037f54de8c4cee23f1404b2fbfb09

SHA512
68ece0f2c46a1475d86bdf31b27e743fa97c8d51558fdace45ac44197a8d09929b8a92c04d5e017991c9fb6aab1e57213153365cedea92548c3c428a9703e672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
174ec5978e8643131d9cb8b988669df2

SHA1
af535107a3cd4e57d2a359df3cbe59162f8c9596

SHA256
b8105c9dc48f5c28d0cb4a7c05099866074aa710346f75ad75654755e7851329

SHA512
c9cb72ec04e1a172a18e7aebfef71ff9393f9c3a9b375a72cf942151c318c42984746d8aa75f9b26b4b1926e5aedaa326124c84a5dbc00664061ceefd35526ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
60c3a7510283099ad60fcde3659ec345

SHA1
d3b14898a5aee5e7c633dc019758a5f6d0164cfe

SHA256
68061ea0be99596441266bc40d426e1646592cdb2dcd1aeae5d1119056792fe8

SHA512
7f543ee1ba4bb609eb9daa61a7c0d80b2bbccb1a0cd22ff804a36bd75f2cbacbac7aadd7a13f66b052d7070c306d28c969a259c08a2e9890e864e3993f05b45e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1a3a3b0e0d05b2f74d126afce47db6c0

SHA1
248bf8c131eb67b18038e348691e477474e65cb8

SHA256
9140c9689179c6ecfadbc4a34e95e53a5890ed0e14de319d0989c5de1b07d44c

SHA512
d4c945487200ca68fc9d8de04c706c87292ac4d28ec2fdde764758f6483b7816adfac7a86ba64f2c4d1a3c8a68c6a418f73a5b765a78ada69debafefcccb0c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f1c034c9caa7d8cb3704d11206e90ec9

SHA1
641c716d6c8b170f22ed974f5ee422a8e7670ecb

SHA256
635f319f64e9980a824119caa19fba575509148589c1a5d6565b180c76d23c77

SHA512
b8b8598a98c1529f4f81d208f5d8cfff647c0fcb3d9f8bf4aab624aa5a9ce3829ba2a35d32c7e32a0b971575e350bc1a42fa559700a245722114e9dad5db7a4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
319186b561d052fab0f18dfb8c92df15

SHA1
53bae85f3c51a2392a0abe5ae809de13a8479dbe

SHA256
64f7fcc023fda04f4002d68459c6354d8b3e7e80dbecf44d7d43866f8e53889f

SHA512
12948f9ee4a45fc32617050b3df2f55b1c60dfd2a322114a872a41bd5522c02823b155bfcdfced18f2bcb046c252dfff7637a48782d89556db4da6d1013ace69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
3ef7a05b9d5ac137374fc6a834eb8aed

SHA1
67be09703aab4f0b62a5ba7d0f30340fa8910675

SHA256
3c3babfc246aca273c82c916c95b6037d4a70c00c45175052742e6f245df41c7

SHA512
27149672c534ca77459c0adf4c8bb3838a096eddc089bc7626b52cd567b4e5811fa48122321a6dfc5c83a375f7389093f1470b720b50d901580e9db5a8eef5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
119d81b779e59e09ffa531f43fc49c64

SHA1
a73f57e6cb9fac705b9573f36c5555d548d8d8a3

SHA256
8389de293c2df7047644831882631796eb4261e494f6bcbba0b60a639e1e0454

SHA512
3459d0678bddc8789f589c990e30400c1b39cd5178eb13d57c01f6dd3226e5fd9744814efe652cda40568f0a26f3c3cfed707ea9be1926a8f703e84d3243be6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
f1e345606d32f71c1146599be2d9fbbe

SHA1
849ddff0854580734b5f0599f50282b708bfcc5c

SHA256
25920098b02455f684a4cbf9bc02abfa9d7fa7e8f50e9ae2dcacd5805bed75c7

SHA512
f1326899df8b1f37e17daf8b94409d43404acafdea51e0f670fc4760a678c4b5756814aad46a5ab875fc8cf61bcf1b139f073bdebbc85cc99baf4afc34118606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
6ddede385732899aae1f5c55de167f6d

SHA1
ce05b0a4d391c8d5fed83ce61a8a65768136ca48

SHA256
11ed7f740ed6a3c39a6bc84e0b290989d27a38f28639be2ca01b4b219f29e786

SHA512
791d8a0051e6382f5dd8c8a1978434a5e9ae37e8780d5137979e7fced3334b6e11b9aaad2af215874d9257af17e44f1b7add3edba4fae49a7894ffb58a509bae

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3bebb4c8554f3ccc8d1d89ae9eaef722

SHA1
368721b6d459d60cad3f514b20cee749dd34d4a5

SHA256
d3eaab28400b8267e5c90adb0e2d8494253773b7a060b189cf72e23fddb39202

SHA512
5d6f552aa622d07eb278352b632cef8d92f938a81f4318680452aa15b2a8c2432565d18aff13c6f7771e34fc51be0db2785c36dfb73ada9b59eb627682fce3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC3EBBD84C3537F51C8B7FBE4342A365.jpg

Filesize
2KB

MD5
5919d47a8fb4244acfbd22d9b8490dbe

SHA1
70f06dc71df92f59faa2cc4bd0b88a7be0abdaca

SHA256
edb09753889c5d0dfbe3d6e5384a3b7dc8055555e4fe5f8842cba0484a81ce75

SHA512
1524734a9cc7cd4a9ce1dcdb01e660be0b55dca59c6b1cf8de43a330344a70a32876f041dab3fb1cff35f45d55fe94b00bd73169a61ab0535c3caebc182bbde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UninstallBkav.log

Filesize
492B

MD5
c1498ffdcee09849df97d58d3bda421f

SHA1
af6c01ad20c36a81faaf02745cc5187ae0024524

SHA256
1138a8b65d4438a3c7cb41c1703ae9941b19bd31561bb1397b5e9a5816b23297

SHA512
c05c0b0d89a9b7459a737ca9d48a9b5d6b547c4dba774e350f46725ced90fcfcc0726d89ec60b29f2f09d52f01ddb31f5cedd4771536492f1b286a6f10fc8df0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3cc12e2998312483133af9f8f7029e1c

SHA1
846a735fd684a6af9b073baee85f576e9f6fc682

SHA256
e7d1b789accb65dd561b51084a01e7288d7537e8bcfa8fc46b2beabace8fef0a

SHA512
a0b9757599bb7b100a2950a5829c989719bea99fd95af1d1f39debfe53efa7a30199e6c2f7c01ec129da3d6a003d2bb452ed0dd5bf924686923d0280bba928fd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cd5516a0d812319c08725797a63c0c6b

SHA1
8d0113b5159b045b4f30a68913ebdbed5cf73b2b

SHA256
745d84a79024328cd4d5f116e4ea0f96eac859bca2e56c4968cd788075e0a96e

SHA512
964f3418e71c2668c181b037dbb7c01dd6837de015cc77c5c97465e58d0c18e40e6357c48a4bf9e21fcaae5440b279b027040841a34d28cf3c5bb864fc0ddbaa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f89487c33e605c54c482240607eb042

SHA1
fbfa0158913646a2b274ab5ff8626dae888da875

SHA256
0aaee3d3865fee8ae85c5acc02b6e566dcd39cdae7eeff446fd50413fd782504

SHA512
d66c3ec3b9a7477257efe0ef0ec02f25f320147feeb3873ea672c2baf311550b505fe848177a3058113f70d85be555e4d874d5a22e6c4e207c96c71223dd3f41

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f6a54d7be219757ab7766972b1e1b7b

SHA1
44c7d61e870be7313f861b63b44e19953915b3ef

SHA256
041100f0650694b0b5b325612e8f4ebc1b2c3db9da44c8d52406010feebbfb7c

SHA512
04862c13e4885bd786961369fe0a5790dcc6ff6eaa4ce58fb86e42815b7884566bc9e2293ae228166469e77131ece20690d05356a69dcb17cca057468c8335a9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ef30e7e1add59e65f1961ec57f879930

SHA1
de538908461b1f8f36b0cb6555adb9b4c136cc3c

SHA256
749aa720422b967dfee04f674796e1242f6ad5c88315049e4732c3aa48451f1d

SHA512
4e19279ebc24b445f52105a03ce8a14606643020d7b812c23d1af42d3f48fafce5075115ce289ef5b8daff8ac294131455cea362226a86c83b5ea4ee325ebf94

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bc09929b7249c1abdcee7188a2f4fe1b

SHA1
05f8c72b02d41a24897fcb02ad5b7249c0fb4bb2

SHA256
19a9b91446a379900752be148cfa20756e16dfb904ecb047359bcbaf101bc466

SHA512
c705e049fdbfd0828b904a17764d41a10412392a8de2b1e78ec600b764fd0bfca962d5b9d095306fbbf9bb084315983ed48fbfe22722af9f13d57fc13c6ac2d8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9b2d73313940de0c0e003a16c545914d

SHA1
fc506a92c9ece73031781c6e436f862c34a8b52c

SHA256
ab0b72687dcd11aee85b4213e69f96031feff4608138d74fb5bfcabbb7f669ba

SHA512
2ee9d37e8140955c2f67118d9ceecbb44f9cf7fbe271db9e8f67f34760239004834fe32042422fe3dfd64d05ffe0b1edfc528357a8e2cfacacd13023d8f3ced0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2bfbe441adfaccdfe13995862c529b80

SHA1
4f5d61d478cde18a164bbb70e6c3fb7b6078e299

SHA256
5313cea59aa949e8278b36b82d4a158984456d4557ec71c874871318d20d67f2

SHA512
99e2236b8c7bda66b14bd547f70d281336f6988898b1b6b1c478f6237f41734314c64a69255d2e9ee8c94a545d1b5e1faeb645a55dba5c24bf58145a7133e3d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cbd33c887e905f9e640eeaddc2a3ebda

SHA1
88e5002f4e28856874ee111283b5ba72fb6f7ff3

SHA256
424ad94c6b03397c51b08127e8c32cd6f55e1120b8aabda05cb7200fb031f2c7

SHA512
5674e5df9dbd7ba0938a3126ff36854e16f6ef062936c393e57d7faadc47c78bd522e05234f661970a7080fbb668c163d9a79417c8d9cfe3b3f30b9907e6e861

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1983571799e7657e36757237d98c17ad

SHA1
a56c4a1ec869f196c8e94c26d964b48728f0d9ac

SHA256
dc4ed567b9c674a69a1055a4fb1f52c5dc57073b9d7214996d928a8922b06fbb

SHA512
36f7d9a96565ca2776d7fc031b5d1c2e32167d8ea32c3f12157d8e1fdbc9097d7b76b0577a78c4a85f6b35bbbc618753eeed1888bfc569b2b84bc10b0cb31025

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a3a01d446efd1e4299356c7f8731288d

SHA1
3eace740e3476d36eb37afbc4b1678ba5b5561df

SHA256
7aa202e4ec5019bcb71d84919b1431e832f6adb83c6c68e93822649bbefaaedc

SHA512
f00a0f6d55db40e299d97dd1305c8680d1e4ccd08e941e7e36e845e59f4c4ebb3774614dd7a52c3b9a90dffef0f303ba60af62dcec2ca08393dcbc5515362c97

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c18cd6132b9e702576fc045706700444

SHA1
560b9a797de74504d25811e5a80f0268b3678a67

SHA256
6a714f0cb1d8a1e264349527eff6ed2875d29be97b2b17a5388abe113e7e7853

SHA512
ff4a589ced520347e87bc1868ea92314868c61475a852fa230906debe2c6d0a7fe929f0d59b32bc27af01fdac4687308793b1610eda5ce2514f74cb4d61d90e0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a527beb5b781aae5d78dfb9b85386901

SHA1
6f5746e230102ddfec632c957945c68db2b97ca0

SHA256
e59a4f97087fdcf90247226b197b4788cee2f0b188c02613878b27674fcdf4db

SHA512
efd04b70155a39b135500d5404aa2a1730c05f23e03e91046b07a26f175bba04015473e3490a97bbd0445674b1654a0a0592751b7f463f721bfe36754b00796b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a82a4f008d74b41ba9d632d3aa1fcba3

SHA1
e71b99b3ceff9bac49b7f43f66e83dac03d51109

SHA256
f8ba576769a9e166d84be96931008e6f04dd6c85f3ae7bfef15be41f35060927

SHA512
e0aa8f2c63226caf627d22a1034ce135e8c38f5f025058dc6921c5d92c1a5982161f05543eee6814c4d0ece470fc2b5006e6c6be4a2943b516deec8650428661

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
de0b0f62089d992cb847600ee72073cf

SHA1
5cabb472f20c7fa88ddaec22d9db32ee5a4901dd

SHA256
f55b78eb1d77cbb0f34c6c04fc0a7876aff7a9ced42f3a82ce70b050b70efe98

SHA512
63902d3f9390ce6fd4e416dcdcc2c59a2ef696e4a3c3bb7c44ef103e3a59cc4e24708fe951df3adbffd16c66ff3530262c65050c8bd1d4eadf6e307c709a81e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9467abb83fea2bbaecce22e2aceb5efe

SHA1
dcb49d973c34c5b15c8318d4ea329d29142ce738

SHA256
7d6574e40da0d9163edaf5611157b0c86407d768939cf577176b07b38f0c9f8d

SHA512
153d2e27d9a9027aedb32f9908a56954291bb4b3c8d176d94e072850fe8f33cac2592a801c0d964ff663dde005b8b45db4fb2f74d55acf1bf50a44454a39d476

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2ea171c3698e3fd6e6813a1082b5cced

SHA1
16d692b3b9cbb802ddfea31bc20d8c7b3d15defd

SHA256
e70d3b8d472e5683371b39954952f60177294132e9ef1508514587e550783ba6

SHA512
f2bbbe454f53ee10887f6b67218e2264cf992523e60039710e0d92a6d35b3106145ebd6c57987970b84e60236d2af804204a53b1c4bcd428d6722f133b3dc58b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
452a68d2bbae22d37f28f06a192b06a6

SHA1
d7483f79c8dfecfef044eb607ab018d8cab2daeb

SHA256
b61c22cd6d4e007efc243c1695032c01324f9f7c28f6c5cbbae34eb9a71e8226

SHA512
ccb305f9b825dae83edc60123c4cb211d93cdefff873d2382b2f5c5f680c187694d8b308729610649d133dc1edec39ccd8d9b777c0b3814bc09ba4071571d921

Download Submit
memory/1256-208-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1492-209-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1560-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1560-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1560-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1560-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1588-547-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1588-226-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-206-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2416-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2576-222-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2688-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3240-211-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3384-212-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3412-201-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3412-88-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3412-82-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3536-202-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3536-92-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3536-98-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3552-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3552-542-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3628-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3628-44-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3628-199-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3628-545-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3748-145-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4320-203-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4432-220-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4776-223-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4776-546-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4912-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4920-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4920-32-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4920-37-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4920-36-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4920-543-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5072-21-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/5072-438-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/5072-13-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/5072-20-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/5168-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5272-0-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/5272-437-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/5272-6-0x00000000026E0000-0x0000000002746000-memory.dmp

Filesize
408KB

Download
memory/5272-1-0x00000000026E0000-0x0000000002746000-memory.dmp

Filesize
408KB

Download
memory/5756-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5756-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5756-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5756-544-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5972-207-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download