c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Size

1.7MB
MD5

86597af3de246b16f15bda108e6c7403
SHA1

15859182f9f2ad8aa8b7c07bfb46eb0911e8222c
SHA256

c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9
SHA512

ce60b824bbda3afdcf01faca8f0ae0203f70e476343c9bdb89816e0470243f535121d6dc413e3eb1192dc3ea4bd8f55ebd42d96de4584d1a6fd5d671cfefebf3
SSDEEP

12288:WczfDIEy56Avaylw/IyES7zN4kqho3qJlW7puLThWyEIPB44CNTnpjFqQ:WczfsEyfhG/5ESOhoaJlmUvgAPS9pjY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3360	alg.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
1912	fxssvc.exe
1936	elevation_service.exe
3380	elevation_service.exe
2888	maintenanceservice.exe
1352	msdtc.exe
4396	OSE.EXE
1460	PerceptionSimulationService.exe
1232	perfhost.exe
4660	locator.exe
4480	SensorDataService.exe
3664	snmptrap.exe
3356	spectrum.exe
5020	ssh-agent.exe
4000	TieringEngineService.exe
3036	AgentService.exe
1644	vds.exe
3132	vssvc.exe
1148	wbengine.exe
2608	WmiApSrv.exe
3344	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91b94f15293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\System32\vds.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\locator.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exec62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exec62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bde6f816bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a0e0017bcacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000857c9117bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094e59e18bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001beb7c16bcacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a8ce217bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d970917bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091f28717bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db609216bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000149bac16bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d11ef19bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe
4344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeAuditPrivilege	1912	fxssvc.exe
Token: SeRestorePrivilege	4000	TieringEngineService.exe
Token: SeManageVolumePrivilege	4000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3036	AgentService.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe
Token: SeBackupPrivilege	1148	wbengine.exe
Token: SeRestorePrivilege	1148	wbengine.exe
Token: SeSecurityPrivilege	1148	wbengine.exe
Token: 33	3344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3344	SearchIndexer.exe
Token: SeDebugPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeDebugPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeDebugPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeDebugPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeDebugPrivilege	232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
Token: SeDebugPrivilege	4344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

pid	process
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
232	c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3344 wrote to memory of 3300	3344	SearchIndexer.exe	SearchProtocolHost.exe
PID 3344 wrote to memory of 3300	3344	SearchIndexer.exe	SearchProtocolHost.exe
PID 3344 wrote to memory of 3852	3344	SearchIndexer.exe	SearchFilterHost.exe
PID 3344 wrote to memory of 3852	3344	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe
"C:\Users\Admin\AppData\Local\Temp\c62248b357218fe492d10789f817bf05cf3e14d9ee3482f03a9b07344c1cdfa9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3380

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1352

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3300

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c11b2df64ff148714c482fbc0f1745f6

SHA1
f925e9b7ab05fada2e9195ea6664bd75f9c81ce9

SHA256
ef2aa4bdde22c0c5c7227d6d2537e9724b5babe48f6b65bd824a11ec9353ccdc

SHA512
b26eec5691f1f4e43b6412b86549acee35de5e8a94dc6ecfade473963f1edc8696de8ab26ce8bc84568e40fd67fc43edd8a56c94b70a07fb35719f8d2bf750ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
e9c549af9832365df99825c5835d85d5

SHA1
debd27cdc4a96961184234b1a93490133021a05f

SHA256
b9ef3df07974830348904bee4a76390f4bb1d659680c4bef79004c20319a32a3

SHA512
23031ccdc313401c921c13db52926ff1954ac7064893616f94a6a4015cb36043fb737f7c4c3fa0cb740c1d1b150d62f40e9155723891e3a72a60e9ef2916a670

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
05a7c486c370192cae96cefcbc2ec844

SHA1
a62446cd518f79bbd640d673cc09f05be5109103

SHA256
ccfc86577946e1c1e4147a57d49e785b1dc8e83e9635bc8b38557cf60f24c489

SHA512
21a031ede1c5e10c5162fa20c1d962876f30e9f95cf0e59f483113a696efaeb2c42200515d664c79c4da64926387b5f33b1b2990f0df769ea19ad450bab6b979

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
68eddebe1b5dfb73a9af92edc473032e

SHA1
dac6bc99fe2895daf583d9054b710eb24c0b1956

SHA256
8cbc4f81dcad309d5518687ac2bdbe2d394d4ac93ab356f79fec79409079760a

SHA512
7661f1a6634674eab20b3cc5fd18ef7b02cb23783f65fcd0fdcb18c5d1dc214c9fedb6a9b078c68ae7818ecb6491835c2fd3699d994c19b2c0f5909974a775ab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
845f771b4120f5a0192396072b1bf322

SHA1
7a0ab360c5b32806be2377d4be7c50a02d30c4c5

SHA256
73894c6e06d993a321868c62f64bfd8474699e6d5ee13befe79e13b49c8401c6

SHA512
4ff50a8d58774376fb6723170388913146a2c02272d177c611af935eb8f3616e151bbbc08b0e8d77848c35a122bfd431892f7dca923ca5567d0c86533d0f03ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
ad2fd1475c7aabfd611ff693784704f5

SHA1
e82ccd531f631574559c0946491e9f3ddd760b55

SHA256
ffb5ec77e90e7a735d62089b8ba300c12917a711883fad74d204b3565b6325c0

SHA512
95e5c0134423e28fc7861646b899a33398f0f197608c90a512a83fdc173cb802458f61299a287d15a0edabd815d8575eaeb46f4a9d33869b4a9eb7e7c76ece75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
909d0313c6e42fc9b5bd09b8a3b198de

SHA1
80e1be001e6840aa7392202f946097c52691e946

SHA256
348b23727ada786db14d5898574d709b1a587af43c29dae13d8cb59d3088b54a

SHA512
16004c3dda08b3affe16e4223ee8788cd6141318f73312811db54f8a6fa6551de86788ebbea373ee15a812caa3ad6e24d765e6b3081f54122850ace0b766fd64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8ced3478eceb1940015c75d2e3bfbaaa

SHA1
e3ecad9fbdd8830344dac37090b07732717d6235

SHA256
c969e7f59135b47be88038635902cdccbb0dc832f0cd64df7692fbc4aae65c8c

SHA512
bb2f0f1da39d59fd0a46f248faec545b41fa526eddcb11eec0eae60720609f9307227fc9a1383e6f601843954ecbfde65b7482e00de71ba47c7a27fd69f5706a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
fbac76bcf6eca574f80220bfa0c200ee

SHA1
3053d08d76fc01fc7727259716d1f0fdbe9e4668

SHA256
78518bae8c19dfca635bb4fd9abc8e30539b7c4e032175138bdcb6f407d77ee8

SHA512
f279ee90ac5f69ac5310705ee09d5b699c18ab8fae56cf729533ddf43766a3cfdcdf6dc2bfd9756322d05d485eefbf01b472ca41b80a293251defeac52945238

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
44052522ae38ed9235d88a1ed60bdeb3

SHA1
7cc021173c510e6601a72de8d3c4cdffd9a5581f

SHA256
8bdf16b956a5a3ef6c9130a26abf86b86f42764d275ef7d0f357568beeb1f5b2

SHA512
4ba88e72e1f37c752050a4afca676e35ed24ddd569ff597918ef937ce2979054daa0bdf1ba57f008e097842d915a5b3b15fc0403bb9351e5f592ca0d67ac26a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1960034f118891dc500e5f952f06583a

SHA1
ac552558ad07c809d1a7e3dc3de3f2ef05cccdb0

SHA256
aa94f7328cecaa4467715dd2a80a46108e477882e4d557f6b3b0a007094fa3e7

SHA512
f4a634828e6da83c5641a394226eccf6f0b9d14abc2812a7767f15e6e578d84dc9041f6b0d0bfd8c338b30370de94921343404b2d06447e4129c36ef67fb24df

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6475f5ced34fd95acd0c1934a6094896

SHA1
8ec2eac1d7d44d41c3c95d8a1110e9cd5bb0b92d

SHA256
1208c62c207f81a823cdea7025bf42ca34c471f26ee7bce77f679c88803abf03

SHA512
323cc8df92fea384b17ca40cc9bff6da4b08e114fece8dd41c1abe30d23a72e1efe333a8dc50abc8813dc81f9d8bda32937898686bdab250627d87e3fb766fef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f1271bc82495bb0a0e2f7f4f1b879a9e

SHA1
92f41ec366e2a107daa795322f4a2aeadae703b2

SHA256
3415a7e8c115b4c0d7b10323bc5b59aff11e2df8ffffe57d107e3e1e5ae2f8c8

SHA512
4751165cac1d7df9726f5229f627598251d429b81c95c5d171b56fc3d441acd10c590f734bbd6d201205d96a1829fef9172daf7678e8a0a14484b59d81768ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
807d3f2f460c83d7a6e6e5f721236fbf

SHA1
f4192d303f580499d8998f8212d7a5be6ff00143

SHA256
cc8cfebfaca7e9a5055de1b6676d171fc7e6baef1d33d95cd9e5c50a76479a42

SHA512
8645f8082df5f2287fb697faee86c738a27bfad140b72a44c9442d7dde3d822858c1fa04c41953da74d9ffb856bdd92c3606a86d6f3f1659f1a5d1e7357b40d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0ea8caaa70b0563d62d597d76e757e16

SHA1
0f72b9ac486892b98a158a67804f381acc827b91

SHA256
2e3f5e9fbc56a75a6c72e124bd8ef2ea4579ddc505135c1ac4d6bbb1c9752829

SHA512
9d8ca70805f93ad8735935c058767473c5899d94923c73cfe06fbc1092a0abdc71d950d6039e4dd9a32e5ccc4600ebce05d1a89b45918d1759e7d312b1ab86d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cc4ff843be8879fb5e61ba04722dea59

SHA1
f26d4a07c6df4a0275f98b8f9d5f7083d1de8aa3

SHA256
b883ba1ff39e6bdd0e0bdfdb9289efa7fd3612a5550ef5953ce672b24f84e4a6

SHA512
34f13bfb43c5f5bef8a9f82da1fcdf34020e04470f50dbddf974f0612e1a3d30bf6d9066389db556009aa2dcaeb4b8bc30a4631351e02bb6b2a0b4f105356b28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4d10bf031b4b0fd84db755a1632bc37d

SHA1
83ef002c1f6090e1ff87191936702e46b761f77a

SHA256
0ccba58ee5e9132729343903fd3bfd3d5efc5b7973257263aca68a594a039651

SHA512
9e45aaefeb03831c08e63bb9ee40a1bab5b825d232ac7fb5f3514efd09574943df3e02d27343b10059aa71d0702834af436b5a9b56b0ab9529f480fd55736464

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
613dd5f9d0aefb2df80005d97bbc160f

SHA1
a6b2227c20c1ada80244249d0b6e4e5d380cf384

SHA256
1128b965ec06a8a65773468c1b11fd08490fc0daf92a2ed16b2dfc0b383ba6d0

SHA512
8ea236f258d83baac6395f9de07a4a6a33ac3a488142871e4204fdd077f5d945ba5ce72b03e1d9d36f5d2c9f4a6bbdf0c7c0cbbb43afeb8221999e932af41542

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
34a4e27b6b7a9bed6400d2da1f7fe341

SHA1
99887a14eafc2d004218bf05677f0c45eff5331d

SHA256
fb9b697f64cac861a1b54b5d760ceec67152f973b943c1ffcc36537a32f592e6

SHA512
6ae0200e79357946e5b8a63f10442aa4ac90059719a6308dec2a6e55bd3a5e8fc6926d2e1ed74316391d5047309731a88b8cf6b2d2e47f19220c7f1be9412fbd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f8c3d68bca7511a9bbef944a84c3935f

SHA1
ef41c653b49b58d104c7ac5135e4a389f0e2aa8d

SHA256
2e7cdf17702a4db78cb802c14ad8c0e99c6d0f5c074558b67f506bbd1de58c24

SHA512
cc22a8e73071d532b301b12545a3fc12e9ecb85d6e1758b4e8eabd36dcd30e7b0836657c1d8945210cc6d6e6cf7087a69651dbf9e0bcef36ae25d9c7576fedd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
6fbf2ba34cdcef210297a442d7bd4114

SHA1
4cf247e979c3e2623d399b3e0a598db449aef035

SHA256
e1b923b3b8ed9f4c02ed92ce9488c4d3f92f440b68f15f42b061da90ffa7c9ae

SHA512
96f0c3d71e768d0967f2338d64ae9fa1194c201979d88f858a0009b5f9b1399e4fea7a7d3c5ff49c4ecfbc1d153d35cee939e02ef2365af57d088e9771e0a8e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
64a65e01d4e7815d3ead8842dcfc0050

SHA1
add28c4f267f8e4ffac5a9041024804b5403098b

SHA256
8e8e2b5acc8b4c5152b54147dc33bca5168a844275b4a0ee401beac633bd2138

SHA512
2e2bf6bc60c2f559f0e64ebc6b4fd8e482bf874ceec5c75860e60b2b3b344dd2ac997bbf096becbeb8335cc1141c5f4e7d5f26ab86e86cef4a1f5afda980edaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
451218ed770679e62909c200d3c0e4c2

SHA1
39a302bf07dc8a6097ecdadfb04ec4e7884feeb2

SHA256
1c88e143fd8691941455d4fae9f4ff72cbcd9247441117335e1fa1a869d25e50

SHA512
1928bfcef08c78c1c889cefde5d42b7b78c21bcfaf32423b4f0ffc2e64d3d7a6c5544636423b0b723f7ffee2ddae170657d6ea9b2f12caf85bc73c136717874c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
cbf9aae6ec1854208f47fcd832f1164c

SHA1
3886a155bc2f9da0e89d1266649c94f37e02385a

SHA256
204da90716a7db71a775a5117d0e3d418aff721a748a9ea7cd11916e93c880b4

SHA512
4a1f7ad06ff87fa8a4d2fbf3113e81fffb0f2e234ae53ff6db1d7c874cf2dab19a1980fee5c41789ffc39386b519214a27c7042d54051d495a2f6ebd0f3d5493

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
26427ef619af735a4046f7bdbba709ec

SHA1
f1035af80afa348008e4dfc8c08415abf933b756

SHA256
d052deae8e07280c05c45cee88eee78ead0f410d26d161ed2a6fb1aa7b3c20cc

SHA512
76d269c48c8d3089737410b6efb4bdb0af441250c42718fb78064f00d1a88a07ced95bcf7076fed61a5f51c723e87c51ef96648fa0e010626a2846391363dd10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
feba7571e1bb116ed181df28b23ec6ed

SHA1
4399bde705365b88ae9ac4cca99fe4ebe06843bc

SHA256
3f0a23681b3af5dd941686dd1c1b071da8bbf2836ead8fa93c53319531f1693e

SHA512
25c6d818a65a4590c41c9b0071c93f4b6e97cd4fd7bd1fe021820468d0775b457a46d74851498a41281563cb26ed7c552bc2e2036611f89d28fc8fdb69d1b8f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
bbf1b3a7f41c615fabd9d5fa305e8e00

SHA1
35d42d83b7b7358a025709a712377afd0a513c8f

SHA256
f3f374e59ed3c1cdadf8eb5963e1628c43ef2920cab60fa11caa87c310f99fab

SHA512
9eaddc4753422404fc8873c0899aafaf57f2cbcce4cffd4bd5626c4e6447a56b3f40e7406435c769cee2a201ed88d2249f2a5bb5322bc06215e7018576d70dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
5300320ad1bf81c6d57c4197e7d96915

SHA1
c996918be7766d3bc3214b6b9c45b41573966a40

SHA256
8b427a49fcf86459877d78d440e826892b77d78fe014e391504264ed59b37f1a

SHA512
2a52008d2f460d9434377ee0960b95478d62523b41398f931af56981a82343a8d27105cdae1d512cdd98c2a2551b4bfb41b1d8bf2269970d31fa12f92c251fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
cb15d1f6f686a1d4ebc48cefdcc8dee5

SHA1
036920338e60c5ec0d5b11a6502c0c7925cb052f

SHA256
f46087af2a4abedd334e14c70839369a76840690160c1e227f1bebfd731c48fd

SHA512
dee214dd6008e79ca565a0ec1ae4afa4ecfd28afd85fb0c7d6e9f26a1485115111de4d35177f4979e3e8d476e0c8358635cebb372a7f69af06835ac8505cceab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
7c356a49fbbb9123d7dd5b07b8486369

SHA1
12a523d36fac3d1271fdf7b3ece5aa3d5433ee02

SHA256
07904e14b5934fe94f1682fc041dccc601f613036bdfdd041c8fd01684a62cdf

SHA512
76d565092c5b906ab30d028340a93d83e63728a774cd213c794ffcac69a94d23312d7c0a9160d7f58e65e1431a12034fa687d89f61b35edf8e732eb5cd2f01aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
07f2d65af4cbe88d917286eefee2ab5d

SHA1
e394f5bbfe2112355ff46c14bf8573fb0aaa3ea4

SHA256
f3b96e609337981a2a31e3c4ae350448d3bd343ed7af34b633b165a903483d10

SHA512
b04a0055a1600e82b3b2ad118d7c283f28393ea0ca36c80af17342a6ae2266e626aafbc0c515e955d3183813ff00f354d9bd640e0da660520e248c21d09af99c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4dc797af25289d9645dad16cf1d078a7

SHA1
ecf06ac810668ebb93d2dc7ae3cdd5a3c52ffa8a

SHA256
87d89f10c535518cd1a270bea05fcb7306be64bd8c69091c59118c10415a4a45

SHA512
48609f02232ec8a3864f2512101a8149ba17e271a9f2df7a4672c4e7876a2cbeaf5cf31cc58e97d14939ee27503e1d0b2c7e0510bc623471ee4f326f58848b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
725f6a6b0dfb3c6289be49ba27a56a3e

SHA1
9fdb5d5477840eafb5f2e92c38fde3176c38737c

SHA256
6ac3ba418850a358af6630c8737367f05b2b8a5d6b404c5b811c51b34bb479e5

SHA512
cff47d0231b21b95a9f884f503353017092c32df6df521a922d3bea1a233d09d0204388e9305b5de3a8c2a0db80a766eaa917a7da6c138f437234e1ceac528f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
1dec222e34e22e7f7eee97ca53485e2f

SHA1
c6e8b6456eeb24b2a771b84ca7057f501fa1d9d3

SHA256
0a9fe6664c9b607e9e22e2f51c3076fb88649be9923271400fb20f78db2fc1a8

SHA512
b52ed33f1a0a08626fb1a04435724146f347b259f18b4fd1c6bdff661baa26b12dea9e279c5c4e85c56e65722d057c235ee118ac31fc1ba4f1fa71784e147a80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
989ef7abda8b22905aff7e3dc241b7b9

SHA1
abe49cc2a3ec9514fce2237ab2e866ccb77c7ee0

SHA256
aceeb107245710c66880308ed720b8c931f8c85ed02533a766862a75cc62e5b8

SHA512
8e711bb509e84eaccc1572535fee60101a9163388837f8906533369ebeee94e3afd45bcc619a7fccb2fa3f6a6dd24f87961045fa7b24a12b8d5d6be05143a04b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
0d12fd6b843a0ccc4c8ae2ea53589104

SHA1
93bafac505742a416484923a046dc56bfa4280f9

SHA256
6112e758be5d0b98933fe7f54a60b575fb14311c2b001d98ca42d6749a1860d9

SHA512
257b5b19207c358c9593c0b85397a0ce4acaaa0106a46f5bdd036a3bbe5cb4cf733b84e2fe0c263d9c4607c0d7592fcfab300aa460804150f53ecd838b758662

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7f8d5c102fa44b574970cf734da93a3d

SHA1
372e6847b799ea560e46bed88ba70f9af11f2dea

SHA256
cbc4b910077f296cef1726fcc541fa127ec7545d756a6d161388293bef38bd32

SHA512
83348cf4ecff35e089a2aa4ffcfb7980e58de8c1c908b86c029355a9cae6c3486ca0c83cc0bc2241fce7b34898203d2251c2c4333417958dccb24eafedefcc99

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
1ba17dd956da93a3aab1cd1aa6d7461c

SHA1
2777c3b404b0afbd5a0a684b031f2bfa05d567c0

SHA256
dd50288dc1270fb0726346cf35fd236af4d14d0958393e1b1ee0604f08f2af8c

SHA512
5eb2c0e07a8d5f471cc502ff343aa57713760f8fe824ee7ab01cb08c0977c8bcd74443682b295d883a468696f34bf48e58ad687f48dbae21946c00e63e4903da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
78fbe69fada4f4d557d90cde8a5198fd

SHA1
4f3b5f7e046ae7acdf98eccf99703c68523c0c64

SHA256
900550562f67ecb56d913df23638191ff76b12a469c765f664a11a9e465b835d

SHA512
e4bfc413288398ba87546d42b596f68bad78cbec35469de7e312bc134aad778575de3e318b6cf6134c2d4f813f51e6c1cf78a018ecab1d6f59fd95238dc074b7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8c39bc1ff8e311d38a7fbce8d0867b82

SHA1
b9a70b933adf56e53e0ea39ea371ae0f334e1e65

SHA256
c9a91d871a947fc54803f230290b5a66d28adb1ef3e32b6872e95eb311ecab5c

SHA512
a0251f755f56f0ed1d5a5f3658f8dda4fd12f65b26873734c8b688899950fe6e242e193015bee5f8cb86fc8101048ebc0a99293dfecf40226bd4fa29175c4a4f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0d7dc62fca22e606c9e58f7e039104f6

SHA1
b235c651a484d65ccaa0df4297e599be4bfc6fae

SHA256
2a0b8c2b59262f21d226b797346f86c1678c97bad41cbe826d7d878b41686fc9

SHA512
b239ec10c951cfb8e621d69e96ea05869d1a5700de19b4c8cf801f947886540cb525d91df155e810a3b7046ff52469352958887c35039a628b061f5b652433bc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
706a26555ef6a5e336239a50e2208f7e

SHA1
ca299ec7358d870e4ba069335ca80b56492cd0bb

SHA256
29ef31991d850eb7dcc49e97bd825c710f7e4f5f8132403bbe36b58e5df99461

SHA512
ac6e0c74e10e67a25e0d1917d0cd329ecdda4f18f8966c1cddf01dde406eb67dc85d62fa06c6a398c25394b50f88b0baebebb2fd767989624c89603d9c28e284

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9b71bc9a9abeec8046c5dbac21797ee7

SHA1
a55f64e784523807896c9313848800618f8e8d97

SHA256
7104a378d106f52f652d7342583b66d5ee2e9172c02e118c4a6c54c4ded69ead

SHA512
6d7c80f74f65ad17b52d3aed054e7e644039e94cb7d8076f5d1580782f7a11e7764d2cba7eb2c4d60c24a0274c0f43881c54df576ef3f8a2fd36a3f3d7cbb874

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
7939b9d75dd302f79c310d06e42f3fc9

SHA1
a88254b6e71b7378837922f35689e92ffae7b8fd

SHA256
628188d4eb76f3b281150a500992495f67d65c18f528691629814abda3af1319

SHA512
d828e419fb2fb9c71fd78d7f2fc333c3e0a23fb1f06a539bbb586a560c7ca186c447a1b3ca7a27a535234995daada5156a5b03675d9e35cb182586a1efc65894

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
e00f31be6ed5fdf5dd92ac5521aeef04

SHA1
26903dab90dcf3c2c2ecf58aa63a26e9a84e7260

SHA256
4073058146ea7f0593d6d9aa540b82d9aaccd44d3781461cf14e083e40a29cbb

SHA512
5241dbc07e6956822a8995e7a9d904681583a771dd7c13d0c8f97a7e46d0bbe6cb18ff7e825bb88ccdcf4b06d7aa1b6fa1a6cf0d932ac86c640df425f90d19ed

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c7241651acc60e9567a8d4c641f8cc98

SHA1
5632124863636fca1fed82896dd7e45847a500f6

SHA256
03c0b3a71be213f2567f8de104768138fdac22e8b6a46dfef6ef338ca5b21fce

SHA512
70f565ae084e6fef0634c1089e965217c68e39aac190d9d15a770dd6cb969008d9a0686e925928dc9f49db6306f28e8939b38ecf1d2d8055afa16442d146888d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
edf409072742c7f782631f01d6925d23

SHA1
214c5f248d7b207615528bde2b853db606adc897

SHA256
f8ef3e909da6524de46f78e25141de2ecbbc547cb253c3a1e5cc31359c0ca5be

SHA512
e1dd90d173c53c21552c3cbdafa4ccc92461501c79e98a2a8140c83d26b4bbe2775f9fb7898e8f985c4c1eec465a19cc4a55fd688ac5f6371dfb889b37d7cd5f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3b894de62480672044bafee4fe3fef63

SHA1
1d97e386a34fd1d36fc1f9b776564bd281fcfcfd

SHA256
2854b6cef31352b365d636fc2afc0c6001df8f8c047167f60994fe290c5b3e4f

SHA512
2fc33b642118538d129a044fbcd87969e05414abf7bcf74487c9171923d185fde8dd8308ad473d782e4dacb1933cf8aaa5b9bef4eeb32424d33466c042829560

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
cde9e8b6fc494d04694a58bfd23ab938

SHA1
0fa4f634cffa03322b0fce4c43434becf6456cf9

SHA256
4bc2b703e1d6db19752b2aa15998dcf136f4e462e4c1100f9427e2f1761abe72

SHA512
281234e18fa26f84519c5d4f8033605fbba75afe0c23462b998094ae61f23741374cefe222741a8ebcde4bfaf6efca607004b6b08816ec4ee383777c2d3020ec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
47dda4c5fbc67c609504d44c518149dd

SHA1
1f7335afaad9db2e9af40ee7be298f68fea819ef

SHA256
cdbb1b370e43cb2c49a4cf9a0d75b66b583d347045206d3027c19b1121d608ba

SHA512
d29392732997ef462f9cbe46a41a3dc3cbf51e7e57ac635aca1f012e83e549e3a350cdadc6b61e990b7099ce5be4f6da9009b9297442e62ed94d8cc9bf463e14

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
cf55ecb577559d1ea38286d8346d0dca

SHA1
a6c4c6445f5c8ec5d774ef2e524bdd57ffe9865a

SHA256
745edebf1211bafe82bd3563a2e31ebfd09d020d9045d9fef3a0cf86c163b441

SHA512
2ded09ba0fecb01ac64de2c4ac3caa9194e48f85ce95d0359a172b36bb2d26f64871d0214a31cf62ae106bc57b2a319c99892a9f5aab7487434387833e9dd647

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
87a132d09b7e138c2d0d10a06901c182

SHA1
e541a9f5f7b8f1329e18ffee30bc1e8638e64056

SHA256
f71e6542e7fbc7962af6de4f7e1a24f7388e7eebaeeb9915fd764c8676a89c91

SHA512
4299509db2fd461a2ec63dc791b1de4824f69f0938678ea64d849346f33103694c98fb3cd6a1f60dc9ac5ec8829909ce40da1e0cae39ebf17886985ca90e6c54

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1b44eb9401c0e1a66c1fd57ed39bed97

SHA1
b3532ef0451440396a8c5ac1f41748cece642856

SHA256
da10a8fead0266033285f2d492bc02d227b002f631273c40783ecaf05b355a6b

SHA512
60598dbe70438b9da71f3da4c89b7b5c25bb337c06c72d5ad4eec19e79bbe453a0e9e7d508584514eb307d0024aeb657fc840679bf374435aeac3ae1cbc46aa0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a793403938fe1b3eb638445ec84a635

SHA1
d77b45570a298ebb564738d856f9969e6aeae833

SHA256
1f2517a5f52e91c7c8e5e1706d0a6edec8217a4db39ef390061bd620a0530c97

SHA512
34b07e6ab616973ec4a60fef6bda8474c287a73300300de5f887df5efeeb267f5f1c22f8b1d16c76dbeebcad4c4bbdcafaed86873cec45168a1121c6a93e1cca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6b43a26651144231fa7a86df65e7bf11

SHA1
ff81a9f1dfe739acba1c9ea38f82a2acc2b97c36

SHA256
277acd2d12497f60aaeaea51d1e8cd29fa845ed105a8810b4a7d05f8e56c3d04

SHA512
f28346770c28e0d623356da9211539dd61db182456a70518b905ccecfe76323845e8eef6055b39f2784ecde13578d91665296d122d1904b9c91ad228c2d66a29

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
edf8eaba56d043540c2732d0ed5e1975

SHA1
08c9f81a50774c8131fdd1a7fb284ae8792db0d8

SHA256
9ff663c9bf98e0fbe1c16787fc18c330a3c55a584f971dcd44ed82e756bb13eb

SHA512
0ee3bc37edac7002b94b28edfe3cb44db2f3a41e147e2540161bc024752db03dd314ad2415700fc108b1c4b734c370fd795fca0f814d26c559c4fb46ade52539

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e659bbb41d7757a503bd792b32f21d60

SHA1
f9c9000c0e28266e9843d8f67b6012f7b164e359

SHA256
7d617918ff52283bec79879f26c97d7d98abfed44c79bd427156a07f26539476

SHA512
e8940a884ac81fd3f5f57d549fb6665fa3543d5b2d0f0ab15a813372f994b0f47cca2903ecb36ecb3fc846bea271ea92157c7862773da6d4ddd9455966661884

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
2eb8245f27d73db2b1b4aad9aea06e3c

SHA1
7596842a229f442253ff671805acede83b90ddeb

SHA256
3311dfb09e467164acee626611a16b7ccbbd4f3ddbe9a2b28ccf33daf4611452

SHA512
e50747532ce6bb1b7deb0d95453f7fae4f6cba3b1dff5b1de61b538953bee4610733add2e6c0ee3193dffa29cf9bb51f824aa553a682c53d618483de35c96120

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
5c521ebb841251b507e9e0ef3dbc6d28

SHA1
1d0e8371731ca80fafb27b99b44d309c2d5c09cd

SHA256
99c522f95811397dcc978d98c81c00877cc44abd28e5fa84570961adcf657b29

SHA512
ab6406620b0428bd62e021af620e7f0a9a294ed7f0e3aec2e90ab9c02c425796c65984210897b0ddc05bbb4c73cb8bbbd5f2d483407513dcd4b2f0996761d99c

Download Submit
memory/232-7-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/232-8-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/232-88-0x0000000000400000-0x000000000067F000-memory.dmp

Filesize
2.5MB

Download
memory/232-2-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/232-0-0x0000000000400000-0x000000000067F000-memory.dmp

Filesize
2.5MB

Download
memory/1148-503-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1148-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1232-161-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1232-100-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/1232-105-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/1232-108-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/1352-70-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1460-157-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1460-95-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1460-89-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/1460-97-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1644-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1912-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1912-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1936-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1936-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1936-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1936-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2608-507-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/2608-167-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/2888-56-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2888-67-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2888-65-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2888-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2888-55-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3036-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3036-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3132-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-502-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3344-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3344-508-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3356-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3356-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3360-111-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3360-14-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3380-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3380-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3380-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3380-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3664-118-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3664-279-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4000-500-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4000-147-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4344-24-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/4344-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4344-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-83-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4396-77-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4396-153-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4396-85-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4480-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-356-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4660-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4660-112-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5020-429-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5020-135-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download